Total
40069 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-9981 | 1 Opensolution | 1 Quick.cms | 2025-11-17 | N/A | 4.8 MEDIUM |
| QuickCMS is vulnerable to multiple Stored XSS in slider editor functionality (sliders-form). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript into the website. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | |||||
| CVE-2025-58465 | 1 Qnap | 3 Download Station, Qts, Quts Hero | 2025-11-17 | N/A | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability has been reported to affect Download Station. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: Download Station 5.10.0.305 ( 2025/09/16 ) and later Download Station 5.10.0.304 ( 2025/09/08 ) and later | |||||
| CVE-2025-41101 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 5.4 MEDIUM |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in'/projects/save'. | |||||
| CVE-2025-41102 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 5.4 MEDIUM |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in '/events/save'. | |||||
| CVE-2025-41103 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 5.4 MEDIUM |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'reply_message' in '/messages/reply'. | |||||
| CVE-2025-41104 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 5.4 MEDIUM |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'custom_field_1' in '/estimate_requests/save_estimate_request'. | |||||
| CVE-2025-41105 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 5.4 MEDIUM |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in '/tickets/save'. | |||||
| CVE-2025-41106 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 5.4 MEDIUM |
| HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'first_name' in '/clients/save_contact/'. | |||||
| CVE-2025-11189 | 1 Synchroweb | 1 Kiwire | 2025-11-17 | N/A | 7.3 HIGH |
| The Kiwire Captive Portal contains a reflected cross-site scripting (XSS) vulnerability within the login-url parameter, allowing for Javascript execution. | |||||
| CVE-2025-60378 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-17 | N/A | 8.1 HIGH |
| Stored HTML injection in RISE Ultimate Project Manager & CRM allows authenticated users to inject arbitrary HTML into invoices and messages. Injected content renders in emails, PDFs, and messaging/chat modules sent to clients or team members, enabling phishing, credential theft, and business email compromise. Automated recurring invoices and messaging amplify the risk by distributing malicious content to multiple recipients. | |||||
| CVE-2025-13097 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-11-17 | N/A | 5.4 MEDIUM |
| Inappropriate implementation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2025-9647 | 1 Mtons | 1 Mblog | 2025-11-14 | 5.0 MEDIUM | 4.3 MEDIUM |
| A weakness has been identified in mtons mblog up to 3.5.0. This issue affects some unknown processing of the file /admin/role/list. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-54168 | 1 Qnap | 1 Qulog Center | 2025-11-14 | N/A | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability has been reported to affect QuLog Center. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following version: QuLog Center 1.8.2.923 ( 2025/08/27 ) and later | |||||
| CVE-2025-57706 | 1 Qnap | 1 File Station | 2025-11-14 | N/A | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5018 and later | |||||
| CVE-2020-0656 | 1 Microsoft | 1 Dynamics 365 | 2025-11-14 | 3.5 LOW | 5.4 MEDIUM |
| A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server, aka 'Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability'. | |||||
| CVE-2025-24297 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 9.8 CRITICAL |
| Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users personal spaces of the web portal. | |||||
| CVE-2025-41107 | 1 Qdocs | 1 Smart School | 2025-11-14 | N/A | 5.4 MEDIUM |
| Stored Cross Site Scripting (XSS) vulnerability in Smart School 7.0 due to lack of proper validation of user input when sending a POST request to '/online_admission', wich affects the parameters 'firstname', 'lastname', 'guardian_name' and others. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal his/her session cookie details. | |||||
| CVE-2025-59491 | 2025-11-14 | N/A | 6.1 MEDIUM | ||
| Cross Site Scripting vulnerability in CentralSquare Community Development 19.5.7 via form fields. | |||||
| CVE-2025-63419 | 2025-11-14 | N/A | 6.1 MEDIUM | ||
| Cross Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The Web-Based Server has a feature where users can share files, the feature reflects the filename to an emailbody field with no sanitations leading to HTML Injection. | |||||
| CVE-2025-60646 | 2025-11-14 | N/A | 6.1 MEDIUM | ||
| A stored cross-site scripting (XSS) in the Business Line Management module of Xxl-api v1.3.0 attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter. | |||||