
Positive Technologies
added 2025/04/22 12:00 a.m. · 4 views

PT-2025-17576 · Unknown · Cuba Rest Api Add-On

Name of the Vulnerable Software and Affected Versions: CUBA REST API add-on versions prior to 7.2.7 Description: The issue allows malicious JavaScript code to be executed in the browser by manipulating the input parameter, which consists of a file path and name, to return the Content-Type header...

CVSS 6.4 · AI score 6.2 · EPSS 0.00387
Exploits 0 · References 24
CNNVD
added 2025/04/22 12:00 a.m. · 1 view

CUBA REST API Add-on Cross-Site Scripting Vulnerability

CUBA REST API Add-on is a general-purpose REST API open-sourced by CUBA Platform. A cross-site scripting vulnerability exists in CUBA REST API Add-on versions prior to 7.2.7, which stems from improper file path manipulation and could lead to malicious JavaScript execution...

CVSS 6.4 · AI score 5.8 · EPSS 0.00293
Exploits 0 · References 5
CVE
added 2025/04/18 4:04 p.m. · 70 views

CVE-2025-32792

CVE-2025-32792 affects SES’s isolation in the Compartment API. Before 1.12.0, web pages/extensions that used top-level const/let/class bindings in scripts could leak those bindings into the lexical scope of evaluated third-party code. The issue is fixed in SES 1.12.0; mitigations include avoiding...

CVSS 8.7 · AI score 7 · EPSS 0.00397
Exploits 0 · References 1
CNNVD
added 2025/04/18 12:00 a.m. · 1 view

TP-LINK TL-WR841N Security Vulnerability

TP-LINK TL-WR841N is a wireless router from China P&L TP-LINK. A security vulnerability exists in TP-LINK TL-WR841N v14/v14.6/v14.8 Build 241230 Rel. 50788n and prior versions, which originates from the presence of stored cross-site scripting on the upnp.htm page, which could lead to the executio...

CVSS 8.6 · AI score 6.1 · EPSS 0.02243
Exploits 1 · References 4
Tenable Nessus
added 2025/04/17 12:00 a.m. · 8 views

RabbitMQ 3.8.x < 3.8.17 XSS

The version of RabbitMQ installed on the remote host is 3.8.x prior to 3.8.17. It is, therefore, affected by a cross-site scripting vulnerability: - In rabbitmq-server prior to version 3.8.17, a new user being added via management UI could lead to the user's name being rendered in a confirmation...

CVSS 5.4 · AI score 5.9 · EPSS 0.00117
Exploits 1 · References 2
Veracode
added 2025/04/16 6:15 a.m. · 5 views

Arbitrary Code Execution (ACE)

Tarteaucitron.js is vulnerable to Arbitrary Code Execution (ACE). The vulnerability is due to insufficient URL validation, allowing a user with high privileges to input a URL with an insecure scheme, such as javascript:alert, which could lead to arbitrary JavaScript execution when clicked...

CVSS 4.8 · AI score 7.1 · EPSS 0.00457
Exploits 0 · References 4 · Affected Software 1
BDU FSTEC
added 2025/04/16 12:00 a.m. · 2 views

The vulnerability of the E-Staff automated recruitment process system, related to errors in data filtering during object updates, allows a perpetrator to execute arbitrary JavaScript code.

The vulnerability of the E-Staff recruitment process automation system is related to errors in data filtering during object updates. Exploiting this vulnerability could allow a malicious actor to execute arbitrary JavaScript code remotely...

CVSS 9.9 · AI score 5.9
Exploits 0
RedhatCVE
added 2025/04/11 12:12 a.m. · 6 views

CVE-2025-30292

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a reflected Cross-Site Scripting XSS vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's...

CVSS 6.1 · AI score 5.8 · EPSS 0.0287
Exploits 0 · References 3
Packet Storm
added 2025/04/11 12:00 a.m. · 311 views

Roundcube 1.6.6 Cross Site Scripting

Roundcube mail server versions earlier than 1.5.6 and 1.6 through 1.6.6 suffer from a persistent cross site scripting vulnerability. Exploit Title: Roundcube mail server exploit for CVE-2024-37383 Stored XSS Google Dork: Exploit Author: AmirZargham Vendor Homepage: Roundcube - Free and Open Sourc...

