U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): xss
  • Search Type: Search All
There are 11,679 matching records.
Displaying matches 201 through 220.
Vuln ID Summary CVSS Severity
CVE-2025-39502

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GoodLayers Goodlayers Hostel allows Reflected XSS. This issue affects Goodlayers Hostel: from n/a through 3.1.2.

Published: May 23, 2025; 9:15:31 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2025-32285

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ApusTheme Butcher allows Reflected XSS. This issue affects Butcher: from n/a through 2.40.

Published: May 23, 2025; 9:15:29 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2025-31636

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SaurabhSharma WP Post Modules for Elementor allows Reflected XSS. This issue affects WP Post Modules for Elementor: from n/a through 2.5.0.

Published: May 23, 2025; 9:15:27 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2025-3894

Text editor embedded into MegaBIP software does not neutralize user input allowing Stored XSS attacks on other users. In order to use the editor high privileges are required.   Version 5.20 of MegaBIP fixes this issue.

Published: May 23, 2025; 7:15:32 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2025-48369

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a persistent Cross-Site Scripting (XSS) vulnerability exists in Groupoffice's tasks comment functionality, allowing attackers to execute arbitrary JavaScript by uploading an file with a crafted filename. When administrators or other users view the task containing this malicious file, the payload executes in their browser context. The application fails to sanitize image filenames before rendering them in the comment. By uploading an image with a crafted filename containing XSS payloads, attackers can steal sensitive information. Versions 6.8.119 and 25.0.20 contain a fix for the issue.

Published: May 22, 2025; 2:15:43 PM -0400
V4.0:(not available)
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2025-48366

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a stored and blind XSS vulnerability exists in the Phone Number field of the user profile within the GroupOffice application. This allows a malicious actor to inject persistent JavaScript payloads, which are triggered in the context of another user when they view the Address Book. Successful exploitation enables actions such as forced redirects, unauthorized fetch requests, or other arbitrary JavaScript execution without user interaction. Versions 6.8.119 and 25.0.20 contain a fix for the issue.

Published: May 22, 2025; 2:15:43 PM -0400
V4.0:(not available)
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2025-4123

A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.

Published: May 22, 2025; 4:15:52 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2025-45755

A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improperly sanitizes user input, leading to persistent script execution.

Published: May 21, 2025; 4:15:32 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2025-2261

Stored XSS in TIBCO ActiveMatrix Administrator allows malicious data to appear to be part of the website and run within user's browser under the privileges of the web application.

Published: May 21, 2025; 3:16:08 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2025-45754

A stored cross-site scripting (XSS) vulnerability exists in SeedDMS 6.0.32. This vulnerability allows an attacker to inject malicious JavaScript payloads by creating a document with an XSS payload as the document name.

Published: May 21, 2025; 1:15:58 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2025-48206

The ns_backup extension through 13.0.0 for TYPO3 allows XSS.

Published: May 21, 2025; 12:15:33 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2025-48203

The cs_seo extension through 9.2.0 for TYPO3 allows XSS.

Published: May 21, 2025; 12:15:32 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2025-47853

In JetBrains TeamCity before 2025.03.2 stored XSS via Jira integration was possible

Published: May 20, 2025; 2:15:47 PM -0400
V4.0:(not available)
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2025-47852

In JetBrains TeamCity before 2025.03.2 stored XSS via YouTrack integration was possible

Published: May 20, 2025; 2:15:47 PM -0400
V4.0:(not available)
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2025-47851

In JetBrains TeamCity before 2025.03.2 stored XSS via GitHub Checks Webhook was possible

Published: May 20, 2025; 2:15:47 PM -0400
V4.0:(not available)
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2025-47946

Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering `{{ attributes }}` or using any method that returns a `ComponentAttributes` instance (e.g. `only()`, `defaults()`, `without()`) ouputs attribute values directly without escaping. If these values are unsafe (e.g. contain user input), this can lead to HTML attribute injection and XSS vulnerabilities. The issue is fixed in version `2.25.1` of `symfony/ux-twig-component` Those who use `symfony/ux-live-component` must also update it to `2.25.1` to benefit from the fix, as it reuses the `ComponentAttributes` class internally. As a workaround, avoid rendering `{{ attributes }}` or derived objects directly if it may contain untrusted values. Instead, use `{{ attributes.render('name') }}` for safe output of individual attributes.

Published: May 19, 2025; 4:15:26 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2025-39393

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mojoomla Hospital Management System allows Reflected XSS.This issue affects Hospital Management System: from n/a through 47.0 (20-11-2023).

Published: May 19, 2025; 4:15:25 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2025-39392

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mojoomla WPAMS allows Reflected XSS.This issue affects WPAMS: from n/a through 44.0 (17-08-2023).

Published: May 19, 2025; 4:15:24 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2025-39372

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in elbisnero WordPress Events Calendar Registration & Tickets allows Reflected XSS.This issue affects WordPress Events Calendar Registration & Tickets: from n/a through 2.6.0.

Published: May 19, 2025; 4:15:24 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2025-39365

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rocket Apps wProject allows Reflected XSS.This issue affects wProject: from n/a before 5.8.0.

Published: May 19, 2025; 4:15:23 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)