5968 matches found
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the showUploadForm method, any malicious unauthenticated user can create a link that can be clicked on in the victim context to perform arbitrary actions. An attacker can execute arbitrary JavaScript code by...
CVE-2025-3929
CVE-2025-3929 concerns the MDaemon Email Server (versions 25.0.1 and below). The issue is a stored XSS vulnerability where an attacker can send a specially crafted HTML email containing JavaScript in an img tag. When viewed in a webmail client, this could execute arbitrary JavaScript in the user’...
CVE-2025-46338 Audiobookshelf Vulnerable to Cross-Site-Scripting Reflected via POST Request in /api/upload
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to version 2.21.0, an improper input handling vulnerability in the /api/upload endpoint allows an attacker to perform a reflected cross-site scripting XSS attack by submitting malicious payloads in the libraryId field. The...
CVE-2025-46338 Audiobookshelf Vulnerable to Cross-Site-Scripting Reflected via POST Request in /api/upload
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to version 2.21.0, an improper input handling vulnerability in the /api/upload endpoint allows an attacker to perform a reflected cross-site scripting XSS attack by submitting malicious payloads in the libraryId field. The...
PT-2025-18174 · Bookgy · Bookgy
Name of the Vulnerable Software and Affected Versions: Bookgy affected versions not specified Description: A Reflected Cross-Site Scripting XSS issue exists, allowing an attacker to execute JavaScript code in a victim's browser. This is achieved by sending a malicious URL through the IDRESERVA...
CVE-2025-3706
The eHRMS from 104 Corporation has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks...
CVE-2025-3706
Summary: CVE-2025-3706 affects the eHRMS from 104 Corporation. The vulnerability is a Reflected Cross-Site Scripting flaw that enables unauthenticated remote attackers to execute arbitrary JavaScript in a user’s browser via phishing attacks. Affected software: eHRMS (V202412 and prior versions me...
CVE-2025-29526
A Cross-Site Scripting XSS vulnerability in the search function of Q4 Inc Investor Relations Platform v5.147.1.2 allows attackers to execute arbitrary Javascript via injecting a crafted payload into the SearchTerm parameter...
CVE-2025-32951
Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends...
CVE-2022-44760
Unsafe default file type filter policy in HCL Leap allows execution of unsafe JavaScript in deployed applications...
CVE-2022-44760 HCL Leap is affected by an unrestricted upload of file with dangerous type vulnerability
Unsafe default file type filter policy in HCL Leap allows execution of unsafe JavaScript in deployed applications...
CVE-2022-44760
CVE-2022-44760 concerns HCL Leap where an unsafe default file type filter policy in Leap permits execution of unsafe JavaScript in deployed applications. The root cause listed is the default file type filtering policy, leading to potential unsafe script execution. Documented impacts indicate unsa...
CVE-2025-29526
A Cross-Site Scripting XSS vulnerability in the search function of Q4 Inc Investor Relations Platform v5.147.1.2 allows attackers to execute arbitrary Javascript via injecting a crafted payload into the SearchTerm parameter...
CVE-2025-2703
CVE-2025-2703 affects Grafana’s built-in XY Chart plugin through a DOM XSS flaw. The advisory text states that a user with Editor permissions can modify a panel to execute arbitrary JavaScript, indicating that the vulnerability stems from client-side script handling in the chart component and cou...
CVE-2025-2703
The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript...
CVE-2025-2703
The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript...
firefox: thunderbird: Use-after-free triggered by XSLTProcessor
A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free...
CVE-2025-29526
A Cross-Site Scripting XSS vulnerability in the search function of Q4 Inc Investor Relations Platform v5.147.1.2 allows attackers to execute arbitrary Javascript via injecting a crafted payload into the SearchTerm parameter...
CVE-2025-29526
A Cross-Site Scripting XSS vulnerability in the search function of Q4 Inc Investor Relations Platform v5.147.1.2 allows attackers to execute arbitrary Javascript via injecting a crafted payload into the SearchTerm parameter...
CVE-2025-32960
The CUBA REST API add-on performs operations on data and entities. Prior to version 7.2.7, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code ...