CVE-2025-41367 Stored Cross-Site Scripting (XSS) vulnerability in IDF and ZLF

Stored Cross-Site Scripting XSS vulnerability in IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. This vulnerability allows an attacker to store malicious JavaScript payload in software that will run in the victim's browser. Exploiting this vulnerability requires authenticating to the device and...

CVE-2025-41367

The CVE-2025-41367 entry affects IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. The issue is a Stored Cross-Site Scripting (XSS) vulnerability that lets an attacker store malicious JavaScript payloads to run in a victim’s browser. Exploitation requires authenticating to the device and executing com...

MainWP: Reflected XSS in "Create Category" Functionality of Post Creation Module

A reflected Cross-Site Scripting XSS vulnerability was identified in the "Create Category" feature of the post creation functionality. When a user entered a malicious JavaScript payload in the Category Name field, the input was reflected and executed immediately after submission. However, this XS...

CVE-2025-20297

In Splunk Enterprise versions below 9.4.2, 9.3.4 and 9.2.6, and Splunk Cloud Platform versions below 9.3.2411.102, 9.3.2408.111 and 9.2.2406.118, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the pdfgen/render REST endpoint th...

📄 Adapt CMS 3.0.3 Cross Site Scripting

Adapt CMS version 3.0.3 suffers from a persistent cross site scripting vulnerability in the Send Message functionality. Exploit Title: Stored XSS "Send Message" Functionality - adaptcmsv3.0.3 Date: 06/2025 Exploit Author: Andrey Stoykov Version: 3.0.3 Tested on: Debian 12 Blog:...

U.S. Dept Of Defense: Cross-Site Scripting (XSS) in ASP.NET via ResolveUrl on ██████

A Cross-Site Scripting XSS vulnerability was identified in an ASP.NET web application. The issue arose from improper handling of URLs passed to the ResolveUrl method, which failed to sanitize user-controlled input. This allowed injection of arbitrary JavaScript payloads that executed in the conte...

CVE-2024-4026

Cross-Site Scripting XSS vulnerability in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within all editable parameters within the 'General' and 'Team ID' functionalities, which could result in a session takeover...

CVE-2024-23821

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting XSS vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with workspace-level privileges to store a...

CVE-2024-23819

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting XSS vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with workspace-level privileges to store a...

CVE-2024-23642

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting XSS vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with workspace-level privileges to store a...

CVE-2024-45986

A stored Cross-Site Scripting XSS vulnerability was identified in Projectworld Online Voting System 1.0 that occurs when an account is registered with a malicious javascript payload. The payload is stored and subsequently executed in the voter.php and profile.php pages whenever the account...

CVE-2023-27494

Streamlit, software for turning data scripts into web applications, had a cross-site scripting XSS vulnerability in versions 0.63.0 through 0.80.0. Users of hosted Streamlit apps were vulnerable to a reflected XSS vulnerability. An attacker could craft a malicious URL with Javascript payloads to ...

CVE-2023-51445

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting XSS vulnerability exists in versions prior to 2.23.3 and 2.24.0 that enables an authenticated administrator with workspace-level privileges to store a...

CVE-2023-3196

This vulnerability could allow an attacker to store a malicious JavaScript payload in the login footer and login page description parameters within the administration panel...

CVE-2022-37429

Silverstripe silverstripe/framework through 4.11 allows XSS issue 1 of 2 via JavaScript payload to the href attribute of a link by splitting a javascript URL with white space characters...

CVE-2025-45754

A stored cross-site scripting XSS vulnerability exists in SeedDMS 6.0.32. This vulnerability allows an attacker to inject malicious JavaScript payloads by creating a document with an XSS payload as the document name...

CVE-2021-24444

The TaxoPress – Create and Manage Taxonomies, Tags, Categories WordPress plugin before 3.0.7.2 does not sanitise its Taxonomy description field, allowing high privilege users to set JavaScript payload in them even when the unfilteredhtml capability is disallowed, leading to an authenticated Store...

CVE-2021-37504

A cross-site scripting XSS vulnerability in the fileNameStr parameter of jQuery-Upload-File v4.0.11 allows attackers to execute arbitrary web scripts or HTML via a crafted file with a Javascript payload in the file name...

CVE-2021-24423

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.6.59 does not sanitise its updraftservice settings, allowing high privilege users to set malicious JavaScript payload in it and leading to a Stored Cross-Site Scripting issue...

CVE-2021-20112

A stored cross-site scripting vulnerability exists in TCExam = 14.8.1. Valid files uploaded via tceselectmediafile.php with a filename beggining with a period will be rendered as text/html. An attacker with access to tceselectmediafile.php could upload a malicious javascript payload which would b...