Search Results (44002 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-20533 | 1 Cisco | 46 Desk Phone 9841, Desk Phone 9841 With Multiplatform Firmware, Desk Phone 9851 and 43 more | 2026-01-05 | 4.8 Medium |
| A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users. This vulnerability exists because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Note: To exploit this vulnerability, Web Access must be enabled on the phone and the attacker must have Admin credentials on the device. Web Access is disabled by default. | ||||
| CVE-2025-65233 | 2 Slims, Slims Project | 2 Slims 9 Bulian, Slims | 2026-01-05 | 6.1 Medium |
| Reflected cross-site scripting (XSS) in SLiMS (slims9_bulian) before 9.6.0 via improper handling of $_SERVER['PHP_SELF'] in index.php/sysconfig.inc.php, which allows remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted URL path. | ||||
| CVE-2018-25138 | 1 Flir | 2 Flir Ax8, Flir Ax8 Firmware | 2026-01-05 | 9.8 Critical |
| FLIR AX8 Thermal Camera 1.32.16 contains hard-coded SSH and web panel credentials that cannot be changed through normal camera operations. Attackers can exploit these persistent credentials to gain unauthorized shell access and login to multiple camera interfaces using predefined username and password combinations. | ||||
| CVE-2025-15355 | 1 Netvision | 1 Isoinsight | 2026-01-05 | 6.1 Medium |
| ISOinsight, developed by NetVision Information, has a reflected cross-site scripting vulnerability that allows unauthenticated remote attackers to execute arbitrary JavaScript code in a user's browser through phishing attacks. | ||||
| CVE-2021-47744 | 2 Cypress, Linux | 3 Ctm-200, Ctm-one, Linux | 2026-01-05 | 7.5 High |
| Cypress Solutions CTM-200/CTM-ONE 1.3.6 contains a hard-coded credentials vulnerability in its Linux distribution that exposes root access. Attackers can exploit the static 'Chameleon' password to gain remote root access via Telnet or SSH on affected devices. | ||||
| CVE-2025-15371 | 1 Tenda | 7 4g03 Pro, 4g05, 4g08 and 4 more | 2026-01-05 | 7.8 High |
| A vulnerability has been found in Tenda i24, 4G03 Pro, 4G05, 4G08, G0-8G-PoE, Nova MW5G and TEG5328F up to 65.10.15.6. Affected is an unknown function of the component Shadow File. Such manipulation with the input Fireitup leads to hard-coded credentials. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2021-47725 | 1 Stvs | 1 Provision | 2026-01-05 | 5.4 Medium |
| STVS ProVision 5.9.10 contains a cross-site scripting vulnerability in the 'files' POST parameter that allows authenticated attackers to inject arbitrary HTML code. Attackers can exploit the unvalidated input to execute malicious scripts within a user's browser session in the context of the affected site. | ||||
| CVE-2021-47743 | 1 Commax | 1 Biometric Access Control System | 2026-01-05 | 6.1 Medium |
| COMMAX Biometric Access Control System 1.0.0 contains an unauthenticated reflected cross-site scripting vulnerability in cookie parameters 'CMX_ADMIN_NM' and 'CMX_COMPLEX_NM'. Attackers can inject malicious HTML and JavaScript code into these cookie values to execute arbitrary scripts in a victim's browser session. | ||||
| CVE-2022-50801 | | | 2026-01-02 | 4.3 Medium |
| JM-DATA ONU JF511-TV version 1.0.67 is vulnerable to authenticated stored cross-site scripting (XSS) attacks, allowing attackers with authenticated access to inject malicious scripts that will be executed in other users' browsers when they view the affected content. | ||||
| CVE-2024-6797 | 2 Dyadyalesha, Wordpress | 2 Dl Robots.txt, Wordpress | 2026-01-02 | 4.8 Medium |
| The DL Robots.txt WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2025-64778 | 2 Mirion, Mirion Medical | 2 Biodose/nmis, Nmis Biodose | 2026-01-02 | 7.3 High |
| NMIS/BioDose software V22.02 and previous versions contain executable binaries with plain text hard-coded passwords. These hard-coded passwords could allow unauthorized access to both the application and database. | ||||
| CVE-2025-65237 | 2 Opencode, Opencode Systems | 2 Ussd Gateway, Ussd Gateway | 2026-01-02 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability in OpenCode Systems USSD Gateway OC Release: 5 allows attackers to execute arbitrary JavaScript in the context of a user's browser by injecting a crafted payload. | ||||
| CVE-2025-35034 | 2 Medical Informatics Engineering, Mieweb | 2 Enterprise Health, Enterprise Health | 2026-01-02 | 4.3 Medium |
| Medical Informatics Engineering Enterprise Health has a reflected cross site scripting vulnerability in the 'portlet_user_id' URL parameter. A remote, unauthenticated attacker can craft a URL that can execute arbitrary JavaScript in the victim's browser. This issue is fixed as of 2025-03-14. | ||||
| CVE-2025-68935 | 1 Onlyoffice | 1 Document Server | 2026-01-02 | 6.4 Medium |
| ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer. | ||||
| CVE-2025-68936 | 1 Onlyoffice | 1 Document Server | 2026-01-02 | 6.4 Medium |
| ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer. | ||||
| CVE-2025-68942 | 1 Gitea | 1 Gitea | 2026-01-02 | 5.4 Medium |
| Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text. | ||||
| CVE-2025-68948 | 2 B3log, Siyuan | 2 Siyuan, Siyuan | 2026-01-02 | 8.1 High |
| SiYuan is self-hosted, open source personal knowledge management software. In versions 3.5.1 and prior, the SiYuan Note application utilizes a hardcoded cryptographic secret for its session store. This unsafe practice renders the session encryption ineffective. Since the sensitive AccessAuthCode is stored within the session cookie, an attacker who intercepts or obtains a user's encrypted session cookie (e.g., via session hijacking) can locally decrypt it using the public key. Once decrypted, the attacker can retrieve the AccessAuthCode in plain text and use it to authenticate or take over the session. | ||||
| CVE-2025-66580 | 1 Openagentplatform | 1 Dive | 2026-01-02 | 9.7 Critical |
| Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary JavaScript via `javascript:`. An attacker can exploit this to inject a malicious Model Context Protocol (MCP) server configuration, leading to Remote Code Execution (RCE) on the victim's machine when the node is clicked. Version 0.11.1 fixes the issue. | ||||
| CVE-2025-68614 | 1 Librenms | 1 Librenms | 2026-01-02 | 4.3 Medium |
| LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.12.0, the Alert Rule API is vulnerable to stored cross-site scripting. Alert rules can be created or updated via LibreNMS API. The alert rule name is not properly sanitized, and can be used to inject HTML code. This issue has been patched in version 25.12.0. | ||||
| CVE-2025-68915 | 1 Riello-ups | 1 Netman 208 | 2026-01-02 | 5.5 Medium |
| Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/loginbanner_w.cgi XSS via a crafted banner. | ||||