CVE-2025-33104 IBM WebSphere Application Server cross

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

PT-2025-20695 · Unknown · Abantecart

Name of the Vulnerable Software and Affected Versions: AbanteCart version 1.4.0 Description: A Reflected Cross-Site Scripting XSS issue allows an attacker to execute JavaScript code in a victim's browser by sending a malicious URL. This can be exploited to steal sensitive user data, such as sessi...

CVE-2025-46812

Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.15 are vulnerable to XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the...

CVE-2025-28073

phpList before 3.6.15 is vulnerable to Reflected Cross-Site Scripting XSS via the /lists/dl.php endpoint. An attacker can inject arbitrary JavaScript code by manipulating the id parameter, which is improperly sanitized...

PT-2025-20399 · Trix · Trix

Name of the Vulnerable Software and Affected Versions: Trix versions prior to 2.1.15 Description: The issue allows an attacker to execute arbitrary JavaScript code within the context of a user's session by tricking the user into copying and pasting malicious code. This could potentially lead to...

CVE-2025-28073

phpList before 3.6.15 is vulnerable to Reflected Cross-Site Scripting XSS via the /lists/dl.php endpoint. An attacker can inject arbitrary JavaScript code by manipulating the id parameter, which is improperly sanitized...

Graylog Allows Stored Cross-Site Scripting via Files Plugin and API Browser

Impact Two minor vulnerabilities were identified in the Graylog2 enterprise server, which can be combined to carry out a stored cross-site scripting attack. An attacker with the permission FILESCREATE can exploit these vulnerabilities to upload arbitrary Javascript code to the Graylog2 server,...

CVE-2025-46719

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, a vulnerability in the way certain html tags in chat messages are rendered allows attackers to inject JavaScript code into a chat transcript. The JavaScript code will be...

CVE-2025-46571

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, low privileged users can upload HTML files which contain JavaScript code via the /api/v1/files/ backend endpoint. This endpoint returns a file id, which can be used to open t...

CVE-2025-46571

CVE-2025-46571 affects Open WebUI prior to version 0.6.6. Low-privileged users could upload HTML files containing JavaScript via the backend endpoint /api/v1/files/, which returns a file id. An attacker could lure an admin to click a link to such a file, causing the JavaScript to execute in the a...

CVE-2025-4318

CVE-2025-4318 affects the package aws-amplify/amplify-codegen-ui used with AWS Amplify Studio. The vulnerability is described as a lack of input validation in UI component property expressions, which could allow an authenticated user with access to create or modify components to execute arbitrary...

CVE-2025-4318 Input validation issue in AWS Amplify Studio UI component properties

The AWS Amplify Studio UI component property expressions in the aws-amplify/amplify-codegen-ui package lack input validation. This could potentially allow an authenticated user who has access to create or modify components to run arbitrary JavaScript code during the component rendering and build...

CVE-2024-41753

IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF004 and 24.0.1 through 24.0.1 IF001 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially...

CVE-2025-47201

In Intrexx Portal Server before 12.0.4, multiple Velocity-Scripts are susceptible to the execution of unrequested JavaScript code in HTML, aka XSS...

CVE-2024-41753

CVE-2024-41753 : IBM Cloud Pak for Business Automation exposures in 24.0.0 (up to IF004) and 24.0.1 (up to IF001) allow unauthenticated attackers to inject arbitrary JavaScript into the Web UI (reflected XSS), potentially altering UI behavior and disclosing credentials within a session. Affected ...

CVE-2024-41753 IBM Cloud Pak for Business Automation cross-site scripting

IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF004 and 24.0.1 through 24.0.1 IF001 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially...

CVE-2025-45007

A Reflected Cross-Site Scripting XSS vulnerability was discovered in the profile.php file of PHPGurukul Timetable Generator System v1.0. This vulnerability allows remote attackers to execute arbitrary JavaScript code via the adminname POST request parameter...

PT-2025-18760 · United Planet · Intrexx Portal Server

Name of the Vulnerable Software and Affected Versions: Intrexx Portal Server versions prior to 12.0.4 Description: The issue allows for the execution of unrequested JavaScript code in HTML, also known as Cross-Site Scripting XSS. This occurs due to susceptible Velocity-Scripts in the affected...

CVE-2025-40615

Reflected Cross-Site Scripting XSS vulnerability in Bookgy. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the "TEXTO" parameter in /api/apiajustes.php...

org.xwiki.contrib.markdown:syntax-markdown-commonmark12 vulnerable to XSS via Markdown content

Impact The Markdown syntax is vulnerable to XSS through HTML. In particular, using Markdown syntax, it's possible for any user to embed Javascript code that will then be executed on the browser of any other user visiting either the document or the comment that contains it. In the instance that th...