ReportizFlow
Filtered by vendor
Subscriptions
Total
42864 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-58465 | 1 Qnap | 3 Download Station, Qts, Quts Hero | 2025-11-17 | 5.4 Medium |
| A cross-site scripting (XSS) vulnerability has been reported to affect Download Station. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: Download Station 5.10.0.305 ( 2025/09/16 ) and later Download Station 5.10.0.304 ( 2025/09/08 ) and later | ||||
| CVE-2025-41101 | 1 Fairsketch | 2 Rise Crm Framework, Rise Ultimate Project Manager | 2025-11-17 | 5.4 Medium |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in'/projects/save'. | ||||
| CVE-2025-41102 | 1 Fairsketch | 2 Rise Crm Framework, Rise Ultimate Project Manager | 2025-11-17 | 5.4 Medium |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in '/events/save'. | ||||
| CVE-2025-41103 | 1 Fairsketch | 2 Rise Crm Framework, Rise Ultimate Project Manager | 2025-11-17 | 5.4 Medium |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'reply_message' in '/messages/reply'. | ||||
| CVE-2025-41104 | 1 Fairsketch | 2 Rise Crm Framework, Rise Ultimate Project Manager | 2025-11-17 | 5.4 Medium |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'custom_field_1' in '/estimate_requests/save_estimate_request'. | ||||
| CVE-2025-41105 | 1 Fairsketch | 2 Rise Crm Framework, Rise Ultimate Project Manager | 2025-11-17 | 5.4 Medium |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in '/tickets/save'. | ||||
| CVE-2025-41106 | 1 Fairsketch | 2 Rise Crm Framework, Rise Ultimate Project Manager | 2025-11-17 | 5.4 Medium |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'first_name' in '/clients/save_contact/'. | ||||
| CVE-2025-11189 | 1 Synchroweb | 1 Kiwire | 2025-11-17 | 7.3 High |
| The Kiwire Captive Portal contains a reflected cross-site scripting (XSS) vulnerability within the login-url parameter, allowing for Javascript execution. | ||||
| CVE-2025-60378 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | 8.1 High |
| Stored HTML injection in RISE Ultimate Project Manager & CRM allows authenticated users to inject arbitrary HTML into invoices and messages. Injected content renders in emails, PDFs, and messaging/chat modules sent to clients or team members, enabling phishing, credential theft, and business email compromise. Automated recurring invoices and messaging amplify the risk by distributing malicious content to multiple recipients. | ||||
| CVE-2025-13097 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-11-17 | 5.4 Medium |
| Inappropriate implementation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2025-9647 | 1 Mtons | 1 Mblog | 2025-11-15 | 4.3 Medium |
| A weakness has been identified in mtons mblog up to 3.5.0. This issue affects some unknown processing of the file /admin/role/list. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-54168 | 1 Qnap | 1 Qulog Center | 2025-11-14 | 4.8 Medium |
| A cross-site scripting (XSS) vulnerability has been reported to affect QuLog Center. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following version: QuLog Center 1.8.2.923 ( 2025/08/27 ) and later | ||||
| CVE-2025-57706 | 1 Qnap | 1 File Station | 2025-11-14 | 5.4 Medium |
| A cross-site scripting (XSS) vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5018 and later | ||||
| CVE-2020-0656 | 1 Microsoft | 1 Dynamics 365 | 2025-11-14 | 5.4 Medium |
| A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server, aka 'Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability'. | ||||
| CVE-2025-11960 | 1 Aryom | 1 Kvknet | 2025-11-14 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aryom Software High Technology Systems Inc. KVKNET allows Reflected XSS.This issue affects KVKNET: before 2.1.8. | ||||
| CVE-2025-24297 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 9.8 Critical |
| Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users personal spaces of the web portal. | ||||
| CVE-2025-41107 | 1 Qdocs | 1 Smart School | 2025-11-14 | 5.4 Medium |
| Stored Cross Site Scripting (XSS) vulnerability in Smart School 7.0 due to lack of proper validation of user input when sending a POST request to '/online_admission', wich affects the parameters 'firstname', 'lastname', 'guardian_name' and others. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal his/her session cookie details. | ||||
| CVE-2025-64744 | 1 Openobserve | 1 Openobserve | 2025-11-14 | 3.5 Low |
| OpenObserve is a cloud-native observability platform. In versions up to and including 0.16.1, when creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This indicates that user-controlled input is inserted into the email template without proper HTML escaping. As of time of publication, no patched versions are available. | ||||
| CVE-2025-10295 | 2 Kayapati, Wordpress | 2 Angel, Wordpress | 2025-11-14 | 6.4 Medium |
| The Angel – Fashion Model Agency WordPress CMS Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting the profile media uploader in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires the user has access to the edit profile form with the media upload option. | ||||
| CVE-2025-12904 | 1 Wordpress | 1 Wordpress | 2025-11-14 | 7.2 High |
| The SNORDIAN's H5PxAPIkatchu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'insert_data' AJAX endpoint in all versions up to, and including, 0.4.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||