Export limit exceeded: 45687 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45687 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-4336 | 1 Adive | 1 Framework | 2025-10-15 | 7.6 High |
| Adive Framework 2.0.8, does not sufficiently encode user-controlled inputs, resulting in a persistent Cross-Site Scripting (XSS) vulnerability via the /adive/admin/tables/add, in multiple parameters. An attacker could retrieve the session details of an authenticated user. | ||||
| CVE-2025-5127 | 1 Flir | 2 Flir Ax8, Flir Ax8 Firmware | 2025-10-15 | 3.5 Low |
| A vulnerability was determined in Teledyne FLIR AX8 up to 1.46.16. This issue affects some unknown processing of the file /prod.php. Executing manipulation of the argument cmd can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 1.49.16 is capable of addressing this issue. It is recommended to upgrade the affected component. The vendor points out: "FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities." | ||||
| CVE-2024-4337 | 1 Adive | 1 Framework | 2025-10-15 | 7.6 High |
| Adive Framework 2.0.8, does not sufficiently encode user-controlled inputs, resulting in a persistent Cross-Site Scripting (XSS) vulnerability via the /adive/admin/nav/add, in multiple parameters. This vulnerability allows an attacker to retrieve the session details of an authenticated user. | ||||
| CVE-2025-3789 | 1 Jsite | 1 Jsite | 2025-10-15 | 3.5 Low |
| A vulnerability was found in baseweb JSite 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /a/sys/area/save. The manipulation of the argument Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-60447 | 2 Emlog, Emlog Pro Project | 2 Emlog, Emlog Pro | 2025-10-15 | 5.9 Medium |
| A stored Cross-Site Scripting (XSS) vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists in the email template configuration component located at /admin/setting.php?action=mail, which allows administrators to input HTML code that is not properly sanitized, leading to persistent JavaScript execution. | ||||
| CVE-2025-40615 | 1 Bookgy | 1 Bookgy | 2025-10-14 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) vulnerability in Bookgy. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the "TEXTO" parameter in /api/api_ajustes.php. | ||||
| CVE-2025-40616 | 1 Bookgy | 1 Bookgy | 2025-10-14 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) vulnerability in Bookgy. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the "IDRESERVA" parameter in /bkg_imprimir_comprobante.php. | ||||
| CVE-2025-59839 | 2 Mediawiki, Star-citizen | 2 Mediawiki, Embedvideo | 2025-10-14 | 8.6 High |
| The EmbedVideo Extension is a MediaWiki extension which adds a parser function called #ev and various parser tags for embedding video clips from various video sharing services. In versions 4.0.0 and prior, the EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext. This issue has been patched via commit 4e075d3. | ||||
| CVE-2025-57434 | 1 Creacast | 1 Creabox Manager | 2025-10-14 | 8.8 High |
| Creacast Creabox Manager contains a critical authentication flaw that allows an attacker to bypass login validation. The system grants access when the username is creabox and the password begins with the string creacast, regardless of what follows. | ||||
| CVE-2025-55888 | 1 Ard | 2 Ard, Gec En Ligne | 2025-10-14 | 7.3 High |
| Cross-Site Scripting (XSS) vulnerability was discovered in the Ajax transaction manager endpoint of ARD. An attacker can intercept the Ajax response and inject malicious JavaScript into the accountName field. This input is not properly sanitized or encoded when rendered, allowing script execution in the context of users browsers. This flaw could lead to session hijacking, cookie theft, and other malicious actions. | ||||
| CVE-2025-55887 | 1 Ard | 2 Ard, Gec En Ligne | 2025-10-14 | 6.1 Medium |
| Cross-Site Scripting (XSS) vulnerability was discovered in the meal reservation service ARD. The vulnerability exists in the transactionID GET parameter on the transaction confirmation page. Due to improper input validation and output encoding, an attacker can inject malicious JavaScript code that is executed in the context of a user s browser. This can lead to session hijacking, theft of cookies, and other malicious actions performed on behalf of the victim. | ||||
