CVE-2019-16126

Grav through 1.6.15 allows Stored Cross-Site Scripting due to JavaScript execution in SVG images...

CVE-2019-12398

In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new "RBAC" UI is unaffected...

CVE-2025-1484

A vulnerability exists in the media upload component of the Asset Suite versions listed below. If successfully exploited an attacker could impact the confidentiality or integrity of the system. An attacker can use this vulnerability to construct a request that will cause JavaScript code supplied ...

CVE-2019-16151

An improper neutralization of input during web page generation vulnerability CWE-79 in FortiOS 6.4.1 and below, 6.2.9 and below may allow a remote unauthenticated attacker to either redirect users to malicious websites via a crafted "Host" header or to execute JavaScript code in the victim's...

EUVD-2025-206234

Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope...

PT-2026-1339

Name of the Vulnerable Software and Affected Versions Vega versions prior to 6.1.2 Vega versions prior to 5.6.3 Description Vega is a visualization grammar used for creating and sharing interactive visualization designs. Applications using Vega prior to versions 6.1.2 and 5.6.3 are susceptible to...

Vega 跨站脚本漏洞

Vega is a Javscript-based software from the Vega team that can be used to create interactive visual displays. The software can describe data visualizations using JSON format and generate interactive views using HTML5 Canvas or SVG. A cross-site scripting vulnerability exists in Vega versions prio...

PT-2026-1131

Name of the Vulnerable Software and Affected Versions Bagisto versions prior to 2.3.10 Description Bagisto, an open source laravel eCommerce platform, contains a stored Cross-Site Scripting XSS issue within the CMS page editor. The platform’s attempt to sanitize tags can be bypassed by manipulati...

CVE-2025-69210

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.7, a stored cross-site scripting XSS vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These...

novel 安全漏洞

novel is an open source novel system by xxyopen open source. A security vulnerability exists in novel version V3.5.0, which stems from insufficient validation and coding of user-controllable data, and may result in the execution of arbitrary JavaScript code or the disclosure of sensitive...

CVE-2018-25131 Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 Stored XSS via Config Upload

Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a stored cross-site scripting vulnerability in the configuration file upload functionality. Attackers can upload a malicious HTML file to that executes arbitrary JavaScript in a user's browser session when viewed...

CVE-2018-25131

CVE-2018-25131 concerns Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063. The vulnerability is a stored cross-site scripting (XSS) flaw in the configuration file upload functionality, allowing an uploaded HTML file to execute arbitrary JavaScript in a user’s browser session when viewed. Affecte...

Leica Geosystems GNSS 安全漏洞

Leica Geosystems GNSS is a line of mapping equipment from Leica Germany. A security vulnerability exists in Leica Geosystems GNSS version 4.30.063, which stems from the presence of stored cross-site scripting in the configuration file upload function that could lead to the execution of arbitrary...

CVE-2021-47716 Orangescrum 1.8.0 Cross-Site Scripting via Authenticated Endpoints

Orangescrum 1.8.0 contains multiple cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through various input parameters. Attackers can exploit parameters like 'projid', 'CSmessage', and 'name' to execute arbitrary JavaScript code in victim's browse...

CVE-2025-66845

A reflected Cross-Site Scripting XSS vulnerability has been identified in TechStore version 1.0. The username endpoint reflects the id query parameter directly into the HTML response without output encoding or sanitization, allowing execution of arbitrary JavaScript code in a victim’s browser...

CVE-2025-65790

A reflected cross-site scripting XSS vulnerability exists in FuguHub 8.1 when serving SVG files through the /fs/ file manager interface. FuguHub does not sanitize or restrict script execution inside SVG content. When a victim opens a crafted SVG containing an inline element, the browser executes...

CVE-2025-65270

Reflected cross-site scripting XSS vulnerability in ClinCapture EDC 3.0 and 2.2.3, allowing an unauthenticated remote attacker to execute JavaScript code in the context of the victim's browser...

Exploit for CVE-2025-65790

CVE-2025-65790 - FuguHub 8.1 Reflected SVG XSS Reflecte...

EUVD-2025-204585

Orejime has executable code in HTML attributes...

CVE-2025-66580

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical Stored Cross-Site Scripting XSS vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary...