EUVD-2023-60206

UliCMS 2023.1 contains a stored cross-site scripting vulnerability that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the file management interface that execute arbitrary scripts when viewed by other users...

rockmongo 安全漏洞

rockmongo is a MongoDB management tool for Chaos Personal Developers. A security vulnerability exists in RockMongo version 1.1.7, which stems from a stored cross-site scripting vulnerability that could lead to the execution of arbitrary JavaScript...

PT-2025-52318

Name of the Vulnerable Software and Affected Versions TinyWebGallery version 2.5 Description TinyWebGallery version 2.5 has a stored cross-site scripting issue. Authenticated attackers can inject malicious scripts through the folder name parameter. Attackers can modify album folder names with...

CamaleonCMS 跨站脚本漏洞

CamaleonCMS is an advanced RubyonRails-based dynamic content management system CMS from the CamaleonCMS team. A cross-site scripting vulnerability exists in CamaleonCMS version 2.7.4, which stems from a persistent cross-site scripting vulnerability that could lead to the execution of arbitrary...

CVE-2023-53928

PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when viewed, potentially stealing user session...

CVE-2023-53928

PHPFusion 9.10.30 is affected by a stored cross-site scripting vulnerability in the file manager, allowing attackers to upload SVGs with embedded JavaScript. When such SVGs are viewed, they can execute client-side code that may steal session information or perform other user-side actions. The vul...

CVE-2023-53928 PHPFusion 9.10.30 Stored Cross-Site Scripting via File Manager Upload

PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when viewed, potentially stealing user session...

CVE-2025-65233

Reflected cross-site scripting XSS in SLiMS slims9bulian before 9.6.0 via improper handling of $SERVER'PHPSELF' in index.php/sysconfig.inc.php, which allows remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted URL path...

CVE-2025-14284

A flaw was found in @tiptap/extension-link. This vulnerability allows an attacker to execute arbitrary JavaScript JS code via unsanitized user input when setting or toggling links, by injecting a javascript: Uniform Resource Locator URL payload. Mitigation Mitigation for this issue is either not...

PT-2025-51981

Name of the Vulnerable Software and Affected Versions affected versions not specified Description A flaw exists in the file upload process within the bookmark and asset rendering pipeline. An attacker can upload a malicious SVG file containing JavaScript code. When an authenticated administrator...

Cross-site Scripting (XSS)

Overview org.lucee:core is a coer build of Lucee Affected versions of this package are vulnerable to Cross-site Scripting XSS via the admin interface parameters. An attacker can execute arbitrary JavaScript in a victim's browser session by injecting malicious scripts through crafted requests to...

CVE-2025-65778

An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Uploaded attachments can be served with attacker-controlled Content-Type text/html, allowing execution of attacker-supplied HTML/JS in the application's origin and enabling session/token thef...

CVE-2025-65778

CVE-2025-65778 affects Wekan (The Open Source Kanban Board) up to version 18.15; fixed in 18.16. Vulnerability arises when uploaded attachments are served with attacker-controlled Content-Type (text/html), permitting execution of attacker-supplied HTML/JS within the application's origin and enabl...

Adobe Experience Manager cross-site scripting vulnerability (CNVD-2026-0494065)

Adobe Experience Manager is enterprise-grade content management software CMS from Adobe for building, managing, and deploying digital experiences such as websites, mobile apps, digital assets, and forms. Adobe Experience Manager suffers from a cross-site scripting vulnerability that stems from a...

Adobe Experience Manager cross-site scripting vulnerability (CNVD-2026-00679)

Adobe Experience Manager AEM is a set of content management solutions that can be used to build websites, mobile applications and forms from the American company Odobie Adobe. The program supports mobile content management, marketing and sales campaign management and multi-site management. A...

CVE-2025-65778

An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Uploaded attachments can be served with attacker-controlled Content-Type text/html, allowing execution of attacker-supplied HTML/JS in the application's origin and enabling session/token thef...

CVE-2025-65778

An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Uploaded attachments can be served with attacker-controlled Content-Type text/html, allowing execution of attacker-supplied HTML/JS in the application's origin and enabling session/token thef...

CVE-2025-67750

Lightning Flow Scanner provides a A CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metadata file to cause arbitrary JavaScript execution during scanning. The APIVersion rule uses new...

Cross-site Scripting (XSS)

prosemirrortohtml is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper escaping of HTML attribute values, which allows an attacker to inject and execute arbitrary JavaScript code through crafted input...

Code Injection

Open WebUI is vulnerable to a code injection vulnerability. The vulnerability is due to improper handling of Server-Sent Event SSE execute events in the Direct Connections feature, which allows an attacker controlling a malicious external model server to inject and execute arbitrary JavaScript in...