Export limit exceeded: 44185 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (44185 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-67163 | 1 Simplemachines | 3 Simple Machine Forum, Simple Machines Forum, Smf | 2025-12-31 | 6.1 Medium |
| A stored cross-site scripting (XSS) vulnerability in Simple Machines Forum v2.1.6 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Forum Name parameter. | ||||
| CVE-2025-44998 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 6.1 Medium |
| A stored cross-site scripting (XSS) vulnerability in the component /tinyfilemanager.php of TinyFileManager v2.4.7 allows attackers to execute arbitrary JavaScript or HTML via injecting a crafted payload into the js-theme-3 parameter. | ||||
| CVE-2021-40966 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 5.4 Medium |
| A Stored XSS exists in TinyFileManager All version up to and including 2.4.6 in /tinyfilemanager.php when the server is given a file that contains HTML and javascript in its name. A malicious user can upload a file with a malicious filename containing javascript code and it will run on any user browser when they access the server. | ||||
| CVE-2022-40490 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 4.8 Medium |
| Tiny File Manager v2.4.7 and below was discovered to contain a Cross Site Scripting (XSS) vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the name of an uploaded or already existing file. | ||||
| CVE-2025-63949 | 1 Yohanawi | 1 Hotel Management System | 2025-12-31 | 6.1 Medium |
| A Reflected Cross-Site Scripting (XSS) vulnerability in yohanawi Hotel Management System (commit 87e004a) allows a remote attacker to execute arbitrary web script via the 'error' parameter in pages/room.php. | ||||
| CVE-2025-15105 | 2 Getmaxun, Maxun | 2 Maxun, Maxun | 2025-12-31 | 3.7 Low |
| A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-35322 | 1 Airc | 1 Mynet | 2025-12-31 | 6.1 Medium |
| MyNET up to v26.08 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the ficheiro parameter. | ||||
| CVE-2024-40317 | 1 Airc | 1 Mynet | 2025-12-31 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability in MyNET up to v26.08 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the parameter HTTP. | ||||
| CVE-2025-64338 | 2 Clipbucket, Oxygenz | 2 Clipbucket, Clipbucket | 2025-12-31 | 9.0 Critical |
| ClipBucket v5 is an open source video sharing platform. In versions 5.5.2 - #156 and below, an authenticated regular user can create a photo collection whose Collection Name contains HTML/JavaScript payloads, which making ClipBucket’s Manage Photos feature vulnerable to Stored XSS. The payload is rendered unsafely in the Admin → Manage Photos interface, causing it to execute in the administrator’s browser, therefore allowing an attacker to target administrators and perform actions with elevated privileges. This issue is fixed in version 5.5.2 - #157. | ||||
| CVE-2023-53900 | 1 Spip | 1 Spip | 2025-12-31 | 8.8 High |
| Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking a crafted SVG logo that redirects to a potentially dangerous URL through improper file upload filtering. | ||||
| CVE-2025-62780 | 2 Changedetection, Dgtlmoon | 2 Changedetection, Changedetection.io | 2025-12-31 | 3.5 Low |
| changedetection.io is a free open source web page change detection tool. A Stored Cross Site Scripting is present in changedetection.io Watch update API in versions prior to 0.50.34 due to insufficient security checks. Two scenarios are possible. In the first, an attacker can insert a new watch with an arbitrary URL which really points to a web page. Once the HTML content is retrieved, the attacker updates the URL with a JavaScript payload. In the second, an attacker substitutes the URL in an existing watch with a new URL that is in reality a JavaScript payload. When the user clicks on *Preview* and then on the malicious link, the JavaScript malicious code is executed. Version 0.50.34 fixes the issue. | ||||
| CVE-2025-52331 | 1 Rarlab | 1 Winrar | 2025-12-31 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability in the generate report functionality in Rarlab WinRAR 7.11, allows attackers to disclose user information such as the computer username, generated report directory, and IP address. The generate report command includes archived file names without validation in the HTML report, which allows potentially malicious HTML tags to be injected into the report. User interaction is required. User must use the "generate report" functionality and open the report. | ||||
| CVE-2025-59491 | 1 Centralsquare | 1 Community Development | 2025-12-31 | 6.1 Medium |
| Cross Site Scripting vulnerability in CentralSquare Community Development 19.5.7 via form fields. | ||||
| CVE-2025-63419 | 1 Crushftp | 1 Crushftp | 2025-12-31 | 6.1 Medium |
| Cross Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The Web-Based Server has a feature where users can share files, the feature reflects the filename to an emailbody field with no sanitations leading to HTML Injection. | ||||
| CVE-2025-32951 | 1 Haulmont | 4 Cuba Platform, Cuba Rest Api, Jmix Framework and 1 more | 2025-12-31 | 6.4 Medium |
| Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website. | ||||
| CVE-2024-55488 | 1 Umbraco | 1 Umbraco Cms | 2025-12-31 | 6.5 Medium |
| A stored cross-site scripting (XSS) vulnerability in Umbraco CMS v14.3.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. NOTE: This has been disputed by the vendor since this potential attack is only possible via authenticated users who have been manually allowed access to the CMS. There was a deliberate decision made not to apply HTML sanitization at the product level. | ||||
| CVE-2019-25241 | 1 Iwt | 2 Facesentry Access Control System, Facesentry Access Control System Firmware | 2025-12-31 | 7.5 High |
| FaceSentry Access Control System 6.4.8 contains a critical authentication vulnerability with hard-coded SSH credentials for the wwwuser account. Attackers can leverage the insecure sudoers configuration to escalate privileges and gain root access by executing sudo commands without authentication. | ||||
| CVE-2025-35029 | 2 Medical Informatics Engineering, Mieweb | 2 Enterprise Health, Enterprise Health | 2025-12-31 | 3.5 Low |
| Medical Informatics Engineering Enterprise Health has a stored cross site scripting vulnerability that allows an authenticated attacker to add arbitrary content in the 'Demographic Information' page. This content will be rendered and executed when a victim accesses it. This issue is fixed as of 2025-03-14. | ||||
| CVE-2025-61413 | 1 Dotnetfoundation | 1 Piranha Cms | 2025-12-31 | 6.1 Medium |
| A stored cross-site scripting (XSS) vulnerability in the /manager/pages component of Piranha CMS v12.0 allows attackers to execute arbitrary web scripts or HTML via creating a page and injecting a crafted payload into the Markdown blocks. | ||||
| CVE-2024-38963 | 1 Nopcommerce | 1 Nopcommerce | 2025-12-31 | 6.1 Medium |
| Nopcommerce 4.70.1 is vulnerable to Cross Site Scripting (XSS) via the combined "AddProductReview.Title" and "AddProductReview.ReviewText" parameter(s) (Reviews) when creating a new review. | ||||