5921 matches found

RedhatCVE
added 2025/03/15 8:12 a.m. | 13 views

CVE-2025-28010

A cross-site scripting (XSS) vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image...

CVSS 5.4 | AI score 5.5 | EPSS 0.00189
Exploits: 1 | References: 1

RedhatCVE
added 2025/03/15 7:5 a.m. | 9 views

CVE-2025-27914

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Reflected Cross-Site Scripting (XSS) vulnerability exists in the /h/rest endpoint, allowing authenticated attackers to inject and execute arbitrary JavaScript in a victim's session. Exploitation requires a valid auth token...

CVSS 5.4 | AI score 5.1 | EPSS 0.00046
Exploits: 0 | References: 1

CNNVD
added 2025/03/14 12:0 a.m. | 1 view

GLPI Inventory Plugin Cross-Site Scripting Vulnerability

GLPI Inventory Plugin is an open source plugin for GLPI France. It is used to handle various types of tasks for GLPI agents. A cross-site scripting vulnerability exists in GLPI Inventory Plugin versions prior to 1.5.0, which stems from reflective cross-site scripting and could lead to the executi...

CVSS 6.5 | AI score 6.2 | EPSS 0.00133
Exploits: 0 | References: 4

NVD
added 2025/03/13 6:15 p.m. | 10 views

CVE-2025-25363

An authenticated stored cross-site scripting (XSS) vulnerability in The Plugin People Enterprise Mail Handler for Jira Data Center (JEMH) before v4.1.69-dc allows attackers with Administrator privileges to execute arbitrary JavaScript in context of a user's browser via injecting a crafted payload int...

CVSS 6.5 | EPSS 0.00089
Exploits: 0 | References: 2

RedHat Linux
added 2025/03/13 6:57 a.m. | 5 views

firefox: Unexpected GC during RegExp bailout processing

A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: It was possible to interrupt the processing of a RegExp bailout and run additional JavaScript, potentially triggering garbage collection when the engine was not expecting it...

CVSS 6.5 | AI score 7.3 | EPSS 0.0034
Exploits: 0 | References: 7

CNNVD
added 2025/03/13 12:0 a.m. | 1 view

MODX Revolution Security Vulnerability

MODX Revolution is an open source PHP-based content management system (CMS) from MODX USA. The system supports online collaboration, search engine optimization (SEO) and more. A security vulnerability exists in MODX Revolution versions prior to 3.1.0, which originates from the fact that an...

CVSS 5.4 | AI score 6.5 | EPSS 0.00189
Exploits: 1 | References: 1

Cvelist
added 2025/03/12 12:0 a.m. | 13 views

CVE-2025-27915

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its...

EPSS 0.26053
Exploits: 1 | References: 4

CVE
added 2025/03/12 12:0 a.m. | 144 views

CVE-2025-27915

The CVE-2025-27915 issue affects Zimbra Collaboration (ZCS) Classic Web Client, where insufficient sanitization of HTML in ICS files enables stored XSS when viewing an email with a crafted ICS entry. The underlying flaw allows embedded JavaScript to execute via an ontoggle event inside a tag, en...

CVSS 5.4 | AI score 5.2 | EPSS 0.26053
In wild | Exploits: 1 | References: 6 | Affected Software: 1

BDU FSTEC
added 2025/03/12 12:0 a.m. | 2 views

The vulnerability of the pdf.js library on the MFlash secure data exchange platform, related to the lack of protective measures for website structures, allows attackers to execute arbitrary JavaScript code.

The vulnerability of the pdf.js library on the MFlash secure data exchange platform is related to the lack of protective measures for the web page structure. Exploiting this vulnerability could allow an attacker to execute arbitrary JavaScript code remotely...

CVSS 9 | AI score 5.9
Exploits: 0 | Affected Software: 1

OSV
added 2025/03/11 8:15 p.m. | 2 views

CVE-2025-25929

A reflected cross-site scripting (XSS) vulnerability in the component /legacyui/quickReportServlet of OpenMRS 2.4.3 Build 0ff0ed allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the reportType parameter...

CVSS 5.4 | AI score 5.5 | EPSS 0.00109
Exploits: 1 | References: 1

NVD
added 2025/03/11 8:15 p.m. | 7 views

CVE-2025-25929

A reflected cross-site scripting (XSS) vulnerability in the component /legacyui/quickReportServlet of OpenMRS 2.4.3 Build 0ff0ed allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the reportType parameter...

