CVE-2025-47943
Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side JavaScript code execution. The vulnerability is caused by the usage of a vulnerable and outdated componen...
CVE-2024-47095
Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the expiredSupportMessage parameter of handleloginform.do...
CVE-2023-47314
Headwind MDM Web panel 5.22.1 is vulnerable to cross-site scripting (XSS). The file upload function allows APK and arbitrary files to be uploaded. By exploiting this issue, attackers may upload HTML files and share the download URL pointing to these files with the victims. As the file download...
CVE-2021-32853
Erxes, an experience operating system (XOS) with a set of plugins, is vulnerable to cross-site scripting in versions 0.22.3 and prior. This results in client-side code execution. The victim must follow a malicious link or be redirected there from a malicious web site. There are no known patches...
CVE-2019-15652
The web interface for NSSLGlobal SatLink VSAT Modem Unit (VMU) devices before 18.1.0 doesn't properly sanitize input for error messages, leading to the ability to inject client-side code...
CVE-2025-24338
A vulnerability in the "Manages app data" functionality of the web application of ctrlX OS allows a remote authenticated low-privileged attacker to execute arbitrary client-side code in the context of another user's browser via multiple crafted HTTP requests...
CVE-2025-24344
A vulnerability in the error notification messages of the web application of ctrlX OS allows a remote unauthenticated attacker to inject arbitrary HTML tags and, possibly, execute arbitrary client-side code in the context of another user's browser via a crafted HTTP request...
CVE-2025-24338
CVE-2025-24338 affects the web application of ctrlX OS, specifically the "Manages app data" functionality. A remote authenticated (low privilege) attacker can execute arbitrary client-side code in another user’s browser by sending multiple crafted HTTP requests. Evidence from multiple sources con...
PT-2025-18258 · ctrlX OS · ctrlX OS
Name of the Vulnerable Software and Affected Versions: ctrlX OS affected versions not specified Description: A vulnerability in the error notification messages of the web application of ctrlX OS allows a remote unauthenticated attacker to inject arbitrary HTML tags and, possibly, execute arbitrar...
CVE-2025-27633
The TRMTracker web application is vulnerable to reflected Cross-site scripting attack. The application allows client-side code injection that might be used to compromise the confidentiality and integrity of the system...
CVE-2025-27633
Summary: CVE-2025-27633 affects the Hitachi Energy TRMTracker web application, with a reflected cross-site scripting (XSS) vulnerability due to client-side code injection. The issue could compromise confidentiality and integrity and is described across multiple sources as a reflected XSS risk. CV...
Loaded Commerce 6.6 - Client-Side Template Injection (CSTI)
Exploit Title: Loaded Commerce 6.6 Client-Side Template Injection (CSTI) Date: 03/13/2025 Exploit Author: tmrswrr Vendor Homepage: https://loadedcommerce.com/ Version: 6.6 Tested on: https://www.softaculous.com/apps/ecommerce/LoadedCommerce Injecting 77 into the search parameter...
GHSA-WPHC-5F2J-JHVG Unauthenticated DOM Based XSS in YesWiki
Unauthenticated DOM Based XSS in YesWiki ' . "\n"; if $nbtotal 1 $output .= t'TAGSTOTALNBPAGES', 'nbtotal' = $nbtotal; elseif $nbtotal == 1 $output .= t'TAGSONEPAGEFOUND'; else $output .= t'TAGSNOPAGE'; $output .= !empty$tabselectedtags ? ' ' . t'TAGSWITHKEYWORD' . ' ' . implode' '...
Follet School Solutions Destiny Security Vulnerability
Follet School Solutions Destiny is a school solution from Follet, Inc. A security vulnerability exists in Follet School Solutions Destiny prior to version v22.0.1 AU1, which stems from arbitrary client-side code that can be run via the handleloginform.do's expiredSupportMessage parameter...
CVE-2024-46366
A Client-side Template Injection (CSTI) vulnerability in Webkul Krayin CRM 1.3.0 allows remote attackers to execute arbitrary client-side template code by injecting a malicious payload during the lead creation process. This can lead to privilege escalation when the payload is executed, granting the...
PT-2024-21776 · Ibm · Ibm Openpages
Name of the Vulnerable Software and Affected Versions: IBM OpenPages versions 8.3 through 9.0 Description: The issue potentially exposes information about client-side source code to unauthorized users through the use of JavaScript source maps. Recommendations: For IBM OpenPages versions 8.3 and...
CVE-2024-38493
A reflected cross-site scripting (XSS) vulnerability exists in the PAM UI web interface. A remote attacker able to convince a PAM user to click on a specially crafted link to the PAM UI web interface could potentially execute arbitrary client-side code in the context of PAM UI...