PT-2025-40518

Name of the Vulnerable Software and Affected Versions XunRuiCMS version 4.7.1 Description A stored Cross-Site Scripting XSS issue exists because of inadequate validation of SVG file uploads within the dayrui/Fcms/Library/Upload.php component. This allows attackers to inject malicious JavaScript...

CVE-2025-60453

MetInfo CMS 8.0 is affected in the column management module (app\system\column\admin\index.class.php). The issue is a stored XSS vulnerability that allows attackers to upload SVG files containing JavaScript, which executes when the uploaded file is viewed or accessed by users. This aligns with mu...

CVE-2025-60448

A stored Cross-Site Scripting XSS vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists due to insufficient validation of SVG file uploads in the /admin/media.php component, allowing attackers to upload malicious SVG files containing JavaScript code that executes when th...

PT-2025-40521

Name of the Vulnerable Software and Affected Versions MetInfo CMS version 8.0 Description A stored Cross-Site Scripting XSS issue exists in the download management module of the software. The vulnerability is located in the appsystemdownloadadmindownload admin.class.php component. Attackers can...

CVE-2025-60454

A stored Cross-Site Scripting XSS vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the image management module, specifically in the app\system\img\admin\imgadmin.class.php component. The vulnerability allows attackers to upload malicious SVG files containi...

CVE-2025-60450

MetInfo CMS 8.0 is affected by a stored XSS in file upload handling. The vulnerability arises from insufficient validation and sanitization of SVG uploads in app\system\include\module\editor\Uploader.class.php, allowing an attacker to upload SVG files containing JavaScript that executes when view...

CVE-2025-60447

CVE-2025-60447 describes a stored XSS in Emlog Pro 2.5.19, in the email template configuration page (/admin/setting.php?action=mail). User input HTML is not sanitized, allowing persistent JavaScript execution. Connected advisories (Red Hat, CVE listings, PT Security) corroborate the issue and sug...

CVE-2025-60454

A stored Cross-Site Scripting XSS vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the image management module, specifically in the app\system\img\admin\imgadmin.class.php component. The vulnerability allows attackers to upload malicious SVG files containi...

CVE-2025-60447

A stored Cross-Site Scripting XSS vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists in the email template configuration component located at /admin/setting.php?action=mail, which allows administrators to input HTML code that is not properly sanitized, leading to...

CVE-2025-60991

A reflected cross-site scripted XSS vulnerability in Codazon Magento Themes v1.1.0.0 to v2.4.7 allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload injected into the cat parameter...

CVE-2025-57389

A reflected cross-site scripting XSS vulnerability in the /admin/system/packages endpoint of Luci OpenWRT v18.06.2 allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload. This vulnerability was fixed in OpenWRT v19.07.0...

CVE-2025-59772

Cross-site scripting XSS vulnerability reflected in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL. The relationship between parameter and assigned identifier is 'l, demo, demo2, TNTLOGIN, UO and...

CVE-2025-59769

AndSoft e-TMS is affected by a reflected XSS vulnerability (CVE-2025-59769) in v25.03. The issue arises from insufficient input filtering/escaping for user-supplied data in parameters l, demo, demo2, TNTLOGIN, UO, and SuppConn within /clt/LOGINFRM_MOL.ASP, enabling an attacker to trigger JavaScri...

CVE-2025-56514

Cross Site Scripting XSS vulnerability in Fiora chat application 1.0.0 allows executes arbitrary JavaScript when malicious SVG files are rendered by other users...

CVE-2025-56515

File upload vulnerability in Fiora chat application 1.0.0 through user avatar upload functionality. The application fails to validate SVG file content, allowing malicious SVG files with embedded foreignObject elements containing iframe tags and JavaScript event handlers onmouseover to be uploaded...

AndSoft e-TMS 跨站脚本漏洞

AndSoft e-TMS is a logistics management software from AndSoft Spain. A cross-site scripting vulnerability exists in AndSoft e-TMS, which originates from the lack of effective filtering and escaping of user-supplied data by parameter m in file /lib/asp/alert.asp, and can be exploited by an attacke...

PT-2025-40371

Name of the Vulnerable Software and Affected Versions AndSoft e-TMS version 25.03 Description A cross-site scripting issue exists that allows an attacker to execute JavaScript code in a victim's browser. This is achieved by sending a malicious URL. The vulnerability is reflected in the...

AndSoft e-TMS 跨站脚本漏洞

AndSoft e-TMS is a logistics management software from AndSoft Spain. AndSoft e-TMS suffers from a cross-site scripting vulnerability that stems from the lack of effective filtering and escaping of user-supplied data in the parameters l, demo, demo2, TNTLOGIN, UO, and SuppConn in the file...

AndSoft e-TMS 跨站脚本漏洞

AndSoft e-TMS is a logistics management software from AndSoft Spain. AndSoft e-TMS suffers from a cross-site scripting vulnerability that stems from the lack of effective filtering and escaping of user-supplied data in the parameters l, demo, demo2, TNTLOGIN, UO, and SuppConn in the file...

Fiora chat user avatar is vulnerable to XSS via SVG files

Cross Site Scripting XSS vulnerability in Fiora chat application 1.0.0 allows arbitrary JavaScript execution when malicious SVG files are rendered by other users...