
225 matches found

Vulnrichment
added 2025/03/20 10:10 a.m., 5 views

CVE-2024-12870 Stored Cross-site Scripting (XSS) in infiniflow/ragflow

A stored cross-site scripting (XSS) vulnerability exists in infiniflow/ragflow, affecting the latest commit on the main branch cec2080. The vulnerability allows an attacker to upload HTML/XML files that can host arbitrary JavaScript payloads. These files are served with the 'application/xml' conten...

CVSS 5.4 | AI score 5.5 | EPSS 0.00454
Exploits: 0 | References: 1
RedhatCVE
added 2025/02/26 12:28 a.m., 7 views

CVE-2025-25460

A stored Cross-Site Scripting (XSS) vulnerability was identified in FlatPress 1.3.1 within the "Add Entry" feature. This vulnerability allows authenticated attackers to inject malicious JavaScript payloads into blog posts, which are executed when other users view the posts. The issue arises due to...

CVSS 4.8 | AI score 5.3 | EPSS 0.00504
Exploits: 1 | References: 1
RedhatCVE
added 2025/02/14 3:5 a.m., 17 views

CVE-2024-28277

In Sourcecodester School Task Manager v1.0, a vulnerability was identified within the subjectname= parameter, enabling Stored Cross-Site Scripting (XSS) attacks. This vulnerability allows attackers to manipulate the subject's name, potentially leading to the execution of malicious JavaScript payloa...

CVSS 6.1 | AI score 5.7 | EPSS 0.00362
Exploits: 0 | References: 1
RedhatCVE
added 2025/02/13 1:49 a.m., 5 views

CVE-2025-0054

SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a JavaScript payload on the server, which could be later executed in the victim's web...

CVSS 5.4 | AI score 5.6 | EPSS 0.00253
Exploits: 1 | References: 1
NVD
added 2025/02/07 10:15 p.m., 5 views

CVE-2024-57278

A reflected Cross-Site Scripting (XSS) vulnerability exists in /webscan/sqlmap/index.html in QingScan <=v1.8.0. The vulnerability is caused by improper input sanitization of the query parameter, allowing an attacker to inject malicious JavaScript payloads. When a victim accesses a crafted URL...

CVSS 5.4 | EPSS 0.00205
Exploits: 0 | References: 1
Cvelist
added 2025/02/07 12:0 a.m., 8 views

CVE-2024-57278

A reflected Cross-Site Scripting (XSS) vulnerability exists in /webscan/sqlmap/index.html in QingScan <=v1.8.0. The vulnerability is caused by improper input sanitization of the query parameter, allowing an attacker to inject malicious JavaScript payloads. When a victim accesses a crafted URL...

EPSS 0.00205
Exploits: 0 | References: 1
CVE
added 2025/02/07 12:0 a.m., 37 views

CVE-2024-57278

The CVE-2024-57278 entry concerns QingScan versions <= 1.8.0 with a reflected Cross-Site Scripting (XSS) vulnerability in /webscan/sqlmap/index.html. The root cause is improper input sanitization of the query parameter, enabling an attacker to inject malicious JavaScript that executes in the v...

CVSS 5.4 | AI score 5.7 | EPSS 0.00205
Exploits: 0 | References: 1
OSV
added 2025/01/23 10:15 p.m., 4 views

CVE-2024-57329

HortusFox v3.9 contains a stored XSS vulnerability in the "Add Plant" function. The name input field does not sanitize or escape user inputs, allowing attackers to inject and execute arbitrary JavaScript payloads...

CVSS 5.4 | AI score 6.5 | EPSS 0.00252
Exploits: 1 | References: 1
Cvelist
added 2024/12/27 3:52 p.m., 25 views

CVE-2024-56508 File Upload Vulnerability Leading to XSS in LinkAce v1.15.5

LinkAce is a self-hosted archive to collect links of your favorite websites. Prior to 1.15.6, a file upload vulnerability exists in LinkAce. This issue occurs in the "Import Bookmarks" functionality, where malicious HTML files can be uploaded containing JavaScript payloads. These payloads...

CVSS 7.6 | EPSS 0.00409
Exploits: 1 | References: 2
CVE
added 2024/12/27 3:52 p.m., 56 views

CVE-2024-56508

The CVE-2024-56508 entry describes a file upload vulnerability in LinkAce prior to v1.15.6 within the Import Bookmarks function. Malicious HTML files can be uploaded containing JavaScript payloads that execute when the uploaded links are accessed, enabling potential reflected or persistent XSS. T...

