1151 matches found
CVE-2025-61999 OPEXUS FOIAXpress stored XSS via logo image
OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to upload JavaScript or other content embedded in an SVG image used as a logo. Injected content is executed in the context of other users when they view affected pages. Successful exploitation allows the administrative user to perfo...
EUVD-2021-11341
Malware in sbrugna...
CVE-2025-8726
CVE-2025-8726 affects the WordPress plugin WP Photo Album Plus (versions up to and including 9.0.11.006). The vulnerability is a stored XSS in the wppa_user_upload function, exploitable by authenticated users with Subscriber+ privileges, allowing injection of scripts that run in victims’ browsers...
EUVD-2025-17927
Malicious code in bioql PyPI...
EUVD-2024-52252
Malicious code in bioql PyPI...
EUVD-2025-29168
Malicious code in bioql PyPI...
EUVD-2025-27128
Malicious code in bioql PyPI...
EUVD-2025-30536
Malicious code in bioql PyPI...
EUVD-2025-30575
Malicious code in bioql PyPI...
EUVD-2025-26056
Malicious code in bioql PyPI...
EUVD-2025-26908
Malicious code in bioql PyPI...
EUVD-2025-26971
Malicious code in bioql PyPI...
EUVD-2025-28467
Malicious code in bioql PyPI...
EUVD-2025-30313
Malicious code in bioql PyPI...
EUVD-2025-28748
Malicious code in bioql PyPI...
EUVD-2025-31693
Malicious code in bioql PyPI...
CVE-2025-9884 Mobile Site Redirect <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
The Mobile Site Redirect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious w...
CVE-2025-61599 Emlog is Vulnerable to Stored Cross-Site Scripting (XSS) in "Twitter" Feature via Markdown Input
Emlog is an open source website building system. A stored Cross-Site Scripting (XSS) vulnerability exists in the "Twitter" feature of EMLOG Pro 2.5.21 and below. An authenticated user with privileges to post a "Twitter" message can inject arbitrary JavaScript code. The malicious script is stored on...
CVE-2025-34182
In Deciso OPNsense before 25.7.4, when creating an "Interfaces: Devices: Point-to-Point" entry, the value of the parameter ptpid is not sanitized of HTML-related characters/strings. This value is directly displayed when visiting the page /interfacesassign.php, which can result in stored cross-site...
ERPNext cross-site scripting vulnerability
ERPNext is an open source enterprise resource planning solution from ERPNext India. A cross-site scripting vulnerability exists in ERPNext version v15.67.0, which stems from improper cleanup of content field inputs by the blog post feature and can be exploited by an attacker to cause a stored...