Total
40640 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-40892 | 1 Nozomi Networks | 2 Cmc, Guardian | 2025-12-18 | 8.9 High |
| A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing a JavaScript payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information. | ||||
| CVE-2025-40891 | 1 Nozomi Networks | 2 Cmc, Guardian | 2025-12-18 | 4.7 Medium |
| A Stored HTML Injection vulnerability was discovered in the Time Machine Snapshot Diff functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets at two different times to inject HTML tags into asset attributes across two snapshots. Exploitation requires a victim to use the Time Machine Snapshot Diff feature on those specific snapshots and perform specific GUI actions, at which point the injected HTML renders in their browser, enabling phishing and open redirect attacks. Full XSS exploitation is prevented by input validation and Content Security Policy. Attack complexity is high due to multiple required conditions. | ||||
| CVE-2025-67787 | 1 Drivelock | 1 Operations Center | 2025-12-18 | 9.6 Critical |
| An issue was discovered in 25.1.2 before 25.1.5. A Cross Site Scripting (XSS) issue in DriveLock Operations Center allows for session takeover over a network. | ||||
| CVE-2025-13537 | 2 Livecomposer, Wordpress | 2 Live Composer, Wordpress | 2025-12-18 | 6.4 Medium |
| The Live Composer – Free WordPress Website Builder plugin for WordPress is vulnerable to multiple Stored Cross-Site Scripting vulnerabilities via DOM manipulation in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-13217 | 2 Ultimatemember, Wordpress | 2 Ultimatemember, Wordpress | 2025-12-18 | 6.4 Medium |
| The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping on user-supplied YouTube video URLs in the `um_profile_field_filter_hook__youtube_video()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses the injected user's profile page. | ||||
| CVE-2025-65233 | 1 Slims | 1 Slims 9 Bulian | 2025-12-18 | 6.1 Medium |
| Reflected cross-site scripting (XSS) in SLiMS (slims9_bulian) before 9.6.0 via improper handling of $_SERVER['PHP_SELF' ] in index.php/sysconfig.inc.php, which allows remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted URL path. | ||||
| CVE-2023-53906 | 1 Projectsend | 1 Projectsend | 2025-12-18 | 4.6 Medium |
| projectSend r1605 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript through the custom assets configuration page. Attackers can craft a JavaScript payload in the custom assets section that will execute when other users load the affected page, enabling persistent script injection. | ||||
| CVE-2023-53904 | 1 Xenforo | 1 Xenforo | 2025-12-18 | 4.6 Medium |
| Xenforo 2.2.13 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the smilie category title parameter. Attackers can create a smilie category with a malicious script that will execute when the admin panel is loaded, potentially enabling further client-side attacks. | ||||
| CVE-2023-53931 | 1 Revive-adserver | 1 Revive Adserver | 2025-12-18 | 5.4 Medium |
| Revive Adserver 5.4.1 contains a cross-site scripting vulnerability in the banner advanced configuration page that allows attackers to inject malicious scripts. Attackers can craft a malicious link to the banner-advanced.php endpoint with XSS payloads in prepend and append parameters to execute arbitrary JavaScript when an admin views the page. | ||||
| CVE-2023-53910 | 1 Wbce | 1 Wbce Cms | 2025-12-18 | 5.4 Medium |
| WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by inserting script tags into page content through the WYSIWYG editor. Attackers can submit POST requests to /wbce/modules/wysiwyg/save.php with malicious script content in the content parameter to execute JavaScript when users view the affected page. | ||||
| CVE-2023-53909 | 1 Wbce | 1 Wbce Cms | 2025-12-18 | 5.4 Medium |
| WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by uploading crafted SVG files through the media manager. Attackers can upload SVG files containing script tags to the /wbce/modules/elfinder/ef/php/connector.wbce.php endpoint and execute JavaScript when victims access the uploaded file. | ||||
| CVE-2023-53927 | 1 Phpjabbers | 1 Simple Cms | 2025-12-18 | 8.8 High |
| PHPJabbers Simple CMS 5.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through section name parameters. Attackers can create sections with embedded JavaScript payloads that will execute when administrators view the sections, potentially enabling client-side code execution. | ||||
| CVE-2023-53911 | 1 Textpattern | 1 Textpattern | 2025-12-18 | 4.6 Medium |
| Textpattern CMS 4.8.8 contains a stored cross-site scripting vulnerability in the article excerpt field that allows authenticated users to inject malicious scripts. Attackers can insert JavaScript payloads into the excerpt, which will execute when the article is viewed by other users. | ||||
| CVE-2023-53928 | 1 Php-fusion | 1 Phpfusion | 2025-12-18 | 5.4 Medium |
| PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when viewed, potentially stealing user session information or performing client-side attacks. | ||||
| CVE-2025-12885 | 2 Awsm, Wordpress | 2 Embed Any Document, Wordpress | 2025-12-18 | 6.4 Medium |
| The Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sanitize_pdf_src function regex bypass in all versions up to, and including, 2.7.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-37732 | 1 Elastic | 1 Kibana | 2025-12-18 | 5.4 Medium |
| Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018) bypassing that fix to achieve HTML injection. | ||||
| CVE-2025-65778 | 1 Wekan Project | 1 Wekan | 2025-12-18 | 8.1 High |
| An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Uploaded attachments can be served with attacker-controlled Content-Type (text/html), allowing execution of attacker-supplied HTML/JS in the application's origin and enabling session/token theft and CSRF actions. | ||||
| CVE-2021-28957 | 6 Debian, Fedoraproject, Lxml and 3 more | 7 Debian Linux, Fedora, Lxml and 4 more | 2025-12-17 | 6.1 Medium |
| An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3. | ||||
| CVE-2025-14347 | 1 Proliz Software | 1 Obs | 2025-12-17 | 6.3 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Proliz Software Ltd. OBS (Student Affairs Information System)0 allows Reflected XSS.This issue affects OBS (Student Affairs Information System)0: before 26.5009. | ||||
| CVE-2025-13977 | 3 Elementor, Wordpress, Wpdevteam | 3 Elementor, Wordpress, Essential Addons For Elementor | 2025-12-17 | 6.4 Medium |
| The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple attack vectors in all versions up to, and including, 6.5.3. This is due to insufficient input sanitization and output escaping in the Event Calendar widget's custom attributes handling and the Image Masking module's element ID rendering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||