ReportizFlow
Filtered by vendor
Subscriptions
Total
42879 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-3789 | 1 Jsite | 1 Jsite | 2025-10-15 | 3.5 Low |
| A vulnerability was found in baseweb JSite 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /a/sys/area/save. The manipulation of the argument Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-60447 | 2 Emlog, Emlog Pro Project | 2 Emlog, Emlog Pro | 2025-10-15 | 5.9 Medium |
| A stored Cross-Site Scripting (XSS) vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists in the email template configuration component located at /admin/setting.php?action=mail, which allows administrators to input HTML code that is not properly sanitized, leading to persistent JavaScript execution. | ||||
| CVE-2025-40615 | 1 Bookgy | 1 Bookgy | 2025-10-14 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) vulnerability in Bookgy. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the "TEXTO" parameter in /api/api_ajustes.php. | ||||
| CVE-2025-40616 | 1 Bookgy | 1 Bookgy | 2025-10-14 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) vulnerability in Bookgy. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the "IDRESERVA" parameter in /bkg_imprimir_comprobante.php. | ||||
| CVE-2025-59839 | 2 Mediawiki, Star-citizen | 2 Mediawiki, Embedvideo | 2025-10-14 | 8.6 High |
| The EmbedVideo Extension is a MediaWiki extension which adds a parser function called #ev and various parser tags for embedding video clips from various video sharing services. In versions 4.0.0 and prior, the EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext. This issue has been patched via commit 4e075d3. | ||||
| CVE-2025-55888 | 1 Ard | 2 Ard, Gec En Ligne | 2025-10-14 | 7.3 High |
| Cross-Site Scripting (XSS) vulnerability was discovered in the Ajax transaction manager endpoint of ARD. An attacker can intercept the Ajax response and inject malicious JavaScript into the accountName field. This input is not properly sanitized or encoded when rendered, allowing script execution in the context of users browsers. This flaw could lead to session hijacking, cookie theft, and other malicious actions. | ||||
| CVE-2025-55887 | 1 Ard | 2 Ard, Gec En Ligne | 2025-10-14 | 6.1 Medium |
| Cross-Site Scripting (XSS) vulnerability was discovered in the meal reservation service ARD. The vulnerability exists in the transactionID GET parameter on the transaction confirmation page. Due to improper input validation and output encoding, an attacker can inject malicious JavaScript code that is executed in the context of a user s browser. This can lead to session hijacking, theft of cookies, and other malicious actions performed on behalf of the victim. | ||||
| CVE-2025-29156 | 1 Smartbear | 1 Swagger Petstore | 2025-10-14 | 6.1 Medium |
| Cross Site Scripting vulnerability in petstore v.1.0.7 allows a remote attacker to execute arbitrary code via a crafted script to the /api/v3/pet | ||||
| CVE-2025-2364 | 1 Lenve | 1 Vblog | 2025-10-14 | 3.5 Low |
| A vulnerability classified as problematic was found in lenve VBlog up to 1.0.0. Affected by this vulnerability is the function addNewArticle of the file blogserver/src/main/java/org/sang/service/ArticleService.java. The manipulation of the argument mdContent/htmlContent leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-11570 | 2025-10-14 | 4.6 Medium | ||
| Versions of the package drupal-pattern-lab/unified-twig-extensions from 0.0.0 are vulnerable to Cross-site Scripting (XSS) due to insufficient filtering of data. **Note:** This is exploitable only if the code is executed outside of Drupal; the function is intended to be shared between Drupal and Pattern Lab. The package drupal-pattern-lab/unified-twig-extensions is unmaintained, the fix for this issue exists in version 1.1.1 of [drupal/unified_twig_ext](https://www.drupal.org/project/unified_twig_ext) | ||||
| CVE-2025-11450 | 1 Servicenow | 1 Servicenow | 2025-10-14 | N/A |
| ServiceNow has addressed a reflected cross-site scripting vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could result in arbitrary code being executed within the browsers of ServiceNow users who click on a specially crafted link. ServiceNow has addressed this vulnerability by deploying a relevant security update to the majority of hosted instances. Relevant security updates also have been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Further, the vulnerability is addressed in the listed patches and hot fixes. We recommend customers promptly apply appropriate updates or upgrade if they have not already done so. | ||||
