CVE-2025-60503

A cross-site scripting XSS vulnerability exists in the administrative interface of ultimatefosters UltimatePOS 4.8 where input submitted in the purchase functionality is reflected without proper escaping in the admin log panel page in the 'reference No.' field. This flaw allows an authenticated...

CVE-2025-61431

CVE-2025-61431 is a reflected XSS in Zucchetti ZMaintenance Infinity (and Infinity Zucchetti) up to v4.1. The flaw arises from unvalidated input delivered to the /jsp/gsfr_feditorHTML.jsp endpoint, allowing an attacker to inject crafted payload into the pHtmlSource parameter and execute arbitrary...

📄 Hop.bg Cross Site Scripting

Hop.bg appears to suffer from a cross site scripting vulnerability. It is unclear what vulnerable code base is being used or if it's custom, however, the researcher has not heard a response from the vendor and they have not addressed the issue, putting their users at risk, so this is being...

CVE-2025-12460

An XSS issue was discovered in Afterlogic Aurora webmail version 9.8.3 and below. An attacker can send a specially crafted HTML e-mail message with JavaScript in an img HTML tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window...

CVE-2025-12460

Summary: CVE-2025-12460 describes a Stored XSS vulnerability in Afterlogic Aurora webmail. Affected versions: 9.8.3 and earlier. ** vulnerability mechanism:** an attacker can embed JavaScript in an HTML email via an img tag, which may execute in the recipient’s webmail browser context. Impact (pe...

Revive Adserver 安全漏洞

Revive Adserver is an open source ad serving system that allows advertisers, publishers, and networks to place ads on multiple platforms e.g., websites, apps, video players and supports ad effectiveness tracking, campaign management, and placement rule definition. Revive Adserver suffers from a...

CVE-2024-13993

Nagios XI versions prior to 2024R1.1.2 are vulnerable to a reflected cross-site scripting XSS via the login page when accessed with older web browsers. Insufficient validation or escaping of user-supplied input reflected by the login page can allow an attacker to craft a malicious link that, when...

CVE-2025-53883

A Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability allows attackers to run arbitrary javascript via a reflected XSS issue in the search fields.This issue affects Container suse/manager/5.0/x8664/server:latest: from ? before 5.0.28-150600.3.36.8; SUSE Manag...

SUSE多款产品 安全漏洞

SUSE Manager and SUSE Manager Server are both products of SUSE Germany.SUSE Manager is a Linux server management system. The system provides automated software management, system configuration, and monitoring.SUSE Manager Server is an infrastructure management solution designed to simplify and...

CVE-2025-62800

FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cross-site scripting vulnerability in the OAuth client callback page oauthcallback.py where unescaped user-controlled values are inserted into the generated HTML, allowing arbitrary JavaScri...

DNN vulnerable to stored cross-site-scripting (XSS) via SVG upload

Summary Sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios. Details DNN validates the contents of SVG's to ensure they are valid and do not contain any malicious code. These checks were introduced as part of CVE-2025-48378. However, the checks to ensure...

Cross-site Scripting (XSS)

Overview fastmcp is a The fast, Pythonic way to build MCP servers and clients. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the createcallbackhtml function. An attacker can execute arbitrary JavaScript in the context of the callback server's origin by supplying...

CVE-2025-41384

Cross-Site Scripting XSS vulnerability reflected in SuiteCRM v7.14.1. This vulnerability allows an attacker to execute JavaScript code by modifying the HTTP Referer header to include an arbitrary domain with malicious JavaScript code at the end. The server will attempt to block the arbitrary doma...

PT-2025-44217

Name of the Vulnerable Software and Affected Versions FastMCP versions prior to 2.13.0 Description FastMCP, a framework for building MCP applications, is affected by a reflected cross-site scripting issue. The problem exists in the OAuth client callback page oauth callback.py due to the insertion...

CVE-2025-41384

Cross-Site Scripting XSS vulnerability reflected in SuiteCRM v7.14.1. This vulnerability allows an attacker to execute JavaScript code by modifying the HTTP Referer header to include an arbitrary domain with malicious JavaScript code at the end. The server will attempt to block the arbitrary doma...

CVE-2025-5350 SSRF and Reflected XSS Vulnerability in Deprecated Try-It Feature of Multiple WSO2 Products

SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery SSRF. Additionally, the...

EUVD-2025-35713

MCMS reflected cross-site scripting XSS vulnerability...

MCMS reflected cross-site scripting (XSS) vulnerability

A reflected cross-site scripting XSS vulnerability in MCMS v6.0.1 allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload...

CVE-2025-9980

CVE-2025-9980 describes a Stored XSS vulnerability in QuickCMS, specifically in the page editor (pages-form). The issue allows a malicious actor with admin privileges to inject arbitrary HTML/JavaScript that is rendered/executed when visiting the edited page. The public material notes that only v...

CVE-2025-11952

CVE-2025-11952 describes a stored XSS in Oct8ne Chatbot v2.3. The flaw arises from input validation failure when creating a mail transcript via /Records/SendSummaryMail, allowing injected JavaScript to run in a victim's browser. Impact stated: potential theft of sensitive data (e.g., session cook...