CVE-2025-66474

The CVE-2025-66474 entry concerns XWiki Rendering. Affected: XWiki Rendering versions 16.10.9 and earlier, 17.0.0-rc-1 through 17.4.2, and 17.5.0-rc-1 through 17.5.0. Root cause: insufficient protection against {{/html}} injection, enabling attackers who can edit a profile or any document to exec...

HTML Injection

librenms/librenms is vulnerable to HTML injection. The vulnerability is due to improper sanitization of the alert rule name in the Alerts Alert Rules page, which allows an attacker to inject and execute arbitrary HTML code...

XWiki Rendering 安全漏洞

XWiki Rendering is a general-purpose rendering system from the XWiki Foundation that converts text input from a given syntax wiki syntax, HTML, etc. to another syntax XHTML, etc.. A security vulnerability exists in XWiki Rendering versions 16.10.9 and earlier, 17.0.0-rc-1 through 17.4.2, and...

Gitlab -- vulnerabilities

Gitlab reports: Cross-site scripting issue in Wiki impacts GitLab CE/EE Improper encoding in vulnerability reports impacts GitLab CE/EE Cross-site scripting issue in Swagger UI impacts GitLab CE/EE Denial of service issue in GraphQL endpoints impacts GitLab CE/EE Authentication bypass issue for...

CVE-2025-66514

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. Javascript was correctly blocked by the content security policy of the...

CVE-2025-65229

A stored cross-site scripting XSS vulnerability exists in the web interface of Lyrion Music Server = 9.0.3. An authenticated user with access to Settings Player can save arbitrary HTML/JavaScript in the Player name field. That value is stored by the server and later rendered without proper output...

CVE-2025-66514

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. Javascript was correctly blocked by the content security policy of the...

CVE-2025-66514 Nextcloud Mail stored HTML injection in subject text

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. Javascript was correctly blocked by the content security policy of the...

CVE-2025-66514 Nextcloud Mail stored HTML injection in subject text

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. Javascript was correctly blocked by the content security policy of the...

CVE-2025-66514

Nextcloud Mail prior to version 5.5.3 contains a stored HTML injection issue in the message list that lets an authenticated user inject HTML into email subjects. The Nextcloud Server content security policy blocks Javascript, which mitigates some risk. The issue is addressed by upgrading to Nextc...

CVE-2025-66514 Nextcloud Mail stored HTML injection in subject text

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. Javascript was correctly blocked by the content security policy of the...

Nextcloud Mail 跨站脚本漏洞

Nextcloud Mail is an email from Nextcloud Germany. A cross-site scripting vulnerability exists in versions of Nextcloud Mail prior to 5.5.3, which stems from the presence of stored HTML injection in mailing lists, which could lead to HTML injection attacks...

PT-2025-49283

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting XSS vulnerability in the /rmm/v1/devices/name/agent id endpoint. When an authenticated user renames a device, the new name value is stored and later rendered in device listings or detail views without prope...

Cross-site Scripting (XSS)

homeassistant is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization of energy entity names containing HTML, which allows an authenticated attacker—or a malicious energy provider default name—to inject JavaScript that executes when users hover over graph...

CVE-2025-13742

CVE-2025-13742 affects pretix and describes a vulnerability in email template rendering where placeholders (e.g., {name}) can cause user-provided content to appear in emails with HTML/Markdown formatting. Although pretix uses a strict allow-list of HTML tags that prevents XSS, this can be exploit...

CVE-2025-13742 Limited HTML injection in emails

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML i...

Exploit for CVE-2025-63420

CVE-2025-63420 CrushFTP11 before 11.3.757 is vulnerable to s...

CVE-2025-62296

SOPlanning is vulnerable to Stored XSS in /taches endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor. This issue was fixed in version 1.55...

EUVD-2025-198308

SOPlanning is vulnerable to Stored XSS in /taches endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor. This issue was fixed in version 1.55...

Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow

Snipe-IT v8.3.4 build 20218 contains a reflected cross-site scripting XSS vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progressmessage value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the...