CVE-2024-25814

CVE-2024-25814 affects MyNET up to v26.05. The issue is a reflected cross-site scripting (XSS) vulnerability exploitable via the msg parameter. The Red Hat/EU ENISA/CNNVD and CVE entries corroborate the same description: vulnerable version range is prior to 26.05, with the root cause being reflec...

CVE-2025-13624 Overstock Affiliate Links <= 1.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']

The Overstock Affiliate Links plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' parameter in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to injec...

CVE-2025-14125

The Complag plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

PT-2025-50900

The VikRentItems Flexible Rental Management System plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'delto' parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

CVE-2025-34400

Summary: CVE-2025-34400 affects MailEnable versions prior to 10.54, exposing a reflected XSS in the AddressesTo parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The vulnerability stems from inadequate sanitization when the parameter is processed via GET, with the value reflected inside a [rem...

CVE-2025-34406

CVE-2025-34406 affects MailEnable versions prior to 10.54. A reflected XSS flaw exists in the Id parameter of /Mobile/ContactDetails.aspx where the Id value is not properly sanitized in a GET request and is reflected within a script block. Exploitation involves injecting a crafted payload to term...

CVE-2025-34404

MailEnable (Windows, prior to 10.54) is affected by a reflected XSS in the InstanceScope parameter of /Mondo/lang/sys/Forms/CAL/compose.aspx. The InstanceScope value is not properly sanitized for GET requests and is reflected inside a [removed] block as the JavaScript variable gInstanceScope. An ...

CVE-2025-66469 NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.addcss, ui.addscss, and ui.addsass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended or...

WordPress CSV Sumotto plugin <= 1.0 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin CSV Sumotto versions = 1.0...

CVE-2025-13894

The CSV Sumotto plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVE-2025-13626

The myLCO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' parameter in all versions up to, and including, 0.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

EUVD-2025-201142

The Clik stats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' parameter in all versions up to, and including, 0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

EUVD-2025-199792

The WP Directory Kit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'orderby' parameter in all versions up to, and including, 1.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary we...

CVE-2025-11885

The EchBay Admin Security plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'ebnonce' parameter in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitra...

CVE-2025-11885 EchBay Admin Security <= 1.3.0 - Reflected Cross-Site Scripting

The EchBay Admin Security plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'ebnonce' parameter in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitra...

CVE-2025-64764

Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component templates. This issue has been patched in version 5.15.8...

CVE-2025-20304

Multiple vulnerabilities in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the...

EUVD-2025-37504

A cross-site scripting XSS vulnerability exists in the administrative interface of ultimatefosters UltimatePOS 4.8 where input submitted in the purchase functionality is reflected without proper escaping in the admin log panel page in the 'reference No.' field. This flaw allows an authenticated...

CVE-2025-53883 spacewalk-java has various XSS issues on search page

A Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability allows attackers to run arbitrary javascript via a reflected XSS issue in the search fields.This issue affects Container suse/manager/5.0/x8664/server:latest: from ? before 5.0.28-150600.3.36.8; SUSE Manag...

PT-2025-43599

Name of the Vulnerable Software and Affected Versions VNPAY Payment gateway plugin for WordPress versions up to and including 1.0.0 Description The VNPAY Payment gateway plugin for WordPress is susceptible to Reflected Cross-Site Scripting due to inadequate input sanitization and output escaping...