Files 安全漏洞

Files is a single-file PHP application from the individual developer Karl Ward. It can be dragged and dropped into any directory, allowing browsing of the files and directories within. A security vulnerability exists in Files 0.16.9 and earlier versions, which stems from the file moving feature n...

CVE-2025-54789

The CVE-2025-54789 entry relates to the Files module, specifically the File Move functionality. Versions ≤ 0.16.9 allow injection of arbitrary JavaScript, enabling Browser JavaScript execution in the user’s session. This is the underlying issue described across multiple sources (NVD, Red Hat advi...

CVE-2025-54789 Files is Vulnerable to Reflected Self-XSS through its File Move Functionality

Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, the File Move functionality does not contain logic that prevents injection of arbitrary JavaScript, which can lead to Browser JS code execution in the context of the user’s session. This is fixed i...

CVE-2025-54789 Files is Vulnerable to Reflected Self-XSS through its File Move Functionality

Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, the File Move functionality does not contain logic that prevents injection of arbitrary JavaScript, which can lead to Browser JS code execution in the context of the user’s session. This is fixed i...

PT-2025-31659 · Unknown · Institute-Of-Current-Students

Name of the Vulnerable Software and Affected Versions: Institute-of-Current-Students version 1.0 Description: A stored Cross-Site Scripting XSS vulnerability exists in the qureydetails.php page. The input fields for Query and Answer do not properly sanitize user input, allowing authenticated user...

PT-2025-31708 · Files · Files

Name of the Vulnerable Software and Affected Versions: Files versions 0.16.9 and below Description: The File Move functionality does not contain logic that prevents injection of arbitrary JavaScript, potentially leading to Browser JS code execution in the context of the user’s session...

CVE-2025-50866

CloudClassroom-PHP-Project 1.0 contains a reflected Cross-site Scripting XSS vulnerability in the email parameter of the postquerypublic endpoint. Improper sanitization allows an attacker to inject arbitrary JavaScript code that executes in the context of the user s browser, potentially leading t...

CVE-2025-52203

A stored cross-site scripting XSS vulnerability exists in DevaslanPHP project-management v1.2.4. The vulnerability resides in the Ticket Name field, which fails to properly sanitize user-supplied input. An authenticated attacker can inject malicious JavaScript payloads into this field, which are...

GHSA-9QM3-6QRR-C76M @nyariv/sandboxjs has Prototype Pollution vulnerability that may lead to RCE

A prototype pollution vulnerability exists in @nyariv/sandboxjs versions = 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can result in a denial-of-service DoS condition or, under certain conditions, escape the sandboxed environme...

CVE-2025-52358

A cross-site scripting vulnerability in Vivaldi United Group iCONTROL+ Server including Firmware version 4.7.8.0.eden Logic version 5.32 and below. This issue allows attackers to inject JavaScript payloads within the error or edit-menu-item parameters which are then executed in the victim's brows...

CVE-2025-52203

A stored cross-site scripting XSS vulnerability exists in DevaslanPHP project-management v1.2.4. The vulnerability resides in the Ticket Name field, which fails to properly sanitize user-supplied input. An authenticated attacker can inject malicious JavaScript payloads into this field, which are...

CVE-2025-50866

CloudClassroom-PHP-Project 1.0 contains a reflected Cross-site Scripting XSS vulnerability in the email parameter of the postquerypublic endpoint. Improper sanitization allows an attacker to inject arbitrary JavaScript code that executes in the context of the user s browser, potentially leading t...

CVE-2025-51569

CVE-2025-51569 describes a cross-site scripting (XSS) vulnerability in the LB-Link BL-CPE300M web interface. The issue stems from the endpoint /goform/goform_get_cmd_process, where input in the cmd parameter is not properly sanitized before being reflected into a text/html response, enabling an a...

PT-2025-31550 · Lb Link · Lb-Link Bl-Cpe300M

Name of the Vulnerable Software and Affected Versions: LB-Link BL-CPE300M version 01.01.02P42U14 06 Description: A cross-site scripting XSS vulnerability exists in the web interface of the router. The /goform/goform get cmd process API endpoint fails to sanitize user input in the cmd parameter...

CVE-2025-47001 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

CVE-2025-8319

the BMA login interface allows arbitrary JavaScript or HTML to be written straight into the page’s Document Object Model via the error= URL parameter...

CVE-2025-8319

the BMA login interface allows arbitrary JavaScript or HTML to be written straight into the page’s Document Object Model via the error= URL parameter...

CVE-2025-52358

A cross-site scripting vulnerability in Vivaldi United Group iCONTROL+ Server including Firmware version 4.7.8.0.eden Logic version 5.32 and below. This issue allows attackers to inject JavaScript payloads within the error or edit-menu-item parameters which are then executed in the victim's brows...

CVE-2025-52358

A cross-site scripting vulnerability in Vivaldi United Group iCONTROL+ Server including Firmware version 4.7.8.0.eden Logic version 5.32 and below. This issue allows attackers to inject JavaScript payloads within the error or edit-menu-item parameters which are then executed in the victim's brows...

Why React Didn't Kill XSS: The New JavaScript Injection Playbook

React conquered XSS? Think again. That's the reality facing JavaScript developers in 2025, where attackers have quietly evolved their injection techniques to exploit everything from prototype pollution to AI-generated code, bypassing the very frameworks designed to keep applications secure. Full...