Total
38425 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-47783 | 1 Humansignal | 1 Label Studio | 2025-08-22 | 6.1 Medium |
| Label Studio is a multi-type data labeling and annotation tool. A vulnerability in versions prior to 1.18.0 allows an attacker to inject a malicious script into the context of a web page, which can lead to data theft, session hijacking, unauthorized actions on behalf of the user, and other attacks. The vulnerability is reproducible when sending a properly formatted request to the `POST /projects/upload-example/` endpoint. In the source code, the vulnerability is located at `label_studio/projects/views.py`. Version 1.18.0 contains a patch for the issue. | ||||
| CVE-2025-49575 | 2 Starcitizen.tools, Starcitizentools | 2 Citizen, Mediawiki-skins-citizen | 2025-08-22 | 6.5 Medium |
| Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1. | ||||
| CVE-2025-49576 | 2 Starcitizen.tools, Starcitizentools | 2 Citizen, Mediawiki-skins-citizen | 2025-08-22 | 6.5 Medium |
| Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The citizen-search-noresults-title and citizen-search-noresults-desc system messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerability is fixed in 3.3.1. | ||||
| CVE-2025-49577 | 2 Starcitizen.tools, Starcitizentools | 2 Citizen, Mediawiki-skins-citizen | 2025-08-22 | 6.5 Medium |
| Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerability is fixed in 3.3.1. | ||||
| CVE-2025-49578 | 2 Starcitizen.tools, Starcitizentools | 2 Citizen, Mediawiki-skins-citizen | 2025-08-22 | 6.5 Medium |
| Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various date messages returned by `Language::userDate` are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1. | ||||
| CVE-2025-49579 | 3 Mediawiki, Starcitizen.tools, Starcitizentools | 3 Mediawiki, Citizen, Mediawiki-skins-citizen | 2025-08-22 | 6.5 Medium |
| Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1. | ||||
| CVE-2025-8607 | 2 Funnelkit, Wordpress | 2 Slingblocks, Wordpress | 2025-08-22 | 6.4 Medium |
| The SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown block's attributes in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-53504 | 1 Intermesh | 1 Group-office | 2025-08-22 | N/A |
| Group-Office versions prior to 6.8.119 and prior to 25.0.20 provided by Intermesh BV contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser. | ||||
| CVE-2025-8064 | 1 Wordpress | 1 Wordpress | 2025-08-22 | 6.4 Medium |
| The Bible SuperSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘selector_height’ parameter in all versions up to, and including, 6.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-9235 | 1 Scada-lts | 1 Scada-lts | 2025-08-22 | 3.5 Low |
| A flaw has been found in Scada-LTS up to 2.7.8.1. The impacted element is an unknown function of the file compound_events.shtm. This manipulation of the argument Name causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. | ||||
| CVE-2025-9233 | 1 Scada-lts | 1 Scada-lts | 2025-08-22 | 3.5 Low |
| A security vulnerability has been detected in Scada-LTS up to 2.7.8.1. Impacted is an unknown function of the file view_edit.shtm. The manipulation of the argument Name leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2025-9234 | 1 Scada-lts | 1 Scada-lts | 2025-08-22 | 3.5 Low |
| A vulnerability was detected in Scada-LTS up to 2.7.8.1. The affected element is an unknown function of the file maintenance_events.shtm. The manipulation of the argument Alias results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. | ||||
| CVE-2025-43757 | 1 Liferay | 2 Dxp, Portal | 2025-08-22 | N/A |
| A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_definition parameter. | ||||
| CVE-2025-51990 | 1 Xwiki | 1 Xwiki | 2025-08-22 | 4.8 Medium |
| XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities in the Administration interface, specifically under the Presentation section of the Global Preferences panel. An authenticated administrator can inject arbitrary JavaScript payloads into the HTTP Meta Info, Footer Copyright, and Footer Version fields. These inputs are stored and subsequently rendered without proper output encoding or sanitization on public-facing pages. As a result, the injected scripts are persistently executed in the browser context of any visitor to the affected instances including both authenticated and unauthenticated users. No user interaction is required beyond visiting a page that includes the malicious content. Successful exploitation can lead to session hijacking, credential theft, unauthorized actions via session riding, or further compromise of the application through client-side attacks. The vulnerability introduces significant risk in any deployment, especially in shared or internet-facing environments where administrator credentials may be compromised. | ||||
| CVE-2025-51991 | 1 Xwiki | 1 Xwiki | 2025-08-22 | 8.8 High |
| XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, which may expose internal server information or, in specific configurations, lead to further exploitation such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields. | ||||
| CVE-2025-36042 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2025-08-22 | 5.4 Medium |
| IBM QRadar SIEM 7.5 through 7.5.0 Dashboard is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2025-49557 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-08-22 | 8.7 High |
| Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be exploited by a low-privileged attacker to inject malicious scripts into vulnerable form fields. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed. | ||||
| CVE-2024-13202 | 1 Wander-chu | 1 Springboot-blog | 2025-08-22 | 2.4 Low |
| A vulnerability was found in wander-chu SpringBoot-Blog 1.0 and classified as problematic. This issue affects the function modifiyArticle of the file src/main/java/com/my/blog/website/controller/admin/PageController.java of the component Blog Article Handler. The manipulation of the argument content leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-45061 | 1 Observium | 1 Observium | 2025-08-22 | 8.7 High |
| A cross-site scripting (xss) vulnerability exists in the weather map editor functionality of Observium CE 24.4.13528. A specially crafted HTTP request can lead to a arbitrary javascript code execution. An authenticated user would need to click a malicious link provided by the attacker. | ||||
| CVE-2024-47002 | 1 Observium | 1 Observium | 2025-08-22 | 8.7 High |
| A html code injection vulnerability exists in the vlan management part of Observium CE 24.4.13528. A specially crafted HTTP request can lead to an arbitrary html code. An authenticated user would need to click a malicious link provided by the attacker. | ||||