Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-13167

Summary
Assigner-synology
Assigner Org ID-db201096-a0cc-46c7-9a55-61d9e221bf01
Published At-27 May, 2026 | 08:34
Updated At-27 May, 2026 | 08:34
Rejected At-
Credits

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in contact functionality in Synology Contacts before 1.0.10-20659 allows remote authenticated users to read or write specific files containing non-sensitive information via unspecified vectors.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:synology
Assigner Org ID:db201096-a0cc-46c7-9a55-61d9e221bf01
Published At:27 May, 2026 | 08:34
Updated At:27 May, 2026 | 08:34
Rejected At:
â–¼CVE Numbering Authority (CNA)

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in contact functionality in Synology Contacts before 1.0.10-20659 allows remote authenticated users to read or write specific files containing non-sensitive information via unspecified vectors.

Affected Products
Vendor
Synology, Inc.Synology
Product
Synology Contacts
Default Status
affected
Versions
Affected
  • From * before 1.0.10-20659 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Warisse Valentin (Aytio)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.synology.com/en-global/security/advisory/Synology_SA_25_13
vendor-advisory
Hyperlink: https://www.synology.com/en-global/security/advisory/Synology_SA_25_13
Resource:
vendor-advisory
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@synology.com
Published At:27 May, 2026 | 09:16
Updated At:27 May, 2026 | 09:16

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in contact functionality in Synology Contacts before 1.0.10-20659 allows remote authenticated users to read or write specific files containing non-sensitive information via unspecified vectors.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-79Primarysecurity@synology.com
CWE ID: CWE-79
Type: Primary
Source: security@synology.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.synology.com/en-global/security/advisory/Synology_SA_25_13security@synology.com
N/A
Hyperlink: https://www.synology.com/en-global/security/advisory/Synology_SA_25_13
Source: security@synology.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

10326Records found
CVE-2022-22682
Matching Score-10
Assigner-Synology Inc.
ShareView Details
Matching Score-10
Assigner-Synology Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 31.38%
||
7 Day CHG~0.00%
Published-12 Jul, 2022 | 06:20
Updated-17 Sep, 2024 | 00:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Event Management in Synology Calendar before 2.4.5-10930 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-calendarSynology Calendar
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-11828
Matching Score-10
Assigner-Synology Inc.
ShareView Details
Matching Score-10
Assigner-Synology Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.13% / 32.35%
||
7 Day CHG~0.00%
Published-30 Jun, 2019 | 15:05
Updated-17 Sep, 2024 | 03:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Chart in Synology Office before 3.1.4-2771 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-officeOffice
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-11827
Matching Score-10
Assigner-Synology Inc.
ShareView Details
Matching Score-10
Assigner-Synology Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 32.35%
||
7 Day CHG~0.00%
Published-30 Jun, 2019 | 15:05
Updated-16 Sep, 2024 | 17:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Shard in Synology Note Station before 2.5.3-0863 allows remote attackers to inject arbitrary web script or HTML via the object_id parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-note_stationNote Station
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-11825
Matching Score-10
Assigner-Synology Inc.
ShareView Details
Matching Score-10
Assigner-Synology Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 32.35%
||
7 Day CHG~0.00%
Published-30 Jun, 2019 | 15:00
Updated-16 Sep, 2024 | 20:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Event Editor in Synology Calendar before 2.3.0-0615 allows remote attackers to inject arbitrary web script or HTML via the title parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-calendarCalendar
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-43929
Matching Score-10
Assigner-Synology Inc.
ShareView Details
Matching Score-10
Assigner-Synology Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.21% / 42.85%
||
7 Day CHG~0.00%
Published-07 Feb, 2022 | 02:15
Updated-14 Jan, 2025 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in work flow management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-diskstation_managerDiskStation Manager (DSM)
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-0854
Matching Score-8
Assigner-Synology Inc.
ShareView Details
Matching Score-8
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 38.93%
||
7 Day CHG~0.00%
Published-24 Jan, 2024 | 10:08
Updated-30 May, 2025 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

