Lucene search

5092 matches found

RedhatCVE
added 2025/05/08 6:19 p.m. · 6 views

CVE-2025-4388

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 GA through update 92 allows a remote non-authenticated...

CVSS 6.9 · AI score 6 · EPSS 0.03446
Exploits 0 · References 1
Cvelist
added 2025/05/08 8:15 a.m. · 25 views

CVE-2025-40846 HaloITSM open redirect via the returnUrl

Improper Input Validation: the returnUrl parameter in Account Security Settings lacks proper input validation, allowing attackers to redirect users to malicious websites (Open Redirect) and inject JavaScript code to perform a cross-site scripting attack. The vulnerability affects Halo versions up to...

CVSS 7.1 · EPSS 0.00293
Exploits 0 · References 1
Positive Technologies
added 2025/05/08 12:0 a.m. · 2 views

PT-2025-20365 · Halo · Halo

Name of the Vulnerable Software and Affected Versions: Halo versions up to 2.174.101; Halo versions 2.175.1 through 2.184.21. Description: The issue is related to improper input validation, specifically with the returnUrl parameter in Account Security Settings. This lack of validation allows...

CVSS 7.1 · AI score 5.9 · EPSS 0.00293
Exploits 0 · References 9
CVE
added 2025/05/08 12:0 a.m. · 52 views

CVE-2025-28074

phpList is vulnerable to Cross-Site Scripting (XSS) in lt.php across versions prior to 3.6.15 due to improper input sanitization and dynamic referencing of internal paths. The issue allows an attacker to inject malicious JavaScript when untrusted input is processed without proper escaping, with p...

CVSS 6.1 · AI score 5.9 · EPSS 0.00516
Exploits 1 · References 4 · Affected Software 1
Vulnrichment
added 2025/05/08 12:0 a.m. · 6 views

CVE-2025-28073

phpList before 3.6.15 is vulnerable to Reflected Cross-Site Scripting (XSS) via the /lists/dl.php endpoint. An attacker can inject arbitrary JavaScript code by manipulating the id parameter, which is improperly sanitized...

AI score 6 · EPSS 0.00516
Exploits 1 · References 4
RedhatCVE
added 2025/05/07 7:14 p.m. · 18 views

CVE-2025-46719

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, a vulnerability in the way certain HTML tags in chat messages are rendered allows attackers to inject JavaScript code into a chat transcript. The JavaScript code will be...

CVSS 6.4 · AI score 6.8 · EPSS 0.00431
Exploits 1 · References 1
GithubExploit
added 2025/05/07 3:22 p.m. · 87 views

Exploit for Cross-site Scripting in Phplist

CVE-2025-28074 Suggested description phpList prior to 3.6.3...

CVSS 6.1 · AI score 6.5 · EPSS 0.00516
Exploits 1
OSV
added 2025/05/06 6:30 p.m. · 10 views

GHSA-P2F8-VQ4R-GQG3 Liferay Portal Reflected XSS in marketplace-app-manager-web

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 GA through update 92 allows a remote non-authenticated...

CVSS 6.9 · AI score 5.6 · EPSS 0.03446
Exploits 0 · References 4
Github Security Blog
added 2025/05/06 6:30 p.m. · 14 views

Liferay Portal Reflected XSS in marketplace-app-manager-web

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 GA through update 92 allows a remote non-authenticated...

CVSS 6.9 · AI score 5.7 · EPSS 0.03446
Exploits 0 · References 4 · Affected Software 1
NVD
added 2025/05/06 6:15 p.m. · 33 views

CVE-2025-4388

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 GA through update 92 allows a remote non-authenticated...

CVSS 6.9 · EPSS 0.03446
Exploits 0 · References 1
OSV
added 2025/05/06 6:15 p.m. · 5 views

CVE-2025-4388

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 GA through update 92 allows a remote non-authenticated...

CVSS 6.1 · AI score 5.9 · EPSS 0.03446
Exploits 0 · References 1
Cvelist
added 2025/05/06 6:1 p.m. · 31 views

CVE-2025-4388

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 GA through update 92 allows a remote non-authenticated...

CVSS 6.9 · EPSS 0.03446
Exploits 0 · References 1
Vulnrichment
added 2025/05/06 6:1 p.m. · 5 views

CVE-2025-4388

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 GA through update 92 allows a remote non-authenticated...

CVSS 6.9 · AI score 5.8 · EPSS 0.03446
Exploits 0 · References 1
CVE
added 2025/05/06 6:1 p.m. · 106 views

CVE-2025-4388

Liferay Portal/DXP CVE-2025-4388 is a reflected XSS affecting Portal 7.4.0–7.4.3.131 and DXP 2024.Q1.1–Q4.5 across multiple 2024 releases up to 7.4 GA with update 92. The vulnerability allows a remote, unauthenticated attacker to inject JavaScript into the modules/apps/marketplace/marketplace-app...

CVSS 6.9 · AI score 5.6 · EPSS 0.03446
Exploits 0 · References 1 · Affected Software 2
Veracode
added 2025/05/06 3:3 a.m. · 10 views

Cross-Site Scripting (XSS)

org.opencms, opencms-core is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to improper input sanitization in the Create/Modify article function, allowing JavaScript injection via the image title sub-field...

CVSS 6.5 · AI score 6.5 · EPSS 0.00288
Exploits 1 · References 3 · Affected Software 1
NVD
added 2025/05/05 8:15 p.m. · 68 views

CVE-2025-46734

league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library versions 1.5.0 through 2.6.x allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configurati...

CVSS 6.4 · EPSS 0.00287
Exploits 0 · References 2
CVE
added 2025/05/05 6:50 p.m. · 77 views

CVE-2025-46719

Open WebUI vulnerability CVE-2025-46719 affects versions prior to 0.6.6. A flaw in rendering certain HTML tags in chat messages allows stored cross-site scripting (XSS) in chat transcripts, which are accessible by other users on the same server or via Open WebUI community sharing. In the user’s b...

CVSS 6.4 · AI score 6.5 · EPSS 0.00431
Exploits 1 · References 3 · Affected Software 1
Positive Technologies
added 2025/05/05 12:0 a.m. · 6 views

PT-2025-19787 · Unknown · Open-Webui

Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.6.6. Description: Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. A vulnerability in the way certain HTML tags in chat messages are rendered allows attackers to...

CVSS 6.4 · AI score 6.3 · EPSS 0.00431
Exploits 1 · References 7
Positive Technologies
added 2025/05/05 12:0 a.m. · 4 views

PT-2025-19795 · Unknown +1 · League/Commonmark +1

Name of the Vulnerable Software and Affected Versions: league/commonmark versions 1.5.0 through 2.6.x. Description: A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library allows remote attackers to insert malicious JavaScript calls into HTML. The...

CVSS 6.4 · AI score 5.1 · EPSS 0.00287
Exploits 0 · References 17
RedhatCVE
added 2025/05/02 12:8 a.m. · 16 views

CVE-2025-45015

A Cross-Site Scripting (XSS) vulnerability was discovered in the foreigner-bwdates-reports-details.php file of PHPGurukul Park Ticketing Management System v2.0. The vulnerability allows remote attackers to inject arbitrary JavaScript code via the fromdate and todate parameters...

CVSS 6.1 · AI score 6 · EPSS 0.00269
Exploits 1 · References 1