CVE-2025-66500

A stored cross-site scripting XSS vulnerability exists in webplugins.foxit.com. A postMessage handler fails to validate the message origin and directly assigns externalPath to a script source, allowing an attacker to execute arbitrary JavaScript when a crafted postMessage is received...

CVE-2025-66500

CVE-2025-66500 describes a stored XSS in Foxit’s webplugins.foxit.com where a postMessage handler fails to validate the message origin and directly assigns externalPath to a script source, enabling arbitrary JavaScript execution when a crafted postMessage is received. The description is consisten...

CVE-2025-66500 Foxit webplugins.foxit.com Stored Cross-Site Scripting via postMessage Vulnerability

A stored cross-site scripting XSS vulnerability exists in webplugins.foxit.com. A postMessage handler fails to validate the message origin and directly assigns externalPath to a script source, allowing an attacker to execute arbitrary JavaScript when a crafted postMessage is received...

CVE-2025-66500 Foxit webplugins.foxit.com Stored Cross-Site Scripting via postMessage Vulnerability

A stored cross-site scripting XSS vulnerability exists in webplugins.foxit.com. A postMessage handler fails to validate the message origin and directly assigns externalPath to a script source, allowing an attacker to execute arbitrary JavaScript when a crafted postMessage is received...

PT-2025-52428

A stored cross-site scripting XSS vulnerability exists in webplugins.foxit.com. A postMessage handler fails to validate the message origin and directly assigns externalPath to a script source, allowing an attacker to execute arbitrary JavaScript when a crafted postMessage is received...

Cross-site Scripting (XSS)

Overview Kentico.Xperience.AspNet.Mvc5.Libraries is an assemblies required to use the Kentico Xperience API in class libraries developed for ASP.NET MVC 5 applications. Does not include content items or other modifications intended for the MVC web application itself. Affected versions of this...

CVE-2023-53938

RockMongo 1.1.7 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through multiple unencoded input parameters. Attackers can exploit the vulnerability by submitting crafted payloads in database, collection, and login parameters to execute...

CVE-2023-53887

Zomplog 3.9 contains a cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating new pages. Attackers can craft malicious image source and onerror attributes to execute arbitrary JavaScript code in victim's browser...

EUVD-2023-60192

Rukovoditel 3.4.1 contains a stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert iframe and script payloads in application copyright text to execute arbitrary JavaScript in victim browsers...

Cross-site Scripting (XSS)

Vuetify is vulnerable to Cross-site Scripting XSS. The vulnerability is due to unsanitized HTML being assigned to the innerHTML of the VDatePicker title via the title-date-format property, which allows an attacker to inject and execute arbitrary JavaScript in the victim’s browser...

PT-2025-51288

Name of the Vulnerable Software and Affected Versions Jorani version 1.0.3 Description The software contains a reflected cross-site scripting issue in the language parameter. An attacker can inject malicious scripts by crafting XSS payloads within this parameter, potentially enabling the executio...

PT-2025-51298

Name of the Vulnerable Software and Affected Versions Lucee version 5.4.2.17 Description An authenticated attacker can inject malicious scripts through parameters in the administrative interface. This allows for the execution of arbitrary JavaScript in a victim’s browser session via crafted...

EUVD-2025-203110

Lightning Flow Scanner provides a A CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metadata file to cause arbitrary JavaScript execution during scanning. The APIVersion rule uses new...

PT-2025-50977

Name of the Vulnerable Software and Affected Versions Lightning Flow Scanner versions 6.10.5 and below Description Lightning Flow Scanner, a CLI plugin, VS Code Extension, and GitHub Action for Salesforce Flow analysis and optimization, is affected by an issue where maliciously crafted flow...

lightning-flow-scanner 代码注入漏洞

lightning-flow-scanner is an open source command line automation plugin for Lightning Flow Scanner. A code injection vulnerability exists in lightning-flow-scanner version 6.10.5 and earlier, which stems from a maliciously constructed flow metadata file that could lead to arbitrary JavaScript...

CE Phoenix 跨站脚本漏洞

CE Phoenix is a powerful e-commerce store from Phoenix Cart open source. A cross-site scripting vulnerability exists in CE Phoenix version v3.0.1, which stems from the presence of stored cross-site scripting in the Currency Management Panel that could lead to the execution of arbitrary JavaScript...

CVE-2025-34404

MailEnable versions prior to 10.54 contain a reflected cross-site scripting XSS vulnerability in the InstanceScope parameter of /Mondo/lang/sys/Forms/CAL/compose.aspx. The InstanceScope value is not properly sanitized when processed via a GET request and is reflected inside a block in the...

Cross-site Scripting

webreinvent/vaahcms is vulnerable to Cross-Site Scripting. The vulnerability is due to improper sanitization in the storeAvatar upload method of UserBase.php, where crafted input can be stored and later executed in a user’s browser, allowing a remote attacker to run arbitrary JavaScript code...

PT-2025-49146

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.6.37 Description Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. A Stored Cross-Site Scripting XSS issue was identified in the Notes PDF download functionality. ...

ObjectPlanet Opinio 安全漏洞

ObjectPlanet Opinio is an online survey system from ObjectPlanet Norway. A security vulnerability exists in ObjectPlanet Opinio version 7.26 rev12562, which stems from the presence of stored cross-site scripting in the survey import function, which could allow an attacker to inject arbitrary...