
2167 matches found

RedhatCVE
added 2025/05/22 10:35 a.m. · 5 views

CVE-2019-16751

An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to Reflected Cross-Site Scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects...

CVSS 6.1 · AI score 5.8 · EPSS 0.00493
Exploits: 1 · References: 1
RedhatCVE
added 2025/05/22 10:31 a.m. · 4 views

CVE-2019-14432

Incorrect authentication of application WebSocket connections in Loom Desktop for Mac up to 0.16.0 allows remote code execution from either malicious JavaScript in a browser or hosts on the same network, during periods in which a user is recording a video with the application. The same attack...

CVSS 8.8 · AI score 8.1 · EPSS 0.02103
Exploits: 0 · References: 1
RedhatCVE
added 2025/05/22 10:7 a.m. · 5 views

CVE-2019-13070

A stored XSS vulnerability in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows a privileged attacker to embed malicious JavaScript in the SNMP trap receivers form. Upon visiting the /agent/actionrecipient Event Action/Recipient page, the embedded code will be...

CVSS 5.4 · AI score 5.8 · EPSS 0.00223
Exploits: 1 · References: 1
RedhatCVE
added 2025/05/22 7:41 a.m. · 7 views

CVE-2019-10049

It is possible for an attacker with regular user access to the web application of Pydio through 8.2.2 to trick an administrator user into opening a link shared through the application, that in turn opens a shared file that contains JavaScript code that is executed in the context of the victim use...

CVSS 7.3 · AI score 6.5 · EPSS 0.00282
Exploits: 3 · References: 1
RedhatCVE
added 2025/05/22 5:25 a.m. · 3 views

CVE-2019-7940

A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with...

CVSS 4.8 · AI score 5.6 · EPSS 0.0008
Exploits: 0 · References: 1
RedhatCVE
added 2025/05/22 1:17 a.m. · 6 views

CVE-2017-1000223

A stored web content injection vulnerability (WCI, a.k.a. XSS) is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated user with permissions to edit users can save malicious JavaScript as a User Group name and potentially take control over victims' accounts. This can lead to an...

CVSS 5.4 · AI score 7.1 · EPSS 0.00256
Exploits: 0 · References: 1
NVD
added 2025/05/20 11:15 a.m. · 12 views

CVE-2025-40633

A Stored Cross-Site Scripting (XSS) vulnerability has been found in Koibox for versions prior to e8cbce2. This vulnerability allows an authenticated attacker to upload an image containing malicious JavaScript code as profile picture in the '/es/dashboard/clientes/ficha/' endpoint...

CVSS 5.1 · EPSS 0.00257
Exploits: 0 · References: 1
CNVD
added 2025/05/20 12:0 a.m. · 1 views

Adobe Connect Cross-Site Scripting Vulnerability (CNVD-2025-10674)

Adobe Connect is software for creating meeting environments from the American company Adobe. Adobe Connect suffers from a cross-site scripting vulnerability that can be exploited by an attacker to execute malicious JavaScript...

CVSS 6.1 · AI score 5.8 · EPSS 0.00528
Exploits: 0 · References: 1
CNVD
added 2025/05/20 12:0 a.m. · 2 views

Adobe Connect Cross-Site Scripting Vulnerability (CNVD-2025-10676)

Adobe Connect is software for creating meeting environments from the American company Adobe. Adobe Connect suffers from a cross-site scripting vulnerability that can be exploited by an attacker to execute malicious JavaScript...

CVSS 5.4 · AI score 5.8 · EPSS 0.00172
Exploits: 0 · References: 1
CNVD
added 2025/05/20 12:0 a.m. · 1 views

Adobe Connect Cross-Site Scripting Vulnerability (CNVD-2025-10675)

Adobe Connect is software for creating meeting environments from the American company Adobe. Adobe Connect suffers from a cross-site scripting vulnerability that can be exploited by an attacker to execute malicious JavaScript...

CVSS 6.1 · AI score 5.8 · EPSS 0.00528
Exploits: 0 · References: 1
CNNVD
added 2025/05/20 12:0 a.m. · 1 views

Koibox Cross-Site Scripting Vulnerability

Koibox is a beauty center management software from Koibox, Inc. A cross-site scripting vulnerability exists in versions prior to Koibox e8cbce2, which stems from allowing the upload of images containing malicious JavaScript, which could lead to a stored cross-site scripting attack...

