59047 matches found

Cvelist
added 2025/12/04 10:34 p.m. | 20 views

CVE-2025-66563 Monkeytype vulnerable to stored XSS in approve quotes page

Monkeytype is a minimalistic and customizable typing test. In 25.49.0 and earlier, there is improper handling of user input which allows an attacker to execute malicious JavaScript on anyone viewing a malicious quote submission. quote.text and quote.source are user input, and they're inserted...

CVSS 7.1 | EPSS 0.00196
Exploits: 1 | References: 2
CVE
added 2025/12/04 10:34 p.m. | 12 views

CVE-2025-66563

Monkeytype (versions prior to 25.49.0) is affected by a stored XSS due to improper handling of user input in quote.text and quote.source, which are inserted into the DOM and rendered if HTML tags are present. The vulnerability can allow an attacker to execute JavaScript for users viewing a malici...

CVSS 7.1 | AI score 6.5 | EPSS 0.00196
Exploits: 1 | References: 2 | Affected Software: 1
Vulnrichment
added 2025/12/04 10:27 p.m. | 3 views

CVE-2025-66561 SysReptor Vulnerable to an Authenticated Stored Cross-Site Scripting (XSS)

SysReptor is a fully customizable pentest reporting platform. Prior to 2025.102, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated users to execute malicious JavaScript in the context of other logged-in users by uploading malicious JavaScript files in the web UI. This...

CVSS 7.3 | AI score 5.1 | EPSS 0.00157
Exploits: 0 | References: 1
Cvelist
added 2025/12/04 10:27 p.m. | 22 views

CVE-2025-66561 SysReptor Vulnerable to an Authenticated Stored Cross-Site Scripting (XSS)

SysReptor is a fully customizable pentest reporting platform. Prior to 2025.102, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated users to execute malicious JavaScript in the context of other logged-in users by uploading malicious JavaScript files in the web UI. This...

CVSS 7.3 | EPSS 0.00157
Exploits: 0 | References: 1
OSV
added 2025/12/04 10:27 p.m. | 9 views

CVE-2025-66561 SysReptor Vulnerable to an Authenticated Stored Cross-Site Scripting (XSS)

SysReptor is a fully customizable pentest reporting platform. Prior to 2025.102, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated users to execute malicious JavaScript in the context of other logged-in users by uploading malicious JavaScript files in the web UI. This...

CVSS 7.3 | AI score 5.3 | EPSS 0.00157
Exploits: 0 | References: 3
CVE
added 2025/12/04 10:27 p.m. | 13 views

CVE-2025-66561

CVE-2025-66561 affects SysReptor (Syslifters) prior to version 2025.102, exposing an authenticated Stored Cross-Site Scripting (XSS) vulnerability. An attacker can upload malicious JavaScript in the web UI, and execute it in the context of other logged-in users. The issue is fixed in 2025.102. Ex...

CVSS 7.3 | AI score 5.1 | EPSS 0.00157
Exploits: 0 | References: 1 | Affected Software: 1
EUVD
added 2025/12/04 9:31 p.m. | 2 views

EUVD-2025-201270

WEBIGniter 28.7.23 contains a cross-site scripting vulnerability in the user creation process that allows unauthenticated attackers to execute malicious JavaScript code, enabling potential XSS attacks...

CVSS 5.3 | AI score 5.5 | EPSS 0.00347
Exploits: 0 | References: 5
Vulnrichment
added 2025/12/04 8:40 p.m. | 0 views

CVE-2023-53735 WEBIGniter 28.7.23 Cross-Site Scripting (XSS) in User Creation Process

WEBIGniter 28.7.23 contains a cross-site scripting vulnerability in the user creation process that allows unauthenticated attackers to execute malicious JavaScript code, enabling potential XSS attacks...

CVSS 5.3 | AI score 5.6 | EPSS 0.00347
Exploits: 0 | References: 4
Cvelist
added 2025/12/04 8:40 p.m. | 23 views

CVE-2023-53735 WEBIGniter 28.7.23 Cross-Site Scripting (XSS) in User Creation Process

WEBIGniter 28.7.23 contains a cross-site scripting vulnerability in the user creation process that allows unauthenticated attackers to execute malicious JavaScript code, enabling potential XSS attacks...

CVSS 5.3 | EPSS 0.00347
Exploits: 0 | References: 4
RedhatCVE
added 2025/12/04 7:22 p.m. | 5 views

CVE-2025-66468

The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Polic...

