Total
40657 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-14284 | 1 Tiptap | 2 Extension-link, Tiptap | 2025-12-11 | 6.1 Medium |
| Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload into these attributes, which is then triggered either by user interaction. | ||||
| CVE-2022-36548 | 1 Hashenudara | 1 Edoc-doctor-appointment-system | 2025-12-11 | 5.4 Medium |
| Edoc-doctor-appointment-system v1.0.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability at /patient/settings.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name text field. | ||||
| CVE-2025-14200 | 1 Alokjaiswal | 1 Hotel-management-services-using-mysql-and-php | 2025-12-11 | 3.5 Low |
| A vulnerability has been found in alokjaiswal Hotel-Management-services-using-MYSQL-and-php up to 5f8b60a7aa6c06a5632de569d4e3f6a8cd82f76f. Affected is an unknown function of the file /usersub.php of the component Request Pending Page. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-65229 | 1 Lyrion | 2 Lyrion Music Server, Music Server | 2025-12-11 | 4.6 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in the web interface of Lyrion Music Server <= 9.0.3. An authenticated user with access to Settings Player can save arbitrary HTML/JavaScript in the Player name field. That value is stored by the server and later rendered without proper output encoding on the Information (Player Info) tab, causing the script to execute in the context of any user viewing that page. | ||||
| CVE-2025-65228 | 1 Rvr | 2 Tlk302t, Tlk302t Firmware | 2025-12-11 | 3.5 Low |
| A stored cross-site scripting vulnerability exists in the web management interface of the R.V.R. Elettronica TLK302T telemetry controller (firmware 1.5.1799). | ||||
| CVE-2025-66469 | 2 Nicegui, Zauberzeug | 2 Nicegui, Nicegui | 2025-12-11 | 6.1 Medium |
| NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended <style> or <script> tags by injecting closing tags (e.g., </style> or </script>), allowing for the execution of arbitrary JavaScript. This issue is fixed in version 3.4.0. | ||||
| CVE-2025-62210 | 1 Microsoft | 2 365, Dynamics 365 | 2025-12-11 | 8.7 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Field Service (online) allows an authorized attacker to perform spoofing over a network. | ||||
| CVE-2025-62211 | 1 Microsoft | 2 365, Dynamics 365 | 2025-12-11 | 8.7 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Field Service (online) allows an authorized attacker to perform spoofing over a network. | ||||
| CVE-2025-62459 | 1 Microsoft | 1 365 Defender Portal | 2025-12-11 | 8.3 High |
| Microsoft Defender Portal Spoofing Vulnerability | ||||
| CVE-2025-67549 | 2 Bobbingwide, Wordpress | 2 Oik, Wordpress | 2025-12-11 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik oik allows DOM-Based XSS.This issue affects oik: from n/a through <= 4.15.3. | ||||
| CVE-2025-12635 | 1 Ibm | 1 Websphere Application Server | 2025-12-11 | 5.4 Medium |
| IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.12 are affected by cross-site scripting due to improper validation of user-supplied input. An attacker could exploit this vulnerability by using a specially crafted URL to redirect the user to a malicious site. | ||||
| CVE-2025-67557 | 2 Rhys Wynne, Wordpress | 2 Wp Ebay Product Feeds, Wordpress | 2025-12-10 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rhys Wynne WP eBay Product Feeds ebay-feeds-for-wordpress allows Stored XSS.This issue affects WP eBay Product Feeds: from n/a through <= 3.4.9. | ||||
| CVE-2025-67556 | 1 Wordpress | 1 Wordpress | 2025-12-10 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHigh Advanced FAQ Manager advanced-faq-manager allows Stored XSS.This issue affects Advanced FAQ Manager: from n/a through <= 1.5.2. | ||||
| CVE-2025-67555 | 1 Wordpress | 1 Wordpress | 2025-12-10 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in useStrict UseStrict's Calendly Embedder cal-embedder-lite allows Stored XSS.This issue affects UseStrict's Calendly Embedder: from n/a through <= 1.1.7.2. | ||||
| CVE-2025-67554 | 2 Hu-manity, Wordpress | 2 Cookie Notice & Compliance For Gdpr / Ccpa, Wordpress | 2025-12-10 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Humanityco Cookie Notice & Compliance for GDPR / CCPA cookie-notice allows Stored XSS.This issue affects Cookie Notice & Compliance for GDPR / CCPA: from n/a through <= 2.5.8. | ||||
| CVE-2025-67553 | 1 Wordpress | 1 Wordpress | 2025-12-10 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHigh Advanced FAQ Manager advanced-faq-manager allows DOM-Based XSS.This issue affects Advanced FAQ Manager: from n/a through <= 1.5.2. | ||||
| CVE-2025-67552 | 1 Wordpress | 1 Wordpress | 2025-12-10 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WalkerWP Walker Core walker-core allows DOM-Based XSS.This issue affects Walker Core: from n/a through <= 1.3.17. | ||||
| CVE-2025-67551 | 1 Wordpress | 1 Wordpress | 2025-12-10 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wappointment team Wappointment wappointment allows Stored XSS.This issue affects Wappointment: from n/a through <= 2.6.9. | ||||
| CVE-2025-67550 | 1 Wordpress | 1 Wordpress | 2025-12-10 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rhewlif Donation Thermometer donation-thermometer allows Stored XSS.This issue affects Donation Thermometer: from n/a through <= 2.2.6. | ||||
| CVE-2025-67545 | 1 Wordpress | 1 Wordpress | 2025-12-10 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FirePlugins FireBox firebox allows Stored XSS.This issue affects FireBox: from n/a through <= 3.1.0-free. | ||||