Total
38585 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-9105 | 1 Portabilis | 1 I-diario | 2025-09-02 | 3.5 Low |
| A vulnerability has been found in Portabilis i-Diario up to 1.5.0. The impacted element is an unknown function of the file /planos-de-ensino-por-areas-de-conhecimento/ of the component Informações Adicionais Page. Such manipulation of the argument Parecer/Conteúdos/Objetivos leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-9104 | 1 Portabilis | 1 I-diario | 2025-09-02 | 3.5 Low |
| A flaw has been found in Portabilis i-Diario up to 1.5.0. The affected element is an unknown function of the file /planos-de-aulas-por-disciplina/ of the component Informações Adicionais Page. This manipulation of the argument Parecer/Objeto de Conhecimento/Habilidades causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-24157 | 1 Sir | 1 Gnuboard | 2025-09-02 | 6.1 Medium |
| Gnuboard g6 / https://github.com/gnuboard/g6 commit c2cc1f5069e00491ea48618d957332d90f6d40e4 is vulnerable to Cross Site Scripting (XSS) via board.py. | ||||
| CVE-2025-9438 | 1 1000projects | 2 Online Project Report Submission And Evaluation System, Online Student Project Report Submission And Evaluation System | 2025-09-02 | 4.3 Medium |
| A security flaw has been discovered in 1000projects Online Project Report Submission and Evaluation System 1.0. Affected is an unknown function of the file /admin/add_student.php. The manipulation of the argument address results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be exploited. | ||||
| CVE-2025-9439 | 1 1000projects | 2 Online Project Report Submission And Evaluation System, Online Student Project Report Submission And Evaluation System | 2025-09-02 | 4.3 Medium |
| A weakness has been identified in 1000projects Online Project Report Submission and Evaluation System 1.0. Affected by this vulnerability is an unknown functionality of the file /rse/admin/edit_faculty.php?id=2. This manipulation of the argument Name causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-9440 | 1 1000projects | 2 Online Project Report Submission And Evaluation System, Online Student Project Report Submission And Evaluation System | 2025-09-02 | 4.3 Medium |
| A security vulnerability has been detected in 1000projects Online Project Report Submission and Evaluation System 1.0. Affected by this issue is some unknown functionality of the file /admin/add_title.php. Such manipulation of the argument Title leads to cross site scripting. The attack may be performed from a remote location. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2025-40702 | 1 Craws | 1 Openatlas | 2025-09-02 | 5.4 Medium |
| Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to send specially crafted queries to an authenticated user and steal their session cookie details, via the "/insert/file" petition, "creator" and "license_holder" parameters. | ||||
| CVE-2025-40703 | 1 Craws | 1 Openatlas | 2025-09-02 | 5.4 Medium |
| Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to send specially crafted queries to an authenticated user and steal their session cookie details, via the "/insert/group" petition, "name" and "alias-0” parameters. | ||||
| CVE-2025-40704 | 1 Craws | 1 Openatlas | 2025-09-02 | 5.4 Medium |
| Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to send specially crafted queries to an authenticated user and steal their session cookie details, via the "/insert/edition" petition, "name" parameter. | ||||
| CVE-2025-40705 | 1 Craws | 1 Openatlas | 2025-09-02 | 5.4 Medium |
| Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to send specially crafted queries to an authenticated user and steal their session cookie details, via the "/insert/acquisition" petition, "name" parameter. | ||||
| CVE-2025-40706 | 1 Craws | 1 Openatlas | 2025-09-02 | 5.4 Medium |
| Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to send specially crafted queries to an authenticated user and steal their session cookie details, via the "/insert/source" petition, "name" parameter. | ||||
| CVE-2024-29193 | 1 Alexxit | 1 Go2rtc | 2025-09-02 | 6.1 Medium |
| gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The index page (`index.html`) shows the available streams by fetching the API in the client side. Then, it uses `Object.entries` to iterate over the result whose first item (`name`) gets appended using `innerHTML`. In the event of a victim visiting the server in question, their browser will execute the request against the go2rtc instance. After the request, the browser will be redirected to go2rtc, in which the XSS would be executed in the context of go2rtc’s origin. As of time of publication, no patch is available. | ||||
| CVE-2024-29203 | 2 Tiny, Tinymce | 2 Tinymce, Tinymce | 2025-09-02 | 4.3 Medium |
| TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed `iframe` elements containing malicious code to execute when inserted into the editor. These `iframe` elements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets. This vulnerability is fixed in 6.8.1. | ||||
| CVE-2024-29881 | 2 Tiny, Tinymce | 2 Tinymce, Tinymce | 2025-09-02 | 4.3 Medium |
| TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. A SVG image could be loaded though an `object` or `embed` element and that image could potentially contain a XSS payload. This vulnerability is fixed in 6.8.1 and 7.0.0. | ||||
| CVE-2024-28233 | 1 Jupyter | 1 Jupyterhub | 2025-09-02 | 8.1 High |
| JupyterHub is an open source multi-user server for Jupyter notebooks. By tricking a user into visiting a malicious subdomain, the attacker can achieve an XSS directly affecting the former's session. More precisely, in the context of JupyterHub, this XSS could achieve full access to JupyterHub API and user's single-user server. The affected configurations are single-origin JupyterHub deployments and JupyterHub deployments with user-controlled applications running on subdomains or peer subdomains of either the Hub or a single-user server. This vulnerability is fixed in 4.1.0. | ||||
| CVE-2025-9499 | 2 Oceanwp, Wordpress | 2 Ocean Extra, Wordpress | 2025-09-02 | 6.4 Medium |
| The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's oceanwp_library shortcode in all versions up to, and including, 2.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-12923 | 2025-09-02 | N/A | ||
| A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following version: Photo Station 6.4.5 ( 2025/01/02 ) and later | ||||
| CVE-2025-9500 | 2 Tablepress, Wordpress | 2 Tablepress, Wordpress | 2025-09-02 | 6.4 Medium |
| The TablePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘shortcode_debug’ parameter in all versions up to, and including, 3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-22483 | 2025-09-02 | N/A | ||
| A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: License Center 1.8.51 and later License Center 1.9.51 and later | ||||
| CVE-2025-9568 | 1 Sunnet | 1 Ehrd Ctms | 2025-09-02 | 6.1 Medium |
| The eHRD developed by Sunnet has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks. | ||||