5050 matches found

OSV
added 2025/05/23 3:15 p.m. | 2 views

CVE-2025-32794 OpenEMR Stored XSS via Patient Name Field in Procedure Orders

OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) vulnerability in versions prior to 7.0.3.4 allows any authenticated user with patient creation privileges to inject arbitrary JavaScript code into the system ...

CVSS 7.6 | AI score 5.6 | EPSS 0.01042
Exploits: 1 | References: 3
Cvelist
added 2025/05/23 3:15 p.m. | 11 views

CVE-2025-32794 OpenEMR Stored XSS via Patient Name Field in Procedure Orders

OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) vulnerability in versions prior to 7.0.3.4 allows any authenticated user with patient creation privileges to inject arbitrary JavaScript code into the system ...

CVSS 7.6 | EPSS 0.01042
Exploits: 1 | References: 1
Vulnrichment
added 2025/05/23 3:15 p.m. | 8 views

CVE-2025-32794 OpenEMR Stored XSS via Patient Name Field in Procedure Orders

OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) vulnerability in versions prior to 7.0.3.4 allows any authenticated user with patient creation privileges to inject arbitrary JavaScript code into the system ...

CVSS 7.6 | AI score 6.7 | EPSS 0.01042
Exploits: 1 | References: 1
RedhatCVE
added 2025/05/23 11:58 a.m. | 5 views

CVE-2025-22142

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In affected versions an admin can add the ability to have users fill out an additional field and users can inject javascript code into it that would be activated once a staffer visits the user's profile on staff...

CVSS 6.3 | AI score 7 | EPSS 0.00973
Exploits: 1 | References: 1
RedhatCVE
added 2025/05/23 10:38 a.m. | 6 views

CVE-2024-47526

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Self Cross-Site Scripting (Self-XSS) vulnerability in the "Alert Templates" feature allows users to inject arbitrary JavaScript into the alert template's name. This script executes immediately upon submission but does not...

CVSS 3.5 | AI score 6.1 | EPSS 0.00143
Exploits: 1
RedhatCVE
added 2025/05/23 10:36 a.m. | 5 views

CVE-2024-46367

A Stored Cross-Site Scripting (XSS) vulnerability in Webkul Krayin CRM 1.3.0 allows remote attackers to inject arbitrary JavaScript code by submitting a malicious payload within the username field. This can lead to privilege escalation when the payload is executed, granting the attacker elevated...

CVSS 9.6 | AI score 5.9 | EPSS 0.00345
Exploits: 0 | References: 1
RedhatCVE
added 2025/05/23 10:34 a.m. | 4 views

CVE-2024-45803

Wire UI is a library of components and resources to empower Laravel and Livewire application development. A potential Cross-Site Scripting (XSS) vulnerability has been identified in the /wireui/button endpoint, specifically through the label query parameter. Malicious actors could exploit this...

CVSS 6.1 | AI score 5.8 | EPSS 0.00427
Exploits: 0
RedhatCVE
added 2025/05/23 10:29 a.m. | 9 views

CVE-2024-45045

Collabora Online is a collaborative online office suite based on LibreOffice technology. In the mobile Android/iOS device variants of Collabora Online it was possible to inject JavaScript via url encoded values in links contained in documents. Since the Android JavaScript interface allows access ...

CVSS 6.3 | AI score 6.8 | EPSS 0.0049
Exploits: 0
RedhatCVE
added 2025/05/23 9:41 a.m. | 4 views

CVE-2024-1976

The Marketing Optimizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20200925. This is due to missing or incorrect nonce validation via the admin/main-settings-page.php file. This makes it possible for unauthenticated attackers to update t...

CVSS 4.3 | AI score 4.2 | EPSS 0.00063
Exploits: 0 | References: 1
RedhatCVE
added 2025/05/23 9:31 a.m. | 5 views

CVE-2024-26471

A reflected cross-site scripting (XSS) vulnerability in zhimengzhe iBarn v1.5 allows attackers to inject malicious JavaScript into the web browser of a victim via the search parameter in offer.php...