| CVE-2025-29156 | 1 Smartbear | 1 Swagger Petstore | 2025-10-14 | 6.1 Medium |
| Cross Site Scripting vulnerability in petstore v.1.0.7 allows a remote attacker to execute arbitrary code via a crafted script to the /api/v3/pet | ||||
| CVE-2025-2364 | 1 Lenve | 1 Vblog | 2025-10-14 | 3.5 Low |
| A vulnerability classified as problematic was found in lenve VBlog up to 1.0.0. Affected by this vulnerability is the function addNewArticle of the file blogserver/src/main/java/org/sang/service/ArticleService.java. The manipulation of the argument mdContent/htmlContent leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-58177 | 1 N8n | 1 N8n | 2025-10-14 | 5.4 Medium |
| n8n is an open source workflow automation platform. From 1.24.0 to before 1.107.0, there is a stored cross-site scripting (XSS) vulnerability in @n8n/n8n-nodes-langchain.chatTrigger. An authorized user can configure the LangChain Chat Trigger node with malicious JavaScript in the initialMessages field and enable public access so that the payload is executed in the browser of any user who visits the resulting public chat URL. This can be used for phishing or to steal cookies or other sensitive data from users accessing the public chat link. The issue is fixed in version 1.107.0. Updating to 1.107.0 or later is recommended. As a workaround, the affected chatTrigger node can be disabled. No other workarounds are known. | ||||
| CVE-2024-5532 | 1 Microfocus | 1 Operations Agent | 2025-10-14 | 4.8 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Operations Agent. The XSS vulnerability could allow an attacker with local admin permissions to manipulate the content of the internal status page of the Agent on the local system. This issue affects Operations Agent: 12.20, 12.21, 12.22, 12.23, 12.24, 12.25, 12.26. | ||||
| CVE-2024-28804 | 1 Italtel | 1 I-mcs Nfv | 2025-10-14 | 7.1 High |
| An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. Stored Cross-site scripting (XSS) can occur via POST. | ||||
| CVE-2024-28803 | 1 Italtel | 1 I-mcs Nfv | 2025-10-14 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability in Italtel S.p.A. i-MCS NFV v.12.1.0-20211215 allows unauthenticated remote attackers to inject arbitrary web script or HTML into HTTP/POST parameter | ||||
| CVE-2025-1534 | 1 Payara | 1 Payara | 2025-10-14 | 5.4 Medium |
| CVE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Payara Platform Payara Server allows : Remote Code Inclusion.This issue affects Payara Server: from 4.1.2.1919.1 before 4.1.2.191.51, from 5.20.0 before 5.68.0, from 6.0.0 before 6.23.0, from 6.2022.1 before 6.2025.2. | ||||
| CVE-2024-45389 | 2 Cloudcannon, Pagefind | 2 Pagefind, Pagefind | 2025-10-14 | 6.4 Medium |
| Pagefind, a fully static search library, initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script the user loads. This information is gathered by looking up the value of `document.currentScript.src`. Prior to Pagefind version 1.1.1, it is possible to "clobber" this lookup with otherwise benign HTML on the page. This will cause `document.currentScript.src` to resolve as an external domain, which will then be used by Pagefind to load dependencies. This exploit would only work in the case that an attacker could inject HTML to a live, hosted, website. In these cases, this would act as a way to escalate the privilege available to an attacker. This assumes they have the ability to add some elements to the page (for example, `img` tags with a `name` attribute), but not others, as adding a `script` to the page would itself be the cross-site scripting vector. Pagefind has tightened this resolution in version 1.1.1 by ensuring the source is loaded from a valid script element. There are no reports of this being exploited in the wild via Pagefind. | ||||
| CVE-2025-46102 | 1 Beakon | 1 Learning Management System Sharable Content Object Reference Model | 2025-10-14 | 5.4 Medium |
| Cross Site Scripting vulnerability in Beakon Software Beakon Learning Management System Sharable Content Object Reference Model (SCORM) version V.5.4.3 allows a remote attacker to obtain sensitive information via the URL parameter | ||||