5912 matches found

Cvelist
added 2025/07/24 3:11 p.m. · 4 views

CVE-2025-36548

A cross-site scripting (xss) vulnerability exists in the LoginWordPress loginForm cancelUri parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigg...

8.3 CVSS · 0.00703 EPSS
Exploits: 1 · References: 1
CVE
added 2025/07/24 3:11 p.m. · 23 views

CVE-2025-36548

WWBN AVideo 14.4 and dev master commit 8a8954ff are vulnerable to a reflected XSS via the loginForm cancelUri parameter. A crafted HTTP request can cause arbitrary JavaScript execution when a user visits a malicious page. TALOS reports the vulnerability and notes vendor patches were released; rem...

9.6 CVSS · 6.1 AI score · 0.00703 EPSS
Exploits: 1 · References: 2 · Affected Software: 1
Vulnrichment
added 2025/07/24 3:11 p.m. · 2 views

CVE-2025-41420

A cross-site scripting (xss) vulnerability exists in the userLogin cancelUri parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this...

9.6 CVSS · 6.1 AI score · 0.00703 EPSS
Exploits: 1 · References: 1
CVE
added 2025/07/24 3:11 p.m. · 18 views

CVE-2025-41420

CVE-2025-41420 concerns WWBN AVideo 14.4 and the dev master commit 8a8954ff, where the PHP file view/userLogin.php mishandles the cancelUri parameter. This causes a reflected cross-site scripting (XSS) vulnerability: a specially crafted HTTP request can cause arbitrary Javascript execution when a...

9.6 CVSS · 6.1 AI score · 0.00703 EPSS
Exploits: 1 · References: 2 · Affected Software: 1
RedhatCVE
added 2025/07/24 12:23 a.m. · 4 views

CVE-2025-51462

Stored Cross-site Scripting (XSS) vulnerability in api.apps.dialogapp.setdialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw...

6.1 CVSS · 5.8 AI score · 0.0018 EPSS
Exploits: 1 · References: 1
Positive Technologies
added 2025/07/24 12:0 a.m. · 2 views

PT-2025-30680 · Wwbn · Avideo

Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions 14.4 WWBN AVideo dev master commit 8a8954ff Description: A cross-site scripting (xss) vulnerability exists due to the videoNotFound 404ErrorMsg parameter functionality. A specially crafted HTTP request can lead to arbitrary...

9.6 CVSS · 6 AI score · 0.00475 EPSS
Exploits: 1 · References: 7
Positive Technologies
added 2025/07/24 12:0 a.m. · 3 views

PT-2025-30683 · Wwbn · Avideo

Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions 14.4 and dev master commit 8a8954ff Description: A cross-site scripting (xss) vulnerability exists in the videosList page parameter functionality. A specially crafted HTTP request can lead to arbitrary Javascript execution,...

9 CVSS · 6.2 AI score · 0.00367 EPSS
Exploits: 1 · References: 7
Talos
added 2025/07/24 12:0 a.m. · 6 views

WWBN AVideo videosList page parameter cross-site scripting (XSS) vulnerability

Talos Vulnerability Report TALOS-2025-2206 WWBN AVideo videosList page parameter cross-site scripting (XSS) vulnerability July 24, 2025 CVE Number CVE-2025-53084 SUMMARY A cross-site scripting (xss) vulnerability exists in the videosList page parameter functionality of WWBN AVideo 14.4 and dev master...

9 CVSS · 5.5 AI score · 0.00367 EPSS
Exploits: 1
Talos
added 2025/07/24 12:0 a.m. · 5 views

WWBN AVideo managerPlaylists PlaylistOwnerUsersId parameter cross-site scripting (XSS) vulnerability

Talos Vulnerability Report TALOS-2025-2205 WWBN AVideo managerPlaylists PlaylistOwnerUsersId parameter cross-site scripting (XSS) vulnerability July 24, 2025 CVE Number CVE-2025-46410 SUMMARY A cross-site scripting (xss) vulnerability exists in the managerPlaylists PlaylistOwnerUsersId parameter...

9.6 CVSS · 5.5 AI score · 0.00475 EPSS
Exploits: 1
Positive Technologies
added 2025/07/24 12:0 a.m. · 3 views

PT-2025-30677 · Wwbn · Avideo

Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions 14.4 and dev master commit 8a8954ff Description: A cross-site scripting (xss) vulnerability exists due to the improper handling of the cancelUri parameter within the userLogin functionality. A specially crafted HTTP request...

