Reflected Cross-site Scripting (XSS)

com.liferay.portal, com.liferay.portal.impl are vulnerable to reflected cross-site scripting XSS. The vulnerability is due to improper input validation in the googlegadget component, which allows a remote unauthenticated attacker to inject and execute malicious JavaScript in a victim’s browser...

CVE-2025-67734 Frappe Authenticated Users can Execute JavaScript through its Job Form

Frappe Learning Management System LMS is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript through the Company Website field of the Job Form, exposing users to an XSS attack. The script could then be executed i...

CVE-2025-67730

Frappe Learning Management System LMS is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0...

EUVD-2025-203016

The Flow-Flow Social Feed Stream plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the flowflowsocialauth AJAX action in versions 3.0.0 to 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, ...

CVE-2025-13866

The Flow-Flow Social Feed Stream plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the flowflowsocialauth AJAX action in versions 3.0.0 to 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, ...

PT-2025-50902

Name of the Vulnerable Software and Affected Versions Frappe Learning Management System LMS versions prior to 2.42.0 Description Frappe Learning Management System LMS allows authenticated users to inject malicious HTML and JavaScript code through description fields within the Job, Course, and Bat...

PT-2025-50826

The Flow-Flow Social Feed Stream plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the flow flow social auth AJAX action in versions 3.0.0 to 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and abov...

CVE-2024-58297

PyroCMS v3.0.1 contains a stored cross-site scripting vulnerability in the admin redirects configuration that allows attackers to inject malicious scripts. Attackers can insert a payload in the 'Redirect From' field to execute arbitrary JavaScript when administrators view the redirects page...

EUVD-2025-202470

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

CVE-2025-64615

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

CVE-2025-64556

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

CVE-2025-64593 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

CVE-2025-65300

A stored Cross-Site Scripting XSS vulnerability exists in the Coohom SaaS Platform feVersion=1760060603897 2025-10-28 in the Account Settings module, where unsanitized user input in Address fields City, State, Country/Region is rendered back to the page. Attackers can inject arbitrary JavaScript...

CVE-2025-34425 MailEnable < 10.54 Reflected XSS in WindowContext Parameter of MAI/compose.aspx

MailEnable versions prior to 10.54 contain a reflected cross-site scripting XSS vulnerability in the WindowContext parameter of /Mondo/lang/sys/Forms/MAI/compose.aspx. The WindowContext value is not properly sanitized when processed via a GET request and is reflected within a context in the...

CVE-2025-65300

A stored Cross-Site Scripting XSS vulnerability exists in the Coohom SaaS Platform feVersion=1760060603897 2025-10-28 in the Account Settings module, where unsanitized user input in Address fields City, State, Country/Region is rendered back to the page. Attackers can inject arbitrary JavaScript...

EUVD-2025-202195

MailEnable versions prior to 10.54 contain a reflected cross-site scripting XSS vulnerability in the InstanceScope parameter of /Mondo/lang/sys/Forms/CAL/compose.aspx. The InstanceScope value is not properly sanitized when processed via a GET request and is reflected inside a block in the...

CVE-2025-34403

MailEnable versions prior to 10.54 contain a reflected cross-site scripting XSS vulnerability in the FieldTo parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The FieldTo value is not properly sanitized when processed via a GET request and is reflected inside a block in the JavaScript variable...

EUVD-2025-202186

MailEnable versions prior to 10.54 contain a reflected cross-site scripting XSS vulnerability in the AddressesBcc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The AddressesBcc value is not properly sanitized when processed via a GET request and is reflected within a block in the JavaScrip...

CVE-2025-34402 MailEnable < 10.54 Reflected XSS in FieldCc Parameter of AddressBook.aspx

MailEnable versions prior to 10.54 contain a reflected cross-site scripting XSS vulnerability in the FieldCc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The FieldCc value is not properly sanitized when processed via a GET request and is reflected inside a block in the JavaScript variable...

Cross-site Scripting

Apache SkyWalking is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper neutralization of script-related HTML tags, allowing attackers to inject malicious JavaScript into web pages...