PT-2025-52495

Name of the Vulnerable Software and Affected Versions Orejime versions prior to 2.3.2 Description Orejime, a consent manager focusing on accessibility, had a flaw where malicious code could be executed on HTML elements it handled. This occurred because the software, prior to version 2.3.2, would...

PT-2025-52494

Name of the Vulnerable Software and Affected Versions Dive versions prior to 0.11.1 Description Dive is an open-source MCP Host Desktop Application that integrates with function-calling LLMs. A critical Stored Cross-Site Scripting XSS issue exists in the Mermaid diagram rendering component. The...

PT-2025-52428

A stored cross-site scripting XSS vulnerability exists in webplugins.foxit.com. A postMessage handler fails to validate the message origin and directly assigns externalPath to a script source, allowing an attacker to execute arbitrary JavaScript when a crafted postMessage is received...

Foxit Reader Text Widget Format Use-After-Free Vulnerability

Talos Vulnerability Report TALOS-2025-2278 Foxit Reader Text Widget Format Use-After-Free Vulnerability December 19, 2025 CVE Number CVE-2025-59488 SUMMARY A use-after-free vulnerability exists in the way Foxit Reader handles a Text Widget field object. A specially crafted JavaScript code inside ...

Foxit Reader Barcode Calculate CPDF_FormField Use-After-Free Vulnerability

Talos Vulnerability Report TALOS-2025-2277 Foxit Reader Barcode Calculate CPDFFormField Use-After-Free Vulnerability December 19, 2025 CVE Number CVE-2025-58085 SUMMARY A use-after-free vulnerability exists in the way Foxit Reader handles a Barcode field object. A specially crafted JavaScript cod...

CVE-2023-53932

Serendipity 2.4.0 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through blog entry creation. Attackers can craft entries with JavaScript payloads that will execute when other users view the compromised blog post...

CVE-2023-53911

Textpattern CMS 4.8.8 contains a stored cross-site scripting vulnerability in the article excerpt field that allows authenticated users to inject malicious scripts. Attackers can insert JavaScript payloads into the excerpt, which will execute when the article is viewed by other users...

Cross-site Scripting (XSS)

Overview Kentico.Xperience.AspNetCore.WebApp is an assemblies and content items required to integrate Kentico Xperience into ASP.NET Core applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS due to improper processing of page preview URLs. An authenticated...

Cross-site Scripting (XSS)

Overview Kentico.Xperience.AspNet.Mvc5.Libraries is an assemblies required to use the Kentico Xperience API in class libraries developed for ASP.NET MVC 5 applications. Does not include content items or other modifications intended for the MVC web application itself. Affected versions of this...

CVE-2023-53939

TinyWebGallery v2.5 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the folder name parameter. Attackers can edit album folder names with script tags to execute arbitrary JavaScript when other users view the affected...

CVE-2023-53938

RockMongo 1.1.7 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through multiple unencoded input parameters. Attackers can exploit the vulnerability by submitting crafted payloads in database, collection, and login parameters to execute...

CVE-2023-53940 Codigo Markdown Editor 1.0.1 Electron Arbitrary Code Execution via Markdown File

Codigo Markdown Editor 1.0.1 contains a code execution vulnerability that allows attackers to run arbitrary system commands by crafting a malicious markdown file. Attackers can embed a video source with an onerror event that executes shell commands through Node.js childprocess module when the fil...

CVE-2023-53940 Codigo Markdown Editor 1.0.1 Electron Arbitrary Code Execution via Markdown File

Codigo Markdown Editor 1.0.1 contains a code execution vulnerability that allows attackers to run arbitrary system commands by crafting a malicious markdown file. Attackers can embed a video source with an onerror event that executes shell commands through Node.js childprocess module when the fil...

CVE-2025-40892

A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing a JavaScript payload, or a victim can be socially engineered to import a...

EUVD-2025-204260

A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing a JavaScript payload, or a victim can be socially engineered to import a...

EUVD-2023-60206

UliCMS 2023.1 contains a stored cross-site scripting vulnerability that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the file management interface that execute arbitrary scripts when viewed by other users...

EUVD-2023-60203

PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when viewed, potentially stealing user session...

EUVD-2023-60224

projectSend r1605 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript through the custom assets configuration page. Attackers can craft a JavaScript payload in the custom assets section that will execute when other users loa...

Mozilla Firefox < 1.5.0.4

The version of Firefox installed on the remote macOS or Mac OS X host is prior to 1.5.0.4. It is, therefore, affected by a vulnerability as referenced in the mfsa2006-31 advisory. - EvalInSandbox in Mozilla Firefox and Thunderbird before 1.5.0.4 allows remote attackers to gain privileges via...

CamaleonCMS 跨站脚本漏洞

CamaleonCMS is an advanced RubyonRails-based dynamic content management system CMS from the CamaleonCMS team. A cross-site scripting vulnerability exists in CamaleonCMS version 2.7.4, which stems from a persistent cross-site scripting vulnerability that could lead to the execution of arbitrary...