
365 matches found

RedhatCVE
added 2025/03/23 2:17 p.m. | 8 views

CVE-2025-2597

Reflected Cross-Site Scripting XSS in ITIUM 6050 version 5.5.5.2-b3526 from Impact Technologies. This vulnerability could allow an attacker to execute malicious Javascript code via GET and POST requests to the ‘/index.php’ endpoint and injecting code into the ‘idsession...

CVSS 6.1 | AI score 6.3 | EPSS 0.00111
Exploits: 0 | References: 3

RedhatCVE
added 2025/03/22 12:56 p.m. | 5 views

CVE-2024-6986

A Cross-site Scripting XSS vulnerability exists in the Settings page of parisneo/lollms-webui version 9.8. The vulnerability is due to the improper use of the 'v-html' directive, which inserts the content of the 'fulltemplate' variable directly as HTML. This allows an attacker to execute maliciou...

CVSS 5.5 | AI score 6.1 | EPSS 0.00156
Exploits: 1 | References: 1

NVD
added 2025/03/20 10:15 a.m. | 8 views

CVE-2024-8400

A stored cross-site scripting XSS vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. The vulnerability allows an attacker to upload a malicious HTML file containing JavaScript code, which is then executed when the file is accessed. This can lead to the execution of arbitrar...

CVSS 5.4 | EPSS 0.00313
Exploits: 1 | References: 2

Cvelist
added 2025/03/20 10:10 a.m. | 6 views

CVE-2024-9311 Cross-Site Request Forgery to XSS in haotian-liu/llava

A Cross-Site Request Forgery CSRF vulnerability in haotian-liu/llava v1.2.0 LLaVA-1.6 allows an attacker to upload files with malicious content without authentication or user interaction. The uploaded file is stored in a predictable path, enabling the attacker to execute arbitrary JavaScript code...

CVSS 6.1 | EPSS 0.00079
Exploits: 1 | References: 1

NVD
added 2025/03/14 1:15 p.m. | 6 views

CVE-2025-26626

The GLPI Inventory Plugin handles various types of tasks for GLPI agents for the GLPI asset and IT management software package. Versions prior to 1.5.0 are vulnerable to reflective cross-site scripting, which may lead to executing javascript code. Version 1.5.0 fixes the issue...

CVSS 6.5 | EPSS 0.00133
Exploits: 0 | References: 2

Cvelist
added 2025/03/14 12:47 p.m. | 8 views

CVE-2025-26626 GLPI Inventory Plugin vulnerable to reflective Cross-site Scripting

The GLPI Inventory Plugin handles various types of tasks for GLPI agents for the GLPI asset and IT management software package. Versions prior to 1.5.0 are vulnerable to reflective cross-site scripting, which may lead to executing javascript code. Version 1.5.0 fixes the issue...

CVSS 6.5 | EPSS 0.00133
Exploits: 0 | References: 2

CVE
added 2025/03/14 12:47 p.m. | 50 views

CVE-2025-26626

GLPI Inventory Plugin (for GLPI) is affected by a reflective cross-site scripting vulnerability in versions prior to 1.5.0. The issue allows execution of JavaScript code and is tracked as CVE-2025-26626. A fixed release is 1.5.0. The CVSSv3.1 base score is 6.5 (MEDIUM), with network attack vector...

CVSS 6.5 | AI score 6.4 | EPSS 0.00133
Exploits: 0 | References: 2

NVD
added 2025/03/12 4:15 p.m. | 6 views

CVE-2025-26260

Plenti = 0.7.16 is vulnerable to code execution. Users uploading '.svelte' files with the /postLocal endpoint can define the file name as javascript codes. The server executes the uploaded file name in host, and cause code execution...

CVSS 8.8 | EPSS 0.00753
Exploits: 1 | References: 4

Tenable Nessus
added 2025/03/11 12:0 a.m. | 4 views

Kibana 8.x < 8.7.1 Multiples Vulnerabilities

According to its self-reported version number, the Kibana application running on the remote host is 8.x prior to 8.7.1. It is, therefore, affected by multiple vulnerabilities. - An attacker with write access to Kibana yaml or env configuration could add a specific payload that will attempt to...

CVSS 9.9 | AI score 7.7 | EPSS 0.00952
Exploits: 0 | References: 4

CNVD
added 2025/03/07 12:0 a.m. | 6 views

Esri ArcGIS Server Cross-Site Scripting Vulnerability (CNVD-2025-05062)

Esri ArcGIS Server is Esri's Web-oriented enterprise software platform for providing geolocation services. A cross-site scripting vulnerability exists in Esri ArcGIS Server versions 10.9.1 through 11.3, which can be exploited by an attacker to create a specially crafted link that, when clicked, m...

