CVE-2024-5848 Reflected Cross-Site Scripting (XSS) in Multiple WSO2 Products Due to Improper Input Validation

A reflected cross-site scripting XSS vulnerability exists in multiple WSO2 products due to improper input validation. User-supplied data is directly included in server responses from vulnerable service endpoints without proper sanitization or encoding, allowing an attacker to inject malicious...

CVE-2025-25477

The CVE-2025-25477 entry concerns SysPass 3.2.x, where a host header injection flaw allows loading malicious JavaScript from an arbitrary domain that would execute in a victim’s browser. The root cause is host header injection in SysPass; impact is demonstrated as high confidentiality and integri...

LY Corporation: Stored XSS via SVG Upload in chat.line.biz

An SVG file containing malicious JavaScript was uploaded to the web application without proper filtering or disabling of embedded scripts. When another user opened the malicious SVG file in the management interface, the embedded script was executed in the browser, resulting in a stored cross-site...

CVE-2025-25460

A stored Cross-Site Scripting XSS vulnerability was identified in FlatPress 1.3.1 within the "Add Entry" feature. This vulnerability allows authenticated attackers to inject malicious JavaScript payloads into blog posts, which are executed when other users view the posts. The issue arises due to...

PT-2025-7772 · Flatpress · Flatpress

Name of the Vulnerable Software and Affected Versions: FlatPress version 1.3.1 Description: A stored Cross-Site Scripting issue was identified within the "Add Entry" feature, allowing authenticated attackers to inject malicious JavaScript payloads into blog posts. This is executed when other user...

Unauthenticated Stored XSS via dangerouslySetInnerHTML

An UNAUTHENTICATED attacker can achieve stored cross-site scripting XSS by injecting malicious JavaScript the v1/runs/ingest if he adds an empty citations field to trigger a code path where dangerouslySetInnerHTML is used to render the attacker controlled text. This vulnerability allows the...

Cross-Site Scripting (XSS)

labelstudio is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper sanitization of user-provided HTML content in the /projects/upload-example endpoint, allowing attackers to inject malicious JavaScript via a specially crafted labelconfig query parameter in a GET request...

CVE-2025-25296

Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's /projects/upload-example endpoint allows injection of arbitrary HTML through a GET request with an appropriately crafted labelconfig query parameter. By crafting a specially formatted XML label config with...

CVE-2025-0178 WatchGaurd Firebox Host Header Injection Vulnerability

Improper Input Validation vulnerability in WatchGuard Fireware OS allows an attacker to manipulate the value of the HTTP Host header in requests sent to the Web UI. An attacker could exploit this vulnerability to redirect users to malicious websites, poison the web cache, or inject malicious...

CVE-2025-0178 WatchGaurd Firebox Host Header Injection Vulnerability

Improper Input Validation vulnerability in WatchGuard Fireware OS allows an attacker to manipulate the value of the HTTP Host header in requests sent to the Web UI. An attacker could exploit this vulnerability to redirect users to malicious websites, poison the web cache, or inject malicious...

CVE-2025-24417

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed...

CVE-2025-22132

WeGIA is a web manager for charitable institutions. A Cross-Site Scripting XSS vulnerability was identified in the file upload functionality of the WeGIA/html/socio/sistema/controller/controlaxlsx.php endpoint. By uploading a file containing malicious JavaScript code, an attacker can execute...

CVE-2020-13641

An issue was discovered in the Real-Time Find and Replace plugin before 4.0.2 for WordPress. The faroptionspage function did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The find and replace rules could be updated with malicious JavaScript,...

CVE-2020-26221

touchbase.ai before version 2.0 is vulnerable to Cross-Site Scripting XSS. The vulnerability allows an attacker to send malicious JavaScript code which could result in hijacking of the user's cookie/session tokens, redirecting the user to a malicious webpage and performing unintended browser...

CVE-2024-29882

SRS is a simple, high-efficiency, real-time video server. SRS's /api/v1/vhosts/vid-?callback= endpoint didn't filter the callback function name which led to injecting malicious javascript payloads and executing XSS Cross-Site Scripting. This vulnerability is fixed in 5.0.210 and 6.0.121...

CVE-2024-1937

The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'updateitem' function in all versions up to, and including, 2.4.44. This makes it possible for authenticated attackers, with contributor access and above, to...

CVE-2024-51989

Password Pusher is an open source application to communicate sensitive information over the web. A cross-site scripting XSS vulnerability was identified in the PasswordPusher application, affecting versions v1.41.1 through and including v.1.48.0. The issue arises from an un-sanitized parameter...

CVE-2024-11680

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation...

CVE-2024-53962 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Experience Manager versions 6.5.21 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

CVE-2025-0930

CVE-2025-0930: Reflected XSS in TeamCal Neo 3.8.2 via the abs parameter in /teamcal/src/index.php. An attacker can inject JavaScript code through this parameter. No exploit details are provided, and public patches are not confirmed in the supplied sources. PT Security notes that for TeamCal Neo 3...