Export limit exceeded: 45336 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45336 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-3384 | 1 Redhat | 1 Quay | 2025-11-07 | 5.4 Medium |
| A flaw was found in the Quay registry. While the image labels created through Quay undergo validation both in the UI and backend by applying a regex (validation.py), the same validation is not performed when the label comes from an image. This flaw allows an attacker to publish a malicious image to a public registry containing a script that can be executed via Cross-site scripting (XSS). | ||||
| CVE-2025-26258 | 2 Remyandrade, Sourcecodester | 2 Employee Management System, Employee Management System | 2025-11-06 | 6.1 Medium |
| Sourcecodester Employee Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via 'Add Designation.' | ||||
| CVE-2023-52292 | 1 Ibm | 1 Sterling File Gateway | 2025-11-06 | 6.4 Medium |
| IBM Sterling File Gateway 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2025-11956 | 1 Proliz Software | 1 Obs | 2025-11-06 | 8.9 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Proliz Software Ltd. Co. OBS (Student Affairs Information System) allows Stored XSS.This issue affects OBS (Student Affairs Information System): before 25.0401. | ||||
| CVE-2025-46786 | 1 Zoom | 6 Meeting Software Development Kit, Rooms, Rooms Controller and 3 more | 2025-11-06 | 4.3 Medium |
| Cross-site scripting in some Zoom Workplace Apps may allow an authenticated user to impact app integrity via network access. | ||||
| CVE-2025-61994 | 1 Growi | 1 Growi | 2025-11-06 | N/A |
| Cross-site scripting vulnerability exists in GROWI prior to v7.2.10. If a malicious user creates a page containing crafted contents, an arbitrary script may be executed on the web browser of a victim user who accesses the page. | ||||
| CVE-2025-2490 | 1 Ujcms | 1 Ujcms | 2025-11-06 | 2.4 Low |
| A vulnerability was found in Dromara ujcms 9.7.5. It has been rated as problematic. Affected by this issue is the function uploadZip/upload of the file /main/java/com/ujcms/cms/ext/web/backendapi/WebFileUploadController.java of the component File Upload. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-36248 | 1 Ibm | 1 Copy Services Manager | 2025-11-06 | 6.1 Medium |
| IBM Copy Services Manager 6.3.13 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2025-50574 | 2 Hiruna, Hirunaofficial | 2 Glamour Salon Management System, Glamour Salon Management System | 2025-11-06 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability in blog-details.php in Hiruna Gallage's Glamour Salon Management System v1 allows remote attackers to inject arbitrary web script or HTML via the blog comment section parameter. | ||||
| CVE-2024-5764 | 1 Sonatype | 1 Nexus Repository Manager | 2025-11-06 | 6.5 Medium |
| Use of Hard-coded Credentials vulnerability in Sonatype Nexus Repository has been discovered in the code responsible for encrypting any secrets stored in the Nexus Repository configuration database (SMTP or HTTP proxy credentials, user tokens, tokens, among others). The affected versions relied on a static hard-coded encryption passphrase. While it was possible for an administrator to define an alternate encryption passphrase, it could only be done at first boot and not updated. This issue affects Nexus Repository: from 3.0.0 through 3.72.0. | ||||
| CVE-2025-41681 | 1 Mbconnectline | 2 Mbnet.mini, Mbnet.mini Firmware | 2025-11-06 | 4.8 Medium |
| A high privileged remote attacker can gain persistent XSS via POST requests due to improper neutralization of special elements used to create dynamic content. | ||||
| CVE-2024-11491 | 1 115cms | 1 115cms | 2025-11-05 | 3.5 Low |
| A vulnerability was found in 115cms up to 20240807. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /index.php/admin/web/useradmin.html. The manipulation of the argument ks leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-30406 | 1 Gladinet | 1 Centrestack | 2025-11-05 | 9 Critical |
| Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config. | ||||
| CVE-2025-36172 | 1 Ibm | 1 Cloud Pak For Business Automation | 2025-11-05 | 6.4 Medium |
| IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2025-63442 | 1 Nababur | 1 Simple-user-management-system | 2025-11-05 | 4.6 Medium |
| Simple User Management System with PHP-MySQL v1.0 is vulnerable to Cross-Site Scripting (XSS) via the Profile Section. The system fails to properly sanitize user input, allowing attackers to inject and execute arbitrary JavaScript when the input is displayed in the browser | ||||
| CVE-2025-50363 | 1 Phpgurukul | 1 Maid Hiring Management System | 2025-11-05 | 5.4 Medium |
| Phpgurukul Maid Hiring Management System 1.0 is vulnerable to Cross Site Scripting (XSS) in /maid-hiring.php va the name field. | ||||
| CVE-2019-18860 | 5 Canonical, Debian, Opensuse and 2 more | 5 Ubuntu Linux, Debian Linux, Leap and 2 more | 2025-11-05 | 6.1 Medium |
| Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi. | ||||
| CVE-2024-28045 | 1 Deltaww | 1 Diaenergie | 2025-11-05 | 4.6 Medium |
| Improper neutralization of input within the affected product could lead to cross-site scripting. | ||||
| CVE-2025-34501 | 1 Shuffle Master | 1 Deck Mate 2 | 2025-11-05 | N/A |
| Deck Mate 2 is distributed with static, hard-coded credentials for the root shell and web user interface, while multiple management services (SSH, HTTP, Telnet, SMB, X11) are enabled by default. If an attacker can reach these interfaces - most often through local or near-local access such as connecting to the USB or Ethernet ports beneath the table - the built-in credentials permit administrative login and full control of the system. Once authenticated, an attacker can access firmware utilities, modify controller software, and establish persistent compromise. Remote attack paths via network, cellular, or telemetry links may exist in specific configurations but generally require additional capabilities or operator error. The vendor reports that USB access has been disabled in current firmware builds. | ||||
| CVE-2025-9225 | 1 Mobile-industrial-robots | 5 Mir100, Mir1000, Mir200 and 2 more | 2025-11-05 | 5.5 Medium |
| Stored cross-site scripting (XSS) in the web interface of MiR software versions prior to 3.0.0 on MiR Robots and MiR Fleet allows execution of arbitrary JavaScript code in a victim’s browser | ||||