ReportizFlow
Filtered by vendor
Subscriptions
Total
43807 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-27800 | 1 Episerver | 2 Episerver, Episerver Cms | 2026-04-15 | 4.8 Medium |
| The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser. The Admin dashboard offered the functionality to add gadgets to the dashboard. This included the "Notes" gadget. An authenticated attacker with the corresponding access rights (such as "WebAdmin") that was impersonating the victim could insert malicious JavaScript code in these notes that would be executed if the victim visited the dashboard. Affected products: Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5), Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3) | ||||
| CVE-2025-27801 | 1 Episerver | 2 Episerver, Episerver Cms | 2026-04-15 | 4.8 Medium |
| The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser. ContentReference properties, which could be used in the "Edit" section of the CMS, offered an upload functionality for documents. These documents could later be used as displayed content on the page. It was possible to upload SVG files that include malicious JavaScript code that would be executed if a user visited the direct URL of the preview image. Attackers needed at least the role "WebEditor" in order to exploit this issue. Affected products: Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5), Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3) | ||||
| CVE-2025-27802 | 1 Episerver | 2 Episerver, Episerver Cms | 2026-04-15 | 4.8 Medium |
| The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser. RTE properties (text fields), which could be used in the "Edit" section of the CMS, allowed the input of arbitrary text. It was possible to input malicious JavaScript code in these properties that would be executed if a user visits the previewed page. Attackers needed at least the role "WebEditor" in order to exploit this issue. Affected products: Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5), Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3) | ||||
| CVE-2025-24841 | 2026-04-15 | N/A | ||
| Movable Type contains a stored cross-site scripting vulnerability in the HTML edit mode of MT Block Editor. It is exploitable when TinyMCE6 is used as a rich text editor and an arbitrary script may be executed on a logged-in user's web browser. | ||||
| CVE-2024-28126 | 2026-04-15 | 6.1 Medium | ||
| Cross-site scripting vulnerability exists in 0ch BBS Script ver.4.00. An arbitrary script may be executed on the web browser of the user accessing the website that uses the product. Note that the developer was unreachable, therefore, users should consider stop using 0ch BBS Script ver.4.00. | ||||
| CVE-2025-51863 | 2026-04-15 | 6.1 Medium | ||
| Self Cross Site Scripting (XSS) vulnerability in ChatGPT Unli (ChatGPTUnli.com) thru 2025-05-26 allows attackers to execute arbitrary code via a crafted SVG file to the chat interface. | ||||
| CVE-2024-27162 | 1 Toshibatec | 50 E-studio-2010-ac, E-studio-2015-nc, E-studio-2018 A and 47 more | 2026-04-15 | 6.1 Medium |
| Toshiba printers provide a web interface that will load the JavaScript file. The file contains insecure codes vulnerable to XSS and is loaded inside all the webpages provided by the printer. An attacker can steal the cookie of an admin user. As for the affected products/models/versions, see the reference URL. | ||||
| CVE-2025-12032 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.4 Medium |
| The Zweb Social Mobile – Ứng Dụng Nút Gọi Mobile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘vithanhlam_zsocial_save_messager’, 'vithanhlam_zsocial_save_zalo', 'vithanhlam_zsocial_save_hotline', and 'vithanhlam_zsocial_save_contact' parameters in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2024-32548 | 1 Hideki Tanaka | 1 Whats New Generator | 2026-04-15 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hideki Tanaka What's New Generator allows Stored XSS.This issue affects What's New Generator: from n/a through 2.0.2. | ||||
| CVE-2024-32547 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.8 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Max Bond Code Insert Manager (Q2W3 Inc Manager) allows Reflected XSS.This issue affects Code Insert Manager (Q2W3 Inc Manager): from n/a through 2.5.3. | ||||
