Lucene search

Hortusfox

6 matches found

CVE
added 2025/01/23 10:15 p.m., 44 views

CVE-2024-57329

HortusFox v3.9 contains a stored XSS vulnerability in the "Add Plant" function. The name input field does not sanitize or escape user inputs, allowing attackers to inject and execute arbitrary JavaScript payloads.

CVSS 5.4 | AI score 6.3 | EPSS 0.00036

CVE
added 6 days ago, 6 views

CVE-2025-45313

A cross-site scripting (XSS) vulnerability in the /tasks endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the title parameter.

CVSS 6.1 | AI score 6 | EPSS 0.00027

CVE
added 6 days ago, 5 views

CVE-2025-45316

A cross-site scripting (XSS) vulnerability in the TextBlockModule.php component of hortusfox-web v4.4 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name parameter.

CVSS 6.1 | AI score 5.9 | EPSS 0.00033

CVE
added 6 days ago, 5 views

CVE-2025-45317

A zip slip vulnerability in the /modules/ImportModule.php component of hortusfox-web v4.4 allows attackers to execute arbitrary code via a crafted archive.

CVSS 6.5 | AI score 7.9 | EPSS 0.00044

CVE
added 6 days ago, 4 views

CVE-2025-45314

A cross-site scripting (XSS) vulnerability in the /Calendar endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the add function.

CVSS 6.1 | AI score 6 | EPSS 0.00029

CVE
added 6 days ago, 4 views

CVE-2025-45315

A cross-site scripting (XSS) vulnerability in the /controller/admin.php endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the email parameter.

CVSS 5.4 | AI score 6 | EPSS 0.0003