EUVD-2025-198317

md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process o...

CVE-2025-65108 md-to-pdf is vulnerable to arbitrary JavaScript code execution when parsing front matter

md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process o...

CVE-2025-65108 md-to-pdf is vulnerable to arbitrary JavaScript code execution when parsing front matter

md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process o...

CVE-2025-62296

SOPlanning is vulnerable to Stored XSS in /taches endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor. This issue was fixed in version 1.55...

CVE-2025-62729

SOPlanning is vulnerable to Stored XSS in /status endpoint. Malicious attacker with an account can inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. This issue was fixed in version 1.55...

CVE-2025-63243

A reflected cross-site scripting XSS vulnerability exists in the password change functionality of Pixeon WebLaudos 25.1 01. The slesSenha parameter to the loginAlterarSenha.asp file. An attacker can craft a malicious URL that, when visited by a victim, causes arbitrary JavaScript code to be...

CVE-2025-63879

A reflected cross-site scripted XSS vulnerability in the /ecommerce/products.php component of E-commerce Project v1.0 and earlier allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into the id parameter...

Snipe-IT 安全漏洞

Snipe-IT is an open source IT asset/license management system from Grokability Open Source. A security vulnerability exists in Snipe-IT version v8.3.4, which stems from the presence of reflective cross-site scripting in the CSV import workflow, which could lead to the execution of arbitrary...

PT-2025-47597

Name of the Vulnerable Software and Affected Versions SOPlanning versions prior to 1.55 Description SOPlanning is susceptible to a Stored Cross-Site Scripting XSS issue in the /projets API endpoint. An attacker with medium privileges can inject arbitrary HTML and JavaScript code into the website...

PT-2025-47581

phpPgAdmin 7.13.0 and earlier contains multiple cross-site scripting XSS vulnerabilities across various components. User-supplied input from $ REQUEST parameters is reflected in HTML output without proper encoding or sanitization in multiple locations including sequences.php, indexes.php,...

PT-2025-47598

Name of the Vulnerable Software and Affected Versions SOPlanning versions prior to 1.55 Description SOPlanning is susceptible to a Stored Cross-Site Scripting XSS issue within the /status endpoint. An attacker possessing an account can inject arbitrary HTML and JavaScript code into the website...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection in the CSS-to-JavaScript module conversion feature. An attacker can execute arbitrary JavaScript code by injecting $... expressions into CSS files, which are then evaluated when the resulting JavaScript module i...

CVE-2025-51662

A stored cross-site scripting XSS vulnerability is found in the text sharing feature of FileCodeBox version 2.2 and earlier. Insufficient input validation allows attackers to inject arbitrary JavaScript code into shared text "codeboxes". The xss payload is automatically executed in the browsers o...

CVE-2025-63243

A reflected cross-site scripting XSS vulnerability exists in the password change functionality of Pixeon WebLaudos 25.1 01. The slesSenha parameter to the loginAlterarSenha.asp file. An attacker can craft a malicious URL that, when visited by a victim, causes arbitrary JavaScript code to be...

PT-2025-47458

A reflected cross-site scripting XSS vulnerability exists in the password change functionality of Pixeon WebLaudos 25.1 01. The sle sSenha parameter to the loginAlterarSenha.asp file. An attacker can craft a malicious URL that, when visited by a victim, causes arbitrary JavaScript code to be...

CVE-2025-51662

A stored cross-site scripting XSS vulnerability is found in the text sharing feature of FileCodeBox version 2.2 and earlier. Insufficient input validation allows attackers to inject arbitrary JavaScript code into shared text "codeboxes". The xss payload is automatically executed in the browsers o...

VulnCheck KEV: CVE-2025-55346

User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request...

CVE-2025-63693

The comment editing template dzz/comment/template/editform.htm in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows low-privilege attackers to construct comment content or request parameters and...

CVE-2025-64758

@dependencytrack/frontend is a Single Page Application SPA used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEMCONFIGURATION permission...

CVE-2025-63693

CVE-2025-63693 affects DzzOffice 2.3.x. The vulnerability resides in the comment editing template (dzz/comment/template/edit_form.htm), which does not adequately escape user-controllable data across HTML and JavaScript contexts. This can allow low-privilege attackers to craft comment content or r...