Total
40722 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12670 | 1 Wordpress | 1 Wordpress | 2025-12-01 | 6.4 Medium |
| The wp-twitpic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'twitpic' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-5540 | 1 Carrier | 2 Automatedlogic Webctrl, I-vu | 2025-12-01 | N/A |
| The reflective cross-site scripting vulnerability found in ALC WebCTRL and Carrier i-Vu in versions older than 8.0 affects login panels allowing a malicious actor to compromise the client browser . | ||||
| CVE-2025-30190 | 1 Open-xchange | 1 Ox App Suite | 2025-12-01 | 5.4 Medium |
| Malicious content at office documents can be used to inject script code when editing a document. Unintended actions can be executed in the context of the users account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known | ||||
| CVE-2025-12713 | 1 Wordpress | 1 Wordpress | 2025-12-01 | 6.4 Medium |
| The Soundslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the soundslides shortcode in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12649 | 1 Wordpress | 1 Wordpress | 2025-12-01 | 6.4 Medium |
| The SortTable Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in the sorttablepost shortcode in all versions up to, and including, 4.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via mouse interaction. | ||||
| CVE-2025-30186 | 1 Open-xchange | 1 Ox App Suite | 2025-12-01 | 5.4 Medium |
| Malicious content uploaded as file can be used to execute script code when following attacker-controlled links. Unintended actions can be executed in the context of the users account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known | ||||
| CVE-2025-66036 | 1 Retro Project | 1 Retro | 2025-12-01 | 6.1 Medium |
| Retro is an online platform providing items of vintage collections. Prior to version 2.4.7, Retro is vulnerable to a cross-site scripting (XSS) in the input handling component. This issue has been patched in version 2.4.7. | ||||
| CVE-2025-64730 | 1 Sony | 2 Snc-cx600w, Snc-cx600w Firmware | 2025-12-01 | 6.1 Medium |
| Cross-site scripting vulnerability exists in SNC-CX600W all versions. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the product. | ||||
| CVE-2025-66420 | 2025-12-01 | 5.4 Medium | ||
| Tryton sao (aka tryton-sao) before 7.6.9 allows XSS via an HTML attachment. This is fixed in 7.6.9, 7.4.19, 7.0.38, and 6.0.67. | ||||
| CVE-2025-66421 | 2025-12-01 | 5.4 Medium | ||
| Tryton sao (aka tryton-sao) before 7.6.11 allows XSS because it does not escape completion values. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.69. | ||||
| CVE-2025-41070 | 2025-12-01 | N/A | ||
| Reflected Cross-site Scripting (XSS) vulnerability in Sanoma's Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL in '/students/carpetes_varies.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | ||||
| CVE-2025-45778 | 1 Languagesloth | 1 The Language Sloth | 2025-12-01 | 6.1 Medium |
| A stored cross-site scripting (XSS) vulnerability in The Language Sloth Web Application v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Description text field. | ||||
| CVE-2024-22048 | 1 Gov.uk | 1 Govuk Tech Docs | 2025-11-29 | 6.1 Medium |
| govuk_tech_docs versions from 2.0.2 to before 3.3.1 are vulnerable to a cross-site scripting vulnerability. Malicious JavaScript may be executed in the user's browser if a malicious search result is displayed on the search page. | ||||
| CVE-2025-34032 | 1 Geoffrowland | 1 Jmol | 2025-11-29 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the data parameter in jsmol.php. The application fails to properly sanitize user input before embedding it into the HTTP response, allowing an attacker to execute arbitrary JavaScript in the victim's browser by crafting a malicious link. This can be used to hijack user sessions or manipulate page content. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC. | ||||
| CVE-2024-9440 | 2 Brian Voelker, Slimselectjs | 2 Slim Select, Slim Select | 2025-11-29 | 5.4 Medium |
| Slim Select 2.0 versions through 2.9.0 are affected by a potential cross-site scripting vulnerability. In select.ts:createOption(), the text variable from the user-provided Options object is assigned to an innerHTML without sanitation. Software that depends on this library to dynamically generate lists using unsanitized user-provided input may be vulnerable to cross-site scripting, resulting in attacker executed JavaScript. At this time, no patch is available. | ||||
| CVE-2024-0758 | 1 Ipb-halle | 1 Molecularfaces | 2025-11-28 | 6.1 Medium |
| MolecularFaces before 0.3.0 is vulnerable to cross site scripting. A remote attacker can execute arbitrary JavaScript in the context of a victim browser via crafted molfiles. | ||||
| CVE-2025-66093 | 2 Hupe13, Wordpress | 2 Extensions For Leaflet Map, Wordpress | 2025-11-28 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hupe13 Extensions for Leaflet Map extensions-leaflet-map allows DOM-Based XSS.This issue affects Extensions for Leaflet Map: from n/a through <= 4.8. | ||||
| CVE-2025-66092 | 1 Wordpress | 1 Wordpress | 2025-11-28 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bqworks Accordion Slider accordion-slider allows Stored XSS.This issue affects Accordion Slider: from n/a through <= 1.9.13. | ||||
| CVE-2024-11831 | 1 Redhat | 34 Acm, Advanced Cluster Security, Ansible Automation Platform and 31 more | 2025-11-28 | 5.4 Medium |
| A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package. | ||||
| CVE-2025-34253 | 2 D-link, Dlink | 2 Nuclias Connect, Nuclias Connect | 2025-11-28 | 5.4 Medium |
| D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain a stored cross-site scripting (XSS) vulnerability due to improper sanitization of the 'Network' field when editing the configuration, creating a profile, and adding a network. An authenticated attacker can inject arbitrary JavaScript to be executed in the context of other users viewing the profile entry. NOTE: D-Link states that a fix is under development. | ||||