2179 matches found
CVE-2025-44108
FlatPress CMS ≤ 1.3.1/1.4-rc1 shows a stored XSS through the gallery captions component. The vulnerability (CVE-2025-44108) allows an admin-privilged user to inject JavaScript that is then stored persistently, with impacts limited to confidentiality and integrity per sources, and no explicit expl...
CVE-2025-47786
Emlog is an open source website building system. Version 2.5.13 has a stored cross-site scripting vulnerability that allows any registered user to construct malicious JavaScript, inducing all website users to click. In /admin/comment.php, the parameter perpagenum is not validated and is directly...
CVE-2025-40632
IceWarp Mail Server (v11.4.0) contains a Cross-Site Scripting (XSS) vulnerability where an attacker can modify the lastLogin cookie to inject JavaScript that executes when the page renders. Affected component is the web-facing handling of user data; the root cause is lack of proper filtering/esca...
CVE-2024-8673
The Z-Downloads WordPress plugin before 1.11.7 does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript...
CVE-2024-8673
CVE-2024-8673 affects the WordPress plugin Z-Downloads prior to version 1.11.7. The root cause is improper validation of uploaded files, allowing SVGs containing malicious JavaScript . This enables authenticated attackers to upload SVGs that execute when other users view the uploaded files, poten...
CVE-2025-47786 Emlog vulnerable to Stored Cross-site Scripting
Emlog is an open source website building system. Version 2.5.13 has a stored cross-site scripting vulnerability that allows any registered user to construct malicious JavaScript, inducing all website users to click. In /admin/comment.php, the parameter perpagenum is not validated and is directly...
CVE-2025-47786 Emlog vulnerable to Stored Cross-site Scripting
Emlog is an open source website building system. Version 2.5.13 has a stored cross-site scripting vulnerability that allows any registered user to construct malicious JavaScript, inducing all website users to click. In /admin/comment.php, the parameter perpagenum is not validated and is directly...
PT-2025-21529 · WordPress · Z-Downloads
Name of the Vulnerable Software and Affected Versions: Z-Downloads versions prior to 1.11.7 Description: The issue concerns the Z-Downloads WordPress plugin, which does not properly validate uploaded files. This allows for the uploading of SVG files that contain malicious JavaScript...
WordPress plugin Z-Downloads 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security...
PT-2025-21366 · Emlog · Emlog
Name of the Vulnerable Software and Affected Versions: Emlog version 2.5.13 Description: Emlog is an open source website building system with a stored cross-site scripting issue. This allows any registered user to construct malicious JavaScript, inducing all website users to click. The...
Piwik PRO - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-058
This module enables you to add the Piwik Pro web statistics tracking system to your website. The module does not check the JS code that is loaded on the website. So a user with the "Administer Piwik Pro" permission could configure the module to load JS from a malicious website. This vulnerability...
Adobe Connect 跨站脚本漏洞
Adobe Connect is a software for creating meeting environments from the American company Audobee Adobe. Adobe Connect suffers from a cross-site scripting vulnerability that can be exploited by an attacker to execute malicious JavaScript...
Adobe Connect 跨站脚本漏洞
Adobe Connect is a software for creating meeting environments from the American company Audobee Adobe. Adobe Connect suffers from a cross-site scripting vulnerability that can be exploited by an attacker to execute malicious JavaScript...
Adobe Connect 跨站脚本漏洞
Adobe Connect is a software for creating meeting environments from the American company Audobee Adobe. Adobe Connect suffers from a cross-site scripting vulnerability that can be exploited by an attacker to execute malicious JavaScript...
CVE-2025-28074
phpList before 3.6.15 is vulnerable to Cross-Site Scripting XSS due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious...
CVE-2025-28074
phpList before 3.6.15 is vulnerable to Cross-Site Scripting XSS due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious...
CVE-2025-46734 league/commonmark Cross-site Scripting vulnerability in Attributes extension
league/commonmark is a PHP Markdown parser. A cross-site scripting XSS vulnerability in the Attributes extension of the league/commonmark library versions 1.5.0 through 2.6.x allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configurati...
CVE-2025-46734
league/commonmark is a PHP Markdown parser. A cross-site scripting XSS vulnerability in the Attributes extension of the league/commonmark library versions 1.5.0 through 2.6.x allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configurati...
Mars: RXSS on ██████ via customerId parameter
A Reflected Cross-Site Scripting XSS vulnerability was identified on the Mars website at ██████. The vulnerability was located in the customerId parameter, which was inadequately sanitized before being reflected back to users in the HTTP response. When the parameter was manipulated with malicious...
HCL Domino Volt 安全漏洞
HCL Domino Volt is a low-code application development solution based on the Domino platform from HCL India. A security vulnerability exists in HCL Domino Volt, which stems from an insecure default file type filtering policy that could lead to the execution of malicious JavaScript...