📄 Flowise JS Injection Remote Code Execution

This Metasploit module exploits a remote code execution vulnerability in Flowise versions greater than or equal to 2.2.7-patch.1 and less than 3.0.6. The vulnerability exists in the customMCP endpoint /api/v1/node-load-method/customMCP located in...

CVE-2025-62297

SOPlanning is vulnerable to Stored XSS in /projets endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening edited page. This issue was fixed in version 1.55...

CVE-2025-36153

IBM Concert 1.0.0 through 2.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

CVE-2025-62731

SOPlanning is vulnerable to Stored XSS in /feries endpoint. Malicious attacker with access to public holidays feature is able to inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. By default only administrators and users with special privileges...

CVE-2025-62729

SOPlanning is vulnerable to Stored XSS in /status endpoint. Malicious attacker with an account can inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. This issue was fixed in version 1.55...

CVE-2025-62295

SOPlanning is vulnerable to Stored XSS in /groupeform endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor. This issue was fixed in version 1.55...

EUVD-2025-198304

SOPlanning is vulnerable to Stored XSS in /feries endpoint. Malicious attacker with access to public holidays feature is able to inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. By default only administrators and users with special privileges...

CVE-2025-62296

SOPlanning is vulnerable to Stored XSS in the /taches endpoint. A malicious user with medium privileges can inject HTML/JS that is rendered when opening the editor. The issue has a fixed patch in version 1.55. No exploit details are provided beyond the public vulnerability description in the conn...

CVE-2025-62296 Stored XSS in SOPlanning

SOPlanning is vulnerable to Stored XSS in /taches endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor. This issue was fixed in version 1.55...

CVE-2025-62296 Stored XSS in SOPlanning

SOPlanning is vulnerable to Stored XSS in /taches endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor. This issue was fixed in version 1.55...

PT-2025-47635

Name of the Vulnerable Software and Affected Versions IBM Concert versions 1.0.0 through 2.0.0 Description IBM Concert is susceptible to cross-site scripting. An unauthenticated attacker can inject arbitrary JavaScript code into the Web UI, potentially modifying the intended functionality and...

PT-2025-47472

A reflected cross-site scripted XSS vulnerability in the /ecommerce/products.php component of E-commerce Project v1.0 and earlier allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into the id parameter...

CVE-2025-51662

A stored cross-site scripting XSS vulnerability is found in the text sharing feature of FileCodeBox version 2.2 and earlier. Insufficient input validation allows attackers to inject arbitrary JavaScript code into shared text "codeboxes". The xss payload is automatically executed in the browsers o...

CVE-2025-63693

The comment editing template dzz/comment/template/editform.htm in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows low-privilege attackers to construct comment content or request parameters and...

CVE-2025-12869 aEnrich｜eHRD - Stored Cross-Site Scripting

The a+HRD developed by aEnrich has a Stored Cross-Site Scripting vulnerability, allowing remote attackers with administrator privileges to inject persistent JavaScript codes that are executed in users' browsers upon page load...

aEnrich a+HRD 跨站脚本漏洞

aEnrich a+HRD is a full-service human resources development solution from Acer China aEnrich. A cross-site scripting vulnerability exists in aEnrich a+HRD, which originates from stored cross-site scripting and could allow a remote attacker with administrator privileges to inject persistent...

CVE-2025-64187

OctoPrint provides a web interface for controlling consumer 3D printers. Versions 1.11.3 and below are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Action Command notifications and prompts popups generated by the printer. An attacker who successfully...

CVE-2025-10853

A reflected cross-site scripting XSS vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. Successful...

CVE-2025-63640

CVE-2025-63640 affects SourceCodester Medicine Reminder App v1.0. The vulnerability is a Cross-Site Scripting (XSS) flaw in the Medicine Name and Notes (Optional) fields when creating an Upcoming Reminder . The root cause is improper input handling/filtration that allows injection of arbitrary HT...

PT-2025-45528

Name of the Vulnerable Software and Affected Versions Open WebUI versions 0.6.224 and prior Open WebUI versions 0.6.34 and prior Open WebUI version 0.6.33 and prior Description Open WebUI, a self-hosted artificial intelligence platform, contains a code injection vulnerability within the Direct...