
3237 matches found

Source: Cvelist | added 2025/02/26 12:00 a.m. | 10 views

CVE-2024-46226

A stored cross-site scripting (XSS) vulnerability in HelpDeskZ v2.0.2 allows remote attackers to execute arbitrary JavaScript in the administration panel by including a malicious payload into the file name and upload file function when creating a new ticket...

EPSS 0.00072
Exploits: 0 | References: 1
Source: OSV | added 2025/02/25 1:36 a.m. | 9 views

CVE-2025-27145 copyparty renders unsanitized filenames as HTML when user uploads empty files

copyparty, a portable file server, has a DOM-based cross-site scripting vulnerability in versions prior to 1.16.15. The vulnerability is considered low-risk. By handing someone a maliciously-named file, and then tricking them into dragging the file into copyparty's Web-UI, an attacker could execu...

CVSS 3.6 | AI score 6.5 | EPSS 0.00297
Exploits: 1 | References: 5
Source: CNNVD | added 2025/02/24 12:00 a.m. | 2 views

Copyparty security vulnerability

Copyparty is a portable file server for individual developers. A security vulnerability exists in Copyparty versions prior to 1.16.15. An attacker exploiting this vulnerability could execute arbitrary JavaScript with the same privileges as the user...

CVSS 6.1 | AI score 6.8 | EPSS 0.00297
Exploits: 1 | References: 4
Source: RedhatCVE | added 2025/02/21 9:25 a.m. | 9 views

CVE-2025-1024

A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. This requires Administration privileges and affects the EID parameter. The flaw allows an attacker to...

CVSS 8.4 | AI score 6.1 | EPSS 0.00168
Exploits: 1 | References: 1
Source: OSV | added 2025/02/20 10:31 a.m. | 10 views

BIT-DISCOURSE-2025-22602 Stored DOM-based XSS (without CSP) via video placeholders in Discourse

Discourse is an open source platform for community discussion. In affected versions an attacker can execute arbitrary JavaScript on users' browsers by posting a malicious video placeholder HTML element. This issue only affects sites with CSP disabled. This problem has been patched in the latest...

CVSS 6.5 | AI score 6.7 | EPSS 0.00147
Exploits: 0 | References: 2
Source: OSV | added 2025/02/19 9:15 a.m. | 9 views

CVE-2025-1024

A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. This requires Administration privileges and affects the EID parameter. The flaw allows an attacker to...

CVSS 4.8 | AI score 6.1
Exploits: 0 | References: 1
Source: Veracode | added 2025/02/18 8:53 a.m. | 8 views

Cross-site Scripting (XSS)

Vega and vega-selections are vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper function invocation, the vlSelectionTuples function allowing attacker-controlled input to execute arbitrary JavaScript via Function, leading to potential code execution...

CVSS 6.9 | AI score 6.7 | EPSS 0.00182
Exploits: 0 | References: 4 | Affected software: 2
Source: CNVD | added 2025/02/17 12:00 a.m. | 9 views

IBM Sterling B2B Integrator Cross-Site Scripting Vulnerability (CNVD-2025-04978)

IBM Sterling B2B Integrator is a suite of software from International Business Machines (IBM) that integrates critical B2B processes, transactions and relationships. The software supports secure integration of complex B2B processes with diverse partner communities. A cross-site scripting...

CVSS 6.4 | AI score 6.1 | EPSS 0.00137
Exploits: 0 | References: 1
Source: GithubExploit | added 2025/02/16 8:05 a.m. | 75 views

Exploit for Cross-site Scripting in Phpgurukul Student_Study_Center_Management_System

Published-CVE This repository contains descriptions and explo...

CVSS 9.8 | AI score 7.8 | EPSS 0.30651
Exploits: 9
Source: OSV | added 2025/02/14 8:15 p.m. | 2 views

UBUNTU-CVE-2025-25304

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to version 5.26.0 of vega and 5.4.2 of vega-selections, the vlSelectionTuples function can be used to call JavaScript functions, leading to cross-site...

CVSS 6.9 | AI score 5.8 | EPSS 0.00182
Exploits: 0 | References: 5
Source: Snyk | added 2025/02/14 7:41 p.m. | 3 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the vlSelectionTuples function, allowing the usage of Function with arbitrary JavaScript code. Details: Cross-site scripting or XSS is a code vulnerability that occurs when an attacker "injects" a malicious...

