3222 matches found
CVE-2025-57874
The CVE describes a reflected cross-site scripting (XSS) vulnerability in Esri Portal for ArcGIS, affecting version 11.4 and earlier. A remote authenticated attacker with administrative access can supply a crafted string that executes arbitrary JavaScript in the victim’s browser. Affected compone...
CVE-2025-57875
CVE-2025-57875 affects Esri Portal for ArcGIS
CVE-2025-57877 Reflected XSS vulnerability in Portal for ArcGIS.
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser...
PT-2025-39861
Name of the Vulnerable Software and Affected Versions: Esri Portal for ArcGIS versions 11.4 and below. Description: A reflected cross site scripting issue exists in Esri Portal for ArcGIS. A remote attacker with administrative access can potentially execute arbitrary JavaScript code in the browser b...
FreshRSS Security Vulnerability
FreshRSS is a free, self-hosted RSS aggregator from FreshRSS Open Source. A security vulnerability exists in FreshRSS 1.26.3 and earlier versions, which stems from a specially crafted page that may trick a user into executing arbitrary JS code or elevating a user's privileges, potentially leading...
PT-2025-39858
Name of the Vulnerable Software and Affected Versions: Esri Portal for ArcGIS versions 11.4 and below. Description: A reflected cross site scripting issue exists in Esri Portal for ArcGIS. A remote attacker with administrative access can inject a crafted string to execute arbitrary JavaScript code i...
CVE-2025-57483
A reflected cross-site scripting (XSS) vulnerability in tawk.to chatbox widget v4 allows attackers to execute arbitrary JavaScript in the context of the user's browser via injecting a crafted payload into the vulnerable parameter...
PT-2025-39864
Name of the Vulnerable Software and Affected Versions: Esri Portal for ArcGIS versions 11.4 and below. Description: A reflected cross site scripting issue exists in Esri Portal for ArcGIS that could allow a remote attacker with administrative access to execute arbitrary JavaScript code in a user's...
CVE-2025-57692
PiranhaCMS 12.0 allows stored XSS in the Text content block of Standard and Standard Archive Pages via /manager/pages, enabling execution of arbitrary JavaScript in another user's browser...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the data-iframeconfig attribute. An attacker can execute arbitrary JavaScript in the context of the affected site by injecting malicious attributes such as onload or onmouseenter through wikitext. Details...
CVE-2025-59430
Mesh Connect JS SDK contains JS libraries for integrating with Mesh Connect. Prior to version 3.3.2, the lack of sanitization of URLs protocols in the createLink.openLink function enables the execution of arbitrary JavaScript code within the context of the parent page. This is technically...
DRUPAL-CONTRIB-2025-109
This module enables you to add Umami Analytics web statistics tracking system to your website. The "administer umami analytics" permission allows inserting an arbitrary JavaScript file on every page. While this is an expected feature, the permission lacks the "restrict access" flag, which should...
PT-2025-39033
Name of the Vulnerable Software and Affected Versions: Mesh Connect JS SDK versions prior to 3.3.2. Description: Mesh Connect JS SDK contains JS libraries for integrating with Mesh Connect. A lack of sanitization of URLs protocols in the createLink.openLink function enables the execution of arbitrar...
CVE-2025-36248
IBM Copy Services Manager 6.3.13 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality, potentially leading to credentials disclosure within a trusted session...
CVE-2025-37122
A vulnerability in the web-based management interface of network access control services could allow an unauthenticated remote attacker to conduct a Reflected Cross-Site Scripting (XSS) attack. Successful exploitation could allow an attacker to execute arbitrary JavaScript code in a victim's browse...
Prototype Pollution
Overview: expr-eval-fork is a Mathematical expression evaluator fork with prototype pollution fix. Affected versions of this package are vulnerable to Prototype Pollution via the evaluation process, which accesses global values by searching for item.value in expr.functions. An attacker can access...
CVE-2025-37122 Unauthenticated Reflected Cross-Site Scripting
A vulnerability in the web-based management interface of network access control services could allow an unauthenticated remote attacker to conduct a Reflected Cross-Site Scripting (XSS) attack. Successful exploitation could allow an attacker to execute arbitrary JavaScript code in a victim's browse...
CVE-2025-57520
A Cross Site Scripting (XSS) vulnerability exists in Decap CMS through 3.8.3. Input fields such as body, tags, title, and description are not properly sanitized before being rendered in the content preview pane. This enables an attacker to inject arbitrary JavaScript which executes whenever a user vie...