Search Results (46133 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12333 | 2 Code-projects, Fabian | 2 E-commerce Website, E-commerce Website | 2025-10-30 | 4.3 Medium |
| A vulnerability has been found in code-projects E-Commerce Website 1.0. This impacts an unknown function of the file /pages/supplier_add.php. The manipulation of the argument supp_name/supp_address leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-3272 | 1 Dlink | 40 Dnr-202l, Dnr-202l Firmware, Dnr-322l and 37 more | 2025-10-30 | 9.8 Critical |
| ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259283. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced. | ||||
| CVE-2025-2161 | 2 Pega, Pegasystems | 2 Pega Platform, Pega Infinity | 2025-10-30 | 7.1 High |
| Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup | ||||
| CVE-2025-2160 | 2 Pega, Pegasystems | 2 Pega Platform, Pega Infinity | 2025-10-30 | 8.1 High |
| Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup | ||||
| CVE-2025-32809 | 1 Wwnorton | 1 Inquizitive | 2025-10-30 | 6.4 Medium |
| W. W. Norton InQuizitive through 2025-04-08 allows students to conduct stored XSS attacks against educators via a bonus description, feedback.choice_fb[], or question_id. | ||||
| CVE-2025-8848 | 1 Librechat | 1 Librechat | 2025-10-30 | 5.4 Medium |
| A vulnerability in danny-avila/librechat version 0.7.9 allows for HTML injection via the Accept-Language header. When a logged-in user sends an HTTP GET request with a crafted Accept-Language header, arbitrary HTML can be injected into the <html lang=""> tag of the response. This can lead to potential security risks such as cross-site scripting (XSS) attacks. | ||||
| CVE-2023-36800 | 1 Microsoft | 1 Dynamics 365 | 2025-10-30 | 7.6 High |
| Dynamics Finance and Operations Cross-site Scripting Vulnerability | ||||
| CVE-2023-38164 | 1 Microsoft | 1 Dynamics 365 | 2025-10-30 | 7.6 High |
| Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | ||||
| CVE-2023-36886 | 1 Microsoft | 1 Dynamics 365 | 2025-10-30 | 7.6 High |
| Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | ||||
| CVE-2025-62528 | 1 Taguette | 1 Taguette | 2025-10-30 | 5.4 Medium |
| Taguette is an open source qualitative research tool. An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for a project member to put JavaScript in name or description fields which would run on project load. This issue has been patched in version 1.5.0. | ||||
| CVE-2025-10869 | 1 Oct8ne | 1 Chatbot | 2025-10-30 | 6.1 Medium |
| Stored Cross-site Scripting (XSS) in Oct8ne Chatbot v2.3. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting a malicious payload through the creation of a transcript that is sent by email. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through /Data/SaveInteractions. | ||||
| CVE-2024-43573 | 1 Microsoft | 22 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 19 more | 2025-10-30 | 6.5 Medium |
| Windows MSHTML Platform Spoofing Vulnerability | ||||
| CVE-2024-12374 | 1 Automatic1111 | 1 Stable-diffusion-webui | 2025-10-30 | 6.1 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in automatic1111/stable-diffusion-webui version git 82a973c. An attacker can upload an HTML file, which the application interprets as content-type application/html. If a victim accesses the malicious link, it will execute arbitrary JavaScript in the victim's browser. | ||||
| CVE-2025-25009 | 1 Elastic | 1 Kibana | 2025-10-30 | 8.7 High |
| Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload. | ||||
| CVE-2025-25017 | 1 Elastic | 1 Kibana | 2025-10-30 | 8.2 High |
| Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS) | ||||
| CVE-2025-52620 | 1 Hcltech | 1 Bigfix Saas | 2025-10-29 | 4.3 Medium |
| HCL BigFix SaaS Authentication Service is affected by a Cross-Site Scripting (XSS) vulnerability. The image upload functionality inadequately validated the submitted image format. | ||||
| CVE-2025-58747 | 1 Langgenius | 1 Dify | 2025-10-29 | 6.1 Medium |
| Dify is an LLM application development platform. In Dify versions through 1.9.1, the MCP OAuth component is vulnerable to cross-site scripting when a victim connects to an attacker-controlled remote MCP server. The vulnerability exists in the OAuth flow implementation where the authorization_url provided by a remote MCP server is directly passed to window.open without validation or sanitization. An attacker can craft a malicious MCP server that returns a JavaScript URI (such as javascript:alert(1)) in the authorization_url field, which is then executed when the victim attempts to connect to the MCP server. This allows the attacker to execute arbitrary JavaScript in the context of the Dify application. | ||||
| CVE-2025-8681 | 2 Pega, Pegasystems | 2 Pega Platform, Pega Infinity | 2025-10-29 | 5.5 Medium |
| Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. Requires a high privileged user with a developer role. | ||||
| CVE-2023-7143 | 1 Fabian | 1 Client Details System | 2025-10-29 | 2.4 Low |
| A vulnerability was found in code-projects Client Details System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin/regester.php. The manipulation of the argument fname/lname/email/contact leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-249146 is the identifier assigned to this vulnerability. | ||||
| CVE-2022-41299 | 1 Ibm | 1 Transformation Advisor | 2025-10-29 | 4.4 Medium |
| IBM Cloud Transformation Advisor 2.0.1 through 3.3.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 237214. | ||||