Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the argstypes parameter, which is rendered into an info banner without proper HTML escaping. An attacker can execute arbitrary JavaScript code in the backend context by tricking an authenticated user into...

GHSA-X6VR-Q3VF-VQGQ REDAXO CMS is vulnerable to Reflected XSS in Mediapool Info Banner via args[types]

Summary A reflected Cross-Site Scripting XSS vulnerability exists in the Mediapool view where the request parameter argstypes is rendered into an info banner without HTML-escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link...

CVE-2025-13589 Otsuka Information Technology｜FMS - Reflected Cross-site Scripting

FMS developed by Otsuka Information Technology has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks...

PT-2025-47877

FMS developed by Otsuka Information Technology has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks...

EUVD-2025-198317

md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process o...

CVE-2025-65108 md-to-pdf is vulnerable to arbitrary JavaScript code execution when parsing front matter

md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process o...

CVE-2025-65108 md-to-pdf is vulnerable to arbitrary JavaScript code execution when parsing front matter

md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process o...

CVE-2025-65108 md-to-pdf is vulnerable to arbitrary JavaScript code execution when parsing front matter

md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process o...

CVE-2025-62296

SOPlanning is vulnerable to Stored XSS in /taches endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor. This issue was fixed in version 1.55...

CVE-2025-62729

SOPlanning is vulnerable to Stored XSS in /status endpoint. Malicious attacker with an account can inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. This issue was fixed in version 1.55...

CVE-2025-63243

A reflected cross-site scripting XSS vulnerability exists in the password change functionality of Pixeon WebLaudos 25.1 01. The slesSenha parameter to the loginAlterarSenha.asp file. An attacker can craft a malicious URL that, when visited by a victim, causes arbitrary JavaScript code to be...

CVE-2025-63879

A reflected cross-site scripted XSS vulnerability in the /ecommerce/products.php component of E-commerce Project v1.0 and earlier allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into the id parameter...

Snipe-IT 安全漏洞

Snipe-IT is an open source IT asset/license management system from Grokability Open Source. A security vulnerability exists in Snipe-IT version v8.3.4, which stems from the presence of reflective cross-site scripting in the CSV import workflow, which could lead to the execution of arbitrary...

PT-2025-47598

Name of the Vulnerable Software and Affected Versions SOPlanning versions prior to 1.55 Description SOPlanning is susceptible to a Stored Cross-Site Scripting XSS issue within the /status endpoint. An attacker possessing an account can inject arbitrary HTML and JavaScript code into the website...

PT-2025-47597

Name of the Vulnerable Software and Affected Versions SOPlanning versions prior to 1.55 Description SOPlanning is susceptible to a Stored Cross-Site Scripting XSS issue in the /projets API endpoint. An attacker with medium privileges can inject arbitrary HTML and JavaScript code into the website...

PT-2025-47581

phpPgAdmin 7.13.0 and earlier contains multiple cross-site scripting XSS vulnerabilities across various components. User-supplied input from $ REQUEST parameters is reflected in HTML output without proper encoding or sanitization in multiple locations including sequences.php, indexes.php,...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection in the CSS-to-JavaScript module conversion feature. An attacker can execute arbitrary JavaScript code by injecting $... expressions into CSS files, which are then evaluated when the resulting JavaScript module i...

CVE-2025-51662

A stored cross-site scripting XSS vulnerability is found in the text sharing feature of FileCodeBox version 2.2 and earlier. Insufficient input validation allows attackers to inject arbitrary JavaScript code into shared text "codeboxes". The xss payload is automatically executed in the browsers o...

CVE-2025-63243

A reflected cross-site scripting XSS vulnerability exists in the password change functionality of Pixeon WebLaudos 25.1 01. The slesSenha parameter to the loginAlterarSenha.asp file. An attacker can craft a malicious URL that, when visited by a victim, causes arbitrary JavaScript code to be...

PT-2025-47458

A reflected cross-site scripting XSS vulnerability exists in the password change functionality of Pixeon WebLaudos 25.1 01. The sle sSenha parameter to the loginAlterarSenha.asp file. An attacker can craft a malicious URL that, when visited by a victim, causes arbitrary JavaScript code to be...