PT-2025-32385 · Ehcp · Ehcp

Name of the Vulnerable Software and Affected Versions: EHCP version 20.04.1.b Description: A reflected cross-site scripting XSS vulnerability exists in the List All FTP User Function. Authenticated attackers can execute arbitrary JavaScript by injecting a crafted payload into the ftpusername...

CVE-2025-46958

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

CVE-2025-51541

A stored cross-site scripting XSS vulnerability exists in the Shopware 6 installation interface at /recovery/install/database-configuration/. The cdatabaseschema field fails to properly sanitize user-supplied input before rendering it in the browser, allowing an attacker to inject malicious...

Liferay Portal 7.4.3.61 <= 7.4.3.131 XSS

The fragment preview functionality in Liferay Portal and Liferay DXP was found to be vulnerable to postMessage-based XSS because it allows a remote non-authenticated attacker to inject JavaScript into the fragment portlet URL. Note that Nessus has not tested for this issue but has instead relied...

CVE-2025-4599

The fragment preview functionality in Liferay Portal 7.4.3.61 through 7.4.3.132, and Liferay DXP 2024.Q4.1 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.13 and 7.4 update 61 through update 92 was found to be vulnerable to postMessage-base...

CVE-2025-51053

A Cross-site scripting XSS vulnerability in /apivedo/ in Vedo Suite version 2024.17 allows remote attackers to inject arbitrary Javascript or HTML code and potentially trigger code execution in victim's browser...

CVE-2025-51531

A reflected cross-site scripting XSS vulnerability in Sage DPW 202412004 and earlier allows attackers to execute arbitrary JavaScript in the context of a victim's browser via injecting a crafted payload into the tabfields parameter at /dpw/scripts/cgiip.exe/WService. The vendor has stated that th...

CVE-2025-51053

A Cross-site scripting XSS vulnerability in /apivedo/ in Vedo Suite version 2024.17 allows remote attackers to inject arbitrary Javascript or HTML code and potentially trigger code execution in victim's browser...

PT-2025-32192 · Sage Dpw · Sage Dpw

Name of the Vulnerable Software and Affected Versions: Sage DPW versions 2024.12.003 Description: A reflected cross-site scripting XSS vulnerability exists in Sage DPW version 2024.12.003. This allows attackers to execute arbitrary JavaScript in the context of a victim’s browser by injecting a...

CVE-2025-51053

CVE-2025-51053 is a Cross-Site Scripting (XSS) vulnerability affecting Vedo Suite 2024.17, exploitable via the /api_vedo/ endpoint. The affected software and context are described across multiple sources as injecting arbitrary JavaScript/HTML that could lead to browser-level code execution. Publi...

CVE-2025-46958

Adobe Experience Manager (AEM) 6.5.22 and earlier is affected by a stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-46958) in vulnerable form fields. A low-privileged attacker can inject malicious scripts, with JavaScript potentially executing in a victim’s browser when visiting a page c...

CVE-2025-51541

A stored cross-site scripting XSS vulnerability exists in the Shopware 6 installation interface at /recovery/install/database-configuration/. The cdatabaseschema field fails to properly sanitize user-supplied input before rendering it in the browser, allowing an attacker to inject malicious...

CVE-2025-4599

The fragment preview functionality in Liferay Portal 7.4.3.61 through 7.4.3.132, and Liferay DXP 2024.Q4.1 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.13 and 7.4 update 61 through update 92 was found to be vulnerable to postMessage-base...

CVE-2025-4599

The fragment preview functionality in Liferay Portal 7.4.3.61 through 7.4.3.132, and Liferay DXP 2024.Q4.1 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.13 and 7.4 update 61 through update 92 was found to be vulnerable to postMessage-base...

CVE-2025-4599

The fragment preview functionality in Liferay Portal 7.4.3.61 through 7.4.3.132, and Liferay DXP 2024.Q4.1 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.13 and 7.4 update 61 through update 92 was found to be vulnerable to postMessage-base...

CVE-2025-54789

Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, the File Move functionality does not contain logic that prevents injection of arbitrary JavaScript, which can lead to Browser JS code execution in the context of the user’s session. This is fixed i...

PT-2025-31868

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.3.61 through 7.4.3.132 Liferay DXP versions 2024.Q1.1 through 2024.Q1.13 Liferay DXP versions 2024.Q2.0 through 2024.Q2.13 Liferay DXP versions 2024.Q3.1 through 2024.Q3.13 Liferay DXP versions 2024.Q4.1 through...

Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS)

/ Author : Byte Reaper CVE : CVE-2025-54589 Title : Copyparty 1.18.6 - Reflected Cross-Site Scripting XSS CVE-2025-54589 is a reflected cross-site scripting XSS vulnerability in Copyparty ≤ 1.18.6 where the filter parameter is inserted into the HTML response without proper sanitization, allowing ...

CVE-2025-50866

CloudClassroom-PHP-Project 1.0 contains a reflected Cross-site Scripting XSS vulnerability in the email parameter of the postquerypublic endpoint. Improper sanitization allows an attacker to inject arbitrary JavaScript code that executes in the context of the user s browser, potentially leading t...

CVE-2025-51569

A cross-site scripting XSS vulnerability exists in the LB-Link BL-CPE300M 01.01.02P42U1406 router's web interface. The /goform/goformgetcmdprocess endpoint fails to sanitize user input in the cmd parameter before reflecting it into a text/html response. This allows unauthenticated attackers to...