CVSS 5.4 | AI score 5.6 | EPSS 0.0021
Exploits: 0 | References: 1
RedhatCVE
added 2025/05/23 9:10 a.m. | 3 views

CVE-2024-5520

Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user with sufficient privileges to create and modify web pages through the admin panel to execute malicious JavaScript code after inserting code in the “title” field...

CVSS 6.4 | AI score 6.7 | EPSS 0.00169
Exploits: 0 | References: 1
RedhatCVE
added 2025/05/23 8:53 a.m. | 6 views

CVE-2024-41572

Learning with Texts (LWT) 2.0.3 is vulnerable to Cross-Site Scripting (XSS). The application has a specific function that does not filter special characters in URL parameters. Remote attackers can inject JavaScript code without authorization. Exploiting this vulnerability, attackers can steal user...

CVSS 6.1 | AI score 6.8 | EPSS 0.00206
Exploits: 0 | References: 1
RedhatCVE
added 2025/05/23 8:38 a.m. | 2 views

CVE-2024-32981

Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end o...

CVSS 5.4 | AI score 6.7 | EPSS 0.0105
Exploits: 0 | References: 1
RedhatCVE
added 2025/05/23 8:32 a.m. | 3 views

CVE-2024-50351

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Reflected Cross-Site Scripting (XSS) vulnerability in the "section" parameter of the "logs" tab of a device allows attackers to inject arbitrary JavaScript. This vulnerability results in the execution of malicious code wh...

CVSS 5.4 | AI score 6 | EPSS 0.01067
Exploits: 1 | References: 1
RedhatCVE
added 2025/05/23 8:15 a.m. | 0 views

CVE-2024-9051

The WP Ultimate Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpupg-grid-with-filters shortcode in all versions up to, and including, 3.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

CVSS 6.4 | AI score 5 | EPSS 0.00333
Exploits: 0 | References: 1
RedhatCVE
added 2025/05/23 8:10 a.m. | 3 views

CVE-2024-28794

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 286831...

CVSS 5.4 | AI score 6 | EPSS 0.00271
Exploits: 0 | References: 1
RedhatCVE
added 2025/05/23 8:08 a.m. | 4 views

CVE-2024-45046

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions \PhpOffice\PhpSpreadsheet\Writer\Html doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. As a result an attacker...

CVSS 5.4 | AI score 6.4 | EPSS 0.00333
Exploits: 1 | References: 1
RedhatCVE
added 2025/05/23 8:05 a.m. | 5 views

CVE-2024-51380

Stored Cross-Site Scripting (XSS) vulnerability discovered in the Properties Component of JATOS v3.9.3. This flaw allows an attacker to inject malicious JavaScript into the properties section of a study, specifically within the UUID field. When an admin user accesses the study's properties, the...

CVSS 8.4 | AI score 5.5 | EPSS 0.00136
Exploits: 1 | References: 1
RedhatCVE
added 2025/05/23 8:04 a.m. | 4 views

CVE-2024-51379

Stored Cross-Site Scripting (XSS) vulnerability discovered in JATOS v3.9.3. The vulnerability exists in the description component of the study section, where an attacker can inject JavaScript into the description field. This allows for the execution of malicious scripts when an admin views the...

CVSS 8.4 | AI score 5.6 | EPSS 0.00137
Exploits: 1 | References: 1
RedhatCVE
added 2025/05/23 7:42 a.m. | 4 views

CVE-2024-37783

A reflected cross-site scripting (XSS) vulnerability in Gladinet CentreStack v13.12.9934.54690 allows attackers to inject malicious JavaScript into the web browser of a victim via the sessionId parameter at /portal/ForgotPassword.aspx...

CVSS 5.4 | AI score 5.2 | EPSS 0.00168
Exploits: 0 | References: 1