Total
40069 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-1648 | 1 Fraserxu | 1 Electron-pdf | 2025-12-03 | N/A | 7.5 HIGH |
| electron-pdf version 20.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the HTML content entered by the user. | |||||
| CVE-2024-1647 | 1 Kumaf | 1 Pyhtml2pdf | 2025-12-03 | N/A | 7.5 HIGH |
| Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the HTML content entered by the user. | |||||
| CVE-2024-27287 | 1 Esphome | 1 Esphome | 2025-12-03 | N/A | 6.5 MEDIUM |
| ESPHome is a system to control your ESP8266/ESP32 for Home Automation systems. Starting in version 2023.12.9 and prior to version 2024.2.2, editing the configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) serves unsanitized data with `Content-Type: text/html; charset=UTF-8`, allowing a remote authenticated user to inject arbitrary web script and exfiltrate session cookies via Cross-Site scripting. It is possible for a malicious authenticated user to inject arbitrary Javascript in configuration files using a POST request to the /edit endpoint, the configuration parameter allows to specify the file to write. To trigger the XSS vulnerability, the victim must visit the page` /edit?configuration=[xss file]`. Abusing this vulnerability a malicious actor could perform operations on the dashboard on the behalf of a logged user, access sensitive information, create, edit and delete configuration files and flash firmware on managed boards. In addition to this, cookies are not correctly secured, allowing the exfiltration of session cookie values. Version 2024.2.2 contains a patch for this issue. | |||||
| CVE-2025-65676 | 1 Classroomio | 1 Classroomio | 2025-12-03 | N/A | 5.4 MEDIUM |
| Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG cover images. | |||||
| CVE-2025-4779 | 1 Lunary | 1 Lunary | 2025-12-03 | N/A | 6.1 MEDIUM |
| lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding an empty `citations` field, triggering a code path where `dangerouslySetInnerHTML` is used to render attacker-controlled text. This vulnerability allows the execution of arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious actions. | |||||
| CVE-2025-65956 | 1 Formwork Project | 1 Formwork | 2025-12-03 | N/A | 6.5 MEDIUM |
| Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0. | |||||
| CVE-2025-65027 | 2025-12-03 | N/A | 7.6 HIGH | ||
| RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. RomM contains multiple unrestricted file upload vulnerabilities that allow authenticated users to upload malicious SVG or HTML files. When these files are accessed the browser executes embedded JavaScript, leading to stored Cross-Site Scripting (XSS) which when combined with a CSRF misconfiguration they lead to achieve full administrative account takeover, creating a rogue admin account, escalating the attacker account role to admin, and much more. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2. | |||||
| CVE-2025-65186 | 1 Getgrav | 1 Grav | 2025-12-03 | N/A | 6.1 MEDIUM |
| Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown editor. The editor fails to properly sanitize <script> tags, allowing stored XSS payloads to execute when pages are viewed in the admin interface. | |||||
| CVE-2025-64070 | 1 Remyandrade | 1 Student Grades Management System | 2025-12-03 | N/A | 5.4 MEDIUM |
| Sourcecodester Student Grades Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in the Add New Subject Description field. | |||||
| CVE-2025-10931 | 1 Umami | 1 Umami Analytics | 2025-12-03 | N/A | 3.8 LOW |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scripting (XSS).This issue affects Umami Analytics: from 0.0.0 before 1.0.1. | |||||
| CVE-2025-12083 | 1 Salsa.digital | 1 Civictheme Design System | 2025-12-03 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS).This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0. | |||||
| CVE-2025-39663 | 1 Checkmk | 1 Checkmk | 2025-12-03 | N/A | 8.4 HIGH |
| Cross-Site Scripting (XSS) vulnerability in Checkmk's distributed monitoring allows a compromised remote site to inject malicious HTML code into service outputs in the central site. Affecting Checkmk before 2.4.0p14, 2.3.0p39, 2.2.0 and 2.1.0 (eol). | |||||
| CVE-2025-63401 | 2025-12-03 | N/A | 5.5 MEDIUM | ||
| Cross Site Scripting vulnerability in HCL Technologies Limited HCLTech DRAGON before v.7.6.0 allows a remote attacker to execute arbitrary code via missing directives | |||||
| CVE-2025-66359 | 1 Logpoint | 1 Siem | 2025-12-03 | N/A | 8.5 HIGH |
| An issue was discovered in Logpoint before 7.7.0. Insufficient input validation and a lack of output escaping in multiple components leads to a cross-site scripting (XSS) vulnerability. | |||||
| CVE-2025-65622 | 1 Snipeitapp | 1 Snipe-it | 2025-12-03 | N/A | 5.4 MEDIUM |
| Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session. | |||||
| CVE-2025-65961 | 1 Contao | 1 Contao | 2025-12-03 | N/A | 3.3 LOW |
| Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves not using the affected templates or patch them manually. | |||||
| CVE-2025-57202 | 2025-12-03 | N/A | 6.1 MEDIUM | ||
| A stored cross-site scripting (XSS) vulnerability in the PwdGrp.cgi endpoint of AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the username field. | |||||
| CVE-2025-20385 | 2025-12-03 | N/A | 2.4 LOW | ||
| In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, which could result in execution of unauthorized JavaScript code in the browser of a user. | |||||
| CVE-2025-64049 | 1 Redaxo | 1 Redaxo | 2025-12-03 | N/A | 4.8 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the module management component in REDAXO CMS 5.20.0 allows remote users to inject arbitrary web script or HTML via the Output code field in modules. The payload is executed when a user views or edits an article by adding slice that uses the compromised module. | |||||
| CVE-2025-66258 | 1 Dbbroadcast | 44 Mozart Dds Next 100, Mozart Dds Next 1000, Mozart Dds Next 1000 Firmware and 41 more | 2025-12-03 | N/A | 5.4 MEDIUM |
| Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into patchlist.xml. User-controlled filenames are directly concatenated into `patchlist.xml` without encoding, allowing injection of malicious JavaScript payloads via crafted filenames (e.g., `<img src=x onerror=alert()>.bin`). The XSS executes when ajax.js processes and renders the XML file. | |||||