Export limit exceeded: 45467 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45467 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-51962 | 1 Microstudio | 1 Microstudio | 2026-01-02 | 6.1 Medium |
| A HTML Injection vulnerability in the comment section of the project page in MicroStudio 24.01.29 allows remote attackers to inject arbitrary web script or HTML via the text parameter of add_project_comment function. | ||||
| CVE-2025-68927 | 2 Abhinavxd, Libredesk | 2 Libredesk, Libredesk | 2026-01-02 | 6.1 Medium |
| Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in <p> tags. However, by intercepting the request and removing the <p> tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta. | ||||
| CVE-2024-25814 | 1 Airc | 1 Mynet | 2026-01-02 | 6.1 Medium |
| MyNET up to v26.05 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the msg parameter. | ||||
| CVE-2024-25812 | 1 Airc | 1 Mynet | 2026-01-02 | 6.1 Medium |
| MyNET up to v26.05 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the src parameter. | ||||
| CVE-2023-36337 | 1 Inventory Management System Project | 1 Inventory Management System | 2026-01-02 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability in the component /index.php/cuzh4 of PHP Inventory Management System 1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | ||||
| CVE-2025-15107 | 2 Actionsky, Actiontech | 2 Sqle, Sqle | 2025-12-31 | 3.7 Low |
| A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret Handler. The manipulation of the argument JWTSecretKey leads to use of hard-coded cryptographic key . The attack is possible to be carried out remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report and is planning to fix this flaw in an upcoming release. | ||||
| CVE-2025-68946 | 1 Gitea | 1 Gitea | 2025-12-31 | 5.4 Medium |
| In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS. | ||||
| CVE-2025-67349 | 1 Fluentcms | 1 Fluentcms | 2025-12-31 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability was identified in FluentCMS 1.2.3. After logging in as an admin and navigating to the "Add Page" function, the application fails to properly sanitize input in the <head> section, allowing remote attackers to inject arbitrary script tags. | ||||
| CVE-2025-61914 | 1 N8n | 1 N8n | 2025-12-31 | 7.3 High |
| n8n is an open source workflow automation platform. Prior to version 1.114.0, a stored Cross-Site Scripting (XSS) vulnerability may occur in n8n when using the “Respond to Webhook” node. When this node responds with HTML content containing executable scripts, the payload may execute directly in the top-level window, rather than within the expected sandbox introduced in version 1.103.0. This behavior can enable a malicious actor with workflow creation permissions to execute arbitrary JavaScript in the context of the n8n editor interface. This issue has been patched in version 1.114.0. Workarounds for this issue involve restricting workflow creation and modification privileges to trusted users only, avoiding use of untrusted HTML responses in the “Respond to Webhook” node, and using an external reverse proxy or HTML sanitizer to filter responses that include executable scripts. | ||||
| CVE-2025-57462 | 1 Machsol | 1 Machpanel | 2025-12-31 | 6.1 Medium |
| Stored cross-site scripting (xss) in machsol machpanel 8.0.32 allows attackers to execute arbitrary web scripts or HTML via a crafted PDF file. | ||||
| CVE-2025-65442 | 1 Xxyopen | 1 Novel | 2025-12-31 | 6.1 Medium |
| DOM-based Cross-Site Scripting (XSS) vulnerability in 201206030 novel V3.5.0 allows remote attackers to execute arbitrary JavaScript code or disclose sensitive information (e.g., user session cookies) via a crafted "wvstest" parameter in the URL or malicious script injection into window.localStorage. The vulnerability arises from insufficient validation and encoding of user-controllable data in the book comment module: unfiltered user input is stored in the backend database (book_comment table, commentContent field) and returned via API, then rendered directly into the page DOM via Vue 3's v-html directive without sanitization. Even if modern browsers' built-in XSS filters block pop-up alerts, attackers can use concealed payloads to bypass interception and achieve actual harm. | ||||
| CVE-2025-67163 | 1 Simplemachines | 3 Simple Machine Forum, Simple Machines Forum, Smf | 2025-12-31 | 6.1 Medium |
| A stored cross-site scripting (XSS) vulnerability in Simple Machines Forum v2.1.6 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Forum Name parameter. | ||||
| CVE-2025-44998 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 6.1 Medium |
| A stored cross-site scripting (XSS) vulnerability in the component /tinyfilemanager.php of TinyFileManager v2.4.7 allows attackers to execute arbitrary JavaScript or HTML via injecting a crafted payload into the js-theme-3 parameter. | ||||
| CVE-2022-40490 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 4.8 Medium |
| Tiny File Manager v2.4.7 and below was discovered to contain a Cross Site Scripting (XSS) vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the name of an uploaded or already existing file. | ||||
| CVE-2021-40966 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 5.4 Medium |
| A Stored XSS exists in TinyFileManager All version up to and including 2.4.6 in /tinyfilemanager.php when the server is given a file that contains HTML and javascript in its name. A malicious user can upload a file with a malicious filename containing javascript code and it will run on any user browser when they access the server. | ||||
| CVE-2025-63949 | 1 Yohanawi | 1 Hotel Management System | 2025-12-31 | 6.1 Medium |
| A Reflected Cross-Site Scripting (XSS) vulnerability in yohanawi Hotel Management System (commit 87e004a) allows a remote attacker to execute arbitrary web script via the 'error' parameter in pages/room.php. | ||||
| CVE-2025-15105 | 2 Getmaxun, Maxun | 2 Maxun, Maxun | 2025-12-31 | 3.7 Low |
| A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-35322 | 1 Airc | 1 Mynet | 2025-12-31 | 6.1 Medium |
| MyNET up to v26.08 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the ficheiro parameter. | ||||
| CVE-2024-40317 | 1 Airc | 1 Mynet | 2025-12-31 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability in MyNET up to v26.08 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the parameter HTTP. | ||||
| CVE-2025-64338 | 2 Clipbucket, Oxygenz | 2 Clipbucket, Clipbucket | 2025-12-31 | 9.0 Critical |
| ClipBucket v5 is an open source video sharing platform. In versions 5.5.2 - #156 and below, an authenticated regular user can create a photo collection whose Collection Name contains HTML/JavaScript payloads, which making ClipBucket’s Manage Photos feature vulnerable to Stored XSS. The payload is rendered unsafely in the Admin → Manage Photos interface, causing it to execute in the administrator’s browser, therefore allowing an attacker to target administrators and perform actions with elevated privileges. This issue is fixed in version 5.5.2 - #157. | ||||