Export limit exceeded: 44175 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (44175 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-29830 | 1 Mitsubishielectric | 1 Gx Works3 | 2025-11-07 | 9.1 Critical |
| Use of Hard-coded Cryptographic Key vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.095Z, and Motion Control Setting(GX Works3 related software) versions from 1.000A to 1.065T allows a remote unauthenticated attacker to disclose or tamper with sensitive information. As a result, unauthenticated attackers may obtain information about project files illegally. | ||||
| CVE-2022-29829 | 1 Mitsubishielectric | 1 Gx Works3 | 2025-11-07 | 6.8 Medium |
| Use of Hard-coded Cryptographic Key vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.090U, GT Designer3 Version1 (GOT2000) versions from 1.122C to 1.290C, Motion Control Setting(GX Works3 related software) versions from 1.035M to 1.042U, and MT Works2 versions from 1.100E to 1.200J allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users may view programs and project files or execute programs illegally. | ||||
| CVE-2022-29825 | 1 Mitsubishielectric | 1 Gx Works3 | 2025-11-07 | 5.6 Medium |
| Use of Hard-coded Password vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.090U, GT Designer3 Version1 (GOT2000) versions from 1.122C to 1.290C, and MT Works2 versions from 1.100E to 1.200J allows an unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users may view programs and project files or execute programs illegally. | ||||
| CVE-2025-26662 | 2025-11-07 | 4.4 Medium | ||
| The Data Services Management Console does not sufficiently encode user-controlled inputs, allowing an attacker to inject malicious script. When a targeted victim, who is already logged in, clicks on the compromised link, the injected script gets executed within the scope of victim�s browser. This potentially leads to an impact on confidentiality and integrity. Availability is not impacted. | ||||
| CVE-2024-12020 | 1 Logicaldoc | 1 Logicaldoc | 2025-11-07 | 6.1 Medium |
| There is a reflected cross-site scripting (XSS) within JSP files used to control application appearance. An unauthenticated attacker could deceive a user into clicking a crafted link to trigger the vulnerability. Stealing the session cookie is not possible due to cookie security flags, however the XSS may be used to induce a victim to perform on-site requests without their knowledge. This vulnerability only affects LogicalDOC Enterprise. | ||||
| CVE-2025-62800 | 2 Fastmcp, Jlowin | 2 Fastmcp, Fastmcp | 2025-11-07 | 6.1 Medium |
| FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cross-site scripting vulnerability in the OAuth client callback page (oauth_callback.py) where unescaped user-controlled values are inserted into the generated HTML, allowing arbitrary JavaScript execution in the callback server origin. The issue is fixed in version 2.13.0. | ||||
| CVE-2025-5347 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2025-11-07 | 6.3 Medium |
| Zohocorp ManageEngine Exchange Reporter Plus versions before 5723 are vulnerable to Stored Cross Site Scripting in the reports module. | ||||
| CVE-2025-5343 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2025-11-07 | 6.3 Medium |
| Zohocorp ManageEngine Exchange Reporter Plus versions through 5721 are vulnerable to Stored Cross Site Scripting in the Instant Search option. | ||||
| CVE-2024-29034 | 1 Carrierwave Project | 1 Carrierwave | 2025-11-07 | 6.8 Medium |
| CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. The vulnerability CVE-2023-49090 wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS. Upgrade to 3.0.7 or 2.2.6. | ||||
| CVE-2025-12547 | 1 Logicaldoc | 1 Logicaldoc | 2025-11-07 | 3.7 Low |
| A vulnerability was identified in LogicalDOC Community Edition up to 9.2.1. This vulnerability affects unknown code of the file /login.jsp of the component Admin Login Page. Such manipulation leads to improper restriction of excessive authentication attempts. The attack can be executed remotely. This attack is characterized by high complexity. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-12546 | 1 Logicaldoc | 1 Logicaldoc | 2025-11-07 | 3.5 Low |
| A vulnerability was determined in LogicalDOC Community Edition up to 9.2.1. This affects an unknown part of the component API Key creation UI. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-11946 | 1 Logicaldoc | 1 Logicaldoc | 2025-11-07 | 3.5 Low |
| A security flaw has been discovered in LogicalDOC Community Edition up to 9.2.1. This issue affects some unknown processing of the file /frontend.jsp of the component Add Contact Page. Performing manipulation of the argument First Name/Last Name/Company/Address/Phone/Mobile results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-3384 | 1 Redhat | 1 Quay | 2025-11-07 | 5.4 Medium |
| A flaw was found in the Quay registry. While the image labels created through Quay undergo validation both in the UI and backend by applying a regex (validation.py), the same validation is not performed when the label comes from an image. This flaw allows an attacker to publish a malicious image to a public registry containing a script that can be executed via Cross-site scripting (XSS). | ||||
| CVE-2025-26258 | 2 Remyandrade, Sourcecodester | 2 Employee Management System, Employee Management System | 2025-11-06 | 6.1 Medium |
| Sourcecodester Employee Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via 'Add Designation.' | ||||
| CVE-2023-52292 | 1 Ibm | 1 Sterling File Gateway | 2025-11-06 | 6.4 Medium |
| IBM Sterling File Gateway 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2025-11956 | 1 Proliz Software | 1 Obs | 2025-11-06 | 8.9 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Proliz Software Ltd. Co. OBS (Student Affairs Information System) allows Stored XSS.This issue affects OBS (Student Affairs Information System): before 25.0401. | ||||
| CVE-2025-11268 | 2 Wordpress, Wpchill | 2 Wordpress, Strong Testimonials | 2025-11-06 | 4.3 Medium |
| The Strong Testimonials plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.2.16. This is due to the software allowing users to submit a testimonial in which a value is not properly validated or sanitized prior to being passed to a do_shortcode call. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes if an administrator previews or publishes a crafted testimonial. | ||||
| CVE-2025-12471 | 1 Wordpress | 1 Wordpress | 2025-11-06 | 6.1 Medium |
| The Hubbub Lite – Fast, free social sharing and follow buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dpsp_list_attention_search' parameter in all versions up to, and including, 1.36.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-46786 | 1 Zoom | 6 Meeting Software Development Kit, Rooms, Rooms Controller and 3 more | 2025-11-06 | 4.3 Medium |
| Cross-site scripting in some Zoom Workplace Apps may allow an authenticated user to impact app integrity via network access. | ||||
| CVE-2025-11820 | 3 Elementor, Iqonicdesign, Wordpress | 3 Elementor, Graphina, Wordpress | 2025-11-06 | 6.4 Medium |
| The Graphina – Elementor Charts and Graphs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple chart widgets in all versions up to, and including, 3.1.8 due to insufficient input sanitization and output escaping on data attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability affects multiple chart widgets including Area Chart, Line Chart, Column Chart, Donut Chart, Heatmap Chart, Radar Chart, Polar Chart, Pie Chart, Radial Chart, and Advance Data Table widgets. | ||||