URL redirection to untrusted site ('Open Redirect') vulnerability in file access component in Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.0.1-42218-7, 7.1.1-42962-7 and 7.2.1-69057-2 allows remote authenticated users to conduct phishing attacks via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-diskstation_managerDiskStation Manager (DSM)
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2024-13987
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.09% / 24.86%
||
7 Day CHG~0.00%
Published-29 Aug, 2025 | 07:20
Updated-01 Sep, 2025 | 02:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Synology RADIUS Server allows remote authenticated users with administrator privileges to read or write limited files in SRM and conduct limited denial-of-service via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-RADIUS Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-16774
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.19% / 40.15%
||
7 Day CHG~0.00%
Published-01 Apr, 2019 | 14:24
Updated-14 Jan, 2025 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-diskstation_managerDiskStation Manager (DSM)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-15888
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.24% / 47.39%
||
7 Day CHG~0.00%
Published-30 Oct, 2017 | 18:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Custom Internet Radio List in Synology Audio Station before 6.3.0-3260 allows remote authenticated attackers to inject arbitrary web script or HTML via the NAME parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-audio_stationSynology Audio Station
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-16771
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.25% / 48.33%
||
7 Day CHG~0.00%
Published-22 Mar, 2018 | 14:00
Updated-16 Sep, 2024 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Log Viewer in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote attackers to inject arbitrary web script or HTML via the username parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-photo_stationPhoto Station
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-15890
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.17% / 37.69%
||
7 Day CHG~0.00%
Published-15 Dec, 2017 | 15:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Disclaimer in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary web script or HTML via the NAME parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-mailplus_serverMailPlus Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-10466
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.9||MEDIUM
EPSS-Not Assigned
Published-27 May, 2026 | 08:32
Updated-27 May, 2026 | 09:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Safe Access in Synology Safe Access before 1.3.1-0329 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information or conduct limited denial-of-service in SRM.

Action-Not Available
Vendor-Synology, Inc.
Product-Safe Access
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-16767
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.19% / 40.15%
||
7 Day CHG~0.00%
Published-27 Feb, 2018 | 15:00
Updated-16 Sep, 2024 | 23:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in User Profile in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to inject arbitrary web script or HTML via the userDesc parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-surveillance_stationSurveillance Station
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-12072
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.19% / 40.15%
||
7 Day CHG~0.00%
Published-20 Dec, 2017 | 18:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.8.0-3456 allows remote authenticated users to inject arbitrary web scripts or HTML via the id parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-photo_stationPhoto Station
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-53279
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.9||MEDIUM
EPSS-1.09% / 78.14%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 03:30
Updated-04 Aug, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in file station functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denial-of-service attacks by injecting arbitrary web script or HTML.

Action-Not Available
Vendor-Synology, Inc.
Product-router_managerSynology Router Manager (SRM)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-8915
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 32.35%
||
7 Day CHG~0.00%
Published-10 May, 2018 | 13:00
Updated-16 Sep, 2024 | 23:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Notification Center in Synology Calendar before 2.1.1-0502 allows remote authenticated users to inject arbitrary web script or HTML via title parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-calendarCalendar
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-8928
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 32.35%
||
7 Day CHG~0.00%
Published-05 Jul, 2018 | 13:00
Updated-17 Sep, 2024 | 02:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Address Book Editor in Synology CardDAV Server before 6.0.8-0086 allows remote authenticated users to inject arbitrary web script or HTML via the (1) family_name, (2) given_name, or (3) additional_name parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-carddav_serverCardDAV Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-8918
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.12%
||
7 Day CHG~0.00%
Published-24 Dec, 2018 | 15:00
Updated-17 Sep, 2024 | 03:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in info.cgi in Synology Router Manager (SRM) before 1.1.7-6941 allows remote attackers to inject arbitrary web script or HTML via the host parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-router_managerSynology Router Manager (SRM)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-8910
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.19% / 40.15%
||
7 Day CHG~0.00%
Published-10 May, 2018 | 13:00
Updated-17 Oct, 2024 | 13:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Attachment Preview in Synology Drive before 1.0.1-10253 allows remote authenticated users to inject arbitrary web script or HTML via malicious attachments.

