Total
40727 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-64758 | 1 Owasp | 1 Dependency-track Frontend | 2025-11-18 | 4.8 Medium |
| @dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6. | ||||
| CVE-2025-40834 | 2 Mendix, Siemens | 2 Mendix, Mendix | 2025-11-18 | 5.7 Medium |
| A vulnerability has been identified in Mendix RichText (All versions >= V4.0.0 < V4.6.1). Affected widget does not properly neutralize the input. This could allow an attacker to execute cross-site scripting attacks. | ||||
| CVE-2022-44759 | 1 Hcltech | 1 Hcl Leap | 2025-11-17 | 4.6 Medium |
| Improper sanitization of SVG files in HCL Leap allows client-side script injection in deployed applications. | ||||
| CVE-2024-30147 | 1 Hcltech | 1 Hcl Leap | 2025-11-17 | 6.5 Medium |
| Multiple vectors in HCL Leap allow client-side script injection in the authoring environment and deployed applications. | ||||
| CVE-2024-30114 | 1 Hcltech | 1 Hcl Leap | 2025-11-17 | 3.7 Low |
| Insufficient sanitization in HCL Leap allows client-side script injection in the authoring environment. | ||||
| CVE-2024-30113 | 1 Hcltech | 1 Hcl Leap | 2025-11-17 | 6.3 Medium |
| Insufficient sanitization policy in HCL Leap allows client-side script injection in the deployed application through the HTML widget. | ||||
| CVE-2023-37534 | 1 Hcltech | 1 Hcl Leap | 2025-11-17 | 7.1 High |
| Insufficient URI protocol whitelist in HCL Leap allows script injection through query parameters. | ||||
| CVE-2025-34278 | 1 Nagios | 1 Network Analyzer | 2025-11-17 | 5.4 Medium |
| Nagios Network Analyzer versions prior to 2024R1 contain a stored cross-site scripting (XSS) vulnerability in the Source Groups page (percentile calculator menu). An attacker can supply a malicious payload which is stored by the application and later rendered in the context of other users. When a victim views the affected page the injected script executes in the victim's browser context. | ||||
| CVE-2023-7323 | 1 Nagios | 1 Log Server | 2025-11-17 | 5.4 Medium |
| Nagios Log Server versions prior to 2024R1 are vulnerable to cross-site scripting (XSS) via the Create User function. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2023-7321 | 1 Nagios | 1 Log Server | 2025-11-17 | 5.4 Medium |
| Nagios Log Server versions prior to 2.1.14 are vulnerable to cross-site scripting (XSS) via the Snapshots Page. Untrusted log content was not safely encoded for the output context, allowing attacker-controlled data present in logs to execute script in the victim’s browser within the application origin. | ||||
| CVE-2023-7319 | 1 Nagios | 1 Network Analyzer | 2025-11-17 | 5.4 Medium |
| Nagios Network Analyzer versions prior to 2024R1 are vulnerable to cross-site scripting (XSS) via the Percentile Calculator menu. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2023-7312 | 1 Nagios | 1 Fusion | 2025-11-17 | 4.8 Medium |
| Nagios Fusion versions prior to 4.2.0 contain a stored cross-site scripting (XSS) vulnerability when adding or configuring Email Settings. Unsanitized user input can be stored and later rendered in the administrative UI, causing JavaScript to execute in the browser of any user who views the affected page. An attacker who can add or modify SMTP/email settings or manipulate the sendmail configuration fields could persist a malicious payload that executes in the context of other users' browsers. | ||||
| CVE-2023-53690 | 1 Nagios | 1 Fusion | 2025-11-17 | 4.8 Medium |
| Nagios Fusion versions prior to 4.2.0 contain a stored cross-site scripting (XSS) vulnerability in the LDAP/AD authentication-server configuration. Unsanitized user input can be stored and later rendered in the administrative UI, causing JavaScript to execute in the browser of any user who views the affected page. An attacker who can add authentication servers via LDAP/AD integration could persist a malicious payload that executes in the context of other users' browsers. | ||||
| CVE-2023-53689 | 1 Nagios | 1 Fusion | 2025-11-17 | 4.8 Medium |
| Nagios Fusion versions prior to 4.2.0 contain a reflected cross-site scripting (XSS) vulnerability in the license key configuration flow that can result in execution of attacker-controlled script in the browser of a user who follows a crafted URL. While the application server itself is not directly corrupted by the reflected XSS, the resulting browser compromise can lead to credential/session theft and unauthorized administrative actions. | ||||
| CVE-2020-36858 | 1 Nagios | 1 Log Server | 2025-11-17 | 5.4 Medium |
| Nagios Log Server versions prior to 2.1.6 contain cross-site scripting (XSS) vulnerabilities via the web interface on the Create User, Edit User, and Manage Host Lists pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2018-25119 | 1 Nagios | 1 Fusion | 2025-11-17 | 6.1 Medium |
| Nagios Fusion versions prior to 4.1.5 are vulnerable to cross-site scripting (XSS) via the "fusionwindow" parameter. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2017-20209 | 1 Nagios | 1 Fusion | 2025-11-17 | 6.1 Medium |
| Nagios Fusion versions prior to 4.0.1 are vulnerable to cross-site scripting (XSS) via the Users and Servers pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2016-15049 | 1 Nagios | 1 Log Server | 2025-11-17 | 5.4 Medium |
| Nagios Log Server versions prior to 1.4.2 are vulnerable to cross-site scripting (XSS) in the Dashboards section when rendering log entries in the Logs table. Untrusted log content was not safely encoded for the output context, allowing attacker-controlled data present in logs to execute script in the victim’s browser within the application origin. | ||||
| CVE-2025-10018 | 1 Opensolution | 1 Quick.cms | 2025-11-17 | 4.8 Medium |
| QuickCMS is vulnerable to multiple Stored XSS in language editor functionality (languages). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript into the website. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | ||||
| CVE-2025-64381 | 2 Wordpress, Wpdevelop | 2 Wordpress, Booking Calendar | 2025-11-17 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevelop Booking Calendar booking allows Stored XSS.This issue affects Booking Calendar: from n/a through <= 10.14.7. | ||||