CVSS 5.1 · AI score 6 · EPSS 0.00257
Exploits: 0 · References: 1
CVE
added 2025/05/19 12:0 a.m. · 30 views

CVE-2025-44108

FlatPress CMS ≤ 1.3.1/1.4-rc1 shows a stored XSS through the gallery captions component. The vulnerability (CVE-2025-44108) allows an admin-privileged user to inject JavaScript that is then stored persistently, with impacts limited to confidentiality and integrity per sources, and no explicit expl...

CVSS 4.8 · AI score 5.7 · EPSS 0.00313
Exploits: 1 · References: 4 · Affected Software: 1
RedhatCVE
added 2025/05/17 8:2 p.m. · 11 views

CVE-2025-47786

Emlog is an open source website building system. Version 2.5.13 has a stored cross-site scripting vulnerability that allows any registered user to construct malicious JavaScript, inducing all website users to click. In /admin/comment.php, the parameter perpagenum is not validated and is directly...

CVSS 4.8 · AI score 6 · EPSS 0.0014
Exploits: 1 · References: 1
CVE
added 2025/05/16 11:9 a.m. · 15 views

CVE-2025-40632

IceWarp Mail Server (v11.4.0) contains a Cross-Site Scripting (XSS) vulnerability where an attacker can modify the lastLogin cookie to inject JavaScript that executes when the page renders. Affected component is the web-facing handling of user data; the root cause is lack of proper filtering/esca...

CVSS 6.1 · AI score 5.9 · EPSS 0.00167
Exploits: 0 · References: 1 · Affected Software: 1
NVD
added 2025/05/15 8:15 p.m. · 16 views

CVE-2024-8673

The Z-Downloads WordPress plugin before 1.11.7 does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript...

CVSS 9.1 · EPSS 0.05832
Exploits: 1 · References: 1
CVE
added 2025/05/15 8:7 p.m. · 60 views

CVE-2024-8673

CVE-2024-8673 affects the WordPress plugin Z-Downloads prior to version 1.11.7. The root cause is improper validation of uploaded files, allowing SVGs containing malicious JavaScript. This enables authenticated attackers to upload SVGs that execute when other users view the uploaded files, poten...

CVSS 9.1 · AI score 6.5 · EPSS 0.05832
Exploits: 1 · References: 1 · Affected Software: 1
Vulnrichment
added 2025/05/15 7:33 p.m. · 5 views

CVE-2025-47786 Emlog vulnerable to Stored Cross-site Scripting

Emlog is an open source website building system. Version 2.5.13 has a stored cross-site scripting vulnerability that allows any registered user to construct malicious JavaScript, inducing all website users to click. In /admin/comment.php, the parameter perpagenum is not validated and is directly...

CVSS 4.8 · AI score 5.7 · EPSS 0.0014
Exploits: 1 · References: 1
Cvelist
added 2025/05/15 7:33 p.m. · 8 views

CVE-2025-47786 Emlog vulnerable to Stored Cross-site Scripting

Emlog is an open source website building system. Version 2.5.13 has a stored cross-site scripting vulnerability that allows any registered user to construct malicious JavaScript, inducing all website users to click. In /admin/comment.php, the parameter perpagenum is not validated and is directly...

CVSS 4.8 · EPSS 0.0014
Exploits: 1 · References: 1
CNNVD
added 2025/05/15 12:0 a.m. · 2 views

WordPress plugin Z-Downloads Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...

CVSS 9.1 · AI score 8.6 · EPSS 0.05832
Exploits: 1 · References: 1
Positive Technologies
added 2025/05/15 12:0 a.m. · 1 views

PT-2025-21366 · Emlog · Emlog

Name of the Vulnerable Software and Affected Versions: Emlog version 2.5.13 Description: Emlog is an open source website building system with a stored cross-site scripting issue. This allows any registered user to construct malicious JavaScript, inducing all website users to click. The...

CVSS 4.8 · AI score 5.8 · EPSS 0.0014
Exploits: 1 · References: 5