6714 matches found

OSV
added 2025/10/30 10:15 p.m. | 2 views

CVE-2021-47690

The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.1 / Nagios XI 5.8.2 contains multiple cross-site scripting (XSS) vulnerabilities in Overlay modals. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the conte...

CVSS 5.4 | AI score 5.9 | EPSS 0.00341
Exploits: 0 | References: 2
NVD
added 2025/10/30 10:15 p.m. | 3 views

CVE-2020-36860

The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.0.7 / Nagios XI 5.7.4 contains multiple cross-site scripting (XSS) vulnerabilities in the object edit pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in th...

CVSS 5.4 | EPSS 0.00341
Exploits: 0 | References: 2
NVD
added 2025/10/30 10:15 p.m. | 5 views

CVE-2018-25119

Nagios Fusion versions prior to 4.1.5 are vulnerable to cross-site scripting (XSS) via the "fusionwindow" parameter. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser...

CVSS 6.1 | EPSS 0.0042
Exploits: 0 | References: 2
NVD
added 2025/10/30 10:15 p.m. | 4 views

CVE-2013-10074

Nagios XI versions prior to 2012R2.6 are vulnerable to cross-site scripting (XSS) via the Tools Menu of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser...

CVSS 5.4 | EPSS 0.00341
Exploits: 0 | References: 2
Vulnrichment
added 2025/10/30 9:55 p.m. | 2 views

CVE-2016-15051 Nagios XI < 5.2.4 XSS via Report startdate/enddate Fields

Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the Reports interface through values from the startdate and enddate fields. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a...

CVSS 5.1 | AI score 5.8 | EPSS 0.00341
Exploits: 0 | References: 2
Vulnrichment
added 2025/10/30 9:35 p.m. | 2 views

CVE-2021-47690 Nagios XI < 5.8.2 Core Config Manager (CCM) XSS via Overlay Modals

The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.1 / Nagios XI 5.8.2 contains multiple cross-site scripting (XSS) vulnerabilities in Overlay modals. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the conte...

CVSS 5.1 | AI score 5.9 | EPSS 0.00341
Exploits: 0 | References: 2
Cvelist
added 2025/10/30 9:34 p.m. | 3 views

CVE-2020-36860 Nagios XI < 5.7.4 Core Config Manager (CCM) XSS via Object Edit Pages

The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.0.7 / Nagios XI 5.7.4 contains multiple cross-site scripting (XSS) vulnerabilities in the object edit pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in th...

CVSS 5.1 | EPSS 0.00341
Exploits: 0 | References: 2
EUVD
added 2025/10/30 6:31 p.m. | 2 views

EUVD-2025-37047

A stored cross-site scripting (XSS) vulnerability in AIxBlock commit 04f305 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the modeldesc field...

CVSS 6.1 | AI score 5.1 | EPSS 0.00164
Exploits: 0 | References: 3
OSV
added 2025/10/30 3:2 p.m. | 4 views

GO-2025-4065 Mattermost Server: Files may be rendered inline instead of downloaded, allowing script execution in github.com/mattermost/mattermost-server

Mattermost Server: Files may be rendered inline instead of downloaded, allowing script execution in github.com/mattermost/mattermost-server...

CVSS 6.1 | AI score 7.1 | EPSS 0.00685
Exploits: 0 | References: 4
RedhatCVE
added 2025/10/28 10:0 p.m. | 8 views

CVE-2025-62793

eLabFTW is an open source electronic lab notebook for research labs. The application served uploaded SVG files inline. Because SVG supports active content, an attacker could upload a crafted SVG that executes script when viewed, resulting in stored XSS under the application origin. A victim who...

CVSS 6.8 | AI score 6.1 | EPSS 0.00214
Exploits: 0 | References: 1
CNNVD
added 2025/10/27 12:0 a.m. | 4 views

IBM QRadar SIEM Cross-Site Scripting Vulnerability

IBM QRadar SIEM is a solution from International Business Machines (IBM) that utilizes security intelligence to protect assets and information from advanced threats. The solution provides oversight of the entire scope of the IT architecture, generates detailed reports on data access and user...

