CVE-2025-32961
The Cuba JPA web API enables loading and saving any entities defined in the application data model by sending simple HTTP requests. Prior to version 1.1.1, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name...
CVE-2025-32951
Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends...
CVE-2025-32960 CUBA Generic REST API Vulnerable to Cross-Site Scripting (XSS) in the /files Endpoint
The CUBA REST API add-on performs operations on data and entities. Prior to version 7.2.7, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code ...
CVE-2025-32951 io.jmix.rest:jmix-rest allows XSS in the /files Endpoint of the Generic REST API
Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends...
PT-2025-17576 · Unknown · Cuba Rest Api Add-On
Name of the Vulnerable Software and Affected Versions: CUBA REST API add-on versions prior to 7.2.7 Description: The issue allows malicious JavaScript code to be executed in the browser by manipulating the input parameter, which consists of a file path and name, to return the Content-Type header...
PT-2025-17577 · Cuba Jpa · Cuba Jpa
Name of the Vulnerable Software and Affected Versions: Cuba JPA versions prior to 1.1.1 Description: The Cuba JPA web API allows loading and saving entities defined in the application data model through simple HTTP requests. Prior to version 1.1.1, the input parameter, which includes a file path...
CUBA REST API Add-on Cross-Site Scripting Vulnerability
CUBA REST API Add-on is a general-purpose REST API open-sourced by CUBA Platform. A cross-site scripting vulnerability exists in CUBA REST API Add-on versions prior to 7.2.7, which stems from improper file path manipulation and could lead to malicious JavaScript execution...
CVE-2025-32792
CVE-2025-32792 affects SES’s isolation in the Compartment API. Before 1.12.0, web pages/extensions that used top-level const/let/class bindings in scripts could leak those bindings into the lexical scope of evaluated third-party code. The issue is fixed in SES 1.12.0; mitigations include avoiding...
TP-LINK TL-WR841N Security Vulnerability
TP-LINK TL-WR841N is a wireless router from China P&L TP-LINK. A security vulnerability exists in TP-LINK TL-WR841N v14/v14.6/v14.8 Build 241230 Rel. 50788n and prior versions, which originates from the presence of stored cross-site scripting on the upnp.htm page, which could lead to the executio...
RabbitMQ 3.8.x < 3.8.17 XSS
The version of RabbitMQ installed on the remote host is 3.8.x prior to 3.8.17. It is, therefore, affected by a cross-site scripting vulnerability: - In rabbitmq-server prior to version 3.8.17, a new user being added via management UI could lead to the user's name being rendered in a confirmation...
Arbitrary Code Execution (ACE)
Tarteaucitron.js is vulnerable to Arbitrary Code Execution ACE. The vulnerability is due to insufficient URL validation, allowing a user with high privileges to input a URL with an insecure scheme, such as javascript:alert, which could lead to arbitrary JavaScript execution when clicked...
The vulnerability of the E-Staff automated recruitment process system, related to errors in data filtering during object updates, allows a perpetrator to execute arbitrary JavaScript code.
The vulnerability of the E-Staff recruitment process automation system is related to errors in data filtering during object updates. Exploiting this vulnerability could allow a malicious actor to execute arbitrary JavaScript code remotely...
CVE-2025-30292
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a reflected Cross-Site Scripting XSS vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's...
Roundcube 1.6.6 Cross Site Scripting
Roundcube mail server versions earlier than 1.5.6 and 1.6 through 1.6.6 suffer from a persistent cross site scripting vulnerability. Exploit Title: Roundcube mail server exploit for CVE-2024-37383 Stored XSS Google Dork: Exploit Author: AmirZargham Vendor Homepage: Roundcube - Free and Open Sourc...
CVE-2025-31476
tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges access to the site's source code or a CMS plugin to enter a URL containing an insecure scheme such as javascript:alert. Before the fix, URL...
CVE-2025-32379
Koa is expressive middleware for Node.js using ES2017 async functions. In koa 2.16.1 and 3.0.0-alpha.5, passing untrusted user input to ctx.redirect, even after sanitizing it, may execute JavaScript code on the user who uses the app. This issue is patched in 2.16.1 and 3.0.0-alpha.5...
Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function
Summary In koa 2.16.1 and 3.0.0-alpha.5, passing untrusted user input to ctx.redirect, even after sanitizing it, may execute JavaScript code on the user who uses the app. Patches This issue is patched in 2.16.1 and 3.0.0-alpha.5. PoC Coming soon... Impact 1. Redirect user to another phishing site 2...
PT-2025-15755
Name of the Vulnerable Software and Affected Versions: Koa versions prior to 2.16.1 Koa versions prior to 3.0.0-alpha.5 Description: The issue arises when passing untrusted user input to ctx.redirect, which can execute JavaScript code on the user's device, even after sanitizing the input...