CVE-2025-4599
The fragment preview functionality in Liferay Portal 7.4.3.61 through 7.4.3.132, and Liferay DXP 2024.Q4.1 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.13 and 7.4 update 61 through update 92 was found to be vulnerable to postMessage-base...
CVE-2025-54789
Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, the File Move functionality does not contain logic that prevents injection of arbitrary JavaScript, which can lead to Browser JS code execution in the context of the user’s session. This is fixed i...
PT-2025-31868
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.3.61 through 7.4.3.132; Liferay DXP versions 2024.Q1.1 through 2024.Q1.13; Liferay DXP versions 2024.Q2.0 through 2024.Q2.13; Liferay DXP versions 2024.Q3.1 through 2024.Q3.13; Liferay DXP versions 2024.Q4.1 through...
Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS)
Author: Byte Reaper. CVE: CVE-2025-54589. Title: Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS). CVE-2025-54589 is a reflected cross-site scripting (XSS) vulnerability in Copyparty ≤ 1.18.6 where the filter parameter is inserted into the HTML response without proper sanitization, allowing ...
CVE-2025-50866
CloudClassroom-PHP-Project 1.0 contains a reflected Cross-site Scripting (XSS) vulnerability in the email parameter of the postquerypublic endpoint. Improper sanitization allows an attacker to inject arbitrary JavaScript code that executes in the context of the user's browser, potentially leading t...
CVE-2025-51569
A cross-site scripting (XSS) vulnerability exists in the LB-Link BL-CPE300M 01.01.02P42U1406 router's web interface. The /goform/goform_get_cmd_process endpoint fails to sanitize user input in the cmd parameter before reflecting it into a text/html response. This allows unauthenticated attackers to...
Files security vulnerability
Files is a single-file PHP application from the individual developer Karl Ward. It can be dragged and dropped into any directory, allowing browsing of the files and directories within. A security vulnerability exists in Files 0.16.9 and earlier versions, which stems from the file moving feature n...
CVE-2025-54789 Files is Vulnerable to Reflected Self-XSS through its File Move Functionality
Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, the File Move functionality does not contain logic that prevents injection of arbitrary JavaScript, which can lead to Browser JS code execution in the context of the user’s session. This is fixed i...
CVE-2025-54789
The CVE-2025-54789 entry relates to the Files module, specifically the File Move functionality. Versions ≤ 0.16.9 allow injection of arbitrary JavaScript, enabling Browser JavaScript execution in the user’s session. This is the underlying issue described across multiple sources (NVD, Red Hat advi...
PT-2025-31659 · Unknown · Institute-Of-Current-Students
Name of the Vulnerable Software and Affected Versions: Institute-of-Current-Students version 1.0 Description: A stored Cross-Site Scripting XSS vulnerability exists in the qureydetails.php page. The input fields for Query and Answer do not properly sanitize user input, allowing authenticated user...
PT-2025-31708 · Files · Files
Name of the Vulnerable Software and Affected Versions: Files versions 0.16.9 and below Description: The File Move functionality does not contain logic that prevents injection of arbitrary JavaScript, potentially leading to Browser JS code execution in the context of the user’s session...
CVE-2025-52203
A stored cross-site scripting XSS vulnerability exists in DevaslanPHP project-management v1.2.4. The vulnerability resides in the Ticket Name field, which fails to properly sanitize user-supplied input. An authenticated attacker can inject malicious JavaScript payloads into this field, which are...
GHSA-9QM3-6QRR-C76M @nyariv/sandboxjs has Prototype Pollution vulnerability that may lead to RCE
A prototype pollution vulnerability exists in @nyariv/sandboxjs versions = 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can result in a denial-of-service DoS condition or, under certain conditions, escape the sandboxed environme...
CVE-2025-52358
A cross-site scripting vulnerability in Vivaldi United Group iCONTROL+ Server including Firmware version 4.7.8.0.eden Logic version 5.32 and below. This issue allows attackers to inject JavaScript payloads within the error or edit-menu-item parameters which are then executed in the victim's brows...
CVE-2025-51569
CVE-2025-51569 describes a cross-site scripting (XSS) vulnerability in the LB-Link BL-CPE300M web interface. The issue stems from the endpoint /goform/goform_get_cmd_process, where input in the cmd parameter is not properly sanitized before being reflected into a text/html response, enabling an a...
PT-2025-31550 · Lb Link · Lb-Link Bl-Cpe300M
Name of the Vulnerable Software and Affected Versions: LB-Link BL-CPE300M version 01.01.02P42U1406 Description: A cross-site scripting (XSS) vulnerability exists in the web interface of the router. The /goform/goform_get_cmd_process API endpoint fails to sanitize user input in the cmd parameter...