Latest CVE Feed
-
5.4
MEDIUMCVE-2025-34281
ThingsBoard versions < 4.2.1 contain a stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in ... Read more
Affected Products : thingsboard- Published: Oct. 17, 2025
- Modified: Oct. 24, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-55073
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin ... Read more
Affected Products : mattermost_server- Published: Nov. 14, 2025
- Modified: Nov. 14, 2025
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2025-63449
Water Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /orders.php.... Read more
Affected Products : water_management_system- Published: Nov. 03, 2025
- Modified: Nov. 07, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-41410
Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data... Read more
Affected Products : mattermost_server- Published: Oct. 16, 2025
- Modified: Oct. 21, 2025
- Vuln Type: Authentication
-
5.4
MEDIUMCVE-2025-12905
Inappropriate implementation in Downloads in Google Chrome on Windows prior to 140.0.7339.80 allowed a remote attacker to bypass Mark of the Web via a crafted HTML page. (Chromium security severity: Low)... Read more
Affected Products : chrome- Published: Nov. 08, 2025
- Modified: Nov. 12, 2025
- Vuln Type: Misconfiguration
-
5.4
MEDIUMCVE-2025-54760
Stored cross-site scripting (XSS) vulnerability in desknet's NEO V9.0R2.0 and earlier allow execution of arbitrary JavaScript in a user’s web browser.... Read more
Affected Products :- Published: Oct. 16, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-24833
Stored cross-site scripting (XSS) vulnerability in desknet's NEO versions V4.0R1.0–V9.0R2.0 allow execution of arbitrary JavaScript in a user’s web browser.... Read more
Affected Products :- Published: Oct. 16, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-53858
ChatLuck contains a cross-site scripting vulnerability in Chat Rooms. If exploited, an arbitrary script may be executed on the web browser of the user who is accessing the product.... Read more
Affected Products :- Published: Oct. 16, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-41021
Stored Cross-Site Scripting (XSS) in Sergestec's Exito v8.0, consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'obs' parameter in '/admin/index.php?action=product_update'. This vulnerability co... Read more
Affected Products : exito- Published: Oct. 16, 2025
- Modified: Oct. 21, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-12880
The Progress Bar Blocks for Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for... Read more
Affected Products :- Published: Nov. 11, 2025
- Modified: Nov. 12, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-12546
A vulnerability was determined in LogicalDOC Community Edition up to 9.2.1. This affects an unknown part of the component API Key creation UI. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has be... Read more
Affected Products : logicaldoc- Published: Oct. 31, 2025
- Modified: Nov. 07, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-55072
Stored cross-site scripting (XSS) vulnerability in desknet's NEO V2.0R1.0 to V9.0R2.0 allow execution of arbitrary JavaScript in a user’s web browser.... Read more
Affected Products :- Published: Oct. 16, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-62911
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rock Content Rock Convert rock-convert allows Stored XSS.This issue affects Rock Convert: from n/a through <= 3.0.1.... Read more
Affected Products : rock_convert- Published: Oct. 27, 2025
- Modified: Nov. 13, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-12872
The a+HRD and a+HCM developed by aEnrich has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to upload files containing malicious JavaScript code, which will execute on the client side when a user is tricked into visit... Read more
Affected Products : a\+hrd- Published: Nov. 12, 2025
- Modified: Nov. 12, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-12227
A vulnerability was determined in projectworlds Gate Pass Management System 1.0. The affected element is an unknown function of the file /add-pass.php. Executing manipulation can lead to cross site scripting. The attack can be executed remotely. The explo... Read more
Affected Products : gate_pass_management_system- Published: Oct. 27, 2025
- Modified: Oct. 28, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-40643
Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to “/crm/create_job_submit.php”, using the “JobCreatedBy” parame... Read more
Affected Products : energy_crm- Published: Oct. 23, 2025
- Modified: Oct. 31, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-11210
Side-channel information leakage in Tab in Google Chrome prior to 141.0.7390.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)... Read more
- Published: Nov. 06, 2025
- Modified: Nov. 13, 2025
- Vuln Type: Information Disclosure
-
5.4
MEDIUMCVE-2025-61261
A reflected cross-site scripting (XSS) vulnerability in CKeditor v46.1.0 & Angular v18.0.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.... Read more
Affected Products :- Published: Nov. 07, 2025
- Modified: Nov. 12, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-64263
Missing Authorization vulnerability in PluginEver WP Content Pilot wp-content-pilot allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Content Pilot: from n/a through <= 2.1.7.... Read more
Affected Products :- Published: Nov. 13, 2025
- Modified: Nov. 14, 2025
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2025-62903
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPClever WPC Smart Messages for WooCommerce wpc-smart-messages allows Stored XSS.This issue affects WPC Smart Messages for WooCommerce: from n/a through ... Read more
Affected Products :- Published: Oct. 27, 2025
- Modified: Nov. 13, 2025
- Vuln Type: Cross-Site Scripting