59102 matches found
Adobe Experience Manager cross-site scripting vulnerability (CNVD-2026-00678)
Adobe Experience Manager AEM is a set of content management solutions that can be used to build websites, mobile applications and forms from the American company Odobie Adobe. The program supports mobile content management, marketing and sales campaign management and multi-site management. A...
CVE-2025-65778
CVE-2025-65778 affects Wekan (The Open Source Kanban Board) up to version 18.15; fixed in 18.16. Vulnerability arises when uploaded attachments are served with attacker-controlled Content-Type (text/html), permitting execution of attacker-supplied HTML/JS within the application's origin and enabl...
From Obfuscated to Obvious: A Comprehensive JavaScript Deobfuscation Tool for Security Analysis
JavaScript's widespread adoption has made it an attractive target for malicious attackers who employ sophisticated obfuscation techniques to conceal harmful code. Current deobfuscation tools suffer from critical limitations that severely restrict their practical effectiveness. Existing tools...
PT-2025-51302
Name of the Vulnerable Software and Affected Versions Webedition CMS version 2.9.8.8 Description Webedition CMS version 2.9.8.8 contains a stored cross-site scripting issue. Authenticated users can upload malicious SVG files containing JavaScript through the media upload feature. When these craft...
CVE-2025-66843
grav before v1.7.49.5 has a Stored Cross-Site Scripting Stored XSS vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject malicious JavaScript payloads into editable fields. The payload is stored on the server and later...
Adobe Experience Manager cross-site scripting vulnerability (CNVD-2026-00682)
Adobe Experience Manager AEM is a set of content management solutions that can be used to build websites, mobile applications and forms from the American company Odobie Adobe. The program supports mobile content management, marketing and sales campaign management and multi-site management. A...
CVE-2025-67750
Lightning Flow Scanner provides a A CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metadata file to cause arbitrary JavaScript execution during scanning. The APIVersion rule uses new...
CVE-2025-66453
Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker controlled float poing number into the toFixed function, it might lead to high CPU consumption and a potential Denial of Service. Small...
CVE-2025-36748 Stored Cross-Site Scripting (XSS) vulnerability in Growatt ShineLan-X
ShineLan-X contains a stored cross site scripting XSS vulnerability in the local configuration web server. The JavaScript code snippet can be inserted in the communication module’s settings center. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious...
CVE-2025-67731
Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json without a size limit, which could allow attackers to send extremely large request bodies. This can cause excessive memory usage, degraded performanc...
Cross-site Scripting (XSS)
prosemirrortohtml is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper escaping of HTML attribute values, which allows an attacker to inject and execute arbitrary JavaScript code through crafted input...
Code Injection
Open WebUI is vulnerable to a code injection vulnerability. The vulnerability is due to improper handling of Server-Sent Event SSE execute events in the Direct Connections feature, which allows an attacker controlling a malicious external model server to inject and execute arbitrary JavaScript in...
Self Cross-Site Scripting (Self-XSS)
privatebin/privatebin is vulnerable to self cross-site scripting Self-XSS. The vulnerability is due to improper handling and reflection of HTML content in filenames via the drag-and-drop helper, which allows an attacker to trick a macOS or Linux user into attaching a maliciously crafted file and...
Stored Cross-Site Scripting (XSS)
Jenkins AnchorChain Plugin is vulnerable to Stored Cross-Site Scripting XSS. The vulnerability is due to improper validation of URL schemes when generating links from workspace content, allowing attackers to inject javascript: URLs that execute malicious scripts in the Jenkins user interface...
Reflected Cross-site Scripting (XSS)
com.liferay.portal, com.liferay.portal.impl are vulnerable to reflected cross-site scripting XSS. The vulnerability is due to improper input validation in the googlegadget component, which allows a remote unauthenticated attacker to inject and execute malicious JavaScript in a victim’s browser...
Cross-site Scripting (XSS)
Jenkins Coverage Plugin is vulnerable to a stored Cross-Site Scripting. The vulnerability is caused by missing validation of the coverage results ID when configured via the REST API, allowing attackers with Item/Configure permission to inject a javascript: URL that executes in users’ browsers...
CVE-2025-13866
The Flow-Flow Social Feed Stream plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the flowflowsocialauth AJAX action in versions 3.0.0 to 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, ...
PT-2025-51099
ShineLan-X contains a stored cross site scripting XSS vulnerability in the Plant Name field. A HTML payload will be displayed on the plant management page via a direct post. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code...
CVE-2024-58304
SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit JavaScript payloads through the 'descr' parameter in the product edit form to execute arbitrary...
CVE-2025-67750
Lightning Flow Scanner provides a A CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metadata file to cause arbitrary JavaScript execution during scanning. The APIVersion rule uses new...