Filtered by CWE-79
Total 45425 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2025-60378 1 Fairsketch 1 Rise Ultimate Project Manager 2025-11-17 8.1 High
Stored HTML injection in RISE Ultimate Project Manager & CRM allows authenticated users to inject arbitrary HTML into invoices and messages. Injected content renders in emails, PDFs, and messaging/chat modules sent to clients or team members, enabling phishing, credential theft, and business email compromise. Automated recurring invoices and messaging amplify the risk by distributing malicious content to multiple recipients.
CVE-2025-13097 4 Apple, Google, Linux and 1 more 4 Macos, Chrome, Linux Kernel and 1 more 2025-11-17 5.4 Medium
Inappropriate implementation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
CVE-2025-9647 1 Mtons 1 Mblog 2025-11-14 4.3 Medium
A weakness has been identified in mtons mblog up to 3.5.0. This issue affects some unknown processing of the file /admin/role/list. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited.
CVE-2025-54168 1 Qnap 1 Qulog Center 2025-11-14 4.8 Medium
A cross-site scripting (XSS) vulnerability has been reported to affect QuLog Center. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following version: QuLog Center 1.8.2.923 ( 2025/08/27 ) and later
CVE-2025-57706 1 Qnap 1 File Station 2025-11-14 5.4 Medium
A cross-site scripting (XSS) vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5018 and later
CVE-2020-0656 1 Microsoft 1 Dynamics 365 2025-11-14 5.4 Medium
A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server, aka 'Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability'.
CVE-2025-24297 1 Growatt 1 Cloud Portal 2025-11-14 9.8 Critical
Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users personal spaces of the web portal.
CVE-2025-41107 1 Qdocs 1 Smart School 2025-11-14 5.4 Medium
Stored Cross Site Scripting (XSS) vulnerability in Smart School 7.0 due to lack of proper validation of user input when sending a POST request to '/online_admission', wich affects the parameters 'firstname', 'lastname', 'guardian_name' and others. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal his/her session cookie details.
CVE-2024-34240 1 Qdocs 1 Smart School 2025-11-14 6.1 Medium
QDOCS Smart School 7.0.0 is vulnerable to Cross Site Scripting (XSS) resulting in arbitrary code execution in admin functions related to adding or updating records.
CVE-2024-7056 1 Wpforms 1 Wpforms 2025-11-13 3.5 Low
The WPForms WordPress plugin before 1.9.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2024-0249 1 Hijiriworld 1 Advanced Schedule Posts 2025-11-13 7.1 High
The Advanced Schedule Posts WordPress plugin through 2.1.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admins.
CVE-2025-9111 2 Quantumcloud, Wordpress 2 Wpbot, Wordpress 2025-11-13 3.5 Low
The AI ChatBot for WordPress WordPress plugin before 7.1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2024-6711 1 Vollstart 1 Event Tickets With Ticket Scanner 2025-11-13 3.5 Low
The Event Tickets with Ticket Scanner WordPress plugin before 2.3.8 does not sanitise and escape some parameters, which could allow users with a role as low as admin to perform Cross-Site Scripting attacks
CVE-2024-4091 1 Bdwm 1 Responsive Gallery Grid 2025-11-13 3.5 Low
The Responsive Gallery Grid WordPress plugin before 2.3.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
CVE-2024-4004 1 Bracketspace 1 Advanced Cron Manager 2025-11-13 3.5 Low
The Advanced Cron Manager WordPress plugin before 2.5.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2024-4002 1 Techearty 1 Carousel\, Slider\, Gallery By Wp Carousel 2025-11-13 3.5 Low
The Carousel, Slider, Gallery by WP Carousel WordPress plugin before 2.6.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2024-3996 1 Shapedplugin 1 Smart Post Show 2025-11-13 3.5 Low
The Smart Post Show WordPress plugin before 2.4.28 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2024-3901 1 Wpengine 1 Genesis Blocks 2025-11-13 6.8 Medium
The Genesis Blocks WordPress plugin through 3.1.3 does not properly escape attributes provided to some of its custom blocks, making it possible for users allowed to write posts (like those with the contributor role) to conduct Stored XSS attacks.
CVE-2024-0852 1 Dev4press 1 Coreactivity 2025-11-13 8.8 High
The coreActivity: Activity Logging for WordPress plugin before 1.8.1 does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform Stored XSS attack against high privilege users such as admin
CVE-2024-6942 1 Thinksaas 1 Thinksaas 2025-11-13 3.5 Low
A vulnerability, which was classified as problematic, was found in ThinkSAAS 3.7.0. Affected is an unknown function of the file app/system/action/anti.php of the component Admin Panel Security Center. The manipulation of the argument ip/email/phone leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272064.