
874 matches found

Cvelist
added 2025/08/27 12:00 a.m. · 6 views

CVE-2025-50977

A template injection vulnerability leading to reflected cross-site scripting (XSS) has been identified in version 1.7.1, requiring authenticated admin access for exploitation. The vulnerability exists in the 'r' parameter and allows attackers to inject malicious Angular expressions that execute...

EPSS 0.00262
Exploits 1 · References 1
CVE
added 2025/08/27 12:00 a.m. · 14 views

CVE-2025-50977

Gitblit (version 1.7.1) contains a template injection vulnerability that enables reflected XSS via the r parameter. Exploitation requires authenticated admin access and can be triggered through GET requests to the /summary endpoint or POST requests to certain Wicket interfaces, enabling injection...

CVSS 6.1 · AI score 6.4 · EPSS 0.00262
Exploits 1 · References 1 · Affected Software 1
Hacker One
added 2025/07/13 8:12 p.m. · 149 views

8x8: █.8x8.vc/index.js: Exposed Google Maps API Key Allowing Potential Abuse of Paid Services

The Google Maps API key was inadvertently exposed in client-side code, allowing potential unauthorized access to some Google Maps services. The issue was promptly addressed by implementing appropriate API key restrictions where feasible...

AI score 6.8
Exploits 0
Akamai Blog
added 2025/07/08 1:00 p.m. · 7 views

Protect Client-Side Code and Certify the Authenticity of Data Collection

...

AI score 7.3
Exploits 0
OSV
added 2025/06/26 4:54 p.m. · 8 views

GHSA-XH32-CX6C-CP4V Gogs XSS allowed by stored call in PDF renderer

Summary: A stored XSS is present in Gogs which allows client-side JavaScript code execution. Details: Gogs Version: docker images REPOSITORY TAG IMAGE ID CREATED SIZE gogs/gogs latest fe92583bc4fe 10 hours ago 99.3MB Application version: 0.14.0+dev Local setup using: bash Pull image from Docker Hub...

CVSS 6.3 · AI score 9.2 · EPSS 0.00302
Exploits 0 · References 6
RedhatCVE
added 2025/06/26 4:17 a.m. · 4 views

CVE-2025-47943

Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side JavaScript code execution. The vulnerability is caused by the usage of a vulnerable and outdated componen...

CVSS 6.3 · AI score 6.1 · EPSS 0.00302
Exploits 0 · References 1
NVD
added 2025/06/24 4:15 a.m. · 4 views

CVE-2025-47943

Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side JavaScript code execution. The vulnerability is caused by the usage of a vulnerable and outdated componen...

CVSS 6.3 · EPSS 0.00302
Exploits 0 · References 4
RedhatCVE
added 2025/05/23 10:40 a.m. · 4 views

CVE-2024-47095

Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the expiredSupportMessage parameter of handleloginform.do...

CVSS 5.1 · AI score 6.8 · EPSS 0.00517
Exploits 0
RedhatCVE
added 2025/05/23 4:07 a.m. · 9 views

CVE-2023-47314

Headwind MDM Web panel 5.22.1 is vulnerable to cross-site scripting (XSS). The file upload function allows APK and arbitrary files to be uploaded. By exploiting this issue, attackers may upload HTML files and share the download URL pointing to these files with the victims. As the file download...

CVSS 5.4 · AI score 5.8 · EPSS 0.00414
Exploits 1
RedhatCVE
added 2025/05/22 7:46 p.m. · 7 views

CVE-2021-32853

Erxes, an experience operating system (XOS) with a set of plugins, is vulnerable to cross-site scripting in versions 0.22.3 and prior. This results in client-side code execution. The victim must follow a malicious link or be redirected there from a malicious web site. There are no known patches...

CVSS 9.6 · AI score 6.4 · EPSS 0.03125
Exploits 1
RedhatCVE
added 2025/05/22 8:11 a.m. · 5 views

CVE-2019-15652

The web interface for NSSLGlobal SatLink VSAT Modem Unit (VMU) devices before 18.1.0 doesn't properly sanitize input for error messages, leading to the ability to inject client-side code...

