
5922 matches found

Vulnrichment
added 2025/05/12 6:00 a.m., 7 views

CVE-2025-3597 Firelight Lightbox < 2.3.15 - Contributor+ Stored XSS

The Firelight Lightbox WordPress plugin before 2.3.15 does not prevent users with post writing capabilities from executing arbitrary JavaScript when the jQuery Metadata library is enabled. While this feature is meant to only be available to Pro version users, it can be activated in the free versi...

AI score 5.8, EPSS 0.00286
Exploits 1, References 1
Positive Technologies
added 2025/05/12 12:00 a.m., 4 views

PT-2025-20681 · WordPress +1 · Firelight Lightbox +1

Name of the Vulnerable Software and Affected Versions: Firelight Lightbox plugin for WordPress versions prior to 2.3.15
Description: The issue allows users with post writing capabilities to execute arbitrary JavaScript when the jQuery Metadata library is enabled. This feature is intended for Pro...

CVSS 5.9, AI score 7, EPSS 0.00286
Exploits 1, References 7
Positive Technologies
added 2025/05/12 12:00 a.m., 4 views

PT-2025-20694 · Unknown · Abantecart

Name of the Vulnerable Software and Affected Versions: AbanteCart version 1.4.0
Description: A Reflected Cross-Site Scripting (XSS) issue allows an attacker to execute JavaScript code in a victim's browser by sending a malicious URL. This can be exploited to steal sensitive user data, such as sessi...

CVSS 5.1, AI score 5.5, EPSS 0.00167
Exploits 0, References 7
RedhatCVE
added 2025/05/09 6:07 p.m., 8 views

CVE-2025-46824

The Discourse Code Review Plugin allows users to review GitHub commits on Discourse. Prior to commit eed3a80, an attacker can execute arbitrary JavaScript on users' browsers by posting links to malicious GitHub commits. This problem is patched in commit eed3a80 of the discourse-code-review plugin...

CVSS 3.1, AI score 7.3, EPSS 0.00161
Exploits 0, References 1
NVD
added 2025/05/09 12:15 p.m., 16 views

CVE-2025-1087

Kong Insomnia Desktop Application before 11.0.2 contains a template injection vulnerability that allows attackers to execute arbitrary code. The vulnerability exists due to insufficient validation of user-supplied input when processing template strings, which can lead to arbitrary JavaScript...

CVSS 9.3, EPSS 0.00949
Exploits 0, References 2
OSV
added 2025/05/09 12:15 p.m., 6 views

CVE-2025-1087

Kong Insomnia Desktop Application before 11.0.2 contains a template injection vulnerability that allows attackers to execute arbitrary code. The vulnerability exists due to insufficient validation of user-supplied input when processing template strings, which can lead to arbitrary JavaScript...

CVSS 9.3, AI score 7.5
Exploits 0, References 2
Cvelist
added 2025/05/09 11:37 a.m., 28 views

CVE-2025-1087 Arbitrary Code Execution in Kong Insomnia Desktop Application

Kong Insomnia Desktop Application before 11.0.2 contains a template injection vulnerability that allows attackers to execute arbitrary code. The vulnerability exists due to insufficient validation of user-supplied input when processing template strings, which can lead to arbitrary JavaScript...

CVSS 9.3, EPSS 0.00949
Exploits 0, References 1
CVE
added 2025/05/09 11:37 a.m., 72 views

CVE-2025-1087

CVE-2025-1087 : Kong Insomnia Desktop Application prior to 11.0.2 contains a template injection flaw that allows arbitrary code execution. The issue arises from insufficient validation of user-supplied input during template string processing, enabling arbitrary JavaScript execution within the app...

CVSS 9.3, AI score 7.7, EPSS 0.00949
Exploits 0, References 2
Tenable Nessus
added 2025/05/09 12:00 a.m., 7 views

Kibana 7.17.6 < 7.17.24 / 8.4.x < 8.12.0 XSS (ESA-2024-20)

Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim's browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices. Note that Nessus has n...

CVSS 5.4, AI score 6.1, EPSS 0.00146
Exploits 0, References 2
Positive Technologies
added 2025/05/09 12:00 a.m., 4 views

PT-2025-20551

Name of the Vulnerable Software and Affected Versions: Kong Insomnia Desktop Application versions prior to 11.0.2
Description: The Kong Insomnia Desktop Application is susceptible to a template injection issue. This flaw stems from inadequate validation of user-provided input during template string...

