5941 matches found
CVE-2024-46226
CVE-2024-46226 describes a stored XSS in HelpDeskZ
HelpDeskZ Cross-Site Scripting Vulnerability
HelpDeskZ is a free PHP-based software from HelpDeskZ Open Source. It provides a web-based support ticket system to manage site support. A cross-site scripting vulnerability exists in versions prior to HelpDeskZ v2.0.2. A remote attacker can exploit this vulnerability to execute arbitrary...
Cross-Site Scripting (XSS)
@ckeditor/ckeditor5-real-time-collaboration is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper handling of user markers in the real-time collaboration package, which can allow unauthorized JavaScript execution in certain editor and token endpoint configurations...
CVE-2025-27145
The CVE-2025-27145 entry relates to copyparty, a portable file server, with a DOM-based XSS vulnerability in versions prior to 1.16.15. The issue is triggered during drag-and-drop of a maliciously named, empty file into the Web-UI, causing arbitrary JavaScript execution with the user’s privileges...
CVE-2025-27145 copyparty renders unsanitized filenames as HTML when user uploads empty files
copyparty, a portable file server, has a DOM-based cross-site scripting vulnerability in versions prior to 1.16.15. The vulnerability is considered low-risk. By handing someone a maliciously-named file, and then tricking them into dragging the file into copyparty's Web-UI, an attacker could execu...
CVE-2024-57026
TawkTo Widget Version <= 1.3.7 is vulnerable to Cross-Site Scripting (XSS) due to processing user input in a way that allows JavaScript execution...
TawkTo Widget Security Vulnerability
TawkTo Widget is a widget design program from TawkTo, Inc. A security vulnerability exists in TawkTo Widget version 1.3.7 and earlier, which stems from mishandling of user input, resulting in a cross-site scripting (XSS) vulnerability that allows JavaScript execution...
Copyparty Security Vulnerability
Copyparty is a portable file server for individual developers. A security vulnerability exists in Copyparty versions prior to 1.16.15. An attacker exploiting this vulnerability could execute arbitrary JavaScript with the same privileges as the user...
CVE-2024-57026
The CVE-2024-57026 entry concerns the TawkTo Widget, affected versions prior to or equal to 1.3.7, which are vulnerable to Cross Site Scripting (XSS) due to how user input is processed. This is the stated root cause and impact across connected sources (e.g., Red Hat, CVE listings, and PT Security...
The vulnerability of the task and project management service WEEEK lies in the lack of measures taken to protect the website structure, allowing a perpetrator to execute arbitrary JavaScript code.
The vulnerability of the WEEEK task and project management service is related to the lack of measures taken to protect the website structure, allowing a hacker to execute arbitrary JavaScript code...
The vulnerability of the WEEEK task and project management service is related to the lack of measures taken to protect the website structure. Exploiting this vulnerability could allow a remote attacker to execute arbitrary JavaScript code...
BIT-DISCOURSE-2024-56328 HTMLi(XSS without CSP) via Onebox urls in Discourse
Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by posting a maliciously crafted onebox url. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are...
CVE-2025-1024
A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. This requires Administration privileges and affects the EID parameter. The flaw allows an attacker to...
CVE-2025-1024
ChurchCRM 5.13.0 is affected by a Reflected Cross‑Site Scripting (XSS) in EditEventAttendees.php (EID parameter) that requires administrative privileges. The vulnerability enables an attacker to execute arbitrary JavaScript in a victim’s browser, potentially stealing session cookies, acting on be...
F5 BIG-IP Cross-Site Scripting Vulnerability (CNVD-2025-07327)
F5 BIG-IP is an application delivery platform from F5 USA that integrates network traffic management, application security management, load balancing and other functions. F5 BIG-IP suffers from a cross-site scripting vulnerability that stems from the application's lack of effective filtering and...
CVE-2025-25304
A flaw was found in Vega. In affected versions of Vega and Vega-selections, the vlSelectionTuples function can be used to call JavaScript functions, leading to cross-site scripting. This flaw allows an attacker to control multiple functions called by vlSelectionTuples, including one call with an...
CVE-2025-25296 Label Studio allows Cross-Site Scripting (XSS) via GET request to `/projects/upload-example` endpoint
Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's /projects/upload-example endpoint allows injection of arbitrary HTML through a GET request with an appropriately crafted labelconfig query parameter. By crafting a specially formatted XML label config with...
GHSA-MP7W-MHCV-673J Vega allows Cross-site Scripting via the vlSelectionTuples function
Summary The vlSelectionTuples function can be used to call JavaScript functions, leading to XSS. Details vlSelectionTuples calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument. Example call: vlSelectionTuplesdatum:, fields:getter:...