CVSS 6.1 · AI score 7 · EPSS 0.00897
Exploits 1 · References 1
RedhatCVE
added 2025/05/02 11:11 a.m. · 12 views

CVE-2025-24338

A vulnerability in the "Manages app data" functionality of the web application of ctrlX OS allows a remote authenticated low-privileged attacker to execute arbitrary client-side code in the context of another user's browser via multiple crafted HTTP requests...

CVSS 7.1 · AI score 7.7 · EPSS 0.00317
Exploits 0 · References 1
NVD
added 2025/04/30 12:15 p.m. · 12 views

CVE-2025-24344

A vulnerability in the error notification messages of the web application of ctrlX OS allows a remote unauthenticated attacker to inject arbitrary HTML tags and, possibly, execute arbitrary client-side code in the context of another user's browser via a crafted HTTP request...

CVSS 6.3 · EPSS 0.00281
Exploits 0 · References 1
Cvelist
added 2025/04/30 11:33 a.m. · 19 views

CVE-2025-24344

A vulnerability in the error notification messages of the web application of ctrlX OS allows a remote unauthenticated attacker to inject arbitrary HTML tags and, possibly, execute arbitrary client-side code in the context of another user's browser via a crafted HTTP request...

CVSS 6.3 · EPSS 0.00281
Exploits 0 · References 1
CVE
added 2025/04/30 10:51 a.m. · 49 views

CVE-2025-24338

CVE-2025-24338 affects the web application of ctrlX OS, specifically the "Manages app data" functionality. A remote authenticated (low privilege) attacker can execute arbitrary client-side code in another user's browser by sending multiple crafted HTTP requests. Evidence from multiple sources con...

CVSS 7.1 · AI score 7.4 · EPSS 0.00317
Exploits 0 · References 1
Positive Technologies
added 2025/04/30 12:00 a.m. · 4 views

PT-2025-18258 · Ctrlx Os · Ctrlx Os

Name of the Vulnerable Software and Affected Versions: ctrlX OS (affected versions not specified). Description: A vulnerability in the error notification messages of the web application of ctrlX OS allows a remote unauthenticated attacker to inject arbitrary HTML tags and, possibly, execute arbitrar...

CVSS 6.3 · AI score 6.8 · EPSS 0.00281
Exploits 0 · References 6
CVE
added 2025/03/25 12:40 p.m. · 53 views

CVE-2025-27633

Summary: CVE-2025-27633 affects the Hitachi Energy TRMTracker web application, with a reflected cross-site scripting (XSS) vulnerability due to client-side code injection. The issue could compromise confidentiality and integrity and is described across multiple sources as a reflected XSS risk. CV...

CVSS 6.1 · AI score 7.2 · EPSS 0.00215
Exploits 0 · References 1
Vulnrichment
added 2025/03/25 12:40 p.m. · 9 views

CVE-2025-27633

The TRMTracker web application is vulnerable to a reflected cross-site scripting attack. The application allows client-side code injection that might be used to compromise the confidentiality and integrity of the system...

CVSS 6.1 · AI score 7.2 · EPSS 0.00215
Exploits 0 · References 1
Cvelist
added 2025/03/25 12:40 p.m. · 21 views

CVE-2025-27633

The TRMTracker web application is vulnerable to a reflected cross-site scripting attack. The application allows client-side code injection that might be used to compromise the confidentiality and integrity of the system...

CVSS 6.1 · EPSS 0.00215
Exploits 0 · References 1
Exploit DB
added 2025/03/19 12:00 a.m. · 222 views

Loaded Commerce 6.6 - Client-Side Template Injection (CSTI)

Exploit Title: Loaded Commerce 6.6 Client-Side Template Injection (CSTI) Date: 03/13/2025 Exploit Author: tmrswrr Vendor Homepage: https://loadedcommerce.com/ Version: 6.6 Tested on: https://www.softaculous.com/apps/ecommerce/LoadedCommerce Injecting 77 into the search parameter...

AI score 7.4
Exploits 0