Export limit exceeded: 344258 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 45351 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45351 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-56515 | 1 Suisuijiang | 1 Fiora | 2025-10-15 | 8.8 High |
| File upload vulnerability in Fiora chat application 1.0.0 through user avatar upload functionality. The application fails to validate SVG file content, allowing malicious SVG files with embedded foreignObject elements containing iframe tags and JavaScript event handlers (onmouseover) to be uploaded and stored. When rendered, these SVG files execute arbitrary JavaScript, enabling attackers to steal user sessions, cookies, and perform unauthorized actions in the context of users viewing affected profiles. | ||||
| CVE-2025-56243 | 1 Puneethreddyhc | 2 Event Management, Event Management System | 2025-10-15 | 6.1 Medium |
| A Cross-Site Scripting (XSS) vulnerability was found in the register.php page of PuneethReddyHC Event Management System 1.0, where the event_id GET parameter is improperly handled. An attacker can craft a malicious URL to execute arbitrary JavaScript in the victim s browser by injecting code into this parameter. | ||||
| CVE-2025-56382 | 2 Lion-coders, Lioncoders | 2 Salepro Pos, Salepro Pos | 2025-10-15 | 6.1 Medium |
| A stored Cross-site scripting (XSS) vulnerability exists in the Customer Management Module of LionCoders SalePro POS 5.4.8. An authenticated attacker can inject arbitrary web script or HTML via the 'Customer Name' parameter when creating or editing customer profiles. This malicious input is improperly sanitized before storage and subsequent rendering, leading to script execution in the browsers of users who view the affected customer details. | ||||
| CVE-2025-46545 | 1 Sherparpa | 1 Sherpa Orchestrator | 2025-10-15 | 4.4 Medium |
| In Sherpa Orchestrator 141851, the functionality for adding or updating licenses allows for stored XSS attacks by an administrator through the name parameter. The XSS payload can execute when the license expires. | ||||
| CVE-2024-1146 | 2 Alma, Devklan | 2 Alma Blog, Alma Blog | 2025-10-15 | 5.8 Medium |
| Cross-Site Scripting vulnerability in Devklan's Alma Blog that affects versions 2.1.10 and earlier. This vulnerability could allow an attacker to store a malicious JavaScript payload within the application by adding the payload to 'Community Description' or 'Community Rules'. | ||||
| CVE-2024-2726 | 2 Atisoluciones, Ciges | 2 Ciges, Cigesv2 | 2025-10-15 | 6.1 Medium |
| Stored Cross-Site Scripting (Stored-XSS) vulnerability affecting the CIGESv2 system, allowing an attacker to execute and store malicious javascript code in the application form without prior registration. | ||||
| CVE-2024-2727 | 2 Atisoluciones, Ciges | 2 Ciges, Cigesv2 | 2025-10-15 | 6.1 Medium |
| HTML injection vulnerability affecting the CIGESv2 system, which allows an attacker to inject arbitrary code and modify elements of the website and email confirmation message. | ||||
| CVE-2025-2868 | 1 Oretnom23 | 1 Clinic Queuing System | 2025-10-15 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) vulnerability in version 1.0 of the Clinic Queuing System. This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the page parameter in /index.php. | ||||
| CVE-2025-2869 | 1 Oretnom23 | 1 Clinic Queuing System | 2025-10-15 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) vulnerability in version 1.0 of the Clinic Queuing System. This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the id parameter in /manage_user.php. | ||||
| CVE-2025-2870 | 1 Oretnom23 | 1 Clinic Queuing System | 2025-10-15 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) vulnerability in version 1.0 of the Clinic Queuing System. This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the page parameter in /patient_side.php. | ||||
| CVE-2025-1082 | 1 Mindskip | 1 Xzs-mysql | 2025-10-15 | 3.5 Low |
| A vulnerability classified as problematic has been found in Mindskip xzs-mysql 学之思开源考试系统 3.9.0. Affected is an unknown function of the file /api/admin/question/edit of the component Exam Edit Handler. The manipulation of the argument title/content leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-59525 | 1 Horilla | 1 Horilla | 2025-10-15 | 6.1 Medium |
| Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sanitization across the application allows XSS via uploaded SVG (and via allowed <embed>), which can be chained to execute JavaScript whenever users view impacted content (e.g., announcements). This can result in admin account takeover. This issue has been patched in version 1.4.0. | ||||
| CVE-2024-4336 | 1 Adive | 1 Framework | 2025-10-15 | 7.6 High |
| Adive Framework 2.0.8, does not sufficiently encode user-controlled inputs, resulting in a persistent Cross-Site Scripting (XSS) vulnerability via the /adive/admin/tables/add, in multiple parameters. An attacker could retrieve the session details of an authenticated user. | ||||
| CVE-2025-5127 | 1 Flir | 2 Flir Ax8, Flir Ax8 Firmware | 2025-10-15 | 3.5 Low |
| A vulnerability was determined in Teledyne FLIR AX8 up to 1.46.16. This issue affects some unknown processing of the file /prod.php. Executing manipulation of the argument cmd can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 1.49.16 is capable of addressing this issue. It is recommended to upgrade the affected component. The vendor points out: "FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities." | ||||
| CVE-2024-4337 | 1 Adive | 1 Framework | 2025-10-15 | 7.6 High |
| Adive Framework 2.0.8, does not sufficiently encode user-controlled inputs, resulting in a persistent Cross-Site Scripting (XSS) vulnerability via the /adive/admin/nav/add, in multiple parameters. This vulnerability allows an attacker to retrieve the session details of an authenticated user. | ||||
| CVE-2025-3789 | 1 Jsite | 1 Jsite | 2025-10-15 | 3.5 Low |
| A vulnerability was found in baseweb JSite 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /a/sys/area/save. The manipulation of the argument Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-60447 | 2 Emlog, Emlog Pro Project | 2 Emlog, Emlog Pro | 2025-10-15 | 5.9 Medium |
| A stored Cross-Site Scripting (XSS) vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists in the email template configuration component located at /admin/setting.php?action=mail, which allows administrators to input HTML code that is not properly sanitized, leading to persistent JavaScript execution. | ||||
| CVE-2025-40615 | 1 Bookgy | 1 Bookgy | 2025-10-14 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) vulnerability in Bookgy. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the "TEXTO" parameter in /api/api_ajustes.php. | ||||
| CVE-2025-40616 | 1 Bookgy | 1 Bookgy | 2025-10-14 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) vulnerability in Bookgy. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the "IDRESERVA" parameter in /bkg_imprimir_comprobante.php. | ||||
| CVE-2025-59839 | 2 Mediawiki, Star-citizen | 2 Mediawiki, Embedvideo | 2025-10-14 | 8.6 High |
| The EmbedVideo Extension is a MediaWiki extension which adds a parser function called #ev and various parser tags for embedding video clips from various video sharing services. In versions 4.0.0 and prior, the EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext. This issue has been patched via commit 4e075d3. | ||||