Total
40531 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-53897 | 2025-12-16 | 4.6 Medium | ||
| Rukovoditel 3.4.1 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert XSS payloads in project task comments to execute arbitrary JavaScript in victim browsers. | ||||
| CVE-2024-28165 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-12-16 | 8.1 High |
| SAP Business Objects Business Intelligence Platform is vulnerable to stored XSS allowing an attacker to manipulate a parameter in the Opendocument URL which could lead to high impact on Confidentiality and Integrity of the application | ||||
| CVE-2024-31488 | 1 Fortinet | 1 Fortinac | 2025-12-16 | 6.1 Medium |
| An improper neutralization of inputs during web page generation vulnerability [CWE-79] in FortiNAC version 9.4.0 through 9.4.4, 9.2.0 through 9.2.8, 9.1.0 through 9.1.10, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 7.2.0 through 7.2.3 may allow a remote authenticated attacker to perform stored and reflected cross site scripting (XSS) attack via crafted HTTP requests. | ||||
| CVE-2024-31156 | 1 F5 | 22 Big-ip, Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager and 19 more | 2025-12-16 | 8 High |
| A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
| CVE-2025-68116 | 2025-12-16 | 8.9 High | ||
| FileRise is a self-hosted web file manager / WebDAV server. Versions prior to 2.7.1 are vulnerable to Stored Cross-Site Scripting (XSS) due to unsafe handling of browser-renderable user uploads when served through the sharing and download endpoints. An attacker who can get a crafted SVG (primary) or HTML (secondary) file stored in a FileRise instance can cause JavaScript execution when a victim opens a generated share link (and in some cases via the direct download endpoint). This impacts share links (`/api/file/share.php`) and direct file access / download path (`/api/file/download.php`), depending on browser/content-type behavior. Version 2.7.1 fixes the issue. | ||||
| CVE-2025-59935 | 2025-12-16 | 6.5 Medium | ||
| GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch. | ||||
| CVE-2025-45805 | 1 Phpgurukul | 1 Doctor Appointment Management System | 2025-12-16 | 7.6 High |
| In phpgurukul Doctor Appointment Management System 1.0, an authenticated doctor user can inject arbitrary JavaScript code into their profile name. This payload is subsequently rendered without proper sanitization, when a user visits the website and selects the doctor to book an appointment. | ||||
| CVE-2023-53870 | 1 Jorani | 1 Jorani | 2025-12-16 | N/A |
| Jorani 1.0.3 contains a reflected cross-site scripting vulnerability in the language parameter that allows attackers to inject malicious scripts. Attackers can craft XSS payloads in the language parameter to execute arbitrary JavaScript and potentially steal user session information. | ||||
| CVE-2023-53880 | 1 Lucee | 1 Lucee Server | 2025-12-16 | N/A |
| Lucee 5.4.2.17 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through administrative interface parameters. Attackers can craft specific payloads targeting admin pages like server.cfm and web.cfm to execute arbitrary JavaScript in victim's browser sessions. | ||||
| CVE-2023-53891 | 1 Blackcat-cms | 1 Blackcat Cms | 2025-12-16 | N/A |
| Blackcat CMS 1.4 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into page content. Attackers can insert JavaScript payloads in the page modification interface that execute when other users view the compromised page. | ||||
| CVE-2023-53884 | 1 Webedition | 1 Webedition Cms | 2025-12-16 | N/A |
| Webedition CMS v2.9.8.8 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the media upload feature to inject and execute arbitrary scripts when the file is viewed by other users. | ||||
| CVE-2023-53887 | 1 Zomplog | 1 Zomplog | 2025-12-16 | N/A |
| Zomplog 3.9 contains a cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating new pages. Attackers can craft malicious image source and onerror attributes to execute arbitrary JavaScript code in victim's browser. | ||||
| CVE-2025-68115 | 1 Parse Community | 1 Parse Server | 2025-12-16 | N/A |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available in versions 8.6.1 and 9.1.0-alpha.3, escapes user controlled values that are inserted into the HTML pages. No known workarounds are available. | ||||
| CVE-2025-68078 | 2 Themenectar, Wordpress | 2 Salient Core, Wordpress | 2025-12-16 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNectar Salient Portfolio salient-portfolio allows Stored XSS.This issue affects Salient Portfolio: from n/a through <= 1.8.2. | ||||
| CVE-2025-67951 | 2 Wordpress, Wpzoom | 2 Wordpress, Wpzoom Addons For Elementor | 2025-12-16 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM WPZOOM Addons for Elementor wpzoom-elementor-addons allows DOM-Based XSS.This issue affects WPZOOM Addons for Elementor: from n/a through <= 1.2.10. | ||||
| CVE-2025-67986 | 1 Wordpress | 1 Wordpress | 2025-12-16 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows DOM-Based XSS.This issue affects Document Library Lite: from n/a through <= 1.1.7. | ||||
| CVE-2025-68079 | 2 Themenectar, Wordpress | 2 Salient Core, Wordpress | 2025-12-16 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNectar Salient Shortcodes salient-shortcodes allows Stored XSS.This issue affects Salient Shortcodes: from n/a through <= 1.5.4. | ||||
| CVE-2025-11220 | 2 Elementor, Wordpress | 2 Elementor, Wordpress | 2025-12-16 | 6.4 Medium |
| The Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Text Path widget in all versions up to, and including, 3.33.3 due to insufficient neutralization of user-supplied input used to build SVG markup inside the widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-67912 | 1 Wordpress | 1 Wordpress | 2025-12-16 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gal Dubinski Stars Testimonials stars-testimonials-with-slider-and-masonry-grid allows Stored XSS.This issue affects Stars Testimonials: from n/a through <= 3.3.4. | ||||
| CVE-2025-68076 | 2 Select-themes, Wordpress | 2 Stockholm Core, Wordpress | 2025-12-16 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Select-Themes Stockholm Core stockholm-core allows Stored XSS.This issue affects Stockholm Core: from n/a through <= 2.4.6. | ||||