CVE-2024-0640 Stored XSS in chatwoot/chatwoot

A stored cross-site scripting XSS vulnerability exists in chatwoot/chatwoot versions 3.0.0 to 3.5.1. This vulnerability allows an admin user to inject malicious JavaScript code via the dashboard app settings, which can then be executed by another admin user when they access the affected dashboard...

CVE-2024-6986 Cross-site Scripting (XSS) in parisneo/lollms-webui

A Cross-site Scripting XSS vulnerability exists in the Settings page of parisneo/lollms-webui version 9.8. The vulnerability is due to the improper use of the 'v-html' directive, which inserts the content of the 'fulltemplate' variable directly as HTML. This allows an attacker to execute maliciou...

Chatwoot 跨站脚本漏洞

Chatwoot is a Chatwoot open source application. Customer Engagement Suite, an open source alternative to Intercom, Zendesk, Salesforce Service Cloud, and more. A cross-site scripting vulnerability exists in Chatwoot versions 3.0.0 through 3.5.1. An attacker can exploit this vulnerability to injec...

CVE-2024-53970 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Experience Manager versions 6.5.21 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

CVE-2025-25612

FS Inc S3150-8T2F prior to version S3150-8T2F2.2.0D135103 is vulnerable to Cross Site Scripting XSS in the Time Range Configuration functionality of the administration interface. An attacker can inject malicious JavaScript into the "Time Range Name" field, which is improperly sanitized. When this...

CVE-2025-25612

CVE-2025-25612 affects FS Inc S3150-8T2F: XS Scripting in the Time Range Configuration of the administration interface. The vulnerability stems from improper sanitization in the Time Range Name field, allowing an attacker to inject JavaScript that executes in any user browser (including admins) w...

MODX allows cross-site scripting (XSS) via an SVG file

A cross-site scripting XSS vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image...

CVE-2025-26659

SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to DOM-basedCross-Site Scripting XSS vulnerability. This allows an attacker with no privileges, to craft a malicious web message that exploits WEBGUI functionality. On successful exploitation, the...

CVE-2025-2150

The C&Cm@il from HGiga has a Stored Cross-Site Scripting XSS vulnerability, allowing remote attackers with regular privileges to send emails containing malicious JavaScript code, which will be executed in the recipient's browser when they view the email...

CVE-2025-2150

CVE-2025-2150 affects HGiga C&Cm@il. The vulnerability is a Stored Cross-Site Scripting (XSS) in the mail component, allowing remote attackers with regular privileges to send emails containing malicious JavaScript that executes in the recipient’s browser when viewed. Affected: C&Cm@il web app; ro...

HGiga C&Cm@il 跨站脚本漏洞

HGiga C&Cm@il is an email collaboration system from China Henderson HGiga. A cross-site scripting vulnerability exists in HGiga C&Cm@il, which originates from stored cross-site scripting and could result in malicious JavaScript code being executed in the recipient's browser...

CVE-2025-26202

Cross-Site Scripting XSS vulnerability exists in the WPA/WAPI Passphrase field of the Wireless Security settings 2.4GHz & 5GHz bands in DZS Router Web Interface. An authenticated attacker can inject malicious JavaScript into the passphrase field, which is stored and later executed when an...

TeamPasswordManager 安全漏洞

TeamPasswordManager is a password manager from the individual developer Ferran Barba. A security vulnerability exists in TeamPasswordManager version 12.162.284 and earlier, which stems from vulnerability to cross-site scripting attacks that allow execution of malicious JavaScript...

CVE-2024-5848

A reflected cross-site scripting XSS vulnerability exists in multiple WSO2 products due to improper input validation. User-supplied data is directly included in server responses from vulnerable service endpoints without proper sanitization or encoding, allowing an attacker to inject malicious...

CVE-2025-25477

A host header injection vulnerability in SysPass 3.2x allows an attacker to load malicious JS files from an arbitrary domain which would be executed in the victim's browser...

CVE-2025-25477

A host header injection vulnerability in SysPass 3.2x allows an attacker to load malicious JS files from an arbitrary domain which would be executed in the victim's browser...

sysPass 注入漏洞

SysPass is a system password manager by RubénD Individual Developers. An injection vulnerability exists in sysPass version 3.2x, which stems from host header injection and could lead to the execution of malicious JS files...

CVE-2024-5848 Reflected Cross-Site Scripting (XSS) in Multiple WSO2 Products Due to Improper Input Validation

A reflected cross-site scripting XSS vulnerability exists in multiple WSO2 products due to improper input validation. User-supplied data is directly included in server responses from vulnerable service endpoints without proper sanitization or encoding, allowing an attacker to inject malicious...

CVE-2025-25477

The CVE-2025-25477 entry concerns SysPass 3.2.x, where a host header injection flaw allows loading malicious JavaScript from an arbitrary domain that would execute in a victim’s browser. The root cause is host header injection in SysPass; impact is demonstrated as high confidentiality and integri...

LY Corporation: Stored XSS via SVG Upload in chat.line.biz

An SVG file containing malicious JavaScript was uploaded to the web application without proper filtering or disabling of embedded scripts. When another user opened the malicious SVG file in the management interface, the embedded script was executed in the browser, resulting in a stored cross-site...