Total
37076 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3252 | 1 Xujiangfei | 1 Admintwo | 2025-04-23 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability has been found in xujiangfei admintwo 1.0 and classified as problematic. This vulnerability affects unknown code of the file /resource/add. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-37859 | 1 Oretnom23 | 1 Lost And Found Information System | 2025-04-23 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the page parameter to php-lfis/admin/index.php. | |||||
| CVE-2025-3253 | 1 Xujiangfei | 1 Admintwo | 2025-04-23 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in xujiangfei admintwo 1.0 and classified as problematic. This issue affects some unknown processing of the file /ztree/insertTree. The manipulation of the argument Name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-24050 | 1 Remyandrade | 1 Workout Journal App | 2025-04-23 | N/A | 4.7 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Sourcecodester Workout Journal App 1.0 allows attackers to run arbitrary code via parameters firstname and lastname in /add-user.php. | |||||
| CVE-2022-45758 | 1 Sens Project | 1 Sens | 2025-04-23 | N/A | 5.4 MEDIUM |
| SENS v1.0 is vulnerable to Cross Site Scripting (XSS) via com.liuyanzhao.sens.web.controller.admin, getRegister. | |||||
| CVE-2022-45008 | 1 Online Leave Management System Project | 1 Online Leave Management System | 2025-04-23 | N/A | 4.8 MEDIUM |
| Online Leave Management System v1.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /leave_system/admin/?page=maintenance/department. This vulnerability allows attackers to execute arbitrary web scripts or HTML via crafted payload injected into the Name field under the Create New module. | |||||
| CVE-2022-44637 | 1 Redmine | 1 Redmine | 2025-04-23 | N/A | 6.1 MEDIUM |
| Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in its Textile formatter due to improper sanitization in Redcloth3 Textile-formatted fields. Depending on the configuration, this may require login as a registered user. | |||||
| CVE-2022-43668 | 1 Typora | 1 Typora | 2025-04-23 | N/A | 6.1 MEDIUM |
| Typora versions prior to 1.4.4 fails to properly neutralize JavaScript code, which may result in executing JavaScript code contained in the file when opening a file with the affected product. | |||||
| CVE-2025-43952 | 2025-04-23 | N/A | 6.1 MEDIUM | ||
| A cross-site scripting (reflected XSS) vulnerability was found in Mettler Toledo FreeWeight.Net Web Reports Viewer 8.4.0 (440). It allows an attacker to inject malicious scripts via the IW_SessionID_ parameter. | |||||
| CVE-2025-26159 | 2025-04-23 | N/A | 6.1 MEDIUM | ||
| Laravel Starter 11.11.0 is vulnerable to Cross Site Scripting (XSS) in the tags feature. Any user with the ability of create or modify tags can inject malicious JavaScript code in the name field. | |||||
| CVE-2025-3814 | 2025-04-23 | N/A | 6.4 MEDIUM | ||
| The Tax Switch for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class-name’ parameter in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-53569 | 2025-04-23 | N/A | 5.4 MEDIUM | ||
| A stored cross-site scripting (XSS) vulnerability in the New Goal Creation section of Volmarg Personal Management System v1.4.65 allows authenticated attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the description parameter. | |||||
| CVE-2025-23175 | 2025-04-23 | N/A | 6.1 MEDIUM | ||
| Multiple XSS (CWE-79) | |||||
| CVE-2025-1054 | 2025-04-23 | N/A | 6.4 MEDIUM | ||
| The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the UI Counter, UI Icon Box, UI Testimonial Slider, UI Testimonial Grid, and UI Testimonial Carousel widgets in all versions up to, and including, 1.0.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-12863 | 2025-04-23 | N/A | N/A | ||
| Stored XSS in Discussions in OpenText Content Management CE 20.2 to 25.1 on Windows and Linux allows authenticated malicious users to inject code into the system. | |||||
| CVE-2025-2839 | 2025-04-23 | N/A | 6.4 MEDIUM | ||
| The WP Import Export Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpiePreviewData’ function in all versions up to, and including, 3.9.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-32960 | 2025-04-23 | N/A | 6.4 MEDIUM | ||
| The CUBA REST API add-on performs operations on data and entities. Prior to version 7.2.7, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in version 7.2.7. A workaround is provided on the Jmix documentation website. | |||||
| CVE-2025-32961 | 2025-04-23 | N/A | 6.4 MEDIUM | ||
| The Cuba JPA web API enables loading and saving any entities defined in the application data model by sending simple HTTP requests. Prior to version 1.1.1, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in version 1.1.1. A workaround is provided on the Jmix documentation website. | |||||
| CVE-2023-51306 | 1 Phpjabbers | 1 Event Ticketing System | 2025-04-23 | N/A | 5.4 MEDIUM |
| PHPJabbers Event Ticketing System v1.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) in the "name, title" parameters. | |||||
| CVE-2023-51312 | 1 Phpjabbers | 1 Restaurant Booking System | 2025-04-23 | N/A | 5.4 MEDIUM |
| PHPJabbers Restaurant Booking System v3.0 is vulnerable to Reflected Cross-Site Scripting (XSS) in Reservations menu, Schedule section date parameter. | |||||