CVE-2024-56328

Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by posting a maliciously crafted onebox url. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are...

CVE-2021-39885

A Stored XSS in merge request creation page in all versions of Gitlab EE starting from 13.7 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious...

CVE-2021-39887

A stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in GitLab CE/EE version 8.4 and above allowed an attacker to execute arbitrary JavaScript code on the victim's behalf...

CVE-2024-49793

IBM ApplinX 11.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

CVE-2022-47197

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this...

Nuxt MDC 跨站脚本漏洞

Nuxt MDC is a Nuxt open source application that enhances regular Markdown. A cross-site scripting vulnerability exists in Nuxt MDC that stems from insecure parsing logic for URLs in Markdown, leading to arbitrary JavaScript code execution...

CVE-2022-1940

A Stored Cross-Site Scripting vulnerability in Jira integration in GitLab EE affecting all versions from 13.11 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf via specially crafted Jira Issues...

CVE-2020-13564

A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template aclid parameter...

CVE-2020-13562

A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnaerability in the phpGACL template action parameter...

CVE-2020-13563

A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template groupid parameter...

CVE-2024-47525

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting XSS vulnerability in the "Alert Rules" feature allows authenticated users to inject arbitrary JavaScript through the "Title" field. This vulnerability can lead to the execution of malicious...

CVE-2024-49579

In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests...

Checkmk 2.3.0p2 / NagVis 1.9.40 Cross Site Scripting Vulnerability

Title: Checkmk NagVis Reflected Cross-site Scripting Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-001.txt 1. Vulnerability Details Affected Vendor: Checkmk Affected Product: Checkmk/NagVis Affected Version: Checkmk 2.3.0p2, NagVis 1.9.40 Platform: GNU/Linux CWE...

PT-2025-5786 · Ibm · Ibm Applinx

Name of the Vulnerable Software and Affected Versions: IBM ApplinX version 11.1 Description: This issue allows an authenticated user to embed arbitrary JavaScript code in the Web UI, potentially altering the intended functionality and leading to credentials disclosure within a trusted session...

CVE-2025-22602

Discourse is an open source platform for community discussion. In affected versions an attacker can execute arbitrary JavaScript on users' browsers by posting a malicious video placeholder html element. This issue only affects sites with CSP disabled. This problem has been patched in the latest...

CVE-2024-56328

Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by posting a maliciously crafted onebox url. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are...

CVE-2025-22602 Stored DOM-based XSS (without CSP) via video placeholders in Discourse

Discourse is an open source platform for community discussion. In affected versions an attacker can execute arbitrary JavaScript on users' browsers by posting a malicious video placeholder html element. This issue only affects sites with CSP disabled. This problem has been patched in the latest...

CVE-2025-22602 Stored DOM-based XSS (without CSP) via video placeholders in Discourse

Discourse is an open source platform for community discussion. In affected versions an attacker can execute arbitrary JavaScript on users' browsers by posting a malicious video placeholder html element. This issue only affects sites with CSP disabled. This problem has been patched in the latest...

Discourse 跨站脚本漏洞

Discourse is an open source community discussion platform from Discourse Open Source. The platform includes community, email, and chat room features. Discourse suffers from a cross-site scripting vulnerability that originates from an attacker being able to execute arbitrary JavaScript code on a...

DevDojo Voyager vulnerable to reflected Cross-site Scripting

DevDojo Voyager through version 1.8.0 is vulnerable to reflected XSS via /admin/compass. By manipulating an authenticated user to click on a link, arbitrary Javascript can be executed...