CVSS 7.6 | AI score 7.2 | EPSS 0.00409
Exploits: 1 | References: 2 | Affected Software: 1
OSV
added 2024/12/10 12:15 a.m., 3 views

CVE-2024-9672

A reflected cross-site scripting (XSS) vulnerability exists in PaperCut NG/MF. This issue can be used to execute specially created JavaScript payloads in the browser. A user must click on a malicious link for this issue to occur...

CVSS 5.4 | AI score 5.8 | EPSS 0.00221
Exploits: 0 | References: 1
Cvelist
added 2024/12/09 11:49 p.m., 29 views

CVE-2024-9672 Reflected XSS in PaperCut MF

A reflected cross-site scripting (XSS) vulnerability exists in PaperCut NG/MF. This issue can be used to execute specially created JavaScript payloads in the browser. A user must click on a malicious link for this issue to occur...

CVSS 6.3 | EPSS 0.00221
Exploits: 0 | References: 1
CVE
added 2024/12/09 11:49 p.m., 773 views

CVE-2024-9672

CVE-2024-9672 describes a reflected XSS in PaperCut NG/MF. The vulnerability arises in the product where a user must click a malicious link, enabling JavaScript payload execution in the victim’s browser. Concrete details available in the connected documents show the affected software (PaperCut NG...

CVSS 6.3 | AI score 5.7 | EPSS 0.00221
Exploits: 0 | References: 1 | Affected Software: 2
Cvelist
added 2024/11/15 10:57 a.m., 20 views

CVE-2022-1226 Cross-site Scripting (XSS) in phpipam/phpipam

A Cross-Site Scripting (XSS) vulnerability in phpipam/phpipam versions prior to 1.4.7 allows attackers to execute arbitrary JavaScript code in the browser of a victim. This vulnerability affects the import Data set feature via a spreadsheet file upload. The affected endpoints include...

CVSS 3.5 | EPSS 0.00398
Exploits: 1 | References: 2
Veracode
added 2024/07/31 5:26 a.m., 11 views

Cross-Site Scripting (XSS)

quivr is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper sanitization of URL uploads, allowing users to insert malicious JavaScript payloads. Attackers can use this to execute JavaScript whenever any user clicks on a link containing the payload...

CVSS 6.8 | AI score 6.3 | EPSS 0.00341
Exploits: 1 | References: 2 | Affected Software: 1
Veracode
added 2024/07/18 9:19 a.m., 17 views

Cross Site Scripting (XSS)

Silverstripe framework is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to inadequate server-side sanitization of encoded payloads within the file HTMLEditorSanitiser.php, allowing attackers with CMS content editing access to inject JavaScript payloads onto the site's front end...

CVSS 5.4 | AI score 6.2 | EPSS 0.00326
Exploits: 0 | References: 4 | Affected Software: 1
Vulnrichment
added 2024/07/07 3:22 p.m., 12 views

CVE-2024-6229 Stored XSS in stangirard/quivr

A stored cross-site scripting (XSS) vulnerability exists in the 'Upload Knowledge' feature of stangirard/quivr, affecting the latest version. Users can upload files via URL, which allows the insertion of malicious JavaScript payloads. These payloads are stored on the server and executed whenever an...

CVSS 6.8 | AI score 5.6 | EPSS 0.00341
Exploits: 1 | References: 1
Cvelist
added 2024/07/07 3:22 p.m., 42 views

CVE-2024-6229 Stored XSS in stangirard/quivr

A stored cross-site scripting (XSS) vulnerability exists in the 'Upload Knowledge' feature of stangirard/quivr, affecting the latest version. Users can upload files via URL, which allows the insertion of malicious JavaScript payloads. These payloads are stored on the server and executed whenever an...

CVSS 6.8 | EPSS 0.00341
Exploits: 1 | References: 1
NVD
added 2024/05/24 1:15 p.m., 23 views

CVE-2023-49573

A vulnerability has been discovered in VX Search Enterprise affecting version 10.2.14 that could allow an attacker to execute persistent XSS through /addcommandaction in actionvalue. This vulnerability could allow an attacker to store malicious JavaScript payloads on the system to be triggered wh...

CVSS 7.1 | AI score 6.7 | EPSS 0.00254
Exploits: 0 | References: 1
Vulnrichment
added 2024/05/24 12:40 p.m., 12 views

CVE-2023-49575 XSS vulnerability in VX Search Enterprise

A vulnerability has been discovered in VX Search Enterprise affecting version 10.2.14, in Sync Breeze Enterprise Server 10.4.18 version, and in Disk Pulse Enterprise 10.4.18 version, that could allow an attacker to execute persistent XSS through /setupsmtp in smtpserver, smtpuser, smtppassword an...

CVSS 7.1 | AI score 6.3 | EPSS 0.00254
Exploits: 0 | References: 1