CVSS 6.1 · AI score 6.5 · EPSS 0.64028
Exploits 5
RedhatCVE
added 2025/04/10 3:58 a.m. · 3 views

CVE-2025-31476

tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges access to the site's source code or a CMS plugin to enter a URL containing an insecure scheme such as javascript:alert. Before the fix, URL...

CVSS 4.8 · AI score 7 · EPSS 0.00457
Exploits 0 · References 1
NVD
added 2025/04/09 4:15 p.m. · 12 views

CVE-2025-32379

Koa is expressive middleware for Node.js using ES2017 async functions. In koa 2.16.1 and 3.0.0-alpha.5, passing untrusted user input to ctx.redirect, even after sanitizing it, may execute JavaScript code on the user who uses the app. This issue is patched in 2.16.1 and 3.0.0-alpha.5...

CVSS 6.1 · EPSS 0.00311
Exploits 0 · References 2
Github Security Blog
added 2025/04/09 1:00 p.m. · 8 views

Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function

Summary In koa 2.16.1 and 3.0.0-alpha.5, passing untrusted user input to ctx.redirect, even after sanitizing it, may execute JavaScript code on the user who uses the app. Patches This issue is patched in 2.16.1 and 3.0.0-alpha.5. PoC Coming soon... Impact 1. Redirect user to another phishing site 2...

CVSS 6.1 · AI score 5.1 · EPSS 0.00311
Exploits 0 · References 4 · Affected Software 1
Positive Technologies
added 2025/04/09 12:00 a.m. · 2 views

PT-2025-15755

Name of the Vulnerable Software and Affected Versions: Koa versions prior to 2.16.1 Koa versions prior to 3.0.0-alpha.5 Description: The issue arises when passing untrusted user input to ctx.redirect, which can execute JavaScript code on the user's device, even after sanitizing the input...

CVSS 5 · AI score 6.5 · EPSS 0.00311
Exploits 0 · References 8
NVD
added 2025/04/08 8:15 p.m. · 10 views

CVE-2025-30292

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a reflected Cross-Site Scripting XSS vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's...

CVSS 6.1 · EPSS 0.0287
Exploits 0 · References 1
Cvelist
added 2025/04/08 8:03 p.m. · 7 views

CVE-2025-30292 ColdFusion | Cross-site Scripting (Reflected XSS) (CWE-79)

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a reflected Cross-Site Scripting XSS vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's...

CVSS 6.1 · EPSS 0.0287
Exploits 0 · References 1
Cvelist
added 2025/04/08 2:27 p.m. · 12 views

CVE-2025-22465

Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to execute arbitrary javascript in a victim's browser. Unlikely user interaction is required...

CVSS 6.1 · EPSS 0.00206
Exploits 0 · References 1
Github Security Blog
added 2025/04/07 4:46 p.m. · 10 views

tarteaucitron.js allows url scheme injection via unfiltered inputs

A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges access to the site's source code or a CMS plugin to enter a URL containing an insecure scheme such as javascript:alert. Before the fix, URL validation was insufficient, which could allow arbitrary JavaScript...

CVSS 4.8 · AI score 7.3 · EPSS 0.00457
Exploits 0 · References 4 · Affected Software 1
Cvelist
added 2025/04/07 2:52 p.m. · 7 views

CVE-2025-31476 tarteaucitron.js allows url scheme injection via unfiltered inputs

tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges access to the site's source code or a CMS plugin to enter a URL containing an insecure scheme such as javascript:alert. Before the fix, URL...

CVSS 4.8 · EPSS 0.00457
Exploits 0 · References 2
Vulnrichment
added 2025/04/07 2:52 p.m. · 9 views

CVE-2025-31476 tarteaucitron.js allows url scheme injection via unfiltered inputs

tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges access to the site's source code or a CMS plugin to enter a URL containing an insecure scheme such as javascript:alert. Before the fix, URL...

CVSS 4.8 · AI score 7 · EPSS 0.00457
Exploits 0 · References 2
CVE
added 2025/04/07 2:52 p.m. · 63 views

CVE-2025-31476

Summary: CVE-2025-31476 affects tarteaucitron.js. A vulnerability caused by insufficient URL validation allowed a user with high privileges to insert URLs with insecure schemes (e.g., javascript:alert()) that could lead to arbitrary JavaScript execution when a link is clicked. The issue enables e...

CVSS 4.8 · AI score 7 · EPSS 0.00457
Exploits 0 · References 3 · Affected Software 1