59106 matches found

Redos
added 2025/10/20 12:00 a.m., 7 views

ROS-20251020-08

A vulnerability in the JavaScript JSS web application styling tool is related to a memory leak in a non-standard configuration. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...

CVSS 5.9 | AI score 6.7 | EPSS 0.00695
Exploits 0
RedhatCVE
added 2025/10/19 3:44 a.m., 32 views

CVE-2020-36854

The Async JavaScript plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.19.07.14. This is due to missing authorization checks on the ajsteps AJAX action along with a lack of sanitization on the settings saved via the function. This makes it...

CVSS 6.4 | AI score 4.8 | EPSS 0.00238
Exploits 0 | References 1
RedhatCVE
added 2025/10/18 8:46 p.m., 9 views

CVE-2025-11925

An incorrect Content-Type header (text/html instead of application/json) in one of the API replies may potentially allow injection of HTML/JavaScript into the reply. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5...

CVSS 10 | AI score 7.3 | EPSS 0.00233
Exploits 0 | References 1
RedhatCVE
added 2025/10/18 4:43 p.m., 11 views

CVE-2025-58747

Dify is an LLM application development platform. In Dify versions through 1.9.1, the MCP OAuth component is vulnerable to cross-site scripting when a victim connects to an attacker-controlled remote MCP server. The vulnerability exists in the OAuth flow implementation where the authorizationurl...

CVSS 6.1 | AI score 6.6 | EPSS 0.05233
Exploits 1 | References 1
GithubExploit
added 2025/10/18 3:18 p.m., 196 views

Exploit for CVE-2025-56800

CVE-2025-56800 Local Authentication Bypass Vulnerability i...

AI score 7.2 | EPSS 0.00242
Exploits 2
NVD
added 2025/10/18 4:16 a.m., 3 views

CVE-2020-36854

The Async JavaScript plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.19.07.14. This is due to missing authorization checks on the ajsteps AJAX action along with a lack of sanitization on the settings saved via the function. This makes it...

CVSS 6.4 | EPSS 0.00238
Exploits 0 | References 2
CVE
added 2025/10/18 3:33 a.m., 13 views

CVE-2020-36854

The CVE-2020-36854 case concerns the WordPress Async JavaScript plugin (versions up to and including 2.19.07.14). The root cause is missing authorization checks on the aj_steps AJAX action and insufficient sanitization of saved settings, enabling a stored XSS for authenticated users with subscri...

CVSS 6.4 | AI score 4.5 | EPSS 0.00238
Exploits 0 | References 2
CNNVD
added 2025/10/18 12:00 a.m., 2 views

WordPress plugin Async JavaScript cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin.... A cross-site...

CVSS 6.4 | AI score 5.9 | EPSS 0.00238
Exploits 0 | References 3
EUVD
added 2025/10/17 9:31 p.m., 5 views

EUVD-2025-34907

ThingsBoard versions 4.2.1 contain a stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in the UI. This issue results from insufficient...

CVSS 5.1 | AI score 5.3 | EPSS 0.00345
Exploits 0 | References 4
RedhatCVE
added 2025/10/17 6:44 p.m., 11 views

CVE-2025-62415

Bagisto is an open source Laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the...

CVSS 6.9 | AI score 6.9 | EPSS 0.00255
Exploits 1 | References 1
RedhatCVE
added 2025/10/17 6:44 p.m., 14 views

CVE-2025-62418

Bagisto is an open source Laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the...

CVSS 6.9 | AI score 7 | EPSS 0.00255
Exploits 1 | References 1
CVE
added 2025/10/17 6:33 p.m., 11 views

CVE-2025-34281

ThingsBoard vulnerability CVE-2025-34281 affects pre-4.2.1 releases. An authenticated user can upload malicious SVGs via the Image Gallery, enabling Stored XSS when the image is loaded by a browser (e.g., through public API access or iframe embedding during widget creation/deployment on dashboard...

CVSS 6.2 | AI score 5.4 | EPSS 0.00345
Exploits 0 | References 3 | Affected Software 1
Cvelist
added 2025/10/17 5:11 p.m., 6 views

CVE-2025-62421 DataEase vulnerable to stored cross-site scripting via file upload bypass

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a stored cross-site scripting vulnerability exists due to improper file upload validation and authentication bypass. The StaticResourceApi interface defines a route upload/fileId that uses a URL path...

CVSS 6.9 | EPSS 0.0026
Exploits 0 | References 1
Vulnrichment
added 2025/10/17 5:11 p.m., 3 views

CVE-2025-62421 DataEase vulnerable to stored cross-site scripting via file upload bypass

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a stored cross-site scripting vulnerability exists due to improper file upload validation and authentication bypass. The StaticResourceApi interface defines a route upload/fileId that uses a URL path...

CVSS 6.9 | AI score 5.9 | EPSS 0.0026
Exploits 0 | References 1
OSV
added 2025/10/17 5:08 p.m., 4 views

GHSA-G46H-2RQ9-GW5M OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests

Summary: JSON objects after decoding might use more memory than their serialized version. It is possible to tune a JSON to maximize the factor between serialized memory usage and deserialized memory usage, similar to a zip bomb. While reproducing the issue, we could reach a factor of about 35. This...

CVSS 7.5 | AI score 6.8 | EPSS 0.00697
Exploits 0 | References 8
Snyk
added 2025/10/17 4:43 p.m., 3 views

Denial of Service (DoS)

Overview: Affected versions of this package are vulnerable to Denial of Service (DoS) via the processing of malicious JSON payloads in the request handling process. An attacker can exhaust system memory and CPU resources by sending specially crafted JSON objects that, when deserialized, consume...

CVSS 8.7 | AI score 7 | EPSS 0.00655
Exploits 0 | References 2
NVD
added 2025/10/17 4:15 p.m., 4 views

CVE-2025-58747

Dify is an LLM application development platform. In Dify versions through 1.9.1, the MCP OAuth component is vulnerable to cross-site scripting when a victim connects to an attacker-controlled remote MCP server. The vulnerability exists in the OAuth flow implementation where the authorizationurl...

CVSS 6.1 | EPSS 0.05233
Exploits 1 | References 2
Cvelist
added 2025/10/17 3:48 p.m., 10 views

CVE-2025-58747 Dify MCP OAuth Flow Vulnerable to XSS

Dify is an LLM application development platform. In Dify versions through 1.9.1, the MCP OAuth component is vulnerable to cross-site scripting when a victim connects to an attacker-controlled remote MCP server. The vulnerability exists in the OAuth flow implementation where the authorizationurl...

CVSS 5.1 | EPSS 0.05233
Exploits 1 | References 2
EUVD
added 2025/10/17 3:48 p.m., 5 views

EUVD-2025-34897

Dify is an LLM application development platform. In Dify versions through 1.9.1, the MCP OAuth component is vulnerable to cross-site scripting when a victim connects to an attacker-controlled remote MCP server. The vulnerability exists in the OAuth flow implementation where the authorizationurl...

CVSS 5.1 | AI score 6.1 | EPSS 0.05233
Exploits 1 | References 2
CVE
added 2025/10/17 3:48 p.m., 25 views

CVE-2025-58747

CVE-2025-58747 affects Dify up to version 1.9.1, where the MCP OAuth flow passes the remote server's authorization_url directly to window.open without validation, enabling arbitrary JavaScript execution (XSS) when a victim connects to a malicious MCP server. Affected component: MCP OAuth in Dify....

CVSS 6.1 | AI score 6.3 | EPSS 0.05233
Exploits 1 | References 2 | Affected Software 1