Export limit exceeded: 337168 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 44089 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (44089 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-6710 | 2 Modcluster, Redhat | 3 Mod Proxy Cluster, Enterprise Linux, Jboss Core Services | 2025-11-20 | 5.4 Medium |
| A flaw was found in the mod_proxy_cluster in the Apache server. This issue may allow a malicious user to add a script in the 'alias' parameter in the URL to trigger the stored cross-site scripting (XSS) vulnerability. By adding a script on the alias parameter on the URL, it adds a new virtual host and adds the script to the cluster-manager page. | ||||
| CVE-2024-42749 | 1 Altocms | 2 Alto Cms, Altocms | 2025-11-19 | 6.1 Medium |
| Cross Site Scripting vulnerability in Alto CMS v.1.1.13 allows a local attacker to execute arbitrary code via a crafted script. | ||||
| CVE-2025-25035 | 1 Jalios | 1 Jcms | 2025-11-19 | 7.3 High |
| Improper Neutralization of Input During Web Page Generation Cross-site Scripting vulnerability in Jalios JPlatform 10 allows for Reflected XSS and Stored XSS.This issue affects JPlatform 10: before 10.0.8 (SP8), before 10.0.7 (SP7), before 10.0.6 (SP6) and Jalios Workplace 6.2, Jalios Workplace 6.1, Jalios Workplace 6.0, and Jalios Workplace 5.3 to 5.5 | ||||
| CVE-2025-64302 | 1 Advantech | 2 Deviceon/iedge, Deviceon\/iedge | 2025-11-19 | 6.4 Medium |
| Insufficient input sanitization in the dashboard label or path can allow an attacker to trigger a device error causing information disclosure or data manipulation. | ||||
| CVE-2025-2610 | 1 Magnussolution | 1 Magnusbilling | 2025-11-19 | 7.6 High |
| Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling (Alarm Module modules) allows authenticated stored cross-site scripting. This vulnerability is associated with program files protected/components/MagnusLog.Php. This issue affects MagnusBilling: through 7.3.0. | ||||
| CVE-2025-20353 | 1 Cisco | 1 Catalyst Center | 2025-11-19 | 6.1 Medium |
| A vulnerability in the web-based management interface of Cisco Catalyst Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of the web-based management interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | ||||
| CVE-2025-54272 | 1 Adobe | 1 Experience Manager | 2025-11-19 | 5.4 Medium |
| Adobe Experience Manager versions 11.6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must open a malicious link. Scope is changed. | ||||
| CVE-2025-61796 | 1 Adobe | 1 Experience Manager | 2025-11-19 | 5.4 Medium |
| Adobe Experience Manager versions 11.6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must open a malicious link. Scope is changed. | ||||
| CVE-2025-61797 | 1 Adobe | 1 Experience Manager | 2025-11-19 | 5.4 Medium |
| Adobe Experience Manager versions 11.6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must open a malicious link. Scope is changed. | ||||
| CVE-2025-64747 | 2 Directus, Monospace | 2 Directus, Directus | 2025-11-19 | 5.5 Medium |
| Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. Version 11.13.0 fixes the issue. | ||||
| CVE-2025-63830 | 2 Ckeditor, Cksource | 2 Ckfinder, Ckfinder | 2025-11-19 | 6.1 Medium |
| CKFinder 1.4.3 is vulnerable to Cross Site Scripting (XSS) in the File Upload function. An attacker can upload a crafted SVG containing active content. | ||||
| CVE-2025-13202 | 2 Code-projects, Fabian | 2 Simple Cafe Ordering System, Simple Cafe Ordering System | 2025-11-19 | 3.5 Low |
| A security flaw has been discovered in code-projects Simple Cafe Ordering System 1.0. This affects an unknown part of the file /add_to_cart. Performing manipulation of the argument product_name results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. | ||||
| CVE-2025-13244 | 2 Code-projects, Fabian | 2 Student Information System, Student Information System | 2025-11-19 | 4.3 Medium |
| A vulnerability was determined in code-projects Student Information System 2.0. The affected element is an unknown function of the file /register.php. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-13245 | 2 Code-projects, Fabian | 2 Student Information System, Student Information System | 2025-11-19 | 3.5 Low |
| A vulnerability was identified in code-projects Student Information System 2.0. The impacted element is an unknown function of the file /editprofile.php. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | ||||
| CVE-2025-64046 | 1 Openrapid | 1 Rapidcms | 2025-11-19 | 6.1 Medium |
| OpenRapid RapidCMS 1.3.1 is vulnerable to Cross Site Scripting (XSS) in /system/update-run.php. | ||||
| CVE-2024-44647 | 1 Phpgurukul | 1 Small Crm | 2025-11-19 | 6.1 Medium |
| PHPGurukul Small CRM 3.0 is vulnerable to Cross Site Scripting (XSS) via the aremark parameter in manage-tickets.php. | ||||
| CVE-2024-46334 | 1 Kashipara | 1 School Management System | 2025-11-19 | 6.1 Medium |
| kashipara School Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the formuser and formpassword parameters in /adminLogin.php. | ||||
| CVE-2024-46336 | 1 Kashipara | 1 School Management System | 2025-11-19 | 6.1 Medium |
| kashipara School Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via /client_user/feedback.php. | ||||
| CVE-2024-46335 | 1 Phpgurukul | 1 Complaint Management System | 2025-11-19 | 4.6 Medium |
| PHPGurukul Complaint Management System 2.0 is vulnerble to Cross Site Scripting (XSS) via the fromdate and todate parameters in between-date-userreport.php. | ||||
| CVE-2025-12457 | 2 Ideastocode, Wordpress | 2 Enable Svg, Webp & Ico Upload, Wordpress | 2025-11-19 | 6.4 Medium |
| The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||