TencentOS Server 4: alertmanager (TSSA-2024:0822)
The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2024:0822 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...
CVE-2025-4417
A cross-site scripting vulnerability exists in AVEVA PI Connector for CygNet Versions 1.6.14 and prior that, if exploited, could allow an administrator miscreant with local access to the connector admin portal to persist arbitrary JavaScript code that will be executed by other users who visit...
PT-2025-25349 · Aveva · Aveva Pi Web Api
Name of the Vulnerable Software and Affected Versions: AVEVA PI Web API versions 2023 SP1 and prior Description: A cross-site scripting issue exists that could allow an authenticated attacker with privileges to create or update annotations, or upload media files, to persist arbitrary JavaScript...
CVE-2025-49137
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in...
Cross-Site Scripting (XSS)
elmsln/haxcms is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to insufficient input sanitization in the saveNode and saveManifest endpoints, allowing arbitrary JavaScript execution through non-script HTML tags stored in the site's JSON schema...
CVE-2025-49137 Hax CMS Stored Cross-Site Scripting vulnerability
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in...
CVE-2025-49137
HAX CMS PHP prior to 11.0.0 is vulnerable to stored XSS via the saveNode and saveManifest endpoints, where unsanitized user input is stored in the site JSON schema and rendered in the generated microsite. The issue allows execution of arbitrary JavaScript through HTML tags (notably without using ...
CVE-2025-48877
Summary: CVE-2025-48877 affects Discourse. Before the patched releases, Codepen could be present in the default allowed_iframes site setting, potentially auto-running arbitrary JS in the iframe scope. Affected versions (as stated): Discourse < 3.4.4 (stable), < 3.5.0.beta5 (beta), and
PT-2025-24562 · Hax Cms · Hax Cms
Name of the Vulnerable Software and Affected Versions: HAX CMS PHP versions prior to 11.0.0 Description: The application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in...
CVE-2025-31136
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to run arbitrary JavaScript on the feeds page. This occurs by combining a cross-site scripting XSS issue that occurs in f.php when SVG favicons are downloaded from an attacker-controlled feed containing...
CVE-2025-31136
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to run arbitrary JavaScript on the feeds page. This occurs by combining a cross-site scripting XSS issue that occurs in f.php when SVG favicons are downloaded from an attacker-controlled feed containing tags...
CVE-2025-31136 FreshRSS vulnerable to Cross-site Scripting by <iframe>'ing a vulnerable same-origin page in a feed entry
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to run arbitrary JavaScript on the feeds page. This occurs by combining a cross-site scripting XSS issue that occurs in f.php when SVG favicons are downloaded from an attacker-controlled feed containing tags...
CVE-2025-31136
FreshRSS before 1.26.2 is vulnerable to a cross-site scripting (XSS) issue in f.php triggered by SVG favicons downloaded from attacker-controlled feeds. The XSS occurs when the favicon contains unsanitized [removed] tags and the page lacks a Content Security Policy; an attacker can embed a malici...
PT-2025-23847 · Freshrss · Freshrss
Name of the Vulnerable Software and Affected Versions: FreshRSS versions prior to 1.26.2 Description: The issue allows an attacker to run arbitrary JavaScript on the feeds page by combining a cross-site scripting XSS issue in f.php with the lack of Content Security Policy CSP when SVG favicons ar...
CVE-2024-8008 Reflected Cross-Site Scripting (XSS) in Multiple WSO2 Products via JDBC User Store Connection Validation
A reflected cross-site scripting XSS vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser ...
Motivian Content Management System 41.0.0 Cross Site Scripting
Motivian Content Management System version 41.0.0 suffers from multiple cross site scripting vulnerabilities. CVE-2025-29094-Multiple-Stored-Cross-Site-Scripting-XSS This repository reveals a security vulnerability discovered in Motivian Content Management System v.41.0.0. - CVE-2025-29094:...
CVE-2025-48875
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system's incorrect validation of lastname and firstname during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flash-message when the data is deleted...
CVE-2025-23393
An Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in spacewalk-java allows execution of arbitrary JavaScript code on users' machines. This issue affects Container suse/manager/5.0/x86_64/server:5.0.4.7.19.1: from ? before 5.0.24-150600.3.25.1; SUSE Manager...
CVE-2025-23393
CVE-2025-23393 is a reflected XSS in spacewalk-java. Affected: SUSE Manager 5.0 (Container suse/manager/5.0/x86_64/server:5.0.4.7.19.1) and SUSE Manager Server Module 4.3 (before 4.3.85-150400.3.105.3). Root cause: improper sanitization of user input in the systems list page. Impact: potential ex...