Total
40801 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11435 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 4.3 Medium |
| A security vulnerability has been detected in JhumanJ OpnForm up to 1.9.3. Affected by this vulnerability is an unknown functionality of the file /show/submissions. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The identifier of the patch is a2af1184e53953afa8cb052f4055f288adcaa608. To fix this issue, it is recommended to deploy a patch. | ||||
| CVE-2025-11437 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 2.4 Low |
| A flaw has been found in JhumanJ OpnForm up to 1.9.3. This affects an unknown part of the file /api/open/forms/ of the component Form Editor. This manipulation causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. This issue is currently under review for additional handling. As of right now the vendor has stated that the feature is disabled until the user has configured their own domain which will mitigate this attack vector. | ||||
| CVE-2025-60313 | 2 Rems, Sourcecodester | 2 Link Status Checker, Link Status Checker | 2025-10-09 | 6.1 Medium |
| Sourcecodester Link Status Checker 1.0 is vulnerable to a Cross-Site Scripting (XSS) in the Enter URLs to check input field. This allows a remote attacker to execute arbitrary code. | ||||
| CVE-2025-60318 | 2 Mayurik, Sourcecodester | 2 Pet Grooming Management Software, Pet Grooming Management Software | 2025-10-09 | 6.1 Medium |
| SourceCodester Pet Grooming Management Software 1.0 is vulnerable to Cross Site Scripting (XSS) in /admin/profile.php via the fname (First Name) and lname (Last Name) fields. | ||||
| CVE-2025-11485 | 2 Remyandrade, Sourcecodester | 2 Student Grades Management System, Student Grades Management System | 2025-10-09 | 2.4 Low |
| A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected is the function add_user of the file /admin.php of the component Manage Users Page. This manipulation of the argument first_name/last_name causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-51462 | 1 Infiniflow | 1 Ragflow | 2025-10-09 | 6.1 Medium |
| Stored Cross-site Scripting (XSS) vulnerability in api.apps.dialog_app.set_dialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw. | ||||
| CVE-2025-61788 | 2 Apereo, Opencast | 2 Opencast, Opencast | 2025-10-09 | 5.4 Medium |
| Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 17.8 and 18.2, the paella would include and render some user inputs (metadata like title, description, etc.) unfiltered and unmodified. The vulnerability allows attackers to inject and malicious HTML and JavaScript in the player, which would then be executed in the browsers of users watching the prepared media. This can then be used to modify the site or to execute actions in the name of logged-in users. To inject malicious metadata, an attacker needs write access to the system. For example, the ability to upload media and modify metadata. This cannot be exploited by unauthenticated users. This issue is fixed in Opencast 17.8 and 18.2. | ||||
| CVE-2025-2979 | 1 Wcms | 1 Wcms | 2025-10-09 | 2.4 Low |
| A vulnerability classified as problematic has been found in WCMS 11. This affects an unknown part of the file /index.php?anonymous/setregister of the component Registration. The manipulation of the argument Username leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-3251 | 1 Xujiangfei | 1 Admintwo | 2025-10-09 | 3.5 Low |
| A vulnerability, which was classified as problematic, was found in xujiangfei admintwo 1.0. This affects an unknown part of the file /user/updateSet. The manipulation of the argument motto leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2023-36016 | 1 Microsoft | 1 Dynamics 365 | 2025-10-09 | 6.2 Medium |
| Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | ||||
| CVE-2023-36031 | 1 Microsoft | 1 Dynamics 365 | 2025-10-08 | 7.6 High |
| Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | ||||
| CVE-2023-36030 | 1 Microsoft | 1 Dynamics 365 | 2025-10-08 | 6.1 Medium |
| Microsoft Dynamics 365 Sales Spoofing Vulnerability | ||||
| CVE-2023-36007 | 1 Microsoft | 1 Send Customer Voice Survey From Dynamics 365 | 2025-10-08 | 7.6 High |
| Microsoft Send Customer Voice survey from Dynamics 365 Spoofing Vulnerability | ||||
| CVE-2023-36410 | 1 Microsoft | 1 Dynamics 365 | 2025-10-08 | 7.6 High |
| Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | ||||
| CVE-2025-40991 | 1 Creativeitem | 2 Ekushey Crm, Ekushey Project Manager Crm | 2025-10-08 | 5.4 Medium |
| Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to lack of proper validation of user inputs via the "/ekushey/index.php/client/project_file/upload/xxxx", affecting to "description" parameter via POST. This vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her cookie session details. | ||||
| CVE-2025-40990 | 1 Creativeitem | 2 Ekushey Crm, Ekushey Project Manager Crm | 2025-10-08 | 5.4 Medium |
| Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to lack of proper validation of user inputs via the "/ekushey/index.php/client/project_bug/create/xxx", affecting to "title" and "description" parameters via POST. This vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her cookie session details. | ||||
| CVE-2025-40989 | 1 Creativeitem | 2 Ekushey Crm, Ekushey Project Manager Crm | 2025-10-08 | 5.4 Medium |
| Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to lack of proper validation of user inputs via the "/ekushey/index.php/client/project_message/add/xxx", affecting to "message" parameter via POST. This vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her cookie session details. | ||||
| CVE-2025-30196 | 1 Jenkins | 1 Anchorchain | 2025-10-08 | 6.5 Medium |
| Jenkins AnchorChain Plugin 1.0 does not limit URL schemes for links it creates based on workspace content, allowing the `javascript:` scheme, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control the input file for the Anchor Chain post-build step. | ||||
| CVE-2025-20368 | 1 Splunk | 3 Splunk, Splunk Cloud Platform, Splunk Enterprise | 2025-10-08 | 5.7 Medium |
| In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through the error messages and job inspection details of a saved search. This could result in execution of unauthorized JavaScript code in the browser of a user. | ||||
| CVE-2025-20367 | 1 Splunk | 3 Splunk, Splunk Cloud Platform, Splunk Enterprise | 2025-10-08 | 5.7 Medium |
| In Splunk Enterprise versions below 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious payload through the `dataset.command` parameter of the `/app/search/table` endpoint, which could result in execution of unauthorized JavaScript code in the browser of a user. | ||||