Export limit exceeded: 44794 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (44794 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-9734 | 1 Zoneland | 1 O2oa | 2025-09-05 | 3.5 Low |
| A security flaw has been discovered in O2OA up to 10.0-410. The impacted element is an unknown function of the file /x_query_assemble_designer/jaxrs/stat of the component Personal Profile Page. The manipulation of the argument name/alias/description/applicationName results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | ||||
| CVE-2025-9735 | 1 Zoneland | 1 O2oa | 2025-09-05 | 3.5 Low |
| A weakness has been identified in O2OA up to 10.0-410. This affects an unknown function of the file /x_query_assemble_designer/jaxrs/table of the component Personal Profile Page. This manipulation of the argument description/applicationName/queryName causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | ||||
| CVE-2025-9736 | 1 Zoneland | 1 O2oa | 2025-09-05 | 3.5 Low |
| A security vulnerability has been detected in O2OA up to 10.0-410. This impacts an unknown function of the file /x_query_assemble_designer/jaxrs/statement of the component Personal Profile Page. Such manipulation of the argument description/queryName leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | ||||
| CVE-2025-9737 | 1 Zoneland | 1 O2oa | 2025-09-05 | 3.5 Low |
| A vulnerability was detected in O2OA up to 10.0-410. Affected is an unknown function of the file /x_query_assemble_designer/jaxrs/importmodel of the component Personal Profile Page. Performing manipulation of the argument description/applicationName/queryName results in cross site scripting. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | ||||
| CVE-2025-9755 | 1 Khanakag-17 | 1 Library Management System | 2025-09-05 | 4.3 Medium |
| A vulnerability has been found in Khanakag-17 Library Management System up to 60ed174506094dcd166e34904a54288e5d10ff24. This affects an unknown function of the file /index.php. The manipulation of the argument msg leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. | ||||
| CVE-2025-51966 | 1 U-tools | 1 Utools | 2025-09-05 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability exists in the PDF preview functionality of uTools thru 7.1.1. When a user previews a specially crafted PDF file, embedded JavaScript code executes within the application's privileged context, potentially allowing attackers to steal sensitive data or perform unauthorized actions. | ||||
| CVE-2025-55474 | 1 Brufdev | 1 Many Notes | 2025-09-05 | 6.1 Medium |
| Many Notes 0.10.1 is vulnerable to Cross Site Scripting (XSS), which allows malicious Markdown files to execute JavaScript when viewed. | ||||
| CVE-2025-8695 | 2025-09-05 | 5.4 Medium | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netcad NetGIS Server allows Reflected XSS.This issue affects NetGIS Server: from 5.2.4 through 22.08.2025. | ||||
| CVE-2025-8684 | 2 Uxthemes, Wordpress | 2 Flatsome, Wordpress | 2025-09-05 | 6.4 Medium |
| The Flatsome Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the theme's shortcodes in all versions up to, and including, 3.20.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-58361 | 1 Promptcraft-forge-studio Project | 1 Promptcraft-forge-studio | 2025-09-05 | 9.3 Critical |
| Promptcraft Forge Studio is a toolkit for evaluating, optimizing, and maintaining LLM-powered applications. All versions contain an non-exhaustive URL scheme check that does not protect against XSS. User-controlled URLs pass through src/utils/validation.ts, but the check only strips `javascript:` and a few patterns. `data:` URLs (for example data:image/svg+xml,…) still pass. If a sanitized value is used in href/src, an attacker can execute a script. There is currently no fix for this issue. | ||||
| CVE-2025-58353 | 1 Promptcraft-forge-studio Project | 1 Promptcraft-forge-studio | 2025-09-05 | 8.2 High |
| Promptcraft Forge Studio is a toolkit for evaluating, optimizing, and maintaining LLM-powered applications. All versions of Promptcraft Forge Studio sanitize user input using regex blacklists such as r`eplace(/javascript:/gi, '')`. Because the package uses multi-character tokens and each replacement is applied only once, removing one occurrence can create a new dangerous token due to overlap. The “sanitized” value may still contain an executable payload when used in href/src (or injected into the DOM). There is currently no fix for this issue. | ||||
| CVE-2025-9834 | 1 Phpgurukul | 1 Small Crm | 2025-09-05 | 3.5 Low |
| A flaw has been found in PHPGurukul Small CRM 4.0. Affected by this issue is some unknown functionality of the file /registration.php. Executing manipulation of the argument Username can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used. | ||||
| CVE-2024-39272 | 1 Clear | 1 Clearml Enterprise Server | 2025-09-05 | 9 Critical |
| A cross-site scripting (xss) vulnerability exists in the dataset upload functionality of ClearML Enterprise Server 3.22.5-1533. A specially crafted HTTP request can lead to an arbitrary html code. An attacker can send a series of HTTP requests to trigger this vulnerability. | ||||
| CVE-2025-9434 | 1 1000projects | 2 Online Project Report Submission And Evaluation System, Online Student Project Report Submission And Evaluation System | 2025-09-05 | 4.3 Medium |
| A vulnerability was determined in 1000projects Online Project Report Submission and Evaluation System 1.0. This affects an unknown function of the file /admin/edit_title.php?id=1. Executing manipulation of the argument desc can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2024-39923 | 1 Mahara | 1 Mahara | 2025-09-05 | 6.1 Medium |
| An issue was discovered in Mahara 24.04 before 24.04.2 and 23.04 before 23.04.7. The About, Contact, and Help footer links can be set up to be vulnerable to Cross Site Scripting (XSS) due to not sanitising the values. These links can only be set up by an admin but are clickable by any logged-in person. | ||||
| CVE-2024-45753 | 1 Mahara | 1 Mahara | 2025-09-05 | 6.1 Medium |
| In Mahara 23.04.8 and 24.04.4, the external RSS feed block can cause XSS if the external feed XML has a malicious value for the link attribute. | ||||
| CVE-2024-35203 | 1 Mahara | 1 Mahara | 2025-09-05 | 6.1 Medium |
| Mahara before 22.10.6, 23.04.6, and 24.04.1 allows cross-site scripting (XSS) via a file, with JavaScript code as part of its name, that is uploaded via the Mahara filebrowser system. | ||||
| CVE-2024-13308 | 1 Browser Back Button Project | 1 Browser Back Button | 2025-09-05 | 3.8 Low |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Browser Back Button allows Cross-Site Scripting (XSS).This issue affects Browser Back Button: from 1.0.0 before 2.0.2. | ||||
| CVE-2024-54138 | 2 Microsoft, Nuget | 2 Nugetgallery, Nugetgallery | 2025-09-05 | 6.1 Medium |
| NuGet Gallery is a package repository that powers nuget.org. The NuGetGallery has a security vulnerability related to its handling of autolinks in Markdown content. While the platform properly filters out JavaScript from standard links, it does not adequately sanitize autolinks. This oversight allows attackers to exploit autolinks as a vector for Cross-Site Scripting (XSS) attacks. This vulnerability is fixed in 2024.12.06. | ||||
| CVE-2025-55106 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | 4.8 Medium |
| There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. | ||||