Total
37815 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-39648 | 1 Themewinter | 1 Eventin | 2025-08-11 | N/A | 5.9 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themewinter Eventin allows Stored XSS.This issue affects Eventin: from n/a through 4.0.5. | |||||
| CVE-2024-12047 | 1 Wpcompress | 1 Wp Compress | 2025-08-11 | N/A | 6.1 MEDIUM |
| The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘custom_server’ parameter in all versions up to, and including, 6.30.03 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2025-51531 | 2025-08-11 | N/A | 6.1 MEDIUM | ||
| A reflected cross-site scripting (XSS) vulnerability in Sage DPW 2024_12_004 and earlier allows attackers to execute arbitrary JavaScript in the context of a victim's browser via injecting a crafted payload into the tabfields parameter at /dpw/scripts/cgiip.exe/WService. The vendor has stated that the issue is fixed in 2025_06_000, released in June 2025. | |||||
| CVE-2024-27499 | 1 Webkul | 1 Bagisto | 2025-08-11 | N/A | 6.5 MEDIUM |
| Bagisto v1.5.1 is vulnerable for Cross site scripting(XSS) via png file upload vulnerability in product review option. | |||||
| CVE-2024-47384 | 1 Wpcompress | 1 Wp Compress | 2025-08-11 | N/A | 7.1 HIGH |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Compress WP Compress – Image Optimizer [All-In-One] allows Reflected XSS.This issue affects WP Compress – Image Optimizer [All-In-One]: from n/a through 6.20.13. | |||||
| CVE-2025-26530 | 1 Moodle | 1 Moodle | 2025-08-11 | N/A | 8.3 HIGH |
| The question bank filter required additional sanitizing to prevent a reflected XSS risk. | |||||
| CVE-2025-54395 | 1 Netwrix | 1 Directory Manager | 2025-08-11 | N/A | 6.1 MEDIUM |
| Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows XSS for authentication configuration data. | |||||
| CVE-2025-54392 | 1 Netwrix | 1 Directory Manager | 2025-08-11 | N/A | 6.1 MEDIUM |
| Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows XSS for authentication error data, a different vulnerability than CVE-2025-47189. | |||||
| CVE-2023-41529 | 1 Kishan0725 | 1 Hospital Management System | 2025-08-11 | N/A | 6.1 MEDIUM |
| Hospital Management System v4 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in func2.php via the fname and lname parameters. | |||||
| CVE-2024-9595 | 1 Tablepress | 1 Tablepress | 2025-08-09 | N/A | 6.4 MEDIUM |
| The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the table cell content in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2020-9322 | 2025-08-08 | N/A | 8.8 HIGH | ||
| The /users endpoint in Statamic Core before 2.11.8 allows XSS to add an administrator user. This can be exploited via CSRF. Stored XSS can occur via a JavaScript payload in a username during account registration. Reflected XSS can occur via the /users PATH_INFO. | |||||
| CVE-2025-4576 | 2025-08-08 | N/A | N/A | ||
| A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.133, and Liferay DXP 2025.Q1.0 through 2025.Q1.4 ,2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the modules/apps/blogs/blogs-web/src/main/resources/META-INF/resources/blogs/entry_cover_image_caption.jsp | |||||
| CVE-2025-50927 | 2025-08-08 | N/A | 6.3 MEDIUM | ||
| A reflected cross-site scripting (XSS) vulnerability in the List All FTP User Function in EHCP v20.04.1.b allows authenticated attackers to execute arbitrary JavaScript via injecting a crafted payload into the ftpusername parameter. | |||||
| CVE-2025-2808 | 1 Stylemixthemes | 1 Motors - Car Dealer\, Classifieds \& Listing | 2025-08-08 | N/A | 5.4 MEDIUM |
| The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Phone Number parameter in all versions up to, and including, 1.4.63 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-26528 | 1 Moodle | 1 Moodle | 2025-08-08 | N/A | 3.4 LOW |
| The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk. | |||||
| CVE-2025-26529 | 1 Moodle | 1 Moodle | 2025-08-08 | N/A | 8.3 HIGH |
| Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk. | |||||
| CVE-2025-0719 | 1 Ibm | 1 Cloud Pak For Data | 2025-08-08 | N/A | 6.1 MEDIUM |
| IBM Cloud Pak for Data 4.0.0 through 4.8.5 and 5.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2025-2685 | 1 Tablepress | 1 Tablepress | 2025-08-08 | N/A | 6.4 MEDIUM |
| The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘table-name’ parameter in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-42034 | 1 Visualware | 1 Myconnection Server | 2025-08-08 | N/A | 8.8 HIGH |
| Visualware MyConnection Server doRTAAccessCTConfig Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Visualware MyConnection Server. Minimal user interaction is required to exploit this vulnerability. The specific flaw exists within the doRTAAccessCTConfig method. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-21613. | |||||
| CVE-2025-2254 | 1 Gitlab | 1 Gitlab | 2025-08-08 | N/A | 8.7 HIGH |
| An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Improper output encoding in the snipper viewer functionality lead to Cross-Site scripting attacks. | |||||