CVSS 6.9 | AI score 5.3 | EPSS 0.00182
Exploits: 0 | References: 2
Source: Debian CVE | added 2025/02/14 7:28 p.m. | 2 views

CVE-2025-25304

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to version 5.26.0 of vega and 5.4.2 of vega-selections, the vlSelectionTuples function can be used to call JavaScript functions, leading to cross-site...

CVSS 6.9 | AI score 5.6 | EPSS 0.00182
Exploits: 0
Source: OSV | added 2025/02/14 5:33 p.m. | 10 views

GHSA-MP7W-MHCV-673J Vega allows Cross-site Scripting via the vlSelectionTuples function

Summary: The vlSelectionTuples function can be used to call JavaScript functions, leading to XSS. Details: vlSelectionTuples calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument. Example call: vlSelectionTuplesdatum:, fields:getter:...

CVSS 6.9 | AI score 6.4 | EPSS 0.00182
Exploits: 0 | References: 5
Source: SUSE CVE | added 2025/02/14 4:20 a.m. | 1 view

SUSE CVE-2024-49505

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in openSUSE Tumbleweed MirrorCache allows the execution of arbitrary JS via reflected XSS in the REGEX and P parameters. This issue affects MirrorCache before 1.083...

CVSS 6.1 | AI score 6 | EPSS 0.0032
Exploits: 1 | References: 3
Source: Veracode | added 2025/02/11 7:15 a.m. | 6 views

Cross-Site Scripting (XSS)

@nuxtjs/mdc is vulnerable to cross-site scripting (XSS). The vulnerability is due to a deny-list approach in URL parsing that fails to properly filter encoded HTML entities, allowing an attacker to bypass security checks and execute arbitrary JavaScript...

CVSS 9.3 | AI score 9 | EPSS 0.00043
Exploits: 0 | References: 4 | Affected software: 1
Source: CNNVD | added 2025/02/11 12:00 a.m. | 2 views

NetVision Information ISOinsight cross-site scripting vulnerability

NetVision Information ISOinsight is an operations and maintenance management platform from China's Zhengbang Information (NetVision Information). A cross-site scripting vulnerability exists in NetVision Information ISOinsight. An attacker can exploit this vulnerability to execute arbitrary JavaScri...

CVSS 6.1 | AI score 6.5 | EPSS 0.00391
Exploits: 0 | References: 2
Source: RedhatCVE | added 2025/02/08 6:23 p.m. | 3 views

CVE-2025-24981

MDC is a tool to take regular Markdown and write documents interacting deeply with a Vue component. In affected versions unsafe parsing logic of the URL from markdown can lead to arbitrary JavaScript code due to a bypass to the existing guards around the javascript: protocol scheme in the URL. Th...

CVSS 9.3 | AI score 6.2 | EPSS 0.00043
Exploits: 0 | References: 1
Source: CVE | added 2025/02/07 10:38 p.m. | 57 views

CVE-2025-25187

CVE-2025-25187 (Joplin) is a cross-site scripting vulnerability in Joplin prior to version 3.1.24. The issue arises from inserting note titles with React dangerouslySetInnerHTML without escaping HTML entities, and the app's lack of a restrictive Content-Security-Policy for script-src. Combined wi...

CVSS 7.8 | AI score 7.5 | EPSS 0.00593
Exploits: 1 | References: 4 | Affected software: 1
Source: OSV | added 2025/02/07 10:38 p.m. | 7 views

CVE-2025-25187 Cross-site Scripting in Goto Anything allows arbitrary code execution in Joplin

Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React's dangerouslySetInnerHTML, without first escaping HTML entities. Joplin lacks a...

CVSS 7.8 | AI score 7.6 | EPSS 0.00593
Exploits: 1 | References: 6
Source: RedhatCVE | added 2025/02/07 6:04 p.m. | 8 views

CVE-2025-22602

Discourse is an open source platform for community discussion. In affected versions an attacker can execute arbitrary JavaScript on users' browsers by posting a malicious video placeholder HTML element. This issue only affects sites with CSP disabled. This problem has been patched in the latest...

CVSS 6.5 | AI score 7 | EPSS 0.00147
Exploits: 0 | References: 1