Search Results (44062 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2025-66309 | Getgrav | Grav, Grav-plugin-admin | 2025-12-03 | 6.1 Medium | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][content][items] parameter. This vulnerability is fixed in 1.11.0-beta.1. |
| CVE-2025-66310 | Getgrav | Grav, Grav-plugin-admin | 2025-12-03 | 5.4 Medium | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][template] parameter. The script is saved within the page's frontmatter and executed automatically whenever the affected content is rendered in the administrative interface or frontend view. This vulnerability is fixed in 1.11.0-beta.1. |
| CVE-2025-66311 | Getgrav | Grav, Grav-plugin-admin | 2025-12-03 | 5.4 Medium | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag] parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface. This vulnerability is fixed in 1.11.0-beta.1. |
| CVE-2025-66312 | Getgrav | Grav, Grav-plugin-admin | 2025-12-03 | 5.4 Medium | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/accounts/groups/Grupo endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[readableName] parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 1.11.0-beta.1. |
| CVE-2025-60646 | Xuxueli | Xxl-api | 2025-12-03 | 6.1 Medium | A stored cross-site scripting (XSS) vulnerability in the Business Line Management module of Xxl-api v1.3.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter. |
| CVE-2024-1648 | Fraserxu | Electron-pdf | 2025-12-03 | 7.5 High | electron-pdf version 20.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the HTML content entered by the user. |
| CVE-2024-1647 | Kumaf, Pyhtml2pdf, Pyhtml2pdf Project | Pyhtml2pdf, Pyhtml2pdf, Pyhtml2pdf | 2025-12-03 | 7.5 High | Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the HTML content entered by the user. |
| CVE-2025-65676 | Classroomio | Classroomio | 2025-12-03 | 5.4 Medium | Stored cross-site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG cover images. |
| CVE-2025-4779 | Lunary, Lunary-ai | Lunary, Lunary | 2025-12-03 | 6.1 Medium | lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding an empty `citations` field, triggering a code path where `dangerouslySetInnerHTML` is used to render attacker-controlled text. This vulnerability allows the execution of arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious actions. |
| CVE-2025-65956 | Formwork Project | Formwork | 2025-12-03 | 6.5 Medium | Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross-site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker-controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0. |
| CVE-2025-64070 | Remyandrade, Sourcecodester | Student Grades Management System, Student Grades Management System | 2025-12-03 | 5.4 Medium | Sourcecodester Student Grades Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in the Add New Subject Description field. |
| CVE-2023-0835 | Markdown-pdf Project | Markdown-pdf | 2025-12-03 | 8.2 High | markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user. |
| CVE-2025-10931 | Drupal, Umami | Drupal, Umami Analytics, Umami Analytics | 2025-12-03 | 3.8 Low | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scripting (XSS). This issue affects Umami Analytics: from 0.0.0 before 1.0.1. |
| CVE-2022-43984 | Spatie | Browsershot | 2025-12-03 | 8.2 High | Browsershot version 3.57.3 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the JS content imported from an external source passed to the Browsershot::html method does not contain URLs that use the file:// protocol. |
| CVE-2025-12083 | Drupal, Salsa.digital | Civictheme Design System, Drupal, Civictheme Design System | 2025-12-03 | 6.1 Medium | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS). This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0. |
| CVE-2022-41706 | Spatie | Browsershot | 2025-12-03 | 8.2 High | Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the URL protocol passed to the Browsershot::url method. |
| CVE-2025-39663 | Checkmk | Checkmk | 2025-12-03 | 8.4 High | Cross-Site Scripting (XSS) vulnerability in Checkmk's distributed monitoring allows a compromised remote site to inject malicious HTML code into service outputs in the central site. Affecting Checkmk before 2.4.0p14, 2.3.0p39, 2.2.0 and 2.1.0 (eol). |
| CVE-2022-43983 | Spatie | Browsershot | 2025-12-03 | 8.2 High | Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the HTML content passed to the Browsershot::html method does not contain URLs that use the file:// protocol. |
| CVE-2025-66359 | Logpoint | Siem | 2025-12-03 | 8.5 High | An issue was discovered in Logpoint before 7.7.0. Insufficient input validation and a lack of output escaping in multiple components leads to a cross-site scripting (XSS) vulnerability. |
| CVE-2025-65622 | Snipeitapp | Snipe-it | 2025-12-03 | 5.4 Medium | Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session. |