5006 matches found
CVE-2025-4779
lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting XSS. An unauthenticated attacker can inject malicious JavaScript into the v1/runs/ingest endpoint by adding an empty citations field, triggering a code path where dangerouslySetInnerHTML is used to render...
CVE-2025-4779 Stored Cross-site Scripting (XSS) in lunary-ai/lunary
lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting XSS. An unauthenticated attacker can inject malicious JavaScript into the v1/runs/ingest endpoint by adding an empty citations field, triggering a code path where dangerouslySetInnerHTML is used to render...
CVE-2025-4779
CVE-2025-4779 affects lunary-ai/lunary prior to version 1.9.24. A stored XSS exists in the v1/runs/ingest endpoint: an unauthenticated attacker can inject JavaScript by sending an empty citations field, triggering a code path that uses dangerouslySetInnerHTML to render attacker-controlled text. I...
Medical Card Generation System Cross-Site Scripting Vulnerability
Medical Card Generation System is a medical card generation system. A cross-site scripting vulnerability exists in Medical Card Generation System, which stems from improper cleanup of the contact page name field and can be exploited by an attacker to inject malicious JavaScript...
CVE-2025-53484
User-controlled inputs are improperly escaped in: VotePage.php poll option input ResultPage::getPagesTab and getErrorsTab user-controllable page names This allows attackers to inject JavaScript and compromise user sessions under certain conditions. This issue affects Mediawiki - SecurePoll...
U.S. Dept Of Defense: Reflected XSS Vulnerability in SSL VPN Endpoint — CVE-2025-0133
A reflected Cross-Site Scripting XSS vulnerability was discovered in a SSL VPN endpoint. The vulnerability was assigned the CVE number CVE-2025-0133. The vulnerability allowed an unauthenticated attacker to inject and execute arbitrary JavaScript in the browser of a victim who clicked on a...
CVE-2025-27447
The web application is susceptible to cross-site-scripting attacks. An attacker can create a prepared URL, which injects JavaScript code into the website. The code is executed in the victim’s browser when an authenticated administrator clicks the link...
CVE-2025-27448
The web application is susceptible to cross-site-scripting attacks. An attacker who can create new dashboards can inject JavaScript code into the dashboard name which will be executed when the website is loaded...
CVE-2025-53484
User-controlled inputs are improperly escaped in: VotePage.php poll option input ResultPage::getPagesTab and getErrorsTab user-controllable page names This allows attackers to inject JavaScript and compromise user sessions under certain conditions. This issue affects Mediawiki - SecurePoll...
CVE-2025-53484 SecurePoll: Multiple locations vulnerable to Cross-Site Scripting (XSS) via unescaped input
User-controlled inputs are improperly escaped in: VotePage.php poll option input ResultPage::getPagesTab and getErrorsTab user-controllable page names This allows attackers to inject JavaScript and compromise user sessions under certain conditions. This issue affects Mediawiki - SecurePoll...
CVE-2025-53484
The CVE-2025-53484 affects the MediaWiki SecurePoll extension. Affected versions are 1.39.x before 1.39.13, 1.42.x before 1.42.7, and 1.43.x before 1.43.2. The root cause is improper escaping of user-controlled inputs in VotePage.php (poll option input) and in ResultPage’s getPagesTab() and getEr...
PT-2025-28017 · Mediawiki · Securepoll Extension +1
Name of the Vulnerable Software and Affected Versions: Mediawiki - SecurePoll extension versions 1.39.0 through 1.39.12 Mediawiki - SecurePoll extension versions 1.42.0 through 1.42.6 Mediawiki - SecurePoll extension versions 1.43.0 through 1.43.1 Description: The issue arises from improper...
Wikimedia Mediawiki - SecurePoll extension 安全漏洞
Wikimedia Mediawiki - SecurePoll extension is a special page extension for elections, polls and surveys from the Wikimedia Foundation. A security vulnerability in the Mediawiki - SecurePoll extension versions prior to 1.39.13, prior to 1.42.7, and prior to 1.43.2, which stems from improperly...
CVE-2025-6563
A cross-site scripting vulnerability is present in the hotspot of MikroTik's RouterOS on versions below 7.19.2. An attacker can inject the javascript protocol in the dst parameter. When the victim browses to the malicious URL and logs in, the XSS executes. The POST request used to login, can also...
CVE-2025-27447
The web application is susceptible to cross-site-scripting attacks. An attacker can create a prepared URL, which injects JavaScript code into the website. The code is executed in the victim’s browser when an authenticated administrator clicks the link...
CVE-2025-27447
The web application is susceptible to cross-site-scripting attacks. An attacker can create a prepared URL, which injects JavaScript code into the website. The code is executed in the victim’s browser when an authenticated administrator clicks the link...
CVE-2025-27448
The web application is susceptible to cross-site-scripting attacks. An attacker who can create new dashboards can inject JavaScript code into the dashboard name which will be executed when the website is loaded...
CVE-2025-27448 CVE-2025-27448
The web application is susceptible to cross-site-scripting attacks. An attacker who can create new dashboards can inject JavaScript code into the dashboard name which will be executed when the website is loaded...
CVE-2025-27448 CVE-2025-27448
The web application is susceptible to cross-site-scripting attacks. An attacker who can create new dashboards can inject JavaScript code into the dashboard name which will be executed when the website is loaded...
CVE-2025-27447 CVE-2025-27447
The web application is susceptible to cross-site-scripting attacks. An attacker can create a prepared URL, which injects JavaScript code into the website. The code is executed in the victim’s browser when an authenticated administrator clicks the link...