CVSS 9.3, AI score 7.7, EPSS 0.00949
Exploits 0, References 20
CVE
added 2025/05/08 7:27 p.m., 64 views

CVE-2025-46812

CVE-2025-46812 affects the Trix rich-text editor. Versions before 2.1.15 are vulnerable to XSS when pasting malicious content, enabling execution of arbitrary JavaScript in the user session; this could lead to unauthorized actions or data disclosure. The issue is patched in version 2.1.15. Remedi...

CVSS 5.1, AI score 6.2, EPSS 0.0035
Exploits 0, References 2
Cvelist
added 2025/05/08 7:27 p.m., 18 views

CVE-2025-46812 Trix vulnerable to Cross-site Scripting on copy & paste

Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.15 are vulnerable to XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the...

CVSS 5.1, EPSS 0.0035
Exploits 0, References 2
OSV
added 2025/05/08 7:27 p.m., 4 views

CVE-2025-46812 Trix vulnerable to Cross-site Scripting on copy & paste

Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.15 are vulnerable to XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the...

CVSS 5.1, AI score 6.4, EPSS 0.0035
Exploits 0, References 4
OSV
added 2025/05/08 8:46 a.m., 9 views

BIT-OPENCART-2025-1746 Cross-Site Scripting vulnerability in OpenCart

Cross-Site Scripting vulnerability in OpenCart versions prior to 4.1.0. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the search in the /product/search endpoint. This vulnerability could be exploited to steal...

CVSS 6.1, AI score 6.1, EPSS 0.00114
Exploits 0, References 2
RedhatCVE
added 2025/05/07 6:25 p.m., 5 views

CVE-2025-4318

The AWS Amplify Studio UI component property expressions in the aws-amplify/amplify-codegen-ui package lack input validation. This could potentially allow an authenticated user who has access to create or modify components to run arbitrary JavaScript code during the component rendering and build...

CVSS 9.5, AI score 7, EPSS 0.00236
Exploits 0, References 1
NVD
added 2025/05/07 6:15 p.m., 9 views

CVE-2025-46824

The Discourse Code Review Plugin allows users to review GitHub commits on Discourse. Prior to commit eed3a80, an attacker can execute arbitrary JavaScript on users' browsers by posting links to malicious GitHub commits. This problem is patched in commit eed3a80 of the discourse-code-review plugin...

CVSS 3.1, EPSS 0.00161
Exploits 0, References 4
Positive Technologies
added 2025/05/07 12:00 a.m., 3 views

PT-2025-20284 · Discourse · Discourse Code Review Plugin

Name of the Vulnerable Software and Affected Versions: Discourse Code Review Plugin versions prior to commit eed3a80
Description: The issue allows an attacker to execute arbitrary JavaScript on users' browsers by posting links to malicious GitHub commits. This is a problem with the Discourse Code...

CVSS 3.1, AI score 7, EPSS 0.00161
Exploits 0, References 10
Github Security Blog
added 2025/05/05 8:40 p.m., 63 views

league/commonmark contains an XSS vulnerability in Attributes extension

Summary: Cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library versions 1.5.0 through 2.6.x allows remote attackers to insert malicious JavaScript calls into HTML.
Details: The league/commonmark library provides configuration options such as htmlinput:...

CVSS 6.4, AI score 5.3, EPSS 0.0005
Exploits 0, References 4, Affected Software 1
NVD
added 2025/05/05 7:15 p.m., 12 views

CVE-2025-4318

The AWS Amplify Studio UI component property expressions in the aws-amplify/amplify-codegen-ui package lack input validation. This could potentially allow an authenticated user who has access to create or modify components to run arbitrary JavaScript code during the component rendering and build...

CVSS 9.5, EPSS 0.00236
Exploits 0, References 5
OSV
added 2025/05/05 6:50 p.m., 4 views

CVE-2025-46719 Open WebUI vulnerable to stored XSS via unescaped markdown token in MarkdownTokens.svelte leading to full account takeover and RCE via functions

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, a vulnerability in the way certain HTML tags in chat messages are rendered allows attackers to inject JavaScript code into a chat transcript. The JavaScript code will be...

CVSS 6.4, AI score 6.8, EPSS 0.00225
Exploits 1, References 5