Total
39743 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-62074 | 2 Amauri, Wordpress | 2 Wpmobile.app, Wordpress | 2025-11-06 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Amauri WPMobile.App wpappninja.This issue affects WPMobile.App: from n/a through <= 11.71. | ||||
| CVE-2025-54718 | 1 Wordpress | 1 Wordpress | 2025-11-06 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Yogi - Health Beauty & Yoga noo-yogi allows Reflected XSS.This issue affects Yogi - Health Beauty & Yoga: from n/a through <= 2.9.2. | ||||
| CVE-2025-64224 | 1 Wordpress | 1 Wordpress | 2025-11-06 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Conference Theme Custom Post Type grandconference-custom-post allows Reflected XSS.This issue affects Grand Conference Theme Custom Post Type: from n/a through < 2.6.4. | ||||
| CVE-2025-62032 | 2 Tagdiv, Wordpress | 2 Cloud Library, Wordpress | 2025-11-06 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Cloud Library td-cloud-library allows DOM-Based XSS.This issue affects tagDiv Cloud Library: from n/a through < 3.9.2. | ||||
| CVE-2025-64232 | 1 Wordpress | 1 Wordpress | 2025-11-06 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in icopydoc Import from YML import-from-yml allows Reflected XSS.This issue affects Import from YML: from n/a through <= 3.1.17. | ||||
| CVE-2025-53574 | 1 Wordpress | 1 Wordpress | 2025-11-06 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ptibogxiv Doliconnect doliconnect allows Reflected XSS.This issue affects Doliconnect: from n/a through <= 9.3.2. | ||||
| CVE-2020-36866 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 5.4 Medium |
| Nagios XI versions prior to 5.7.3 are vulnerable to cross-site scripting (XSS) via the Manage Users page of the Admin interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2025-46786 | 1 Zoom | 6 Meeting Software Development Kit, Rooms, Rooms Controller and 3 more | 2025-11-06 | 4.3 Medium |
| Cross-site scripting in some Zoom Workplace Apps may allow an authenticated user to impact app integrity via network access. | ||||
| CVE-2025-11162 | 2 Brainstormforce, Wordpress | 2 Spectra, Wordpress | 2025-11-06 | 6.4 Medium |
| The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS in all versions up to, and including, 2.19.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-11820 | 3 Elementor, Iqonicdesign, Wordpress | 3 Elementor, Graphina, Wordpress | 2025-11-06 | 6.4 Medium |
| The Graphina – Elementor Charts and Graphs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple chart widgets in all versions up to, and including, 3.1.8 due to insufficient input sanitization and output escaping on data attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability affects multiple chart widgets including Area Chart, Line Chart, Column Chart, Donut Chart, Heatmap Chart, Radar Chart, Polar Chart, Pie Chart, Radial Chart, and Advance Data Table widgets. | ||||
| CVE-2025-20289 | 1 Cisco | 1 Identity Services Engine Software | 2025-11-06 | 4.8 Medium |
| Multiple vulnerabilities in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have at least a low-privileged account on the affected device. | ||||
| CVE-2025-20303 | 1 Cisco | 1 Identity Services Engine Software | 2025-11-06 | 5.4 Medium |
| Multiple vulnerabilities in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have at least a low-privileged account on the affected device. | ||||
| CVE-2025-20304 | 1 Cisco | 1 Identity Services Engine Software | 2025-11-06 | 5.4 Medium |
| Multiple vulnerabilities in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have at least a low-privileged account on the affected device. | ||||
| CVE-2025-61431 | 1 Zucchetti | 2 Infinity Zucchetti, Zmaintenance Infinity | 2025-11-06 | 6.1 Medium |
| A reflected cross-site scripted (XSS) vulnerability in the /jsp/gsfr_feditorHTML.jsp endpoint of Zucchetti ZMaintenance Infinity and Infinity Zucchetti v4.1 and earlier allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into the pHtmlSource parameter. A vendor fix was released on 2025-06-18. | ||||
| CVE-2025-62722 | 1 Linkace | 1 Linkace | 2025-11-06 | N/A |
| LinkAce is a self-hosted archive to collect website links. In versions 2.3.1 and below, the social media sharing functionality contains a Stored Cross-Site Scripting (XSS) vulnerability that allows any authenticated user to inject arbitrary JavaScript by creating a link with malicious HTML in the title field. When a user views the link details page and the shareable links are rendered, the malicious JavaScript executes in their browser. This vulnerability affects multiple sharing services and can be exploited to steal session cookies, perform actions on behalf of users, or deliver malware. This issue is fixed in version 2.4.0. | ||||
| CVE-2025-55341 | 1 Quipux | 1 Quipux | 2025-11-06 | 6.5 Medium |
| Cross Site Scripting vulnerability in Quipux 4.0.1 through e1774ac allows anexos/anexos_nuevo.php asocImgRad. | ||||
| CVE-2025-36054 | 1 Ibm | 1 Business Automation Workflow | 2025-11-06 | 6.1 Medium |
| IBM Business Automation Workflow containers 24.0.0 through 24.0.0-IF006, 24.0.1 through 24.0.1-IF004, 25.0.0 through 25.0.0-IF001 and IBM Business Automation Workflow traditional with Process Federation Server 24.0.0 through 24.0.1 and 25.0.0 are vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2025-10853 | 1 Wso2 | 11 Api Control Plane, Api Manager, Carbon and 8 more | 2025-11-06 | 5.2 Medium |
| A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking. | ||||
| CVE-2025-5770 | 1 Wso2 | 3 Api Control Plane, Api Manager, Identity Server | 2025-11-06 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of output encoding. A malicious actor can inject arbitrary JavaScript payloads into the authentication endpoint, which are reflected back in the response, enabling browser-based attacks. Exploitation may result in redirection to malicious websites, UI manipulation, or unauthorized data access from the victim’s browser. However, session-related cookies are protected with the httpOnly flag, which mitigates session hijacking via this vector. | ||||
| CVE-2025-61994 | 1 Growi | 1 Growi | 2025-11-06 | N/A |
| Cross-site scripting vulnerability exists in GROWI prior to v7.2.10. If a malicious user creates a page containing crafted contents, an arbitrary script may be executed on the web browser of a victim user who accesses the page. | ||||