Latest CVE Feed
-
5.4
MEDIUMCVE-2025-11429
A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overr... Read more
Affected Products :- Published: Oct. 23, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Authentication
-
5.4
MEDIUMCVE-2025-62048
Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform SmartCrawl smartcrawl-seo.This issue affects SmartCrawl: from n/a through <= 3.14.3.... Read more
Affected Products : smartcrawl- Published: Oct. 22, 2025
- Modified: Nov. 13, 2025
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2025-8848
A vulnerability in danny-avila/librechat version 0.7.9 allows for HTML injection via the Accept-Language header. When a logged-in user sends an HTTP GET request with a crafted Accept-Language header, arbitrary HTML can be injected into the <html lang=""> ... Read more
Affected Products : librechat- Published: Oct. 22, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-62402
API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available.... Read more
Affected Products : airflow- Published: Oct. 30, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Injection
-
5.4
MEDIUMCVE-2025-34316
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the txt_mailuser and txt_mailpass parameters when updating the mail... Read more
- Published: Oct. 28, 2025
- Modified: Nov. 03, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2023-7319
Nagios Network Analyzer versions prior to 2024R1 are vulnerable to cross-site scripting (XSS) via the Percentile Calculator menu. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in th... Read more
Affected Products : network_analyzer- Published: Oct. 30, 2025
- Modified: Nov. 07, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-62265
Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through upd... Read more
- Published: Oct. 30, 2025
- Modified: Nov. 11, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-62939
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joe Open Currency Converter artiss-currency-converter allows Stored XSS.This issue affects Open Currency Converter: from n/a through <= 1.5.0.... Read more
Affected Products :- Published: Oct. 27, 2025
- Modified: Nov. 13, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2022-50588
Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) in the update checking feature. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a vict... Read more
- Published: Oct. 30, 2025
- Modified: Nov. 05, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-34281
ThingsBoard versions < 4.2.1 contain a stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in ... Read more
Affected Products : thingsboard- Published: Oct. 17, 2025
- Modified: Oct. 24, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-11154
The IDonate WordPress plugin before 2.1.13 does not have authorisation and CSRF when deleting users via an action handler, allowing unauthenticated attackers to delete arbitrary users.... Read more
Affected Products : idonate- Published: Oct. 27, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2025-34301
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code into the COUNTRY_CODE parameter when creating a location group. When a user... Read more
- Published: Oct. 28, 2025
- Modified: Nov. 03, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-62982
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sarah Giles Dynamic User Directory dynamic-user-directory allows Stored XSS.This issue affects Dynamic User Directory: from n/a through <= 2.3.... Read more
Affected Products :- Published: Oct. 27, 2025
- Modified: Nov. 13, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2023-7313
Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Bulk Modifications tool. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a vi... Read more
- Published: Oct. 30, 2025
- Modified: Nov. 05, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-11844
Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input into ... Read more
Affected Products : smolagents- Published: Oct. 22, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Injection
-
5.4
MEDIUMCVE-2022-50586
Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) in the BPI component via the info URL field. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the cont... Read more
- Published: Oct. 30, 2025
- Modified: Nov. 05, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2021-47699
Nagios XI versions prior to 5.8.7 are vulnerable to cross-site scripting (XSS) via the Audit Log page’s Send to NLS form. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the contex... Read more
- Published: Oct. 30, 2025
- Modified: Nov. 05, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-8558
Insider Threat Management (ITM) Server versions prior to 7.17.2 contain an authentication bypass vulnerability that allows unauthenticated users on an adjacent network to perform agent unregistration when the number of registered agents exceeds the licens... Read more
Affected Products : insider_threat_management_server- Published: Nov. 03, 2025
- Modified: Nov. 07, 2025
- Vuln Type: Authentication
-
5.4
MEDIUMCVE-2025-62940
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nick Diego Blox Lite blox-lite allows Stored XSS.This issue affects Blox Lite: from n/a through <= 1.2.8.... Read more
Affected Products :- Published: Oct. 27, 2025
- Modified: Nov. 13, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-62913
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpopal Opal Service opal-service allows Stored XSS.This issue affects Opal Service: from n/a through <= 1.9.1.... Read more
Affected Products :- Published: Oct. 27, 2025
- Modified: Nov. 13, 2025
- Vuln Type: Cross-Site Scripting