Total: 44865 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2025-10931 | 2: Drupal, Umami | 3: Drupal, Umami Analytics, Umami Analytics | 2025-12-03 | 3.8 Low | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scripting (XSS). This issue affects Umami Analytics: from 0.0.0 before 1.0.1. |
| CVE-2022-43984 | 1: Spatie | 1: Browsershot | 2025-12-03 | 8.2 High | Browsershot version 3.57.3 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the JS content imported from an external source passed to the Browsershot::html method does not contain URLs that use the file:// protocol. |
| CVE-2025-12083 | 2: Drupal, Salsa.digital | 3: Civictheme Design System, Drupal, Civictheme Design System | 2025-12-03 | 6.1 Medium | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS). This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0. |
| CVE-2022-41706 | 1: Spatie | 1: Browsershot | 2025-12-03 | 8.2 High | Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the URL protocol passed to the Browsershot::url method. |
| CVE-2025-39663 | 1: Checkmk | 1: Checkmk | 2025-12-03 | 8.4 High | Cross-Site Scripting (XSS) vulnerability in Checkmk's distributed monitoring allows a compromised remote site to inject malicious HTML code into service outputs in the central site. Affects Checkmk before 2.4.0p14, 2.3.0p39, 2.2.0 and 2.1.0 (EOL). |
| CVE-2022-43983 | 1: Spatie | 1: Browsershot | 2025-12-03 | 8.2 High | Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the HTML content passed to the Browsershot::html method does not contain URLs that use the file:// protocol. |
| CVE-2025-66359 | 1: Logpoint | 1: Siem | 2025-12-03 | 8.5 High | An issue was discovered in Logpoint before 7.7.0. Insufficient input validation and a lack of output escaping in multiple components lead to a cross-site scripting (XSS) vulnerability. |
| CVE-2025-65622 | 1: Snipeitapp | 1: Snipe-it | 2025-12-03 | 5.4 Medium | Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session. |
| CVE-2025-65961 | 1: Contao | 1: Contao | 2025-12-03 | 3.3 Low | Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves not using the affected templates or patching them manually. |
| CVE-2025-64049 | 1: Redaxo | 2: Redaxo, Redaxo Cms | 2025-12-03 | 4.8 Medium | A stored cross-site scripting (XSS) vulnerability in the module management component in REDAXO CMS 5.20.0 allows remote users to inject arbitrary web script or HTML via the Output code field in modules. The payload is executed when a user views or edits an article by adding a slice that uses the compromised module. |
| CVE-2025-66258 | 1: Dbbroadcast | 45: Mozart Dds Next 100, Mozart Dds Next 1000, Mozart Dds Next 1000 Firmware and 42 more | 2025-12-03 | 5.4 Medium | Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into patchlist.xml. User-controlled filenames are directly concatenated into `patchlist.xml` without encoding, allowing injection of malicious JavaScript payloads via crafted filenames (e.g., `<img src=x onerror=alert()>.bin`). The XSS executes when ajax.js processes and renders the XML file. |
| CVE-2025-21621 | 1: Geoserver | 1: Geoserver | 2025-12-03 | 6.1 Medium | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim's browser through specially crafted SLD_BODY parameters. This issue has been patched in version 2.25.0. |
| CVE-2025-66026 | 1: Redaxo | 1: Redaxo | 2025-12-03 | 6.1 Medium | REDAXO is a PHP-based CMS. Prior to version 5.20.1, a reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter args[types] is rendered into an info banner without HTML-escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link while logged in. This issue has been patched in version 5.20.1. |
| CVE-2025-51734 | 1: Hcltech | 1: Unica | 2025-12-02 | 5.4 Medium | Cross-site scripting (XSS) vulnerability in HCL Technologies Ltd. Unica 12.0.0. |
| CVE-2025-52667 | 2: Revive, Revive-adserver | 2: Adserver, Revive Adserver | 2025-12-02 | 5.4 Medium | Missing JSON Content-Type header in a script in Revive Adserver 6.0.1 and 5.5.2 and earlier versions makes a stored XSS attack possible for a logged-in manager user. |
| CVE-2025-52668 | 2: Revive, Revive-adserver | 2: Adserver, Revive Adserver | 2025-12-02 | 5.4 Medium | Improper input neutralization in the stats-conversions.php script in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes potential information disclosure and session hijacking via a stored XSS attack. |
| CVE-2025-56526 | 1: Cinnamon | 1: Kotaemon | 2025-12-02 | 6.1 Medium | Cross-site scripting (XSS) vulnerability in Kotaemon 0.11.0 allows attackers to execute arbitrary code via a crafted PDF. |
| CVE-2025-63526 | 2: Blood Bank Management System Project, Shridharshukl | 2: Blood Bank Management System, Blood Bank Management System | 2025-12-02 | 8.5 High | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System within the abs.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in the response. An attacker can inject malicious JavaScript payloads into the msg parameter, which is then executed in the victim's browser when the page is viewed. |
| CVE-2025-63528 | 2: Blood Bank Management System Project, Shridharshukl | 2: Blood Bank Management System, Blood Bank Management System | 2025-12-02 | 8.5 High | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the blooddinfo.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in the response. An attacker can inject malicious JavaScript payloads into the error parameter, which is then executed in the victim's browser when the page is viewed. |
| CVE-2025-63527 | 2: Blood Bank Management System Project, Shridharshukl | 2: Blood Bank Management System, Blood Bank Management System | 2025-12-02 | 8.5 High | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the updateprofile.php and hprofile.php components. The application fails to properly sanitize or encode user-supplied input before rendering it in the response. An attacker can inject malicious JavaScript payloads into the hname, hemail, hpassword, hphone and hcity parameters, which are then executed in the victim's browser when the page is viewed. |