CVE-2025-51462

CVE-2025-51462 describes a stored XSS in RAGFlow 0.17.2, via api.apps.dialog_app.set_dialog: crafted input to the assistant greeting field is stored unsanitised and rendered by a markdown component with rehype-raw, enabling execution of arbitrary JavaScript. The vulnerability affects RAGFlow 0.17...

Mozilla Firefox ESR < 128.13

The version of Firefox ESR installed on the remote macOS or Mac OS X host is prior to 128.13. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-58 advisory. - Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbir...

Security Vulnerabilities fixed in Firefox 141 — Mozilla

On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. On arm64, a WASM brtable instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrec...

Mozilla Thunderbird < 128.13

The version of Thunderbird installed on the remote Windows host is prior to 128.13. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-62 advisory. - Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140....

LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Personal Canned Messages

Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting XSS via Personal Canned Messages Date: 09/06/2025 Exploit Author: Manojkumar J TheWhiteEvil Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/ Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/ Software...

CVE-2025-51464

Cross-site Scripting XSS in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox...

CVE-2025-51462

Stored Cross-site Scripting XSS vulnerability in api.apps.dialogapp.setdialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw...

Mozilla Firefox ESR < 140.1

The version of Firefox ESR installed on the remote macOS or Mac OS X host is prior to 140.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-59 advisory. - Memory safety bugs present in Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140...

Mozilla Firefox ESR < 140.1

The version of Firefox ESR installed on the remote Windows host is prior to 140.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-59 advisory. - Memory safety bugs present in Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of...

CVE-2025-51462

Stored Cross-site Scripting XSS vulnerability in api.apps.dialogapp.setdialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw...

LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via the Chat Transfer Function

Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting XSS via the Chat Transfer Function Date: 09/06/2025 Exploit Author: Manojkumar J TheWhiteEvil Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/ Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/ Software...

Mozilla Thunderbird < 128.13

The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 128.13. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-62 advisory. - Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbir...

Cross-site Scripting (XSS)

Overview cadwyn is a Production-ready community-driven modern Stripe-like API versioning in FastAPI Affected versions of this package are vulnerable to Cross-site Scripting XSS via the version parameter of the /docs endpoint. An attacker can execute arbitrary JavaScript code in a user's browser b...

CVE-2025-53528 Cadwyn is vulnerable to an XSS attack through its docs page

Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the "/docs" endpoint is vulnerable to a Reflected XSS Cross-Site Scripting attack. This XSS would notably allow an attacker to execute JavaScript code ...

GHSA-2GXP-6R36-M97R Cadwyn vulnerable to XSS on the docs page

Summary The version parameter of the /docs endpoint is vulnerable to a Reflected XSS Cross-Site Scripting attack. PoC 1. Setup a minimal app following the quickstart guide: https://docs.cadwyn.dev/quickstart/setup/ 2. Click on the following PoC link:...

Cadwyn vulnerable to XSS on the docs page

Summary The version parameter of the /docs endpoint is vulnerable to a Reflected XSS Cross-Site Scripting attack. PoC 1. Setup a minimal app following the quickstart guide: https://docs.cadwyn.dev/quickstart/setup/ 2. Click on the following PoC link:...

IBM Engineering Requirements Management DOORS 9.7.2.9 < 9.7.2.10 Multiple Vulnerabilities (7238992)

The version of IBM Engineering Requirements Management DOORS formerly IBM Rational DOORS installed on the remote host is 9.7.2.9 prior to 9.7.2.10. It is, therefore, affected by multiple vulnerabilities as referenced in the 7238992 advisory. - CKEditor4 is an open source WYSIWYG HTML editor. In...

Cross-Site Scripting (XSS)

ag-grid is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper sanitization of grid contents, which allows an attacker to execute arbitrary JavaScript when user input is rendered in the grid...

CVE-2025-53925 Emlog has Stored Cross-site Scripting vulnerability in file upload functionality

Emlog is an open source website building system. A cross-site scripting XSS vulnerability in emlog up to and including pro-2.5.17 allows authenticated remote attackers to inject arbitrary web script or HTML via the file upload functionality. As an authenticated user it is possible to upload an .s...

PT-2025-29543 · Unknown · Pharmacy Pos Php Script

Name of the Vulnerable Software and Affected Versions: Pharmacy POS PHP Script affected versions not specified Description: A stored Cross-Site Scripting XSS issue exists in Pharmacy POS PHP Script. Successful exploitation allows an attacker to execute JavaScript code in a victim’s browser. This ...