| CVE-2025-68012 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dmytro Shteflyuk CodeColorer codecolorer allows Stored XSS.This issue affects CodeColorer: from n/a through <= 0.10.1. | ||||
| CVE-2025-9823 | 1 Mautic | 1 Mautic | 2026-04-15 | N/A |
| SummaryA Cross-Site Scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user’s session. This occurs because user-supplied input is reflected back in the server’s response without proper sanitization or escaping, potentially enabling malicious actions such as session hijacking, credential theft, or unauthorized actions in the application. DetailsThe vulnerability resides in the “Tags” input field on the /s/ajax?action=lead:addLeadTags endpoint. Although the server applies sanitization before storing the data or returning it later, the payload is executed immediately in the victim’s browser upon reflection, allowing an attacker to run arbitrary JavaScript in the user’s session. ImpactA Reflected XSS attack can have a significant impact, allowing attackers to steal sensitive user data like cookies, redirect users to malicious websites, manipulate the web page content, and essentially take control of a user's session within an application by executing malicious JavaScript code within the victim's browser, even if the server-side code is secure; essentially enabling them to perform actions as if they were the logged-in user. References * Web Security Academy: Cross-site scripting https://portswigger.net/web-security/cross-site-scripting * Web Security Academy: Reflected cross-site scripting https://portswigger.net/web-security/cross-site-scripting/reflected | ||||
| CVE-2024-31972 | 2026-04-15 | 4.3 Medium | ||
| EnGenius ESR580 A8J-EMR5000 devices allow a remote attacker to conduct stored XSS attacks that could lead to arbitrary JavaScript code execution (under the context of the user's session) via the Wi-Fi SSID input fields. Web scripts embedded into the vulnerable fields this way are executed immediately when a user logs into the admin page. This affects /admin/wifi/wlan1 and /admin/wifi/wlan_guest. | ||||
| CVE-2025-9158 | 1 Bestpractical | 1 Request Tracker | 2026-04-15 | N/A |
| The Request Tracker software is vulnerable to a Stored XSS vulnerability in calendar invitation parsing feature, which displays invitation data without HTML sanitization. XSS vulnerability allows an attacker to send a specifically crafted e-mail enabling JavaScript code execution by displaying the ticket in the context of the logged-in user. This vulnerability affects versions from 5.0.4 through 5.0.8 and from 6.0.0 through 6.0.1. | ||||
| CVE-2025-9226 | 1 Zohocorp | 3 Manageengine Netflow Analyzer, Manageengine Opmanager, Manageengine Oputils | 2026-04-15 | 4.6 Medium |
| Zohocorp ManageEngine OpManager, NetFlow Analyzer, and OpUtils versions prior to 128582 are affected by a stored cross-site scripting vulnerability in the Subnet Details. | ||||
| CVE-2025-7618 | 1 Asustor | 1 Adm | 2026-04-15 | N/A |
| A stored Cross-Site Scripting (XSS) vulnerability vulnerability was found in the File Explorer and Text Editor of ADM. An attacker could exploit this vulnerability to inject malicious scripts into the applications, which may then access cookies or other sensitive information retained by the browser and used with the affected applications. Affected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier, and Text Editor 1.0.0.r112 and earlier. | ||||
| CVE-2025-53482 | 2026-04-15 | 6.1 Medium | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - IPInfo Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - IPInfo Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | ||||
| CVE-2025-8695 | 2026-04-15 | 5.4 Medium | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netcad NetGIS Server allows Reflected XSS.This issue affects NetGIS Server: from 5.2.4 through 22.08.2025. | ||||
| CVE-2024-36064 | 1 Nllcom | 1 Acr Phone | 2026-04-15 | 6.2 Medium |
| The NLL com.nll.cb (aka ACR Phone) application through 0.330-playStore-NoAccessibility-arm8 for Android allows any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.nll.cb.dialer.dialer.DialerActivity component. | ||||
| CVE-2025-64112 | 1 Statamic | 1 Cms | 2026-04-15 | 8 High |
| Statmatic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This vulnerability is fixed in 5.22.1. | ||||