Total: 34649 CVEs

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2025-5535 | | | 2025-06-26 | N/A | 6.4 MEDIUM | The e.nigma buttons plugin for WordPress is vulnerable to stored cross-site scripting via the plugin's 'button' shortcode in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
CVE-2025-5588 | | | 2025-06-26 | N/A | 6.4 MEDIUM | The Image Editor by Pixo plugin for WordPress is vulnerable to stored cross-site scripting via the 'download' parameter in all versions up to, and including, 2.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
CVE-2025-6258 | | | 2025-06-26 | N/A | 6.4 MEDIUM | The WP SoundSystem plugin for WordPress is vulnerable to stored cross-site scripting via the plugin's wpsstm-track shortcode in all versions up to, and including, 3.4.2 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
CVE-2024-11847 | Wp Svg Upload Project | Wp Svg Upload | 2025-06-25 | N/A | N/A | The wp-svg-upload WordPress plugin through 1.0.0 does not sanitize SVG file contents, which enables users with at least the author role to upload SVG files containing malicious JavaScript and so conduct stored XSS attacks.
CVE-2025-52876 | Jetbrains | Teamcity | 2025-06-25 | N/A | N/A | In JetBrains TeamCity before 2025.03.3, reflected XSS on the favoriteIcon page was possible.
CVE-2025-52875 | Jetbrains | Teamcity | 2025-06-25 | N/A | N/A | In JetBrains TeamCity before 2025.03.3, DOM-based XSS on the Performance Monitor page was possible.
CVE-2025-52877 | Jetbrains | Teamcity | 2025-06-25 | N/A | N/A | In JetBrains TeamCity before 2025.03.3, reflected XSS on the diskUsageBuildsStats page was possible.
CVE-2025-52879 | Jetbrains | Teamcity | 2025-06-25 | N/A | N/A | In JetBrains TeamCity before 2025.03.3, reflected XSS in the NPM Registry integration was possible.
CVE-2025-6473 | Fabian | School Fees Payment System | 2025-06-25 | N/A | 6.1 MEDIUM | A vulnerability classified as problematic was found in code-projects School Fees Payment System 1.0. It affects an unknown part of the file /fees.php; manipulation of the argument transcation_remark leads to cross-site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-6477 | Razormist | Student Result Management System | 2025-06-25 | N/A | 4.8 MEDIUM | A vulnerability classified as problematic was found in SourceCodester Student Result Management System 1.0. It affects unknown functionality of the file /script/admin/system in the System Settings Page component; manipulation of the argument School Name leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-5015 | | | 2025-06-25 | N/A | N/A | A cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one.
CVE-2025-48954 | | | 2025-06-25 | N/A | N/A | Discourse is an open-source discussion platform. Versions prior to 3.5.0.beta6 are vulnerable to cross-site scripting when social logins are used and the content security policy is not enabled. Version 3.5.0.beta6 patches the issue; as a workaround, enable the content security policy.
CVE-2025-6126 | Phpgurukul | Rail Pass Management System | 2025-06-24 | N/A | 5.4 MEDIUM | A vulnerability classified as problematic was found in PHPGurukul Rail Pass Management System 1.0. It affects unknown functionality of the file /contact.php; manipulation of the argument Name leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
CVE-2025-6125 | Phpgurukul | Rail Pass Management System | 2025-06-24 | N/A | 5.4 MEDIUM | A vulnerability classified as problematic was found in PHPGurukul Rail Pass Management System 1.0. It affects an unknown function of the file /admin/aboutus.php; manipulation of the argument pagedes leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-6127 | Phpgurukul | Nipah Virus Testing Management System | 2025-06-24 | N/A | 5.4 MEDIUM | A vulnerability rated as problematic was found in PHPGurukul Nipah Virus Testing Management System 1.0. It affects unknown functionality of the file /search-report.php; manipulation of the argument serachdata leads to cross-site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-9699 | Flatpress | Flatpress | 2025-06-24 | N/A | 5.4 MEDIUM | A vulnerability in the file upload functionality of the FlatPress CMS admin panel (latest version at the time of the report) allows an attacker to upload a file whose filename carries a JavaScript payload. This can lead to cross-site scripting (XSS) if the uploaded file is accessed by other users. The issue is fixed in version 1.4.dev.
CVE-2024-13209 | Redaxo | Redaxo | 2025-06-24 | N/A | 5.4 MEDIUM | A vulnerability classified as problematic was found in Redaxo CMS 5.18.1. It affects an unknown function of the file /index.php?page=structure&category_id=1&article_id=1&clang=1&function=edit_art&artstart=0 in the Structure Management Page component; manipulation of the argument Article Name leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-5258 | | | 2025-06-24 | N/A | 6.4 MEDIUM | The Conference Scheduler plugin for WordPress is vulnerable to stored cross-site scripting via the 'className' parameter in all versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
CVE-2025-43877 | | | 2025-06-24 | N/A | N/A | WRC-1167GHBK2-S contains a stored cross-site scripting vulnerability in its WebGUI. If exploited, an arbitrary script may be executed in the web browser of a user who accesses the product's WebGUI.
CVE-2025-52561 | | | 2025-06-23 | N/A | N/A | HTMLSanitizer.jl is a whitelist-based HTML sanitizer. Prior to version 0.2.1, when the style tag is added to the whitelist, content inside the tag is incorrectly unescaped, and closing tags injected as content are interpreted as real HTML, enabling tag injection and JavaScript execution. This could result in cross-site scripting (XSS) in any HTML sanitized with this library. The issue is patched in version 0.2.1. A workaround involves adding the math and svg elements to the whitelist manually.
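Most of the WordPress entries above (CVE-2025-5535, CVE-2025-5588, CVE-2025-6258, CVE-2025-5258) and the PHP application entries share one mechanism: a value a low-privileged user stored (a shortcode attribute, a 'className' or 'download' parameter, a form field) is later written into a page without escaping for the context it lands in. The example below is an added illustration of that pattern and its fix, not code from any of the listed plugins; the payloads, the `render_button_*` functions and the `audit` checker are constructed here. It shows a vulnerable renderer beside a hardened one, then re-parses the output the way a browser would to prove the difference. It also covers an edge the plugin descriptions do not spell out: escaping alone does nothing for a `javascript:` URL, which needs scheme validation.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed attacker-supplied attributes, modelled on the "user supplied
# attributes" / 'className' / 'download' cases. Hypothetical payloads, not
# taken from any advisory.
ATTACK_ATTRS = {
    "className": 'btn" onmouseover="alert(document.cookie)',  # breaks out of the attribute
    "label": "<img src=x onerror=alert(1)>",                   # injects markup into text
    "url": "javascript:alert(1)",                               # abuses the URL scheme
}

def render_button_vulnerable(attrs: dict) -> str:
    """Interpolates stored attributes straight into markup: the pattern the
    listed shortcode and widget bugs share. Filtering at save time does not
    fix this; a contributor-level account can still store the payload."""
    return '<a class="{className}" href="{url}">{label}</a>'.format(**attrs)

SAFE_SCHEMES = {"http", "https", "mailto"}

def safe_url(value: str) -> str:
    """Keep http(s)/mailto and relative URLs; replace anything else with '#'.
    Control characters and spaces are removed first because browsers skip
    them when recognising a scheme (e.g. 'java<TAB>script:')."""
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return "#"
    return html.escape(cleaned, quote=True)

def render_button_hardened(attrs: dict) -> str:
    """Escape each value for the context it lands in (attribute value vs.
    element text) and validate the URL; escaping alone would leave the
    javascript: href intact."""
    cls = html.escape(attrs.get("className", ""), quote=True)
    label = html.escape(attrs.get("label", ""), quote=False)
    url = safe_url(attrs.get("url", ""))
    return f'<a class="{cls}" href="{url}">{label}</a>'

class InjectionAudit(HTMLParser):
    """Parses rendered markup as a browser would and records any script
    element, on* handler attribute, or javascript: URL that survived."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")
            elif name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}=javascript:")

def audit(markup: str) -> list:
    """Return the list of injection findings for a rendered fragment."""
    parser = InjectionAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for render in (render_button_vulnerable, render_button_hardened):
        out = render(ATTACK_ATTRS)
        print(render.__name__, "->", out, audit(out))
```

In WordPress terms the hardened renderer corresponds to wrapping each attribute in the escaping helper for its context (`esc_attr`, `esc_html`, `esc_url`) at output time; the point of the audit function is that the check is done on the rendered result, where the browser's parse is what matters, rather than on the stored input.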
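The wp-svg-upload entry (CVE-2024-11847) is the SVG variant of stored XSS: an SVG is an XML document that may carry `<script>`, event-handler attributes and `javascript:` links, so accepting it unsanitized from an author-level account is accepting HTML. The following is an added upload-time gate written for this page, not the plugin's code; the sample files are constructed, and the element and attribute lists are a conservative choice of this example. It parses the file, refuses DOCTYPE/entity declarations outright, and reports every scriptable construct it finds rather than silently stripping, so a practitioner can log what was attempted.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample uploads (not files from any report).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#09f"/>
</svg>"""

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(document.domain)</script>
  <a xlink:href="javascript:alert(1)"><text y="20">click</text></a>
  <circle cx="5" cy="5" r="4" onload="alert(2)"/>
</svg>"""

# Elements that let an SVG run script or embed arbitrary HTML.
FORBIDDEN_ELEMENTS = {"script", "foreignObject"}
# Attributes that take a URL and so can carry a javascript: scheme.
URI_ATTRS = {"href", "src"}

def local_name(qname: str) -> str:
    """Strip an ElementTree namespace prefix: '{ns}href' -> 'href'."""
    return qname.rsplit("}", 1)[-1]

def svg_findings(data: bytes) -> list:
    """Return the reasons an SVG upload should be rejected (empty = clean)."""
    # Refuse any DOCTYPE or entity declaration up front: entity expansion and
    # external entities are a separate problem class, and no icon needs them.
    if re.search(rb"<!DOCTYPE|<!ENTITY", data, re.I):
        return ["doctype/entity declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if local_name(root.tag) != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for el in root.iter():                      # document order, root included
        name = local_name(el.tag)
        if name in FORBIDDEN_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            a = local_name(attr).lower()        # xlink:href -> href
            if a.startswith("on"):              # onload, onclick, ...
                findings.append(f"<{name}> {a} handler")
            elif a in URI_ATTRS:
                v = re.sub(r"[\x00-\x20]", "", value)   # browsers skip these in schemes
                if v.lower().startswith("javascript:"):
                    findings.append(f"<{name}> {a}=javascript:")
    return findings

def accept_svg_upload(data: bytes) -> bool:
    """Upload-time gate: True only for a clean, well-formed SVG."""
    return not svg_findings(data)

if __name__ == "__main__":
    print("benign:", svg_findings(BENIGN_SVG))
    print("malicious:", svg_findings(MALICIOUS_SVG))
```

Two caveats a practitioner would add. Files exported by design tools often carry a harmless DOCTYPE, so a production filter would strip it rather than reject the file, while still never resolving entities. And a parse-time gate is defence at one layer only; serving uploads from a separate origin, or with a `Content-Security-Policy` that forbids script, limits the damage if a bypass is found.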
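The HTMLSanitizer.jl entry (CVE-2025-52561) describes a failure class that is independent of the library: `<style>` and `<script>` are raw-text elements, so a browser never decodes entities inside them and ends them only at the matching close tag. A sanitizer that decodes entities in that content and re-emits it can manufacture a real `</style>` that was not in the input, and everything after it re-enters the browser's tokenizer as markup. The block below is an added Python model of that class written for this page; it is not the library's Julia code, and reading "incorrectly unescaped" as entity decoding of the raw text is this example's assumption. The toy allow-list, the `sanitize` function and the payload are constructed here. The same block runs the sanitizer in the buggy mode and in a fixed mode, and counts the start tags a browser would see in each result.

```python
import html
import re
from html.parser import HTMLParser

ALLOWED = {"p", "b", "i", "style"}   # hypothetical allow-list that admits <style>
RAW_TEXT = {"style", "script"}        # browsers parse their content as raw text

class Sanitizer(HTMLParser):
    """Toy allow-list sanitizer. unescape_raw_text=True reproduces the failure
    class from the advisory (a constructed model, not the library's code)."""
    def __init__(self, unescape_raw_text: bool):
        super().__init__(convert_charrefs=True)
        self.unescape_raw_text = unescape_raw_text
        self.out = []
        self.raw_tag = None
        self.raw_buf = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                        # drop unknown tags, keep their content
        self.out.append(f"<{tag}>")       # attributes dropped for brevity
        if tag in RAW_TEXT:
            self.raw_tag = tag

    def handle_data(self, data):
        if self.raw_tag:
            self.raw_buf.append(data)     # raw text arrives with entities undecoded
        else:
            self.out.append(html.escape(data, quote=False))

    def handle_endtag(self, tag):
        if tag == self.raw_tag:
            text = "".join(self.raw_buf)
            self.raw_buf = []
            if self.unescape_raw_text:
                text = html.unescape(text)        # BUG: '&lt;/style&gt;' becomes a real end tag
            elif "</" in text or "<!--" in text:
                text = ""                         # FIX: raw text may never contain an end tag
            self.out.append(text)
            self.raw_tag = None
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

def sanitize(markup: str, unescape_raw_text: bool) -> str:
    """Run the toy sanitizer in buggy (True) or fixed (False) mode."""
    s = Sanitizer(unescape_raw_text)
    s.feed(markup)
    s.close()
    return "".join(s.out)

def start_tags(markup: str) -> list:
    """Names of the elements a browser would open when parsing the result."""
    return re.findall(r"<([A-Za-z]\w*)", markup)

# Constructed payload: the end tag and the <img> are entity-encoded, so the
# input itself is harmless to a browser; only the sanitizer makes it live.
PAYLOAD = "<style>&lt;/style&gt;&lt;img src=x onerror=alert(1)&gt;</style>"

if __name__ == "__main__":
    for mode in (True, False):
        out = sanitize(PAYLOAD, unescape_raw_text=mode)
        print("unescape_raw_text=%s -> %s  tags=%s" % (mode, out, start_tags(out)))
```

The durable fix is to treat raw-text elements exactly as the HTML tokenizer does: never decode their content and never let it re-enter the parser, or keep `<style>` off the allow-list altogether. The Discourse entry (CVE-2025-48954) is a reminder that a content security policy is the second layer when the sanitizer is the one that fails.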