CVSS 7.6 | AI score 6.3 | EPSS 0.0023
Exploits: 0 | References: 1
RedhatCVE
added 2025/12/04 5:16 p.m. | 13 views

CVE-2025-20385

In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability adminallobjects could craft a malicious payload through the href attribute of an anch...

CVSS 4.8 | AI score 6.9 | EPSS 0.00232
Exploits: 0 | References: 1
GithubExploit
added 2025/12/04 1:7 p.m. | 177 views

Exploit for CVE-2025-55182

CVE-2025-55182 some notes template: py !/usr/bin/env py...

CVSS 10 | AI score 6.8 | EPSS 0.99562
Exploits372
Veracode
added 2025/12/04 5:58 a.m. | 6 views

Cross-site Scripting

webreinvent/vaahcms is vulnerable to Cross-Site Scripting. The vulnerability is due to improper sanitization in the storeAvatar upload method of UserBase.php, where crafted input can be stored and later executed in a user’s browser, allowing a remote attacker to run arbitrary JavaScript code...

CVSS 6.1 | AI score 7.1 | EPSS 0.00273
Exploits: 2 | References: 4 | Affected Software: 1
Positive Technologies
added 2025/12/04 12:0 a.m. | 4 views

PT-2025-49098

A stored cross-site scripting (XSS) vulnerability was discovered in Seafile Community Edition prior to version 13.0.12. When Seafile is configured with the Golang file server, an attacker can upload a crafted SVG file containing malicious JavaScript and share it using a public link. Opening the lin...

AI score 5.9 | EPSS 0.00186
Exploits: 0 | References: 3
CNNVD
added 2025/12/04 12:0 a.m. | 3 views

Seafile Community Edition Security Vulnerability

Seafile Community Edition is a document collaboration platform from China's Haiwen Huzhi Seafile Company. A security vulnerability exists in Seafile Community Edition versions prior to 13.0.12, which stems from a stored cross-site scripting attack that could lead to malicious JavaScript execution...

CVSS 6.1 | AI score 5.9 | EPSS 0.00186
Exploits: 0 | References: 2
CNNVD
added 2025/12/04 12:0 a.m. | 3 views

Syslifters Sysreptor Cross-Site Scripting Vulnerability

Syslifters Sysreptor is a penetration test reporting platform from Syslifters, Inc. A cross-site scripting vulnerability exists in Syslifters Sysreptor versions prior to 2025.102, which originates from an authenticated user being able to perform a stored cross-site scripting attack by uploading a...

CVSS 7.3 | AI score 5.8 | EPSS 0.00157
Exploits: 0 | References: 1
CNNVD
added 2025/12/04 12:0 a.m. | 3 views

Monkeytype Cross-Site Scripting Vulnerability

Monkeytype is a minimalist and customizable typing test open-sourced by Monkeytype. A cross-site scripting vulnerability exists in Monkeytype version 25.49.0 and earlier, which stems from mishandling of user input and could lead to the execution of malicious JavaScript when viewing maliciously...

CVSS 7.1 | AI score 6.1 | EPSS 0.00196
Exploits: 1 | References: 3
CNNVD
added 2025/12/04 12:0 a.m. | 5 views

Open WebUI Cross-Site Scripting Vulnerability

Open WebUI is an extensible, feature-rich, user-friendly self-hosted WebUI from Open WebUI open source. A cross-site scripting vulnerability exists in versions of Open WebUI prior to 0.6.37 that stems from a stored cross-site scripting attack that could lead to arbitrary JavaScript execution and...

CVSS 8.7 | AI score 5.8 | EPSS 0.00193
Exploits: 1 | References: 2
Positive Technologies
added 2025/12/04 12:0 a.m. | 6 views

PT-2025-49146

Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.6.37. Description: Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. A Stored Cross-Site Scripting (XSS) issue was identified in the Notes PDF download functionality. ...

CVSS 8.7 | AI score 5.7 | EPSS 0.00193
Exploits: 1 | References: 12
Positive Technologies
added 2025/12/04 12:0 a.m. | 4 views

PT-2025-49172

Name of the Vulnerable Software and Affected Versions: SysReptor versions prior to 2025.102. Description: A Stored Cross-Site Scripting (XSS) issue exists in SysReptor, a customizable pentest reporting platform. Authenticated users can execute malicious JavaScript code within the context of other...

CVSS 7.3 | AI score 5.5 | EPSS 0.00157
Exploits: 0 | References: 9