CVE-2025-60991

A reflected cross-site scripted XSS vulnerability in Codazon Magento Themes v1.1.0.0 to v2.4.7 allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload injected into the cat parameter...

CVE-2025-20367

In Splunk Enterprise versions below 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious payload through the dataset.command parameter of t...

CVE-2025-56515

File upload vulnerability in Fiora chat application 1.0.0 through user avatar upload functionality. The application fails to validate SVG file content, allowing malicious SVG files with embedded foreignObject elements containing iframe tags and JavaScript event handlers onmouseover to be uploaded...

CVE-2025-60991

Codazon Magento Themes (v1.1.0.0–v2.4.7) contains a reflected XSS that allows an attacker to execute arbitrary JavaScript in a user’s browser via a crafted payload in the cat parameter. Root cause described across multiple sources as insufficient input handling/escaping in the cat parameter leadi...

CVE-2025-56515

File upload vulnerability in Fiora chat application 1.0.0 through user avatar upload functionality. The application fails to validate SVG file content, allowing malicious SVG files with embedded foreignObject elements containing iframe tags and JavaScript event handlers onmouseover to be uploaded...

CVE-2025-57389

A reflected cross-site scripting XSS vulnerability in the /admin/system/packages endpoint of Luci OpenWRT v18.06.2 allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload. This vulnerability was fixed in OpenWRT v19.07.0...

CVE-2025-57389

CVE-2025-57389 affects OpenWRT Luci 18.06.2 via a reflected XSS in the /admin/system/packages API. The vulnerability allows arbitrary Javascript execution in a user’s browser when processing a crafted payload. The available connected documents confirm a fix in OpenWRT v19.07.0; no additional expl...

PT-2025-40270

Name of the Vulnerable Software and Affected Versions Splunk Enterprise versions prior to 9.4.4 Splunk Enterprise versions prior to 9.3.6 Splunk Enterprise versions prior to 9.2.8 Splunk Cloud Platform versions prior to 9.3.2411.109 Splunk Cloud Platform versions prior to 9.3.2408.119 Splunk Clou...

PT-2025-40300

Name of the Vulnerable Software and Affected Versions Luci OpenWRT version 18.06.2 Description A reflected cross-site scripting XSS issue exists in the /admin/system/packages API endpoint of Luci OpenWRT. An attacker can execute arbitrary Javascript in a user's browser by providing a crafted...

OpenWRT Luci LTS 安全漏洞

OpenWRT Luci LTS is an OpenWRT open source web management interface for Linux distributions. A security vulnerability exists in OpenWRT Luci LTS version v18.06.2, which originates from the presence of reflective cross-site scripting in the /admin/system/packages endpoint, which could lead to the...

Fiora 安全漏洞

Fiora - is a chat application by yinxin630 individual developer. A security vulnerability exists in Fiora version 1.0.0, which stems from the user avatar upload feature not validating the content of SVG files, which could lead to the execution of arbitrary JavaScript code...

CVE-2025-8116 Reflected XSS in PAD CMS

PAD CMS is vulnerable to Reflected XSS in printing and save to PDF functionality. Malicious attacker can craft special URL, which will result in arbitrary JavaScript execution in victim's browser, when opened. This issue affects all 3 templates: www, bip and www+bip. This product is End-Of-Life a...

PT-2025-39965

Name of the Vulnerable Software and Affected Versions PAD CMS affected versions not specified Description PAD CMS is susceptible to Reflected Cross-Site Scripting XSS in the printing and save to PDF features. An attacker can create a specially crafted URL that, when opened by a user, leads to the...

VulnCheck KEV: CVE-2025-27915

An issue was discovered in Zimbra Collaboration ZCS 9.0 and 10.0 and 10.1. A stored cross-site scripting XSS vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its...

CVE-2025-35034

Medical Informatics Engineering Enterprise Health has a reflected cross site scripting vulnerability in the 'portletuserid' URL parameter. A remote, unauthenticated attacker can craft a URL that can execute arbitrary JavaScript in the victim's browser. This issue is fixed as of 2025-03-14...

CVE-2025-35034

Medical Informatics Engineering Enterprise Health has a reflected cross site scripting vulnerability in the 'portletuserid' URL parameter. A remote, unauthenticated attacker can craft a URL that can execute arbitrary JavaScript in the victim's browser. This issue is fixed as of 2025-03-14...

CVE-2025-35034 Medical Informatics Engineering Enterprise Health reflected cross site scripting via portlet_user_id

Medical Informatics Engineering Enterprise Health has a reflected cross site scripting vulnerability in the 'portletuserid' URL parameter. A remote, unauthenticated attacker can craft a URL that can execute arbitrary JavaScript in the victim's browser. This issue is fixed as of 2025-03-14...

CVE-2025-57877

There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser...

CVE-2025-57873

There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser...

CVE-2025-57877

There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser...