CVE-2025-2703

The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript...

CVE-2025-2703

The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript...

XSS in Grafana XY Chart Plugin

The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript. This vulnerability first appeared in Grafana v11.1.0, and is fixed in 11.6.0+security-01, 11.5.3+security-01,...

CVE-2025-29526

The CVE-2025-29526 entry affects Q4 Inc Investor Relations Platform v5.147.1.2, where an unfiltered input in the SearchTerm parameter of the search function enables Cross-Site Scripting (XSS), allowing arbitrary Javascript execution. Affected component: Search feature; root cause: insufficient in...

Firefox ESR 115.11 - PDF.js Arbitrary JavaScript execution

Exploit Title: Firefox ESR 115.11 - Arbitrary JavaScript execution in PDF.js Date: 2025-04-16 Exploit Author: Milad Karimi Ex3ptionaL Contact: [email protected] Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL MiRROR-H: https://mirror-h.org/search/hacker/49626/ Vendor Homepage:...

The vulnerability of the SafeInspect system for privileged users relates to the lack of measures taken to protect the structure of the web page, allowing a perpetrator to execute arbitrary JavaScript code.

The vulnerability of the SafeInspect privilege control system is related to the lack of measures taken to protect the structure of the web page. Exploiting this vulnerability allows a malicious actor to execute arbitrary JavaScript code during the user creation process...

The vulnerability of the SafeInspect system for privileged users relates to the lack of measures taken to protect the structure of the web page, allowing a perpetrator to execute arbitrary JavaScript code.

The vulnerability of the SafeInspect privilege-controlled user control system is related to the lack of measures taken to protect the structure of the web page. Exploiting this vulnerability could allow a malicious actor, operating remotely, to execute arbitrary JavaScript code...

The vulnerability of the SafeInspect system for privileged users relates to the lack of measures taken to protect the structure of the web page, allowing a perpetrator to execute arbitrary JavaScript code.

The vulnerability of the SafeInspect privilege-controlled user control system is related to the lack of measures taken to protect the structure of the web page. Exploiting this vulnerability could allow a malicious actor, operating remotely, to execute arbitrary JavaScript code...

CVE-2025-22465

Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to execute arbitrary javascript in a victim's browser. Unlikely user interaction is required...

CVE-2025-31476

tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges access to the site's source code or a CMS plugin to enter a URL containing an insecure scheme such as javascript:alert. Before the fix, URL...

CVE-2025-22465

Ivanti Endpoint Manager is affected by CVE-2025-22465 (Reflected XSS) in versions older than 2024 SU1 or older than 2022 SU7. An unauthenticated remote attacker can cause the victim’s browser to execute arbitrary JavaScript. The issue arises from insufficient input handling in the web interface. ...

CVE-2025-22465

Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to execute arbitrary javascript in a victim's browser. Unlikely user interaction is required...

GHSA-P5G4-V748-6FH8 tarteaucitron.js allows url scheme injection via unfiltered inputs

A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges access to the site's source code or a CMS plugin to enter a URL containing an insecure scheme such as javascript:alert. Before the fix, URL validation was insufficient, which could allow arbitrary JavaScript...

tarteaucitron.js allows url scheme injection via unfiltered inputs

A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges access to the site's source code or a CMS plugin to enter a URL containing an insecure scheme such as javascript:alert. Before the fix, URL validation was insufficient, which could allow arbitrary JavaScript...

CVE-2025-31476 tarteaucitron.js allows url scheme injection via unfiltered inputs

tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges access to the site's source code or a CMS plugin to enter a URL containing an insecure scheme such as javascript:alert. Before the fix, URL...

CVE-2025-31476 tarteaucitron.js allows url scheme injection via unfiltered inputs

tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges access to the site's source code or a CMS plugin to enter a URL containing an insecure scheme such as javascript:alert. Before the fix, URL...

tarteaucitron.js 跨站脚本漏洞

tarteaucitron.js is a cookie manager for the Amauri CHAMPEAUX individual developer. A cross-site scripting vulnerability exists in tarteaucitron.js that stems from insufficient URL validation and could lead to arbitrary JavaScript execution...

Miniflux Media Proxy vulnerable to Stored Cross-site Scripting due to improper Content-Security-Policy configuration

Summary Due to a weak Content Security Policy on the /proxy/ route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. Impact A malicious feed added to Miniflux can execute arbitrary JavaScript in the user's browser...

GHSA-CQ88-842X-2JHP Miniflux Media Proxy vulnerable to Stored Cross-site Scripting due to improper Content-Security-Policy configuration

Summary Due to a weak Content Security Policy on the /proxy/ route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. Impact A malicious feed added to Miniflux can execute arbitrary JavaScript in the user's browser...

CVE-2025-2946 Cross-Site Vulnerability(XSS) due to arbitrary HTML/JavaScript gets executed while query result rendering in Query Tool and View/Edit Data Tool of pgAdmin 4

pgAdmin = 9.1 is affected by a security vulnerability with Cross-Site ScriptingXSS. If attackers execute any arbitrary HTML/JavaScript in a user's browser through query result rendering, then HTML/JavaScript runs on the browser...