CVE-2025-46571 Open WebUI vulnerable to limited stored XSS vila uploaded html file

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, low privileged users can upload HTML files which contain JavaScript code via the /api/v1/files/ backend endpoint. This endpoint returns a file id, which can be used to open t...

Amplify Codegen UI 安全漏洞

Amplify Codegen UI is an AWS Amplify open source React component generated for use in the AWS Amplify project. A security vulnerability exists in Amplify Codegen UI that stems from a lack of input validation for AWS Amplify Studio UI component property expressions, which could lead to the executi...

CVE-2024-11390

Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser XSS via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices...

CVE-2022-27562

Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications...

CVE-2022-42449

Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications...

CVE-2025-46558

XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown. In versions starting from 8.2 to before 8.9, the Markdown syntax is vulnerable to cross-site scripting XSS through HTML. In particular, using Markdown syntax, it's possible for...

CVE-2025-47201

In Intrexx Portal Server before 12.0.4, multiple Velocity-Scripts are susceptible to the execution of unrequested JavaScript code in HTML, aka XSS...

CVE-2025-47201

In Intrexx Portal Server before 12.0.4, multiple Velocity-Scripts are susceptible to the execution of unrequested JavaScript code in HTML, aka XSS...

RabbitMQ < 3.13.8 / 4.0.x < 4.0.3 XSS (GHSA-g58g-82mw-9m3p)

RabbitMQ is a messaging and streaming broker. Versions prior to 4.0.3 are vulnerable to a sophisticated attack that could modify virtual host name on disk and then make it unrecoverable with other on disk file modifications can lead to arbitrary JavaScript code execution in the browsers of...

CVE-2025-47201

CVE-2025-47201 affects Intrexx Portal Server prior to 12.0.4. The issue stems from multiple Velocity-Scripts that may execute unrequested JavaScript in HTML, enabling a cross-site scripting (XSS) condition. Exploitation details are not provided in the documents. Remediation: update to version 12....

CVE-2025-40616

Reflected Cross-Site Scripting XSS vulnerability in Bookgy. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the "IDRESERVA" parameter in /bkgimprimircomprobante.php...

CVE-2024-11390

Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser XSS via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices...

CVE-2024-11390

Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser XSS via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices...

CVE-2024-11390 Kibana Unrestricted Upload of File with Dangerous Type Can Lead to XSS

Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser XSS via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices...

CVE-2024-11390

Kibana is affected by CVE-2024-11390: an Unrestricted Upload of a File with a Dangerous Type can lead to arbitrary JavaScript execution (XSS) in a victim’s browser via crafted HTML/JavaScript files. This requires access to the Synthetics app or write access to synthetics indices. Affected version...

CVE-2025-46338

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to version 2.21.0, an improper input handling vulnerability in the /api/upload endpoint allows an attacker to perform a reflected cross-site scripting XSS attack by submitting malicious payloads in the libraryId field. The...

PT-2025-18389 · Elastic · Kibana

Name of the Vulnerable Software and Affected Versions: Kibana affected versions not specified Description: The issue allows for the unrestricted upload of files with dangerous types, potentially leading to arbitrary JavaScript execution in a victim's browser, resulting in a cross-site scripting X...

CVE-2022-42449

Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications...

CVE-2022-27562

Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications...

CVE-2022-27562

Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications...