CVE-2025-68461

Roundcube Webmail contains a Cross-Site Scripting XSS vulnerability in its SVG handling. The application fails to properly sanitize the tag within SVG documents, allowing attackers to inject malicious scripts, potentially enabling session hijacking, credential theft, or unauthorized actions on...

EUVD-2023-60204

PHPJabbers Simple CMS 5.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through section name parameters. Attackers can create sections with embedded JavaScript payloads that will execute when administrators view the sections,...

EUVD-2023-60224

projectSend r1605 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript through the custom assets configuration page. Attackers can craft a JavaScript payload in the custom assets section that will execute when other users loa...

PT-2025-51997

Name of the Vulnerable Software and Affected Versions The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress versions through 7.2.2.1 Description The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is susceptible to Stored Cross-Site Scriptin...

PT-2025-52210

The OpenID Connect Generic Client plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'openid connect generic auth url' shortcode in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping. This makes it possible for...

PT-2025-52326

Name of the Vulnerable Software and Affected Versions Kentico Xperience affected versions not specified Description A reflected cross-site scripting issue exists in Kentico Xperience. This allows attackers to inject malicious scripts through the Pages dashboard widget configuration dialog...

PT-2025-52328

Name of the Vulnerable Software and Affected Versions Kentico Xperience affected versions not specified Description A stored cross-site scripting issue exists in Kentico Xperience. This allows attackers to inject malicious scripts through the configuration of form validation rules. Successful...

PT-2025-52403

The Static Asset API in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via the subdomain parameter because any tenant's assets can be served on any other tenant's documentation site...

PT-2025-52406

Name of the Vulnerable Software and Affected Versions Mintlify Platform versions prior to 2025-11-15 Description A directory traversal issue exists in the Static Asset Proxy Endpoint. This allows remote attackers to inject arbitrary web script or HTML through a specially crafted URL containing pa...

CVE-2023-53910

WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by inserting script tags into page content through the WYSIWYG editor. Attackers can submit POST requests to /wbce/modules/wysiwyg/save.php with malicious script...

CVE-2023-53911

Textpattern CMS 4.8.8 contains a stored cross-site scripting vulnerability in the article excerpt field that allows authenticated users to inject malicious scripts. Attackers can insert JavaScript payloads into the excerpt, which will execute when the article is viewed by other users...

CVE-2023-53931 Revive Adserver 5.4.1 Cross-Site Scripting via Banner Advanced Settings

Revive Adserver 5.4.1 contains a cross-site scripting vulnerability in the banner advanced configuration page that allows attackers to inject malicious scripts. Attackers can craft a malicious link to the banner-advanced.php endpoint with XSS payloads in prepend and append parameters to execute...

CVE-2023-53915 Zenphoto 1.6 Stored Cross-Site Scripting via Album Description

Zenphoto 1.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by inserting HTML content into album descriptions. Attackers can create albums with malicious iframe or script tags in the description field that execute when users vi...

CVE-2023-53910

WBCE CMS 1.6.1 has a stored XSS vulnerability in the WYSIWYG editor: authenticated attackers can inject JavaScript by sending malicious content to /wbce/modules/wysiwyg/save.php (content parameter), which executes when pages are viewed. Root cause: improper input handling in page content. Impact:...

CVE-2023-53906 ProjectSend r1605 Stored Cross-Site Scripting via Custom Assets Page

projectSend r1605 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript through the custom assets configuration page. Attackers can craft a JavaScript payload in the custom assets section that will execute when other users loa...

EUVD-2025-203993

ChurchCRM is an open-source church management system. A stored cross-site scripting XSS vulnerability exists in ChurchCRM versions 6.4.0 and prior that allows a low-privilege user with the “Manage Groups” permission to inject persistent JavaScript into group role names. The payload is saved in th...

CVE-2025-13217

The CVE CVE-2025-13217 is an authenticated Stored XSS in Ultimate Member for WordPress, triggered via the YouTube video URL field in profile-related input. The issue arises from insufficient input sanitization and output escaping in um_profile_field_filter_hook__youtube_video(), allowing Subscrib...

CVE-2025-66924

A Cross-site scripting XSS vulnerability in Create/Update Item Kits in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter...

CVE-2025-13977 Essential Addons for Elementor – Popular Elementor Templates & Widgets <= 6.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple attack vectors in all versions up to, and including, 6.5.3. This is due to insufficient input sanitization and output escaping in the Event...

CVE-2025-66921

CVE-2025-66921 describes a Cross-site scripting (XSS) vulnerability in the Open Source Point of Sale (OSPOS) v3.4.1, specifically in the Create/Update Item(s) Module. The issue arises from improper handling of the name parameter, allowing remote attackers to inject arbitrary web script or HTML. M...