Total
36252 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-24676 | 2025-05-19 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in umangmetatagg Custom WP Store Locator allows Reflected XSS.This issue affects Custom WP Store Locator: from n/a through 1.4.7. | |||||
| CVE-2024-6533 | 1 Monospace | 1 Directus | 2025-05-19 | N/A | 5.4 MEDIUM |
| Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with CVE-2024-6534, it could result in account takeover. | |||||
| CVE-2024-2692 | 1 B3log | 1 Siyuan | 2025-05-19 | N/A | 9.0 CRITICAL |
| SiYuan version 3.0.3 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to Server Side XSS. | |||||
| CVE-2024-57273 | 2025-05-19 | N/A | 5.4 MEDIUM | ||
| Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds is vulnerable to Cross-site scripting (XSS) in the Automatic Configuration Backup (ACB) service, allowing remote attackers to execute arbitrary JavaScript, delete backups, or leak sensitive information via an unsanitized "reason" field and a derivable device key generated from the public SSH key. | |||||
| CVE-2023-35006 | 1 Ibm | 1 Security Qradar Edr | 2025-05-19 | N/A | 5.4 MEDIUM |
| IBM Security QRadar EDR 3.12 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. | |||||
| CVE-2024-3851 | 1 Pribai | 1 Privategpt | 2025-05-19 | N/A | 5.4 MEDIUM |
| A stored Cross-Site Scripting (XSS) vulnerability exists in the 'imartinez/privategpt' repository due to improper validation of file uploads. Attackers can exploit this vulnerability by uploading malicious HTML files, such as those containing JavaScript payloads, which are then executed in the context of the victim's session when accessed. This could lead to the execution of arbitrary JavaScript code in the context of the user's browser session, potentially resulting in phishing attacks or other malicious actions. The vulnerability affects the latest version of the repository. | |||||
| CVE-2025-47786 | 2025-05-19 | N/A | N/A | ||
| Emlog is an open source website building system. Version 2.5.13 has a stored cross-site scripting vulnerability that allows any registered user to construct malicious JavaScript, inducing all website users to click. In `/admin/comment.php`, the parameter `perpage_num` is not validated and is directly stored in the `admin_commend_perpage_num` field of the `emlog_options` table in the database. Moreover, the output is not filtered, resulting in the direct output of malicious code. As of time of publication, it is unclear if a patch exists. | |||||
| CVE-2024-54779 | 2025-05-19 | N/A | 5.4 MEDIUM | ||
| Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds is vulnerable to Cross Site Scripting (XSS) in widgets/log.widget.php. | |||||
| CVE-2024-45516 | 2025-05-19 | N/A | 6.1 MEDIUM | ||
| An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed <img> tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction. | |||||
| CVE-2023-49272 | 1 Kashipara | 1 Hotel Management | 2025-05-19 | N/A | 5.4 MEDIUM |
| Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. The 'children' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response. | |||||
| CVE-2023-49271 | 1 Kashipara | 1 Hotel Management | 2025-05-19 | N/A | 5.4 MEDIUM |
| Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. The 'check_out_date' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response. | |||||
| CVE-2023-49270 | 1 Kashipara | 1 Hotel Management | 2025-05-19 | N/A | 5.4 MEDIUM |
| Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. The 'check_in_date' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response. | |||||
| CVE-2023-49269 | 1 Gvnpatidar | 1 Hotel Management System | 2025-05-19 | N/A | 5.4 MEDIUM |
| Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. The 'adults' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response. | |||||
| CVE-2024-5286 | 1 Tipsandtricks-hq | 1 Wp Affiliate Platform | 2025-05-19 | N/A | 4.8 MEDIUM |
| The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-5283 | 1 Tipsandtricks-hq | 1 Wp Affiliate Platform | 2025-05-19 | N/A | 6.1 MEDIUM |
| The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-5282 | 1 Tipsandtricks-hq | 1 Wp Affiliate Platform | 2025-05-19 | N/A | 6.1 MEDIUM |
| The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-5281 | 1 Tipsandtricks-hq | 1 Wp Affiliate Platform | 2025-05-19 | N/A | 6.1 MEDIUM |
| The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-3641 | 1 Mndpsingh287 | 1 Newsletter Popup | 2025-05-19 | N/A | 6.1 MEDIUM |
| The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks against admins | |||||
| CVE-2024-3644 | 1 Mndpsingh287 | 1 Newsletter Popup | 2025-05-19 | N/A | 4.8 MEDIUM |
| The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-2968 | 1 Backie | 1 Wp-eggdrop | 2025-05-19 | N/A | 4.4 MEDIUM |
| The WP-Eggdrop plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||