Total
40069 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-64745 | 1 Astro | 1 Astro | 2025-11-25 | N/A | 2.7 LOW |
| Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links. Version 5.15.6 fixes the issue. | |||||
| CVE-2025-65019 | 1 Astro | 1 Astro | 2025-11-25 | N/A | 5.4 MEDIUM |
| Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections. This issue has been patched in version 5.15.9. | |||||
| CVE-2025-5411 | 1 Mist | 1 Mist | 2025-11-25 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in Mist Community Edition up to 4.7.1. It has been rated as problematic. This issue affects the function tag_resources of the file src/mist/api/tag/views.py. The manipulation of the argument tag leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.7.2 is able to address this issue. The patch is named db10ecb62ac832c1ed4924556d167efb9bc07fad. It is recommended to upgrade the affected component. | |||||
| CVE-2025-5412 | 1 Mist | 1 Mist | 2025-11-25 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability classified as problematic has been found in Mist Community Edition up to 4.7.1. Affected is the function Login of the file src/mist/api/views.py of the component Authentication Endpoint. The manipulation of the argument return_to leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.7.2 is able to address this issue. The name of the patch is db10ecb62ac832c1ed4924556d167efb9bc07fad. It is recommended to upgrade the affected component. | |||||
| CVE-2025-55303 | 1 Astro | 1 Astro | 2025-11-25 | N/A | 6.1 MEDIUM |
| Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18. | |||||
| CVE-2022-2685 | 1 Janobe | 1 Interview Management System | 2025-11-25 | N/A | 3.5 LOW |
| A vulnerability was found in SourceCodester Interview Management System 1.0 and classified as problematic. This issue affects some unknown processing of the file /addQuestion.php. The manipulation of the argument question with the input <script>alert(1)</script> leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-205673 was assigned to this vulnerability. | |||||
| CVE-2024-47885 | 1 Astro | 1 Astro | 2025-11-25 | N/A | 5.9 MEDIUM |
| The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to version 4.16.1. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has *stored* attacker-controlled scriptless HTML elements (i.e., `iframe` tags with unsanitized `name` attributes) on the destination pages. This vulnerability can result in cross-site scripting (XSS) attacks on websites that built with Astro that enable the client-side routing with `ViewTransitions` and store the user-inserted scriptless HTML tags without properly sanitizing the `name` attributes on the page. Version 4.16.1 contains a patch for this issue. | |||||
| CVE-2024-36625 | 1 Zulip | 1 Zulip | 2025-11-25 | N/A | 5.4 MEDIUM |
| Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the replace_emoji_with_text function in ui_util.ts. | |||||
| CVE-2024-36624 | 1 Zulip | 1 Zulip | 2025-11-25 | N/A | 5.4 MEDIUM |
| Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the construct_copy_div function in copy_and_paste.js. | |||||
| CVE-2025-5092 | 2025-11-24 | N/A | 6.4 MEDIUM | ||
| Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled lightGallery library (<= 2.8.3) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-51662 | 1 Lanol | 1 Filecodebox | 2025-11-24 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability is found in the text sharing feature of FileCodeBox version 2.2 and earlier. Insufficient input validation allows attackers to inject arbitrary JavaScript code into shared text "codeboxes". The xss payload is automatically executed in the browsers of any users who try to access the infected codebox by clicking link or entering share code. | |||||
| CVE-2025-13484 | 1 Campcodes | 1 Online Beauty Parlor Management System | 2025-11-24 | 3.3 LOW | 2.4 LOW |
| A vulnerability was identified in Campcodes Complete Online Beauty Parlor Management System 1.0. This vulnerability affects unknown code of the file /admin/customer-list.php. The manipulation of the argument Name leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. | |||||
| CVE-2025-13412 | 1 Campcodes | 1 Retro Basketball Shoes Online Store | 2025-11-24 | 3.3 LOW | 2.4 LOW |
| A vulnerability was determined in Campcodes Retro Basketball Shoes Online Store 1.0. Affected by this issue is some unknown functionality of the file /admin/admin_running.php. Executing manipulation of the argument product_name can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2025-55059 | 1 Maxum | 1 Rumpus | 2025-11-24 | N/A | 4.8 MEDIUM |
| CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') | |||||
| CVE-2025-26391 | 1 Solarwinds | 1 Observability Self-hosted | 2025-11-24 | N/A | 5.4 MEDIUM |
| SolarWinds Observability Self-Hosted XSS Vulnerability. The SolarWinds Platform was susceptible to a XSS vulnerability that affects user-created URL fields. This vulnerability requires authentication from a low-level account. | |||||
| CVE-2025-55056 | 1 Maxum | 1 Rumpus | 2025-11-24 | N/A | 4.8 MEDIUM |
| Multiple CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') | |||||
| CVE-2025-7633 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2025-11-24 | N/A | 7.3 HIGH |
| Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Custom report. | |||||
| CVE-2025-13178 | 1 Bdtask | 1 Saleserp | 2025-11-24 | 4.0 MEDIUM | 3.5 LOW |
| A flaw has been found in Bdtask/CodeCanyon SalesERP up to 20250728. This vulnerability affects unknown code of the file /edit_profile of the component User Profile Handler. This manipulation of the argument first_name/last_name causes basic cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-62731 | 1 Soplanning | 1 Soplanning | 2025-11-24 | N/A | 4.8 MEDIUM |
| SOPlanning is vulnerable to Stored XSS in /feries endpoint. Malicious attacker with access to public holidays feature is able to inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. By default only administrators and users with special privileges are able to access this endpoint. This issue was fixed in version 1.55. | |||||
| CVE-2025-62729 | 1 Soplanning | 1 Soplanning | 2025-11-24 | N/A | 5.4 MEDIUM |
| SOPlanning is vulnerable to Stored XSS in /status endpoint. Malicious attacker with an account can inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. This issue was fixed in version 1.55. | |||||