Laravel Starter Cross Site Scripting (XSS)

Laravel Starter 11.11.0 is vulnerable to Cross Site Scripting XSS in the tags feature. Any user with the ability of create or modify tags can inject malicious JavaScript code in the name field...

CVE-2025-32961 CUBA JPA Web API Vulnerable to Cross-Site Scripting (XSS) in the /download Endpoint

The Cuba JPA web API enables loading and saving any entities defined in the application data model by sending simple HTTP requests. Prior to version 1.1.1, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name...

CVE-2025-32960 CUBA Generic REST API Vulnerable to Cross-Site Scripting (XSS) in the /files Endpoint

The CUBA REST API add-on performs operations on data and entities. Prior to version 7.2.7, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code ...

CVE-2025-32960 CUBA Generic REST API Vulnerable to Cross-Site Scripting (XSS) in the /files Endpoint

The CUBA REST API add-on performs operations on data and entities. Prior to version 7.2.7, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code ...

GHSA-HG25-W3VG-7279 XSS in the /download Endpoint of the JPA Web API

Impact The input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be...

XSS in the /files Endpoint of the Generic REST API

Impact The input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be...

Jmix 跨站脚本漏洞

Jmix is a set of libraries and tools from Jmix, Inc. for accelerating Spring Boot data-centric application development. A cross-site scripting vulnerability exists in Jmix versions 1.0.0 through 1.6.1 and 2.0.0 through 2.3.4, which stems from improperly manipulated file paths and could lead to...

WonderCMS 3.4.2 - Remote Code Execution (RCE)

Exploit Title: WonderCMS 3.4.2 - Remote Code Execution RCE Date: 2025-04-16 Exploit Author: Milad Karimi Ex3ptionaL Contact: [email protected] Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL MiRROR-H: https://mirror-h.org/search/hacker/49626/ CVE: CVE-2023-41425 import requests import...

CVE-2025-3760

A stored cross-site scripting XSS vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10...

CVE-2025-30292 ColdFusion | Cross-site Scripting (Reflected XSS) (CWE-79)

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a reflected Cross-Site Scripting XSS vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's...

CVE-2025-26653 Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)

SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting XSS vulnerability. This enables an attacker, without requiring any privileges, to inject malicious JavaScript into a website. When a user visits the compromised page,...

PT-2025-15661 · Adobe · Coldfusion

Name of the Vulnerable Software and Affected Versions: ColdFusion versions 2025.0 and earlier ColdFusion versions 2023.12 ColdFusion versions 2021.18 Description: The issue is a reflected Cross-Site Scripting XSS vulnerability. If an attacker convinces a victim to visit a URL referencing a...

CVE-2025-3189

Stored Cross-Site Scripting XSS in DoWISP in versions prior to 1.16.2.50, which consists of an stored XSS through the upload of a profile picture in SVG format with malicious Javascript code in it...

CVE-2025-3189 Stored Cross-Site Scripting (XSS) in DoWISP

Stored Cross-Site Scripting XSS in DoWISP in versions prior to 1.16.2.50, which consists of an stored XSS through the upload of a profile picture in SVG format with malicious Javascript code in it...

GHSA-V2RR-FHV8-MX74 wp-svg-upload WordPress plugin vulnerable to Stored Cross-site Scripting

The wp-svg-upload WordPress plugin through 1.0.0 does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks...

CVE-2024-11847

The wp-svg-upload WordPress plugin through 1.0.0 does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks...

Cross-site Scripting (XSS)

Overview org.webjars.bower:ContentTools is an A JS library for building WYSIWYG editors for HTML content Affected versions of this package are vulnerable to Cross-site Scripting XSS via the onload attribute in img that allows attackers to inject malicious Javascript code. Details Cross-site...

CVE-2025-2597 Reflected Cross-Site Scripting (XSS) vulnerability in ITIUM 6050

Reflected Cross-Site Scripting XSS in ITIUM 6050 version 5.5.5.2-b3526 from Impact Technologies. This vulnerability could allow an attacker to execute malicious Javascript code via GET and POST requests to the ‘/index.php’ endpoint and injecting code into the ‘idsession...

CVE-2025-2597

CVE-2025-2597 describes a reflected Cross-Site Scripting (XSS) vulnerability in Impact Technologies ITIUM 6050 (version 5.5.5.2-b3526 ). According to the sources, an attacker could execute arbitrary JavaScript by crafting GET/POST requests to the endpoint /index.php and injecting code via the par...

Impact Technologies ITIUM 6050 跨站脚本漏洞

The Impact Technologies ITIUM 6050 is a versatile thin client from Impact Technologies, Inc. that meets the needs of organizations that use multimedia and video solutions on a daily basis and are looking for robust functionality and image quality, such as videoconferencing, video surveillance,...