ReportizFlow
Filtered by vendor
Subscriptions
Total
44797 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-35321 | 1 Airc | 1 Mynet | 2026-01-05 | 4.3 Medium |
| MyNET up to v26.08 was discovered to contain a Reflected cross-site scripting (XSS) vulnerability via the msgtipo parameter. | ||||
| CVE-2025-65790 | 1 Realtimelogic | 1 Fuguhub | 2026-01-05 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability exists in FuguHub 8.1 when serving SVG files through the /fs/ file manager interface. FuguHub does not sanitize or restrict script execution inside SVG content. When a victim opens a crafted SVG containing an inline <script> element, the browser executes the attacker-controlled JavaScript. | ||||
| CVE-2025-65837 | 2 Publiccms, Sanluan | 2 Publiccms, Publiccms | 2026-01-05 | 5.4 Medium |
| PublicCMS V5.202506.b is vulnerable to Cross Site Scripting (XSS) in the Content Search module. | ||||
| CVE-2025-9550 | 2 Drupal, Facets Project | 2 Drupal, Facets | 2026-01-05 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Facets allows Cross-Site Scripting (XSS).This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1. | ||||
| CVE-2024-20534 | 1 Cisco | 46 Desk Phone 9841, Desk Phone 9841 With Multiplatform Firmware, Desk Phone 9851 and 43 more | 2026-01-05 | 4.8 Medium |
| A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users. This vulnerability exists because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Note: To exploit this vulnerability, Web Access must be enabled on the phone and the attacker must have Admin credentials on the device. Web Access is disabled by default. | ||||
| CVE-2024-20533 | 1 Cisco | 46 Desk Phone 9841, Desk Phone 9841 With Multiplatform Firmware, Desk Phone 9851 and 43 more | 2026-01-05 | 4.8 Medium |
| A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users. This vulnerability exists because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Note: To exploit this vulnerability, Web Access must be enabled on the phone and the attacker must have Admin credentials on the device. Web Access is disabled by default. | ||||
| CVE-2025-65233 | 2 Slims, Slims Project | 2 Slims 9 Bulian, Slims | 2026-01-05 | 6.1 Medium |
| Reflected cross-site scripting (XSS) in SLiMS (slims9_bulian) before 9.6.0 via improper handling of $_SERVER['PHP_SELF' ] in index.php/sysconfig.inc.php, which allows remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted URL path. | ||||
| CVE-2024-6797 | 2 Dyadyalesha, Wordpress | 2 Dl Robots.txt, Wordpress | 2026-01-03 | 4.8 Medium |
| The DL Robots.txt WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2025-65237 | 2 Opencode, Opencode Systems | 2 Ussd Gateway, Ussd Gateway | 2026-01-02 | 6.1 Medium |
| A reflected cross-site scripted (XSS) vulnerability in OpenCode Systems USSD Gateway OC Release: 5 allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload. | ||||
| CVE-2025-35034 | 2 Medical Informatics Engineering, Mieweb | 2 Enterprise Health, Enterprise Health | 2026-01-02 | 4.3 Medium |
| Medical Informatics Engineering Enterprise Health has a reflected cross site scripting vulnerability in the 'portlet_user_id' URL parameter. A remote, unauthenticated attacker can craft a URL that can execute arbitrary JavaScript in the victim's browser. This issue is fixed as of 2025-03-14. | ||||
| CVE-2025-68935 | 1 Onlyoffice | 1 Document Server | 2026-01-02 | 6.4 Medium |
| ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer. | ||||
| CVE-2025-68936 | 1 Onlyoffice | 1 Document Server | 2026-01-02 | 6.4 Medium |
| ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer. | ||||
| CVE-2025-68942 | 1 Gitea | 1 Gitea | 2026-01-02 | 5.4 Medium |
| Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text. | ||||
| CVE-2025-66580 | 1 Openagentplatform | 1 Dive | 2026-01-02 | 9.7 Critical |
| Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary JavaScript via `javascript:`. An attacker can exploit this to inject a malicious Model Context Protocol (MCP) server configuration, leading to Remote Code Execution (RCE) on the victim's machine when the node is clicked. Version 0.11.1 fixes the issue. | ||||
| CVE-2025-68614 | 1 Librenms | 1 Librenms | 2026-01-02 | 4.3 Medium |
| LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.12.0, the Alert Rule API is vulnerable to stored cross-site scripting. Alert rules can be created or updated via LibreNMS API. The alert rule name is not properly sanitized, and can be used to inject HTML code. This issue has been patched in version 25.12.0. | ||||
| CVE-2025-68915 | 1 Riello-ups | 1 Netman 208 | 2026-01-02 | 5.5 Medium |
| Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/loginbanner_w.cgi XSS via a crafted banner. | ||||
| CVE-2025-67289 | 1 Frappe | 2 Erpnext, Frappe | 2026-01-02 | 9.6 Critical |
| An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file. | ||||
| CVE-2025-67290 | 1 Dotnetfoundation | 1 Piranha Cms | 2026-01-02 | 6.1 Medium |
| A stored cross-site scripting (XSS) vulnerability in the Page Settings module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Excerpt field. | ||||
| CVE-2025-67291 | 1 Dotnetfoundation | 1 Piranha Cms | 2026-01-02 | 6.1 Medium |
| A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field. | ||||
| CVE-2025-67443 | 1 Schlix | 1 Cms | 2026-01-02 | 6.1 Medium |
| Schlix CMS before v2.2.9-5 is vulnerable to Cross Site Scripting (XSS). Due to lack of javascript sanitization in the login form, incorrect login attempts in logs are triggered as XSS in the admin panel. | ||||