Total
36252 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-43968 | 1 Concretecms | 1 Concrete Cms | 2025-05-13 | N/A | 6.1 MEDIUM |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | |||||
| CVE-2022-43967 | 1 Concretecms | 1 Concrete Cms | 2025-05-13 | N/A | 6.1 MEDIUM |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | |||||
| CVE-2022-43695 | 1 Concretecms | 1 Concrete Cms | 2025-05-13 | N/A | 4.8 MEDIUM |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | |||||
| CVE-2022-2574 | 1 Mekshq | 1 Meks Easy Social Share | 2025-05-13 | N/A | 4.8 MEDIUM |
| The Meks Easy Social Share WordPress plugin before 1.2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2022-2563 | 1 Themeum | 1 Tutor Lms | 2025-05-13 | N/A | 4.8 MEDIUM |
| The Tutor LMS WordPress plugin before 2.0.10 does not escape some course parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2022-2527 | 1 Gitlab | 1 Gitlab | 2025-05-13 | N/A | 7.3 HIGH |
| An issue in Incident Timelines has been discovered in GitLab CE/EE affecting all versions starting from 14.9 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2.which allowed an authenticated attacker to inject arbitrary content. A victim interacting with this content could lead to arbitrary requests. | |||||
| CVE-2022-2428 | 1 Gitlab | 1 Gitlab | 2025-05-13 | N/A | 6.4 MEDIUM |
| A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2 allows an attacker to issue arbitrary HTTP requests | |||||
| CVE-2024-13124 | 1 10web | 1 Photo Gallery | 2025-05-13 | N/A | 3.5 LOW |
| The Photo Gallery by 10Web WordPress plugin before 1.8.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-30009 | 2025-05-13 | N/A | 6.1 MEDIUM | ||
| he Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim�s browser. This vulnerability has low impact on confidentiality and integrity within the scope of that victim�s browser, with no effect on availability of the application | |||||
| CVE-2025-46825 | 2025-05-13 | N/A | N/A | ||
| Kanboard is project management software that focuses on the Kanban methodology. Versions 1.2.26 through 1.2.44 have a Stored Cross-Site Scripting (XSS) Vulnerability in the `name` parameter of the `http://localhost/?controller=ProjectCreationController&action=create` form. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users. Note that the default content security policy (CSP) blocks the JavaScript attack, though it can be exploited if an instance is badly configured and the software is vulnerable to CSS injection because of the unsafe-inline on the default CSP. Version 1.2.45 contains a fix for the issue. | |||||
| CVE-2025-26662 | 2025-05-13 | N/A | 4.4 MEDIUM | ||
| The Data Services Management Console does not sufficiently encode user-controlled inputs, allowing an attacker to inject malicious script. When a targeted victim, who is already logged in, clicks on the compromised link, the injected script gets executed within the scope of victim�s browser. This potentially leads to an impact on confidentiality and integrity. Availability is not impacted. | |||||
| CVE-2025-22249 | 2025-05-13 | N/A | 8.2 HIGH | ||
| VMware Aria automation contains a DOM based Cross-Site Scripting (XSS) vulnerability. A malicious actor may exploit this issue to steal the access token of a logged in user of VMware Aria automation appliance by tricking the user into clicking a malicious crafted payload URL. | |||||
| CVE-2024-51446 | 2025-05-13 | N/A | 6.5 MEDIUM | ||
| A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.4). The file upload feature of the affected application improperly sanitizes xml files. This could allow an authenticated remote attacker to conduct a stored cross-site scripting attack by uploading specially crafted xml files that are later downloaded and viewed by other users of the application. | |||||
| CVE-2025-43006 | 2025-05-13 | N/A | 6.1 MEDIUM | ||
| SAP Supplier Relationship Management (Master Data Management Catalogue) allows an unauthenticated attacker to execute malicious scripts in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the application, but it can have some minor impact on its confidentiality and integrity. | |||||
| CVE-2025-4647 | 2025-05-13 | N/A | 8.4 HIGH | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon web allows Reflected XSS. A user with elevated privileges can bypass sanitization measures by replacing the content of an existing SVG. This issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29. | |||||
| CVE-2024-57097 | 1 Classcms | 1 Classcms | 2025-05-13 | N/A | 4.8 MEDIUM |
| ClassCMS 4.8 is vulnerable to Cross Site Scripting (XSS) in class/admin/channel.php. | |||||
| CVE-2024-13328 | 1 Tanng | 1 Giga Messenger | 2025-05-13 | N/A | 6.1 MEDIUM |
| The Giga Messenger WordPress plugin through 2.3.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-13330 | 1 Canaveralstudio | 1 Justrows Free | 2025-05-13 | N/A | 7.1 HIGH |
| The JustRows free WordPress plugin through 0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-13331 | 1 Neoloki | 1 Wp Dream Carousel | 2025-05-13 | N/A | 6.1 MEDIUM |
| The WP Dream Carousel WordPress plugin through 1.0.1b does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2025-24966 | 1 Yogeshojha | 1 Rengine | 2025-05-13 | N/A | 5.4 MEDIUM |
| reNgine is an automated reconnaissance framework for web applications. HTML Injection occurs when an application improperly validates or sanitizes user inputs, allowing attackers to inject arbitrary HTML code. In this scenario, the vulnerability exists in the "Add Target" functionality of the application, where the Target Organization and Target Description fields accept HTML payloads. The injected HTML is rendered and executed in the target area, potentially leading to malicious actions. Exploitation of HTML Injection can compromise the application's integrity and user trust. Attackers can execute unauthorized actions, steal sensitive information, or trick users into performing harmful actions. The organization's reputation, customer trust, and regulatory compliance could be negatively affected. This issue affects all versions up to and including 2.2.0. Users are advised to monitor the project for future releases which address this issue. There are no known workarounds. | |||||