Total
35306 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-3806 | 2025-04-19 | 2.4 Low | ||
| A vulnerability, which was classified as problematic, has been found in dazhouda lecms up to 3.0.3. Affected by this issue is some unknown functionality of the file /admin of the component Edit Profile Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-3801 | 2025-04-19 | 2.4 Low | ||
| A vulnerability was found in songquanpeng one-api up to 0.6.10. It has been classified as problematic. This affects an unknown part of the component System Setting Handler. The manipulation of the argument Homepage Content leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-3661 | 2025-04-19 | 6.4 Medium | ||
| The SB Chart block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-3809 | 2025-04-19 | 7.2 High | ||
| The Debug Log Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the auto-refresh debug log in all versions up to, and including, 2.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-3275 | 2025-04-19 | 6.4 Medium | ||
| The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the TF E Slider widget in all versions up to, and including, 2.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-1457 | 2025-04-19 | 6.4 Medium | ||
| The Element Pack Addons for Elementor – Free Templates and Widgets for Your WordPress Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Wrapper Link, Countdown and Gallery widgets in all versions up to, and including, 5.10.28 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-25427 | 2025-04-19 | N/A | ||
| A stored cross-site scripting (XSS) vulnerability in the upnp.htm page of the web Interface in TP-Link WR841N v14/v14.6/v14.8 <= Build 241230 Rel. 50788n allows remote attackers to inject arbitrary JavaScript code via the port mapping description. This leads to an execution of the JavaScript payload when the upnp page is loaded. | ||||
| CVE-2025-3795 | 2025-04-18 | 2.4 Low | ||
| A vulnerability was found in DaiCuo 1.3.13. It has been rated as problematic. Affected by this issue is some unknown functionality of the component SEO Optimization Settings Section. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-41447 | 2025-04-18 | 5.4 Medium | ||
| A stored cross-site scripting (XSS) vulnerability in Alkacon OpenCMS v17.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the author parameter under the Create/Modify article function. | ||||
| CVE-2025-29513 | 2025-04-18 | 6.1 Medium | ||
| Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code in the admin API Access token generator. | ||||
| CVE-2025-29512 | 2025-04-18 | 6.1 Medium | ||
| Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code and potentially render the blacklist IP functionality unusable until content is removed via the database. | ||||
| CVE-2024-31828 | 1 Lavalite | 1 Lavalite | 2025-04-18 | 6.1 Medium |
| Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensitive information via a crafted payload to the URL. | ||||
| CVE-2024-31741 | 1 1234n | 1 Minicms | 2025-04-18 | 6.1 Medium |
| Cross Site Scripting vulnerability in MiniCMS v.1.11 allows a remote attacker to run arbitrary code via crafted string in the URL after login. | ||||
| CVE-2024-2603 | 1 Salonbookingsystem | 1 Salon Booking System | 2025-04-18 | 6.3 Medium |
| The Salon booking system WordPress plugin through 9.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin (or editor depending on Salon booking system WordPress plugin through 9.6.5 configuration) to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-31609 | 1 Bosscms | 1 Bosscms | 2025-04-18 | 7.1 High |
| Cross Site Scripting (XSS) vulnerability in BOSSCMS v3.10 allows attackers to run arbitrary code via the header code and footer code fields in code configuration. | ||||
| CVE-2024-55342 | 1 Dotnetfoundation | 1 Piranha Cms | 2025-04-18 | 4.7 Medium |
| A file upload functionality in Piranha CMS 11.1 allows authenticated remote attackers to upload a crafted PDF file to /manager/media. This PDF can contain malicious JavaScript code, which is executed when a victim user opens or interacts with the PDF in their web browser, leading to a XSS vulnerability. | ||||
| CVE-2020-22540 | 1 Codologic | 1 Codoforum | 2025-04-18 | 5.4 Medium |
| Stored Cross-Site Scripting (XSS) vulnerability in Codoforum v4.9, allows attackers to execute arbitrary code and obtain sensitive information via crafted payload to Category name component. | ||||
| CVE-2024-32505 | 1 Wpmet | 1 Elements Kit Elementor Addons | 2025-04-18 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wpmet Elements kit Elementor addons allows Stored XSS.This issue affects Elements kit Elementor addons: from n/a through 3.0.6. | ||||
| CVE-2024-4061 | 1 Ays-pro | 1 Survey Maker | 2025-04-18 | 4.8 Medium |
| The Survey Maker WordPress plugin before 4.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-40124 | 2025-04-18 | 5.4 Medium | ||
| Pydio Core <= 8.2.5 is vulnerable to Cross Site Scripting (XSS) via the New URL Bookmark feature. | ||||