CVE-2024-51953
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required...
CVE-2024-51953 Stored XSS in ArcGIS Server Rest services
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required...
Linux Distros Unpatched Vulnerability : CVE-2010-1585
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The nsIScriptableUnescapeHTML.parseFragment method in the ParanoidFragmentSink protection mechanism in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14,...
CVE-2025-22491 Improper Input Validation in Foreseer Reporting Software (FRS)
The user input was not sanitized on Reporting Hierarchy Management page of Foreseer Reporting Software FRS application which could lead into execution of arbitrary JavaScript in a browser context for all the interacting users. This security issue has been patched in the latest version 1.5.100 of...
copyparty renders unsanitized filenames as HTML when user uploads empty files
Summary A DOM-Based XSS was discovered in copyparty, a portable fileserver. The vulnerability is considered low-risk. Details By handing someone a maliciously-named file, and then tricking them into dragging the file into copyparty's Web-UI, an attacker could execute arbitrary javascript with the...
CVE-2025-27145 copyparty renders unsanitized filenames as HTML when user uploads empty files
copyparty, a portable file server, has a DOM-based cross-site scripting vulnerability in versions prior to 1.16.15. The vulnerability is considered low-risk. By handing someone a maliciously-named file, and then tricking them into dragging the file into copyparty's Web-UI, an attacker could execu...
Copyparty security vulnerability
Copyparty is a portable file server for individual developers. A security vulnerability exists in Copyparty versions prior to 1.16.15. An attacker exploiting this vulnerability could execute arbitrary javascript with the same privileges as the user...
CVE-2025-1024
A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting XSS in the EditEventAttendees.php page. This requires Administration privileges and affects the EID parameter. The flaw allows an attacker to...
GHSA-MP7W-MHCV-673J Vega allows Cross-site Scripting via the vlSelectionTuples function
Summary The vlSelectionTuples function can be used to call JavaScript functions, leading to XSS. Details vlSelectionTuples calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument. Example call: vlSelectionTuplesdatum:, fields:getter:...
CVE-2025-25187
CVE-2025-25187 (Joplin) is a cross-site scripting vulnerability in Joplin prior to version 3.1.24. The issue arises from inserting note titles with React dangerouslySetInnerHTML without escaping HTML entities, and the app’s lack of a restrictive Content-Security-Policy for script-src. Combined wi...
Nuxt MDC cross-site scripting vulnerability
Nuxt MDC is a Nuxt open source application that enhances regular Markdown. A cross-site scripting vulnerability exists in Nuxt MDC that stems from insecure parsing logic for URLs in Markdown, leading to arbitrary JavaScript code execution...
CVE-2020-13564
A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template aclid parameter...
CVE-2020-13562
A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template action parameter...
CVE-2020-13563
A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template groupid parameter...
CVE-2024-49579
In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests...
CVE-2025-22602
Discourse is an open source platform for community discussion. In affected versions an attacker can execute arbitrary JavaScript on users' browsers by posting a malicious video placeholder html element. This issue only affects sites with CSP disabled. This problem has been patched in the latest...
Cross-Site Scripting (XSS)
phpmyadmin/phpmyadmin is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper sanitization of user-supplied input in table or database names within the check tables feature, allowing an attacker to execute arbitrary JavaScript in the victim's browser...
CVE-2024-57514
The TP-Link Archer A20 v3 router is vulnerable to Cross-site Scripting XSS due to improper handling of directory listing paths in the web interface. When a specially crafted URL is visited, the router's web page renders the directory listing and executes arbitrary JavaScript embedded in the URL...
CVE-2024-46073
CVE-2024-46073 describes a reflected Cross‑Site Scripting (XSS) in IceHRM v32.4.0.OS login page. The root cause is improper sanitization of the user-controlled yet echoed “next” parameter, which is included in the response without proper escaping. This enables an attacker to lure a user to a craf...
CVE-2024-56364
SimpleXLSX is software for parsing and retrieving data from Excel XLSx files. Starting in 1.0.12 and ending in 1.1.13, when calling the extended toHTMLEx method, it is possible to execute arbitrary JavaScript code. This vulnerability is fixed in 1.1.13...