MODX allows cross-site scripting (XSS) via an SVG file
A cross-site scripting (XSS) vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image...
CVE-2025-26659
SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to a DOM-based Cross-Site Scripting (XSS) vulnerability. This allows an attacker with no privileges to craft a malicious web message that exploits WEBGUI functionality. On successful exploitation, the...
CVE-2025-2150
The C&Cm@il from HGiga has a Stored Cross-Site Scripting (XSS) vulnerability, allowing remote attackers with regular privileges to send emails containing malicious JavaScript code, which will be executed in the recipient's browser when they view the email...
CVE-2025-2150
CVE-2025-2150 affects HGiga C&Cm@il. The vulnerability is a Stored Cross-Site Scripting (XSS) in the mail component, allowing remote attackers with regular privileges to send emails containing malicious JavaScript that executes in the recipient’s browser when viewed. Affected: C&Cm@il web app; ro...
HGiga C&Cm@il Cross-Site Scripting Vulnerability
HGiga C&Cm@il is an email collaboration system from China Henderson HGiga. A cross-site scripting vulnerability exists in HGiga C&Cm@il, which originates from stored cross-site scripting and could result in malicious JavaScript code being executed in the recipient's browser...
CVE-2025-26202
A Cross-Site Scripting (XSS) vulnerability exists in the WPA/WAPI Passphrase field of the Wireless Security settings (2.4GHz & 5GHz bands) in the DZS Router Web Interface. An authenticated attacker can inject malicious JavaScript into the passphrase field, which is stored and later executed when an...
TeamPasswordManager Security Vulnerability
TeamPasswordManager is a password manager from the individual developer Ferran Barba. A security vulnerability exists in TeamPasswordManager version 12.162.284 and earlier, which stems from a cross-site scripting weakness that allows execution of malicious JavaScript...
CVE-2024-5848
A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper input validation. User-supplied data is directly included in server responses from vulnerable service endpoints without proper sanitization or encoding, allowing an attacker to inject malicious...
CVE-2025-25477
A host header injection vulnerability in SysPass 3.2x allows an attacker to load malicious JS files from an arbitrary domain which would be executed in the victim's browser...
sysPass Injection Vulnerability
SysPass is a system password manager by the individual developer RubénD. An injection vulnerability exists in sysPass version 3.2x, which stems from host header injection and could lead to the execution of malicious JS files...
CVE-2024-5848 Reflected Cross-Site Scripting (XSS) in Multiple WSO2 Products Due to Improper Input Validation
A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper input validation. User-supplied data is directly included in server responses from vulnerable service endpoints without proper sanitization or encoding, allowing an attacker to inject malicious...
CVE-2025-25477
The CVE-2025-25477 entry concerns SysPass 3.2.x, where a host header injection flaw allows loading malicious JavaScript from an arbitrary domain that would execute in a victim’s browser. The root cause is host header injection in SysPass; impact is demonstrated as high confidentiality and integri...
LY Corporation: Stored XSS via SVG Upload in chat.line.biz
An SVG file containing malicious JavaScript was uploaded to the web application without proper filtering or disabling of embedded scripts. When another user opened the malicious SVG file in the management interface, the embedded script was executed in the browser, resulting in a stored cross-site...
CVE-2025-25460
A stored Cross-Site Scripting (XSS) vulnerability was identified in FlatPress 1.3.1 within the "Add Entry" feature. This vulnerability allows authenticated attackers to inject malicious JavaScript payloads into blog posts, which are executed when other users view the posts. The issue arises due to...
PT-2025-7772 · Flatpress · Flatpress
Name of the Vulnerable Software and Affected Versions: FlatPress version 1.3.1 Description: A stored Cross-Site Scripting issue was identified within the "Add Entry" feature, allowing authenticated attackers to inject malicious JavaScript payloads into blog posts. This is executed when other user...
Unauthenticated Stored XSS via dangerouslySetInnerHTML
An UNAUTHENTICATED attacker can achieve stored cross-site scripting (XSS) by injecting malicious JavaScript into the v1/runs/ingest endpoint: adding an empty citations field triggers a code path where dangerouslySetInnerHTML is used to render the attacker-controlled text. This vulnerability allows the...
Cross-Site Scripting (XSS)
labelstudio is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper sanitization of user-provided HTML content in the /projects/upload-example endpoint, allowing attackers to inject malicious JavaScript via a specially crafted labelconfig query parameter in a GET request...
CVE-2025-25296
Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's /projects/upload-example endpoint allows injection of arbitrary HTML through a GET request with an appropriately crafted labelconfig query parameter. By crafting a specially formatted XML label config with...
CVE-2025-0178 WatchGuard Firebox Host Header Injection Vulnerability
Improper Input Validation vulnerability in WatchGuard Fireware OS allows an attacker to manipulate the value of the HTTP Host header in requests sent to the Web UI. An attacker could exploit this vulnerability to redirect users to malicious websites, poison the web cache, or inject malicious...