CVEs and Security Vulnerabilities CVEs and Security Vulnerabilities

Filtered by CWE-79

Filtered by vendor Subscriptions

Total 44797 CVE

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2025-60739	1 Ilevia	2 Eve X1 Server, Eve X1 Server Firmware	2025-12-30	9.6 Critical
Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /bh_web_backend component
CVE-2025-25939	1 Reprisesoftware	1 Reprise License Manager	2025-12-30	6.1 Medium
Reprise License Manager 14.2 is vulnerable to reflected cross-site scripting in /goform/activate_process via the akey parameter.
CVE-2025-66021	1 Owasp	1 Java Html Sanitizer	2025-12-30	6.1 Medium
OWASP Java HTML Sanitizer is a configureable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1, OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which is not mentioned in HTML policy. At time of publication no known patch is available.
CVE-2024-58323	1 Kentico	1 Xperience	2025-12-30	5.4 Medium
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Checkbox form component. This allows malicious scripts to execute in users' browsers by exploiting HTML support in the form builder.
CVE-2024-58322	1 Kentico	1 Xperience	2025-12-30	5.4 Medium
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious code into shipping options configuration. This could lead to potential theft of sensitive data by executing malicious scripts in users' browsers.
CVE-2024-58321	1 Kentico	1 Xperience	2025-12-30	5.4 Medium
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form validation rule configuration. Attackers can exploit this vulnerability to execute malicious scripts that will run in users' browsers.
CVE-2024-58319	1 Kentico	1 Xperience	2025-12-30	6.1 Medium
A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Pages dashboard widget configuration dialog. Attackers can exploit this vulnerability to execute malicious scripts in administrative users' browsers.
CVE-2024-58318	1 Kentico	1 Xperience	2025-12-30	6.1 Medium
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the rich text editor component for page and form builders. Attackers can exploit this vulnerability by entering malicious URIs, potentially allowing malicious scripts to execute in users' browsers.
CVE-2023-53738	1 Kentico	1 Xperience	2025-12-30	5.4 Medium
A reflected cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts via page preview URLs. Attackers can exploit this vulnerability to execute arbitrary scripts in users' browsers during page preview interactions.
CVE-2023-53737	1 Kentico	1 Xperience	2025-12-30	4.8 Medium
A stored cross-site scripting vulnerability in Kentico Xperience allows global administrators to inject malicious payloads via the Localization application. Attackers can execute scripts that could affect multiple parts of the administration interface.
CVE-2023-53736	1 Kentico	1 Xperience	2025-12-30	5.4 Medium
A reflected cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts in the administration interface. Attackers can exploit this vulnerability to execute arbitrary scripts within the administrative context.
CVE-2022-50685	1 Kentico	1 Xperience	2025-12-30	5.4 Medium
A stored cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts via XML file uploads as page attachments or metafiles. Attackers can upload malicious XML files that enable stored XSS, allowing malicious scripts to execute in users' browsers.
CVE-2022-50684	1 Kentico	1 Xperience	2025-12-30	6.1 Medium
An HTML injection vulnerability in Kentico Xperience allows attackers to inject malicious HTML values into form submission emails via unencoded form fields. Unencoded form values could enable HTML content execution in recipient email clients, potentially compromising email security.
CVE-2022-50683	1 Kentico	1 Xperience	2025-12-30	5.4 Medium
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form redirect URL configuration. This allows malicious scripts to execute in users' browsers through unvalidated form configuration settings.
CVE-2022-50681	1 Kentico	1 Xperience	2025-12-30	6.1 Medium
A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via administration input fields in the Rich text editor component. Attackers can exploit this vulnerability to execute arbitrary scripts in users' browsers.
CVE-2022-50680	1 Kentico	1 Xperience	2025-12-30	4.8 Medium
A stored cross-site scripting vulnerability in Kentico Xperience allows administration users to inject malicious scripts via email marketing templates. Attackers can exploit this vulnerability to execute malicious scripts that could compromise user browsers and steal sensitive information.
CVE-2020-36891	1 Kentico	1 Xperience	2025-12-30	5.4 Medium
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to upload files with spoofed Content-Type that do not match file extensions. Attackers can exploit this vulnerability by uploading malicious files with manipulated MIME types, allowing malicious scripts to execute in users' browsers.
CVE-2020-36889	1 Kentico	1 Xperience	2025-12-30	5.4 Medium
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via error messages containing specially crafted object names. This allows malicious scripts to execute in users' browsers when administrators view error messages in the administration interface.
CVE-2025-52552	1 Fastgpt	1 Fastgpt	2025-12-29	6.1 Medium
FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute Parameter on login page is vulnerable to open redirect and DOM-based XSS. Improper validation and lack of sanitization of this parameter allows attackers execute malicious JavaScript or redirect them to attacker-controlled sites. This issue has been patched in version 4.9.12.
CVE-2025-64030	1 Chinasystems	1 Eximbills Enterprise	2025-12-29	5.4 Medium
Eximbills Enterprise 4.1.5 (Built on 2020-10-30) is vulnerable to authenticated stored cross-site scripting (CWE-79) via the /EximBillWeb/servlets/WSTrxManager endpoint. Unsanitized user input in the TMPL_INFO parameter is stored server-side and rendered to other users, enabling arbitrary JavaScript execution in their browsers.

« first previous Page 786 of 2240. next last »