3107 matches found

CVE
added 2025/05/05 6:45 p.m., 58 views

CVE-2025-46571

CVE-2025-46571 affects Open WebUI prior to version 0.6.6. Low-privileged users could upload HTML files containing JavaScript via the backend endpoint /api/v1/files/, which returns a file id. An attacker could lure an admin to click a link to such a file, causing the JavaScript to execute in the a...

CVSS 6.3, AI score 6.4, EPSS 0.00183
Exploits: 1, References: 3, Affected Software: 1

RedhatCVE
added 2025/05/05 4:16 p.m., 14 views

CVE-2024-41753

IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF004 and 24.0.1 through 24.0.1 IF001 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially...

CVSS 6.1, AI score 6.5, EPSS 0.00279
Exploits: 0, References: 1

CVE
added 2025/05/03 4:6 p.m., 55 views

CVE-2024-41753

CVE-2024-41753: Flaws in IBM Cloud Pak for Business Automation 24.0.0 (up to IF004) and 24.0.1 (up to IF001) allow unauthenticated attackers to inject arbitrary JavaScript into the Web UI (reflected XSS), potentially altering UI behavior and disclosing credentials within a session. Affected ...

CVSS 6.1, AI score 6.5, EPSS 0.00279
Exploits: 0, References: 1, Affected Software: 1

Cvelist
added 2025/05/03 4:6 p.m., 25 views

CVE-2024-41753 IBM Cloud Pak for Business Automation cross-site scripting

IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF004 and 24.0.1 through 24.0.1 IF001 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially...

CVSS 6.1, EPSS 0.00279
Exploits: 0, References: 1

RedhatCVE
added 2025/05/01 4:18 p.m., 16 views

CVE-2025-40615

Reflected Cross-Site Scripting (XSS) vulnerability in Bookgy. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the "TEXTO" parameter in /api/apiajustes.php...

CVSS 5.1, AI score 5.9, EPSS 0.00465
Exploits: 0, References: 3

CVE
added 2025/04/29 3:41 p.m., 58 views

CVE-2025-1551

IBM Operational Decision Manager (ODM) versions 8.11.0.1, 8.11.1.0, 8.12.0.1, and 9.0.0.1 are affected by a cross-site scripting vulnerability. An unauthenticated attacker can embed arbitrary JavaScript in the Web UI, potentially exposing credentials within a trusted session. IBM’s bulletin lists...

CVSS 6.1, AI score 6, EPSS 0.00256
Exploits: 0, References: 1, Affected Software: 1

Vulnrichment
added 2025/04/29 3:41 p.m., 5 views

CVE-2025-1551 IBM Operational Decision Manager cross-site scripting

IBM Operational Decision Manager 8.11.0.1, 8.11.1.0, 8.12.0.1, and 9.0.0.1 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials...

CVSS 6.1, AI score 6.1, EPSS 0.00256
Exploits: 0, References: 1

NVD
added 2025/04/29 12:15 p.m., 11 views

CVE-2025-3929

An XSS issue was discovered in MDaemon Email Server version 25.0.1 and below. An attacker can send a specially crafted HTML e-mail message with JavaScript in an img tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window, and...

CVSS 6.1, EPSS 0.00354
Exploits: 0, References: 1

NVD
added 2025/04/25 12:15 p.m., 27 views

CVE-2025-2986

IBM Maximo Asset Management 7.6.1.3 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

CVSS 5.5, EPSS 0.00174
Exploits: 0, References: 1

GithubExploit
added 2025/04/23 9:26 a.m., 248 views

Exploit for CVE-2025-32965

This is a PoC exploit for CVE-2025-32965, a supply chain attack...

CVSS 9.3, AI score 6.7, EPSS 0.00309
Exploits: 2

BDU FSTEC
added 2025/04/23 12:0 a.m., 1 views

The server for managing Fortinet FortiClient Enterprise Management Server is vulnerable. This vulnerability stems from the lack of security measures taken to protect the website structure, allowing attackers to send messages containing JavaScript code.

The vulnerability in the Fortinet FortiClient Enterprise Management Server (EMS) exists due to the lack of measures taken to protect the website structure. Exploiting this vulnerability allows a malicious actor to send messages containing JavaScript code via a specially created link...

CVSS 4, AI score 8.1, EPSS 0.00115
Exploits: 0, References: 5, Affected Software: 1

CVE
added 2025/04/22 5:45 p.m., 47 views

CVE-2025-32960

The CVE-2025-32960 vulnerability affects the CUBA REST API add-on prior to 7.2.7, where the input parameter (file path and name) can be manipulated to cause the server to return Content-Type: text/html for names ending in .html, enabling execution of malicious JavaScript in the browser after an a...

CVSS 6.4, AI score 6.3, EPSS 0.00293
Exploits: 0, References: 5

OSV
added 2025/04/22 4:59 p.m., 5 views

GHSA-88H5-34XW-2Q56 XSS in the /files Endpoint of the Generic REST API

Impact The input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be...

CVSS 6.4, AI score 6.7, EPSS 0.00293
Exploits: 0, References: 7

CVE
added 2025/04/18 12:3 a.m., 71 views

CVE-2025-25427

Stored XSS vulnerability CVE-2025-25427 in TP-Link WR841N web interface (upnp.htm) allows injection of arbitrary JavaScript via the port mapping description. Impact: payload executes when the upnp page loads. Affected: WR841N v14/v14.6/v14.8

CVSS 8.6, AI score 5.6, EPSS 0.02243
Exploits: 1, References: 4, Affected Software: 1

RedhatCVE
added 2025/04/15 12:16 p.m., 16 views

CVE-2025-3423

IBM Aspera Faspex 5.0.0 through 5.0.11 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

CVSS 5.4, AI score 6.5, EPSS 0.00214
Exploits: 0, References: 1

NVD
added 2025/04/14 9:15 p.m., 14 views

CVE-2022-43850

IBM Aspera Console 3.4.0 through 3.4.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

CVSS 5.4, EPSS 0.00214
Exploits: 0, References: 1

NVD
added 2025/04/13 12:15 p.m., 18 views

CVE-2025-3423

IBM Aspera Faspex 5.0.0 through 5.0.11 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

CVSS 5.4, EPSS 0.00214
Exploits: 0, References: 1

CVE
added 2025/04/13 11:56 a.m., 74 views

CVE-2025-3423

IBM Aspera Faspex 5.x (versions 5.0.0–5.0.11) is affected by a DOM-based cross-site scripting vulnerability that lets an authenticated user embed arbitrary JavaScript in the Web UI, potentially leading to credential disclosure within a trusted session. The issue stems from inadequate input handli...

CVSS 5.4, AI score 5.3, EPSS 0.00214
Exploits: 0, References: 1, Affected Software: 1

Vulnrichment
added 2025/04/13 11:56 a.m., 10 views

CVE-2025-3423 IBM Aspera Faspex 5 cross-site scripting

IBM Aspera Faspex 5.0.0 through 5.0.11 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

CVSS 5.4, AI score 5.3, EPSS 0.00214
Exploits: 0, References: 1

RedhatCVE
added 2025/04/12 2:3 p.m., 23 views

CVE-2023-42007

IBM Sterling Control Center 6.2.1, 6.3.1, and 6.4.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

CVSS 5.4, AI score 6.3, EPSS 0.00163
Exploits: 0, References: 3