CVE-2024-8101

A stored cross-site scripting XSS vulnerability exists in the Text Explorer component of aimhubio/aim version 3.23.0. The vulnerability arises due to the use of dangerouslySetInnerHTML without proper sanitization, allowing arbitrary JavaScript execution when rendering tracked texts. This can be...

CVE-2024-4023

A stored cross-site scripting XSS vulnerability exists in flatpressblog/flatpress version 1.3. When a user uploads a file with a .xsig extension and directly accesses this file, the server responds with a Content-type of application/octet-stream, leading to the file being processed as an HTML fil...

CVE-2024-12374

A stored cross-site scripting XSS vulnerability exists in automatic1111/stable-diffusion-webui version git 82a973c. An attacker can upload an HTML file, which the application interprets as content-type application/html. If a victim accesses the malicious link, it will execute arbitrary JavaScript...

CVE-2024-10727

A reflected cross-site scripting XSS vulnerability exists in phpipam/phpipam versions 1.5.0 through 1.6.0. The vulnerability arises when the application receives data in an HTTP request and includes that data within the immediate response in an unsafe manner. This allows an attacker to execute...

CVE-2024-8556

CVE-2024-8556 affects modelscope/agentscope with a stored XSS in the run-details view where a user-controllable run ID is appended and rendered as HTML, enabling arbitrary JavaScript in the victim’s browser. The issue is tied to dashboard.js rendering logic; PoC in Snyk shows a crafted run_id, co...

CVE-2024-8400 Stored XSS in gaizhenbiao/chuanhuchatgpt

A stored cross-site scripting XSS vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. The vulnerability allows an attacker to upload a malicious HTML file containing JavaScript code, which is then executed when the file is accessed. This can lead to the execution of arbitrar...

CVE-2024-10727 Cross-Site Scripting (XSS) in phpipam/phpipam

A reflected cross-site scripting XSS vulnerability exists in phpipam/phpipam versions 1.5.0 through 1.6.0. The vulnerability arises when the application receives data in an HTTP request and includes that data within the immediate response in an unsafe manner. This allows an attacker to execute...

CVE-2024-9311 Cross-Site Request Forgery to XSS in haotian-liu/llava

A Cross-Site Request Forgery CSRF vulnerability in haotian-liu/llava v1.2.0 LLaVA-1.6 allows an attacker to upload files with malicious content without authentication or user interaction. The uploaded file is stored in a predictable path, enabling the attacker to execute arbitrary JavaScript code...

CVE-2024-9107 Stored XSS in gaizhenbiao/chuanhuchatgpt

A stored cross-site scripting XSS vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, affecting version git 20b2e02. The vulnerability arises from improper sanitization of HTML tags in chat history uploads. Specifically, the sanitization logic fails to handle HTML tags within code...

CVE-2024-12374 Stored XSS in automatic1111/stable-diffusion-webui

A stored cross-site scripting XSS vulnerability exists in automatic1111/stable-diffusion-webui version git 82a973c. An attacker can upload an HTML file, which the application interprets as content-type application/html. If a victim accesses the malicious link, it will execute arbitrary JavaScript...

CVE-2024-12374

CVE-2024-12374 : Stored XSS in automatic1111/stable-diffusion-webui (git 82a973c). An attacker can upload an HTML file that the app treats as content-type application/html; when a victim visits the malicious link, arbitrary JavaScript runs in the browser. Connected documents confirm the vulnerabi...

FlatPress 跨站脚本漏洞

FlatPress is a lightweight, easy to set up flat file blogging engine from FlatPress open source. A cross-site scripting vulnerability exists in FlatPress version 1.3. An attacker can exploit this vulnerability to upload malicious files and execute arbitrary JavaScript code...

CVE-2024-55009

CVE-2024-55009 refers to a reflected XSS in AutoBib - Bibliographic collection management system (versions 3.1.140 and earlier). The vulnerability allows an attacker to cause arbitrary JavaScript execution in a victim’s browser by injecting a crafted payload into the WCE=topFrame&WCU= parameter. ...

CVE-2024-48761

Reflected XSS vulnerability in Celk Sistemas Celk Saude v.3.1.252.1 allows a remote attacker to inject arbitrary JavaScript code via the "erro" parameter...

CVE-2025-25929

A reflected cross-site scripting XSS vulnerability in the component /legacyui/quickReportServlet of Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the reportType parameter...

CVE-2025-27915

An issue was discovered in Zimbra Collaboration ZCS 9.0 and 10.0 and 10.1. A stored cross-site scripting XSS vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its...

CVE-2025-27914

An issue was discovered in Zimbra Collaboration ZCS 9.0 and 10.0 and 10.1. A Reflected Cross-Site Scripting XSS vulnerability exists in the /h/rest endpoint, allowing authenticated attackers to inject and execute arbitrary JavaScript in a victim's session. Exploitation requires a valid auth token...

CVE-2025-27914

CVE-2025-27914 affects Zimbra Collaboration (ZCS) 9.0, 10.0, and 10.1. It is a Reflected Cross-Site Scripting (XSS) vulnerability in the /h/rest endpoint that allows an authenticated attacker with a valid auth token to craft a URL which, when visited by a victim, can inject and execute arbitrary ...

CVE-2025-25929

A reflected cross-site scripting XSS vulnerability in the component /legacyui/quickReportServlet of Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the reportType parameter...

CVE-2025-25929

CVE-2025-25929 describes a reflected cross-site scripting (XSS) vulnerability in OpenMRS 2.4.3 Build 0ff0ed, affecting the component /legacyui/quickReportServlet. The issue allows an attacker to inject arbitrary JavaScript that executes in the context of a user’s browser via a crafted payload in ...