CVSS 4.8 | AI score 6.5 | EPSS 0.0019
Exploits: 0 | References: 1

CNVD
added 2025/03/07 12:0 a.m. | 5 views

Esri ArcGIS Server Cross-Site Scripting Vulnerability (CNVD-2025-05056)

Esri ArcGIS Server is Esri's Web-oriented enterprise software platform for providing geolocation services. A cross-site scripting vulnerability exists in Esri ArcGIS Server versions 10.9.1 through 11.3, which can be exploited by an attacker to create a specially crafted link that, when clicked, m...

CVSS 4.8 | AI score 6.5 | EPSS 0.00108
Exploits: 0 | References: 1

CNVD
added 2025/03/07 12:0 a.m. | 6 views

Esri ArcGIS Server Cross-Site Scripting Vulnerability (CNVD-2025-05060)

Esri ArcGIS Server is Esri's Web-oriented enterprise software platform for providing geolocation services. A cross-site scripting vulnerability exists in Esri ArcGIS Server versions 10.9.1 through 11.3, which can be exploited by an attacker to create a specially crafted link that, when clicked, m...

CVSS 4.8 | AI score 6.5 | EPSS 0.0019
Exploits: 0 | References: 1

CNVD
added 2025/03/07 12:0 a.m. | 6 views

Esri ArcGIS Server Cross-Site Scripting Vulnerability (CNVD-2025-05078)

Esri ArcGIS Server is Esri's Web-oriented enterprise software platform for providing geolocation services. A cross-site scripting vulnerability exists in Esri ArcGIS Server versions 10.9.1 through 11.3, which can be exploited by an attacker to create a specially crafted link that, when clicked, m...

CVSS 4.8 | AI score 6.5 | EPSS 0.00108
Exploits: 0 | References: 1

RedhatCVE
added 2025/03/05 10:24 p.m. | 16 views

CVE-2024-51953

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required...

CVSS 4.8 | AI score 5.2 | EPSS 0.00108
Exploits: 0 | References: 3

Tenable Nessus
added 2025/03/05 12:0 a.m. | 4 views

Linux Distros Unpatched Vulnerability : CVE-2021-37695

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 Fake Objects package. The...

CVSS 7.3 | AI score 6.5 | EPSS 0.0074
Exploits: 0 | References: 3

CVE
added 2025/03/03 7:57 p.m. | 47 views

CVE-2024-51957

CVE-2024-51957 is a Stored XSS vulnerability in Esri ArcGIS Server versions 10.9.1 through 11.3. An authenticated attacker with publisher capabilities can create a specially crafted link that, when clicked by a victim, may execute arbitrary JavaScript in the browser. Impact is described as low to...

CVSS 4.8 | AI score 5.2 | EPSS 0.00108
Exploits: 0 | References: 1 | Affected Software: 1

RedhatCVE
added 2025/03/02 12:22 a.m. | 5 views

CVE-2025-25476

A stored cross-site scripting XSS vulnerability in SysPass 3.2.x allows a malicious user with elevated privileges to execute arbitrary Javascript code by specifying a malicious XSS payload as a notification type or notification component...

CVSS 5.4 | AI score 5.3 | EPSS 0.00107
Exploits: 1 | References: 1

OSV
added 2025/02/28 2:15 p.m. | 5 views

CVE-2025-1746

Cross-Site Scripting vulnerability in OpenCart versions prior to 4.1.0. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the search in the /product/search endpoint. This vulnerability could be exploited to steal...

CVSS 6.1 | AI score 6.3
Exploits: 0 | References: 1

Cvelist
added 2025/02/28 12:0 a.m. | 7 views

CVE-2025-25476

A stored cross-site scripting XSS vulnerability in SysPass 3.2.x allows a malicious user with elevated privileges to execute arbitrary Javascript code by specifying a malicious XSS payload as a notification type or notification component...

EPSS 0.00107
Exploits: 1 | References: 1

CVE
added 2025/02/28 12:0 a.m. | 66 views

CVE-2025-25476

CVE-2025-25476 describes a stored cross-site scripting (XSS) vulnerability in SysPass 3.2.x. A malicious user with elevated privileges can execute arbitrary JavaScript by injecting a payload into the notification type or notification component. The affected software/version is SysPass 3.2.x; the ...

CVSS 5.4 | AI score 5.5 | EPSS 0.00107
Exploits: 1 | References: 1 | Affected Software: 1