CVE-2025-57203

MagicProject AI version 9.1 is affected by a Cross-Site Scripting XSS vulnerability within the chatbot generation feature available to authenticated admin users. The vulnerability resides in the prompt parameter submitted to the /dashboard/user/generator/generate-stream endpoint via a...

CVE-2025-50975

IPFire 2.29 web-based firewall interface firewall.cgi fails to sanitize several rule parameters such as PROT, SRCPORT, TGTPORT, dnatport, key, ruleremark, srcaddr, stdnettgt, and tgtaddr, allowing an authenticated administrator to inject persistent JavaScript. This stored XSS payload is executed...

Linux Distros Unpatched Vulnerability : CVE-2021-26247

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - As an unauthenticated remote user, visit http:///authchangepassword.php?ref=alert1 to successfully execute the JavaScript payload present in the ref URL...

CVE-2025-51487

A Stored Cross-Site Scripting XSS vulnerability exists in MoonShine version 3.12.5, allowing to execute arbitrary JavaScript by using "javascript:" payload, instead of the expected HTTPS protocol, in the CutCode Link parameter when creating/updating a new Article...

CVE-2025-51487

A Stored Cross-Site Scripting XSS vulnerability exists in MoonShine version 3.12.5, allowing to execute arbitrary JavaScript by using "javascript:" payload, instead of the expected HTTPS protocol, in the CutCode Link parameter when creating/updating a new Article...

CVE-2025-51487

A Stored Cross-Site Scripting XSS vulnerability exists in MoonShine version 3.12.5, allowing to execute arbitrary JavaScript by using "javascript:" payload, instead of the expected HTTPS protocol, in the CutCode Link parameter when creating/updating a new Article...

CVE-2025-51487

A Stored Cross-Site Scripting XSS vulnerability exists in MoonShine version 3.12.5, allowing to execute arbitrary JavaScript by using "javascript:" payload, instead of the expected HTTPS protocol, in the CutCode Link parameter when creating/updating a new Article...

CVE-2025-51487

A Stored Cross-Site Scripting XSS vulnerability exists in MoonShine version 3.12.5, allowing to execute arbitrary JavaScript by using "javascript:" payload, instead of the expected HTTPS protocol, in the CutCode Link parameter when creating/updating a new Article...

CVE-2025-45314

A cross-site scripting XSS vulnerability in the /Calendar endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the add function...

CVE-2020-9322

The /users endpoint in Statamic Core before 2.11.8 allows XSS to add an administrator user. This can be exploited via CSRF. Stored XSS can occur via a JavaScript payload in a username during account registration. Reflected XSS can occur via the /users PATHINFO...

CVE-2020-9322

Statamic Core prior to 2.11.8 exposes a cross-site scripting (XSS) vulnerability via the /users endpoint. This can be exploited through CSRF to create an administrator user. Stored XSS is possible when a JavaScript payload is placed in the username during account registration, and reflected XSS c...

Exploit for CVE-2025-54589

CVE-2025-54589 – Copyparty Reflected XSS Author: Byte Rea...

CVE-2024-56916

In Netbox Community 4.1.7, once authenticated, Configuration History Addis vulnerable to cross-site scripting XSS due to the current value field rendering user supplied html. An authenticated attacker can leverage this to add malicious JavaScript to the any banner field. Once a victim edits a...

CVE-2025-48993

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web applicatio...

CVE-2025-6050 Stored Cross-Site Scripting (XSS) in Mezzanine CMS Admin Interface

Mezzanine CMS, in versions prior to 6.1.1, contains a Stored Cross-Site Scripting XSS vulnerability in the admin interface. The vulnerability exists in the "displayablelinksjs" function, which fails to properly sanitize blog post titles before including them in JSON responses served via...

CVE-2025-48993 Group-Office vulnerable to reflected XSS via Look and Feel Formatting input

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web applicatio...

CVE-2025-48992

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a stored and blind cross-site scripting XSS vulnerability exists in the Name Field of the user profile. A malicious attacker can change their name to a javascript payload, whi...

CVE-2025-48992 Group-Office vulnerable to blind XSS

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a stored and blind cross-site scripting XSS vulnerability exists in the Name Field of the user profile. A malicious attacker can change their name to a javascript payload, whi...

CVE-2025-41367

Stored Cross-Site Scripting XSS vulnerability in IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. This vulnerability allows an attacker to store malicious JavaScript payload in software that will run in the victim's browser. Exploiting this vulnerability requires authenticating to the device and...

CVE-2025-41367

Stored Cross-Site Scripting XSS vulnerability in IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. This vulnerability allows an attacker to store malicious JavaScript payload in software that will run in the victim's browser. Exploiting this vulnerability requires authenticating to the device and...