Total
40740 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12029 | 1 Gitlab | 1 Gitlab | 2025-12-23 | 8 High |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by injecting malicious external scripts into the Swagger UI." | ||||
| CVE-2025-52842 | 3 Apple, Laundry Project, Linux | 3 Macos, Laundry, Linux Kernel | 2025-12-23 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Laundry on Linux, MacOS allows Account Takeover. This issue affects Laundry: 2.3.0. | ||||
| CVE-2024-21496 | 1 Authcrunch | 1 Caddy-security | 2025-12-23 | 6.1 Medium |
| All versions of the package github.com/greenpau/caddy-security are vulnerable to Cross-site Scripting (XSS) via the Referer header, due to improper input sanitization. Although the Referer header is sanitized by escaping some characters that can allow XSS (e.g., [&], [<], [>], ["], [']), it does not account for the attack based on the JavaScript URL scheme (e.g., javascript:alert(document.domain)// payload). Exploiting this vulnerability may not be trivial, but it could lead to the execution of malicious scripts in the context of the target user’s browser, compromising user sessions. | ||||
| CVE-2024-12641 | 1 Cht | 1 Tenderdoctransfer | 2025-12-23 | 9.6 Critical |
| TenderDocTransfer from Chunghwa Telecom has a Reflected Cross-site scripting vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use specific APIs through phishing to execute arbitrary JavaScript code in the user’s browser. Since the web server set by the application supports Node.Js features, attackers can further leverage this to run OS commands. | ||||
| CVE-2024-5125 | 2 Lollms, Parisneo | 2 Lollms-webui, Lollms-webui | 2025-12-23 | 7.3 High |
| parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scripting (XSS) and Open Redirect due to inadequate input validation and processing of SVG files during the upload process. The XSS vulnerability allows attackers to embed malicious JavaScript code within SVG files, which is executed upon rendering, leading to potential credential theft and unauthorized data access. The Open Redirect vulnerability arises from insufficient URL validation within SVG files, enabling attackers to redirect users to malicious websites, thereby exposing them to phishing attacks, malware distribution, and reputation damage. These vulnerabilities are present in the application's functionality to send files to the AI module. | ||||
| CVE-2025-68387 | 1 Elastic | 1 Kibana | 2025-12-23 | 6.1 Medium |
| Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function handler in the Vega AST evaluator. | ||||
| CVE-2025-68385 | 1 Elastic | 1 Kibana | 2025-12-23 | 7.2 High |
| Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a previous Vega XSS mitigation. | ||||
| CVE-2025-64672 | 1 Microsoft | 1 Sharepoint Server | 2025-12-23 | 8.8 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | ||||
| CVE-2025-64675 | 1 Microsoft | 1 Cosmos Db | 2025-12-23 | 8.3 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Azure Cosmos DB allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-64677 | 1 Microsoft | 1 Office Out Of-box Experience | 2025-12-23 | 8.2 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2019-25216 | 2 Starfish, Wordpress | 2 Rich Review, Wordpress | 2025-12-23 | 7.2 High |
| The Rich Review plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the POST body 'update' parameter in versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-66501 | 2 Foxit, Foxitsoftware | 2 Pdf Editor Cloud, Pdfonline | 2025-12-23 | 6.3 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the injected script may execute when predefined text is used or when viewing document properties. | ||||
| CVE-2025-66502 | 2 Foxit, Foxitsoftware | 2 Pdf Editor Cloud, Pdfonline | 2025-12-23 | 6.3 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Page Templates feature. A crafted payload can be stored as the template name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the affected PDF is loaded. | ||||
| CVE-2025-66519 | 2 Foxit, Foxitsoftware | 2 Pdf Editor Cloud, Pdfonline | 2025-12-23 | 6.3 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Layer Import functionality. A crafted payload can be injected into the “Create new Layer” field during layer import and is later rendered into the DOM without proper sanitization. As a result, the injected script executes when the Layers panel is accessed. | ||||
| CVE-2025-66520 | 2 Foxit, Foxitsoftware | 2 Pdf Editor Cloud, Pdfonline | 2025-12-23 | 6.3 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in the Portfolio feature of the Foxit PDF Editor cloud (pdfonline.foxit.com). User-supplied SVG files are not properly sanitized or validated before being inserted into the HTML structure. As a result, embedded HTML or JavaScript within a crafted SVG may execute whenever the Portfolio file list is rendered. | ||||
| CVE-2025-66521 | 2 Foxit, Foxitsoftware | 2 Pdf Editor Cloud, Pdfonline | 2025-12-23 | 6.3 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Trusted Certificates feature. A crafted payload can be injected as the certificate name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the Trusted Certificates view is loaded. | ||||
| CVE-2025-66522 | 2 Foxit, Foxitsoftware | 2 Pdf Editor Cloud, Pdfonline | 2025-12-23 | 6.3 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in the Digital IDs functionality of the Foxit PDF Editor Cloud (pdfonline.foxit.com). The application does not properly sanitize or encode the Common Name field of Digital IDs before inserting user-supplied content into the DOM. As a result, embedded HTML or JavaScript may execute whenever the Digital IDs dialog is accessed or when the affected PDF is loaded. | ||||
| CVE-2025-66500 | 2 Foxit, Foxitsoftware | 2 Pdf Editor Cloud, Webplugins | 2025-12-23 | 6.3 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in webplugins.foxit.com. A postMessage handler fails to validate the message origin and directly assigns externalPath to a script source, allowing an attacker to execute arbitrary JavaScript when a crafted postMessage is received. | ||||
| CVE-2025-65540 | 1 Exrick | 1 Xmall | 2025-12-23 | 6.1 Medium |
| Multiple Cross-Site Scripting (XSS) vulnerabilities exist in xmall v1.1 due to improper handling of user-supplied data. User input fields such as username and description are directly rendered into HTML without proper sanitization or encoding, allowing attackers to inject and execute malicious scripts. | ||||
| CVE-2025-65892 | 1 Krpano | 1 Krpano | 2025-12-23 | 6.1 Medium |
| Reflected Cross-Site Scripting (rXSS) in krpano before version 1.23.2 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the victim's browser via a crafted URL to the passQueryParameters function with the xml parameter enabled. | ||||