CVSS 6.4 | AI score 5.9 | EPSS 0.00144
Exploits: 0 | References: 3
Positive Technologies
added 2025/10/27 12:0 a.m. | 3 views

PT-2025-44056

Name of the Vulnerable Software and Affected Versions: eLabFTW versions prior to 5.3.0. Description: eLabFTW, an electronic lab notebook, allowed the serving of uploaded SVG files inline. Due to SVG’s support for active content, a malicious SVG file could be uploaded and executed when viewed, leadin...

CVSS 6.8 | AI score 5.5 | EPSS 0.00214
Exploits: 0 | References: 5
CNNVD
added 2025/10/27 12:0 a.m. | 5 views

code-projects Client Details System Code Injection Vulnerability

Client Details System is a client information system. Client Details System suffers from a cross-site scripting vulnerability that stems from the lack of effective filtering and escaping of user-supplied data in the file /update-clients.php, which can be exploited by an attacker to execute...

CVSS 5.4 | AI score 6 | EPSS 0.002
Exploits: 1 | References: 5
CNNVD
added 2025/10/25 12:0 a.m. | 2 views

Pleasanter Cross-Site Scripting Vulnerability

Pleasanter is a free OSS no-code/low-code development tool from Pleasanter, Inc. A cross-site scripting vulnerability exists in Pleasanter that stems from a stored cross-site scripting vulnerability in Body, Description, and Comments that could lead to an attacker executing arbitrary script in a...

CVSS 5.4 | AI score 5.3 | EPSS 0.00147
Exploits: 0 | References: 3
CVE
added 2025/10/24 5:17 a.m. | 5 views

CVE-2025-61931

CVE-2025-61931 describes a stored cross-site scripting vulnerability in Pleasanter, affecting the Body, Description and Comments fields. The vulnerability allows an attacker to execute arbitrary JavaScript in a logged-in user’s browser. Multiple connected sources (including JVNDB and Red Hat/NVD ...

CVSS 5.4 | AI score 6 | EPSS 0.00147
Exploits: 0 | References: 2
EUVD
added 2025/10/24 5:17 a.m. | 3 views

EUVD-2025-35798

Pleasanter contains a stored cross-site scripting vulnerability in Body, Description and Comments, which allows an attacker to execute an arbitrary script in a logged-in user's web browser...

CVSS 5.4 | AI score 5.3 | EPSS 0.00147
Exploits: 0 | References: 3
CVE
added 2025/10/24 5:17 a.m. | 9 views

CVE-2025-58070

CVE-2025-58070 affects Pleasanter: stored XSS in Preview for Attachments. Root cause is insecure handling in the attachment preview feature, enabling arbitrary script execution in a logged‑in user’s browser. Impact is user‑level (confidentiality/integrity not clearly affected beyond script execut...

CVSS 6.1 | AI score 6 | EPSS 0.00164
Exploits: 0 | References: 2
Cvelist
added 2025/10/24 5:17 a.m. | 6 views

CVE-2025-58070

Pleasanter contains a stored cross-site scripting vulnerability in Preview for Attachments, which allows an attacker to execute an arbitrary script in a logged-in user's web browser...

CVSS 6.1 | EPSS 0.00164
Exploits: 0 | References: 2
EUVD
added 2025/10/24 5:17 a.m. | 3 views

EUVD-2025-35799

Pleasanter contains a stored cross-site scripting vulnerability in Preview for Attachments, which allows an attacker to execute an arbitrary script in a logged-in user's web browser...

CVSS 6.1 | AI score 6 | EPSS 0.00164
Exploits: 0 | References: 3
Veracode
added 2025/10/24 5:8 a.m. | 5 views

Cross-site Scripting (XSS)

com.liferay, com.liferay.dynamic.data.mapping.form.field.type is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper validation of user-supplied input in "Rich Text" type fields within web content structures, document types, or custom assets using the Data Engine module,...

CVSS 6.1 | AI score 6.7 | EPSS 0.00199
Exploits: 0 | References: 3 | Affected Software: 1