Total: 40725 CVE

| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-54272 | 1 Adobe | 1 Experience Manager | 2025-11-19 | 5.4 Medium |
| Adobe Experience Manager versions 11.6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must open a malicious link. Scope is changed. | ||||
| CVE-2025-61796 | 1 Adobe | 1 Experience Manager | 2025-11-19 | 5.4 Medium |
| Adobe Experience Manager versions 11.6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must open a malicious link. Scope is changed. | ||||
| CVE-2025-61797 | 1 Adobe | 1 Experience Manager | 2025-11-19 | 5.4 Medium |
| Adobe Experience Manager versions 11.6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must open a malicious link. Scope is changed. | ||||
| CVE-2025-64747 | 2 Directus, Monospace | 2 Directus, Directus | 2025-11-19 | 5.5 Medium |
| Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. Version 11.13.0 fixes the issue. | ||||
| CVE-2025-59571 | 2 Purethemes, Wordpress | 2 Workscout Core, Wordpress | 2025-11-19 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout-Core workscout-core allows Reflected XSS. This issue affects WorkScout-Core: from n/a through < 1.7.06. | ||||
| CVE-2025-62982 | 2 Sarah Giles, Wordpress | 2 Dynamic User Directory, Wordpress | 2025-11-19 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sarah Giles Dynamic User Directory dynamic-user-directory allows Stored XSS. This issue affects Dynamic User Directory: from n/a through <= 2.3. | ||||
| CVE-2025-62984 | 2 Wordpress, Wpeka | 2 Wordpress, Wp Adcenter | 2025-11-19 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPeka WP AdCenter wpadcenter allows Stored XSS. This issue affects WP AdCenter: from n/a through <= 2.6.1. | ||||
| CVE-2025-64194 | 2 Thimpress, Wordpress | 2 Eduma, Wordpress | 2025-11-19 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress Eduma eduma allows Stored XSS. This issue affects Eduma: from n/a through <= 5.7.6. | ||||
| CVE-2025-63830 | 2 Ckeditor, Cksource | 2 Ckfinder, Ckfinder | 2025-11-19 | 6.1 Medium |
| CKFinder 1.4.3 is vulnerable to Cross Site Scripting (XSS) in the File Upload function. An attacker can upload a crafted SVG containing active content. | ||||
| CVE-2025-13202 | 2 Code-projects, Fabian | 2 Simple Cafe Ordering System, Simple Cafe Ordering System | 2025-11-19 | 3.5 Low |
| A security flaw has been discovered in code-projects Simple Cafe Ordering System 1.0. This affects an unknown part of the file /add_to_cart. Performing manipulation of the argument product_name results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. | ||||
| CVE-2025-13244 | 2 Code-projects, Fabian | 2 Student Information System, Student Information System | 2025-11-19 | 4.3 Medium |
| A vulnerability was determined in code-projects Student Information System 2.0. The affected element is an unknown function of the file /register.php. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-13245 | 2 Code-projects, Fabian | 2 Student Information System, Student Information System | 2025-11-19 | 3.5 Low |
| A vulnerability was identified in code-projects Student Information System 2.0. The impacted element is an unknown function of the file /editprofile.php. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | ||||
| CVE-2025-64046 | 1 Openrapid | 1 Rapidcms | 2025-11-19 | 6.1 Medium |
| OpenRapid RapidCMS 1.3.1 is vulnerable to Cross Site Scripting (XSS) in /system/update-run.php. | ||||
| CVE-2024-44647 | 1 Phpgurukul | 1 Small Crm | 2025-11-19 | 6.1 Medium |
| PHPGurukul Small CRM 3.0 is vulnerable to Cross Site Scripting (XSS) via the aremark parameter in manage-tickets.php. | ||||
| CVE-2024-46334 | 1 Kashipara | 1 School Management System | 2025-11-19 | 6.1 Medium |
| kashipara School Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the formuser and formpassword parameters in /adminLogin.php. | ||||
| CVE-2024-46336 | 1 Kashipara | 1 School Management System | 2025-11-19 | 6.1 Medium |
| kashipara School Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via /client_user/feedback.php. | ||||
| CVE-2024-46335 | 1 Phpgurukul | 1 Complaint Management System | 2025-11-19 | 4.6 Medium |
| PHPGurukul Complaint Management System 2.0 is vulnerable to Cross Site Scripting (XSS) via the fromdate and todate parameters in between-date-userreport.php. | ||||
| CVE-2025-12457 | 2 Ideastocode, Wordpress | 2 Enable Svg, Webp & Ico Upload, Wordpress | 2025-11-19 | 6.4 Medium |
| The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2025-13196 | 2 Bdthemes, Wordpress | 3 Element Pack, Element Pack Elementor Addons, Wordpress | 2025-11-19 | 5.4 Medium |
| The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Open Street Map widget's marker content parameter in all versions up to, and including, 8.3.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the render function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12079 | 2 F1logic, Wordpress | 2 Wp Twitter Auto Publish, Wordpress | 2025-11-19 | 6.1 Medium |
| The WP Twitter Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||