Latest CVE Feed
-
6.1
MEDIUMCVE-2025-63949
A Reflected Cross-Site Scripting (XSS) vulnerability in yohanawi Hotel Management System (commit 87e004a) allows a remote attacker to execute arbitrary web script via the 'error' parameter in pages/room.php.... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-64225
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in colabrio Stockie Extra stockie-extra allows Code Injection.This issue affects Stockie Extra: from n/a through <= 1.2.11.... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-13513
The Clik stats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.8 due to insufficient input sanitization and output escaping. This makes it possible for u... Read more
Affected Products :- Published: Dec. 04, 2025
- Modified: Dec. 04, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-13007
The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping on externall... Read more
Affected Products :- Published: Dec. 02, 2025
- Modified: Dec. 02, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-67986
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows DOM-Based XSS.This issue affects Document Library Lite: from n/a through <= 1.1.7.... Read more
Affected Products :- Published: Dec. 16, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-65120
Reflected cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1. If a user accesses a crafted page or URL, an arbitrary script may be execu... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-11222
Central Dogma versions before 0.78.0 contain an Open Redirect vulnerability that allows attackers to redirect users to untrusted sites via specially crafted URLs, potentially facilitating phishing attacks and credential theft.... Read more
Affected Products : central_dogma- Published: Dec. 04, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Misconfiguration
-
6.1
MEDIUMCVE-2025-13988
The 评论小秘书 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3.2. This is due to insufficient input sanitization and output escaping on the `$_SERVER['PHP_SE... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-14049
The VikRentItems Flexible Rental Management System plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'delto' parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This ... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-34440
AVideo versions prior to 20.1 contain an open redirect vulnerability caused by insufficient validation of the siteRedirectUri parameter during user registration. Attackers can redirect users to external sites, facilitating phishing attacks.... Read more
Affected Products : avideo- Published: Dec. 17, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Information Disclosure
-
6.1
MEDIUMCVE-2023-36337
A reflected cross-site scripting (XSS) vulnerability in the component /index.php/cuzh4 of PHP Inventory Management System 1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.... Read more
Affected Products :- Published: Dec. 15, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-67724
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it c... Read more
Affected Products : tornado- Published: Dec. 12, 2025
- Modified: Dec. 22, 2025
- Vuln Type: Information Disclosure
-
6.1
MEDIUMCVE-2025-14137
The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possib... Read more
Affected Products : simple_al_slider- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-68474
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the avrc_vendor_msg() function of the ESP-IDF BlueDroid AVRCP stack, the allocated buffer size was validated using AVRC... Read more
Affected Products : esp-idf- Published: Dec. 27, 2025
- Modified: Dec. 27, 2025
- Vuln Type: Memory Corruption
-
6.1
MEDIUMCVE-2025-67349
A cross-site scripting (XSS) vulnerability was identified in FluentCMS 1.2.3. After logging in as an admin and navigating to the "Add Page" function, the application fails to properly sanitize input in the <head> section, allowing remote attackers to inje... Read more
Affected Products :- Published: Dec. 26, 2025
- Modified: Dec. 26, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-66459
Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, a XSS vulnerability can be triggered when a user submits a list of URLs to capture, one of them contains a HT... Read more
Affected Products : lookyloo- Published: Dec. 02, 2025
- Modified: Dec. 05, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-63737
Cross-site scripting (XSS) vulnerability in function urltestAction in file cliAction.php in Xinhu Rainrock RockOA 2.7.0 allows remote attackers to inject arbitrary web script or HTML via the m parameter to the task.php endpoint.... Read more
Affected Products : rockoa- Published: Dec. 09, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-14125
The Complag plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for una... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-41080
A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim's browser by storing malicious payloads with POST parámetro 'p' in '/api/v2.1/repos/{repo_i... Read more
Affected Products : seafile- Published: Dec. 04, 2025
- Modified: Dec. 05, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-12076
The Social Media Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage parameter in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping. This makes it possible for... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Cross-Site Scripting