Export limit exceeded: 44069 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (44069 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-47885 | 2 Astro, Withastro | 2 Astro, Astro | 2025-11-25 | 5.9 Medium |
| The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to version 4.16.1. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has *stored* attacker-controlled scriptless HTML elements (i.e., `iframe` tags with unsanitized `name` attributes) on the destination pages. This vulnerability can result in cross-site scripting (XSS) attacks on websites that built with Astro that enable the client-side routing with `ViewTransitions` and store the user-inserted scriptless HTML tags without properly sanitizing the `name` attributes on the page. Version 4.16.1 contains a patch for this issue. | ||||
| CVE-2024-36625 | 1 Zulip | 1 Zulip | 2025-11-25 | 6.1 Medium |
| Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the replace_emoji_with_text function in ui_util.ts. | ||||
| CVE-2024-36624 | 1 Zulip | 1 Zulip | 2025-11-25 | 6.1 Medium |
| Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the construct_copy_div function in copy_and_paste.js. | ||||
| CVE-2025-5092 | 9 Famatehemes, Galaxyweblinks, Lightgalleryteam and 6 more | 9 Onepress, Gallery With Thumbnail Slider, Lightgallery Wp and 6 more | 2025-11-24 | 6.4 Medium |
| Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled lightGallery library (<= 2.8.3) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-51662 | 2 Filecodebox, Lanol | 2 Filecodebox, Filecodebox | 2025-11-24 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability is found in the text sharing feature of FileCodeBox version 2.2 and earlier. Insufficient input validation allows attackers to inject arbitrary JavaScript code into shared text "codeboxes". The xss payload is automatically executed in the browsers of any users who try to access the infected codebox by clicking link or entering share code. | ||||
| CVE-2025-11770 | 2 Billybigpotatoes, Wordpress | 2 Brighttalk Wordpress Shortcode, Wordpress | 2025-11-24 | 6.4 Medium |
| The BrightTALK WordPress Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'format' shortcode attribute in the brighttalk-time shortcode in all versions up to, and including, 2.4.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-11768 | 1 Wordpress | 1 Wordpress | 2025-11-24 | 6.4 Medium |
| The Islamic Phrases plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'phrases' shortcode attribute in all versions up to, and including, 2.12.2015. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-11885 | 1 Wordpress | 1 Wordpress | 2025-11-24 | 6.1 Medium |
| The EchBay Admin Security plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the '_ebnonce' parameter in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-12135 | 2 Iqonicdesign, Wordpress | 2 Wpbookit, Wordpress | 2025-11-24 | 7.2 High |
| The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'css_code' parameter in all versions up to, and including, 1.0.6 due to a missing capability check on the save_custome_code() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-13159 | 1 Wordpress | 1 Wordpress | 2025-11-24 | 7.1 High |
| The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.0.43. This is due to the plugin allowing SVG file uploads via an unauthenticated AJAX endpoint (`flo_form_submit`) without proper file content validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript that executes when an administrator views the uploaded file in the WordPress admin interface, leading to potential full site compromise. | ||||
| CVE-2025-11799 | 1 Wordpress | 1 Wordpress | 2025-11-24 | 6.4 Medium |
| The Affiliate AI Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'asin' shortcode attribute in the affiai_img shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-11803 | 1 Wordpress | 1 Wordpress | 2025-11-24 | 6.4 Medium |
| The WPSite Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'format' shortcode attribute in the wpsite_y shortcode and the 'before' attribute in the wpsite_postauthor shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping in error messages. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-55059 | 1 Maxum | 1 Rumpus | 2025-11-24 | 4.8 Medium |
| CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') | ||||
| CVE-2025-26391 | 1 Solarwinds | 1 Observability Self-hosted | 2025-11-24 | 5.4 Medium |
| SolarWinds Observability Self-Hosted XSS Vulnerability. The SolarWinds Platform was susceptible to a XSS vulnerability that affects user-created URL fields. This vulnerability requires authentication from a low-level account. | ||||
| CVE-2025-55056 | 2 Maxum, Maxum Development Corporation | 2 Rumpus, Rumpus Ftp Server | 2025-11-24 | 4.8 Medium |
| Multiple CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') | ||||
| CVE-2025-13178 | 2 Bdtask, Codecanyon | 2 Saleserp, Saleserp | 2025-11-24 | 3.5 Low |
| A flaw has been found in Bdtask/CodeCanyon SalesERP up to 20250728. This vulnerability affects unknown code of the file /edit_profile of the component User Profile Handler. This manipulation of the argument first_name/last_name causes basic cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-62731 | 1 Soplanning | 1 Soplanning | 2025-11-24 | 4.8 Medium |
| SOPlanning is vulnerable to Stored XSS in /feries endpoint. Malicious attacker with access to public holidays feature is able to inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. By default only administrators and users with special privileges are able to access this endpoint. This issue was fixed in version 1.55. | ||||
| CVE-2025-62729 | 1 Soplanning | 1 Soplanning | 2025-11-24 | 5.4 Medium |
| SOPlanning is vulnerable to Stored XSS in /status endpoint. Malicious attacker with an account can inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. This issue was fixed in version 1.55. | ||||
| CVE-2025-62297 | 1 Soplanning | 1 Soplanning | 2025-11-24 | 5.4 Medium |
| SOPlanning is vulnerable to Stored XSS in /projets endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening edited page. This issue was fixed in version 1.55. | ||||
| CVE-2025-62296 | 1 Soplanning | 1 Soplanning | 2025-11-24 | 5.4 Medium |
| SOPlanning is vulnerable to Stored XSS in /taches endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor. This issue was fixed in version 1.55. | ||||