CVSS 5.4 | EPSS 0.00109
Exploits: 1 | References: 1

Cvelist
added 2025/03/11 12:0 a.m. | 7 views

CVE-2025-25929

A reflected cross-site scripting (XSS) vulnerability in the component /legacyui/quickReportServlet of OpenMRS 2.4.3 Build 0ff0ed allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the reportType parameter...

EPSS 0.00109
Exploits: 1 | References: 1

Vulnrichment
added 2025/03/11 12:0 a.m. | 6 views

CVE-2025-25929

A reflected cross-site scripting (XSS) vulnerability in the component /legacyui/quickReportServlet of OpenMRS 2.4.3 Build 0ff0ed allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the reportType parameter...

AI score 6 | EPSS 0.00109
Exploits: 1 | References: 1

CVE
added 2025/03/11 12:0 a.m. | 61 views

CVE-2025-25929

CVE-2025-25929 describes a reflected cross-site scripting (XSS) vulnerability in OpenMRS 2.4.3 Build 0ff0ed, affecting the component /legacyui/quickReportServlet. The issue allows an attacker to inject arbitrary JavaScript that executes in the context of a user’s browser via a crafted payload in ...

CVSS 5.4 | AI score 5.7 | EPSS 0.00109
Exploits: 1 | References: 1 | Affected Software: 1

CNVD
added 2025/03/07 12:0 a.m. | 9 views

Esri ArcGIS Server Cross-Site Scripting Vulnerability (CNVD-2025-05061)

Esri ArcGIS Server is Esri's Web-oriented enterprise software platform for providing geolocation services. A cross-site scripting vulnerability exists in Esri ArcGIS Server versions 10.9.1 through 11.3, which can be exploited by an attacker to create a specially crafted link that, when clicked, m...

CVSS 4.8 | AI score 6.5 | EPSS 0.0019
Exploits: 0 | References: 1

CNVD
added 2025/03/07 12:0 a.m. | 6 views

Esri ArcGIS Server Cross-Site Scripting Vulnerability (CNVD-2025-05059)

Esri ArcGIS Server is Esri's Web-oriented enterprise software platform for providing geolocation services. A cross-site scripting vulnerability exists in Esri ArcGIS Server versions 10.9.1 through 11.3, which can be exploited by an attacker to create a specially crafted link that, when clicked, m...

CVSS 4.8 | AI score 6.5 | EPSS 0.00108
Exploits: 0 | References: 1

CNVD
added 2025/03/07 12:0 a.m. | 9 views

Esri ArcGIS Server Cross-Site Scripting Vulnerability (CNVD-2025-05055)

Esri ArcGIS Server is Esri's Web-oriented enterprise software platform for providing geolocation services. A cross-site scripting vulnerability exists in Esri ArcGIS Server versions 10.9.1 through 11.3, which can be exploited by an attacker to create a specially crafted link that, when clicked, m...

CVSS 4.8 | AI score 6.5 | EPSS 0.00108
Exploits: 0 | References: 1

CNVD
added 2025/03/07 12:0 a.m. | 6 views

Esri ArcGIS Server Cross-Site Scripting Vulnerability (CNVD-2025-05057)

Esri ArcGIS Server is Esri's Web-oriented enterprise software platform for providing geolocation services. A cross-site scripting vulnerability exists in Esri ArcGIS Server versions 10.9.1 through 11.3, which can be exploited by an attacker to create a specially crafted link that, when clicked, m...

CVSS 4.8 | AI score 6.5 | EPSS 0.00108
Exploits: 0 | References: 1

RedhatCVE
added 2025/03/06 2:44 a.m. | 10 views

CVE-2025-26091

A Cross Site Scripting (XSS) vulnerability exists in TeamPasswordManager v12.162.284 and before that could allow a remote attacker to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'name' parameter when creating a new password in the "My...

CVSS 4.6 | AI score 6.5 | EPSS 0.00187
Exploits: 1 | References: 1

RedhatCVE
added 2025/03/05 10:22 p.m. | 13 views

CVE-2024-51948

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required...

CVSS 4.8 | AI score 5.2 | EPSS 0.0019
Exploits: 0 | References: 3