| CVE-2025-11449 | 1 Servicenow | 1 Servicenow | 2025-10-14 | N/A |
| ServiceNow has addressed a reflected cross-site scripting vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could result in arbitrary code being executed within the browsers of ServiceNow users who click on a specially crafted link. ServiceNow has addressed this vulnerability by deploying a relevant security update to the majority of hosted instances. Relevant security updates also have been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configuration. Further, the vulnerability is addressed in the listed patches and hot fixes. We recommend customers promptly apply appropriate updates or upgrade if they have not already done so. | ||||
| CVE-2025-61532 | 1 Meeco | 1 Svx Portal | 2025-10-14 | 6.1 Medium |
| Cross Site Scripting vulnerability in SVX Portal v.2.7A to execute arbitrary code via the TG parameter on last_heard_page.php component | ||||
| CVE-2025-61773 | 1 Pyload | 1 Pyload | 2025-10-14 | 8.1 High |
| pyLoad is a free and open-source download manager written in Python. In versions prior to 0.5.0b3.dev91, pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This flaw allowed untrusted user input to be processed unsafely, which could be exploited by an attacker to inject arbitrary content into the web UI or manipulate request handling. The vulnerability could lead to client-side code execution (XSS) or other unintended behaviors when a malicious payload is submitted. user-supplied parameters from HTTP requests were not adequately validated or sanitized before being passed into the application logic and response generation. This allowed crafted input to alter the expected execution flow. CNL (Click'N'Load) blueprint exposed unsafe handling of untrusted parameters in HTTP requests. The application did not consistently enforce input validation or encoding, making it possible for an attacker to craft malicious requests. Version 0.5.0b3.dev91 contains a patch for the issue. | ||||
| CVE-2025-60869 | 2025-10-14 | 7.3 High | ||
| Publii CMS v0.46.5 (build 17089) allows persistent Cross-Site Scripting (XSS) via unsanitized input in configuration fields such as "Site Description" and "Footer Follow Buttons". An attacker can inject arbitrary JavaScript, which is stored in the project and executed in the browsers of remote visitors viewing the generated static site. | ||||
| CVE-2025-11184 | 2025-10-14 | N/A | ||
| Cross-site scripting vulnerability in QGIS QWC2 Registration GUI <=v2025.03.31 allows an authorized attacker to plant arbitrary JavaScript code in the page | ||||
| CVE-2025-11183 | 2025-10-14 | N/A | ||
| Cross-Site Scripting vulnerability in attribute table in QGIS QWC2 <2025.08.14 allows an authorized attacker to plant arbitrary JavaScript code in the page | ||||
| CVE-2025-58177 | 1 N8n | 1 N8n | 2025-10-14 | 5.4 Medium |
| n8n is an open source workflow automation platform. From 1.24.0 to before 1.107.0, there is a stored cross-site scripting (XSS) vulnerability in @n8n/n8n-nodes-langchain.chatTrigger. An authorized user can configure the LangChain Chat Trigger node with malicious JavaScript in the initialMessages field and enable public access so that the payload is executed in the browser of any user who visits the resulting public chat URL. This can be used for phishing or to steal cookies or other sensitive data from users accessing the public chat link. The issue is fixed in version 1.107.0. Updating to 1.107.0 or later is recommended. As a workaround, the affected chatTrigger node can be disabled. No other workarounds are known. | ||||
| CVE-2024-5532 | 1 Microfocus | 1 Operations Agent | 2025-10-14 | 4.8 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Operations Agent. The XSS vulnerability could allow an attacker with local admin permissions to manipulate the content of the internal status page of the Agent on the local system. This issue affects Operations Agent: 12.20, 12.21, 12.22, 12.23, 12.24, 12.25, 12.26. | ||||
| CVE-2024-28804 | 1 Italtel | 1 I-mcs Nfv | 2025-10-14 | 7.1 High |
| An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. Stored Cross-site scripting (XSS) can occur via POST. | ||||