9.6 CVSS · 6.3 AI score · 0.00703 EPSS
Exploits: 1 · References: 7
CNNVD
added 2025/07/24 12:0 a.m. · 2 views

WWBN AVideo cross-site scripting vulnerability

WWBN AVideo is a video platform builder written in PHP by the WWBN team. A cross-site scripting vulnerability exists in WWBN AVideo version 14.4, which stems from the videoNotFound 404ErrorMsg parameter that is vulnerable to cross-site scripting attacks and could lead to the execution of arbitrar...

9.6 CVSS · 6.1 AI score · 0.00475 EPSS
Exploits: 1 · References: 1
Talos
added 2025/07/24 12:0 a.m. · 3 views

WWBN AVideo LoginWordPress loginForm cancelUri parameter cross-site scripting (XSS) vulnerability

Talos Vulnerability Report TALOS-2025-2208 WWBN AVideo LoginWordPress loginForm cancelUri parameter cross-site scripting (XSS) vulnerability July 24, 2025 CVE Number CVE-2025-36548 SUMMARY A cross-site scripting (xss) vulnerability exists in the LoginWordPress loginForm cancelUri parameter...

9.6 CVSS · 5.5 AI score · 0.00703 EPSS
Exploits: 1
Snyk
added 2025/07/23 9:44 p.m. · 1 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the markdown field in the info tab page. An attacker can execute arbitrary JavaScript code in the context of a user's browser by injecting malicious content. Details: Cross-site scripting or XSS is a code...

5.1 CVSS · 5.4 AI score · 0.0016 EPSS
Exploits: 0 · References: 2
Positive Technologies
added 2025/07/23 12:0 a.m. · 2 views

PT-2025-30594

Name of the Vulnerable Software and Affected Versions: SMA100 series versions affected versions not specified Description: A reflected cross-site scripting (XSS) vulnerability exists in the web interface, allowing a remote unauthenticated attacker to potentially execute arbitrary JavaScript code...

7.5 CVSS · 7.1 AI score · 0.00523 EPSS
Exploits: 0 · References: 22
CNNVD
added 2025/07/23 12:0 a.m. · 1 views

SonicWall SMA 100 Series cross-site scripting vulnerability

SonicWall SMA 100 Series is a series of remote access software from SonicWall Corporation. A cross-site scripting vulnerability exists in SonicWall SMA 100 Series that originates from reflective cross-site scripting and could lead to arbitrary JavaScript code execution...

6.1 CVSS · 7.4 AI score · 0.00315 EPSS
Exploits: 0 · References: 1
NVD
added 2025/07/22 9:15 p.m. · 5 views

CVE-2025-51462

Stored Cross-site Scripting (XSS) vulnerability in api.apps.dialogapp.setdialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw...

6.1 CVSS · 0.0018 EPSS
Exploits: 1 · References: 3
CVE
added 2025/07/22 8:49 p.m. · 76 views

CVE-2025-8029

CVE-2025-8029: Thunderbird and Firefox products are affected by a vulnerability where javascript: URLs are executed when used inside object and embed tags. The impact list states affected versions include Firefox < 141 and Thunderbird < 141 (and ESR branches

8.1 CVSS · 7.2 AI score · 0.00277 EPSS
Exploits: 0 · References: 8 · Affected Software: 2
Vulnrichment
added 2025/07/22 8:49 p.m. · 2 views

CVE-2025-8029 javascript: URLs executed on object and embed tags

Thunderbird executed javascript: URLs when used in object and embed tags. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1...

7.2 AI score · 0.00277 EPSS
Exploits: 0 · References: 7
Debian CVE
added 2025/07/22 8:49 p.m. · 3 views

CVE-2025-8029

Thunderbird executed javascript: URLs when used in object and embed tags. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1...

8.1 CVSS · 7.7 AI score · 0.00277 EPSS
Exploits: 0
Cvelist
added 2025/07/22 8:49 p.m. · 5 views

CVE-2025-8029 javascript: URLs executed on object and embed tags

Thunderbird executed javascript: URLs when used in object and embed tags. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1...

0.00277 EPSS
Exploits: 0 · References: 7