Total
45574 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-8017 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2025-07-21 | N/A |
| An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the HTML for tooltips. This vulnerability allows attackers to perform operations with the victim's privileges, such as stealing chat history, deleting chats, and escalating their own account to an admin if the victim is an admin. | ||||
| CVE-2024-7990 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2025-07-21 | N/A |
| A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the `/api/v1/models/add` endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious scripts that can be executed by any user, including administrators, potentially leading to arbitrary code execution. | ||||
| CVE-2025-53924 | 1 Emlog | 1 Emlog | 2025-07-21 | 6.9 Medium |
| Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including pro-2.5.17 allows authenticated remote attackers to inject arbitrary web script or HTML via the siteurl parameter. It is possible to inject malicious code into siteurl parameter resulting in Stored XSS. When someone clicks on the link the malicious code is executed. As of time of publication, no known patched versions exist. | ||||
| CVE-2024-41785 | 1 Ibm | 1 Concert | 2025-07-18 | 6.1 Medium |
| IBM Concert Software 1.0.0 through 1.0.1 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2025-6131 | 1 Codeastro | 1 Food Ordering System | 2025-07-18 | 2.4 Low |
| A vulnerability, which was classified as problematic, was found in CodeAstro Food Ordering System 1.0. Affected is an unknown function of the file /admin/store/edit/ of the component POST Request Parameter Handler. The manipulation of the argument Restaurant Name/Address leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-34831 | 2 Gibbon, Gibbonedu | 2 Core, Gibbon | 2025-07-17 | 6.1 Medium |
| cross-site scripting (XSS) vulnerability in Gibbon Core v26.0.00 allows an attacker to execute arbitrary code via the imageLink parameter in the library_manage_catalog_editProcess.php component. | ||||
| CVE-2024-51337 | 2 Gibbon, Gibbonedu | 2 Core, Gibbon | 2025-07-17 | 3.5 Low |
| Cross Site Scripting vulnerability in Gibbon before v.27.0.01 and fixed in v.28.0.00 allows a remote attacker to obtain sensitive information via the email parameter found in /Gibbon/modules/User Admin/user_manage_editProcess.php. | ||||
| CVE-2024-55492 | 1 Magicwinmail | 1 Winmail Server | 2025-07-17 | 6.1 Medium |
| Winmail Server 4.4 is vulnerable to f_user=%22%3E%3Csvg%20onload Cross Site Scripting (XSS). | ||||
| CVE-2025-48918 | 1 1xinternet | 1 Simple Klaro | 2025-07-17 | 8.8 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Simple Klaro allows Cross-Site Scripting (XSS).This issue affects Simple Klaro: from 0.0.0 before 1.10.0. | ||||
| CVE-2025-48919 | 1 1xinternet | 1 Simple Klaro | 2025-07-17 | 5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Simple Klaro allows Cross-Site Scripting (XSS).This issue affects Simple Klaro: from 0.0.0 before 1.10.0. | ||||
| CVE-2024-8029 | 1 Pribai | 1 Privategpt | 2025-07-17 | 6.1 Medium |
| An XSS vulnerability was discovered in the upload file(s) process of imartinez/privategpt v0.5.0. Attackers can upload malicious SVG files, which execute JavaScript when victims click on the file link. This can lead to user data theft, session hijacking, malware distribution, and phishing attacks. | ||||
| CVE-2025-28243 | 1 Alteryx | 1 Alteryx Server | 2025-07-17 | 8 High |
| An issue in Alteryx Server v.2023.1.1.460 allows HTML injection via a crafted script to the pages component. | ||||
| CVE-2024-6006 | 1 Zkteco | 1 Zkbiosecurity V5000 | 2025-07-17 | 3.5 Low |
| A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Summer Schedule Handler. The manipulation of the argument Schedule Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor explains, "that ZKBio Security V5000 has been withdrawn from the market and [is] recommended for upgrading to the ZKBio CVSecurity latest version." This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2024-6005 | 1 Zkteco | 2 Zkbio Cvsecurity V5000, Zkbiosecurity V5000 | 2025-07-17 | 3.5 Low |
| A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Department Section. The manipulation of the argument Department Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor explains, "that ZKBio Security V5000 has been withdrawn from the market and [is] recommended for upgrading to the ZKBio CVSecurity latest version." This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-28245 | 1 Alteryx | 1 Alteryx Server | 2025-07-17 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability in Alteryx Server 2023.1.1.460 allows remote attackers to inject arbitrary web script or HTML via the notification body. | ||||
| CVE-2024-10029 | 1 Eclipse | 1 Glassfish | 2025-07-16 | 6.1 Medium |
| In Eclipse GlassFish version 7.0.15 is possible to perform Reflected Cross-site scripting attacks in the Administration Console. | ||||
| CVE-2024-10031 | 1 Eclipse | 1 Glassfish | 2025-07-16 | 5.4 Medium |
| In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site Scripting attacks by modifying the configuration file in the underlying operating system. | ||||
| CVE-2024-10032 | 1 Eclipse | 1 Glassfish | 2025-07-16 | 5.4 Medium |
| In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting attacks in the Administration Console. | ||||
| CVE-2024-9343 | 1 Eclipse | 1 Glassfish | 2025-07-16 | 6.1 Medium |
| In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting attacks in the Administration Console. | ||||
| CVE-2025-27867 | 1 Apache | 1 Felix Http Webconsole Plugin | 2025-07-16 | 5.6 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix HTTP Webconsole Plugin. This issue affects Apache Felix HTTP Webconsole Plugin: from Version 1.X through 1.2.0. Users are recommended to upgrade to version 1.2.2, which fixes the issue. | ||||