Action-Not Available
Vendor-Synology, Inc.
Product-drive_serverDrive
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-8923
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.19% / 40.15%
||
7 Day CHG~0.00%
Published-05 Jun, 2018 | 14:00
Updated-16 Sep, 2024 | 22:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Attachment Preview in Synology File Station before 1.1.4-0122 allows remote authenticated users to inject arbitrary web script or HTML via malicious attachments.

Action-Not Available
Vendor-Synology, Inc.
Product-file_stationFile Station
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-8917
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.19% / 40.15%
||
7 Day CHG~0.00%
Published-24 Dec, 2018 | 15:00
Updated-14 Jan, 2025 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in info.cgi in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary web script or HTML via the host parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-diskstation_managerDiskStation Manager (DSM)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-8924
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 32.35%
||
7 Day CHG~0.00%
Published-05 Jun, 2018 | 14:00
Updated-16 Sep, 2024 | 18:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Title Tootip in Synology Office before 3.0.3-2143 allows remote authenticated users to inject arbitrary web script or HTML via the malicious file name.

Action-Not Available
Vendor-Synology, Inc.
Product-officeOffice
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-8911
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 32.35%
||
7 Day CHG~0.00%
Published-09 May, 2018 | 13:00
Updated-16 Sep, 2024 | 23:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Attachment Preview in Synology Note Station before 2.5.1-0844 allows remote authenticated users to inject arbitrary web script or HTML via malicious attachments.

Action-Not Available
Vendor-Synology, Inc.
Product-note_stationNote Station
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-8921
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 32.35%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 13:00
Updated-17 Oct, 2024 | 13:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in File Sharing Notify Toast in Synology Drive before 1.0.2-10275 allows remote authenticated users to inject arbitrary web script or HTML via the malicious file name.

Action-Not Available
Vendor-Synology, Inc.
Product-drive_serverDrive
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-8912
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 32.35%
||
7 Day CHG~0.00%
Published-09 May, 2018 | 13:00
Updated-17 Sep, 2024 | 02:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Note in Synology Note Station before 2.5.1-0844 allows remote authenticated users to inject arbitrary web script or HTML via the commit_msg parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-note_stationNote Station
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-13293
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.12% / 30.72%
||
7 Day CHG~0.00%
Published-01 Apr, 2019 | 14:28
Updated-14 Jan, 2025 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Control Panel SSO Settings in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to inject arbitrary web script or HTML via the URL parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-diskstation_managerDiskStation Manager (DSM)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-9555
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.19% / 40.15%
||
7 Day CHG~0.00%
Published-24 Aug, 2017 | 19:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.0-3414 allows remote attackers to inject arbitrary web script or HTML via the image parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-photo_stationSynology Photo Station
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-9556
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.19% / 40.15%
||
7 Day CHG~0.00%
Published-11 Aug, 2017 | 20:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Video Metadata Editor in Synology Video Station before 2.3.0-1435 allows remote authenticated attackers to inject arbitrary web script or HTML via the title parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-video_stationSynology Video Station
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-53281
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.69% / 72.02%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 03:30
Updated-04 Aug, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Network WOL functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users to read or write specific files containing non-sensitive information and conduct limited denial-of-service attacks by injecting arbitrary web script or HTML.

Action-Not Available
Vendor-Synology, Inc.
Product-router_managerSynology Router Manager (SRM)router_manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-53287
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.30% / 53.74%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 04:11
Updated-29 Jul, 2025 | 19:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in VPN Setting functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-router_managerSynology Router Manager (SRM)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-53285
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.69% / 72.02%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 03:38
Updated-04 Aug, 2025 | 19:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in DDNS Record functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denial-of-service attacks by injecting arbitrary web script or HTML.

Action-Not Available
Vendor-Synology, Inc.
Product-router_managerSynology Router Manager (SRM)router_manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-53288
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.30% / 53.74%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 04:11
Updated-29 Jul, 2025 | 19:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in NTP Region functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-router_managerSynology Router Manager (SRM)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-53283
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.69% / 72.02%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 03:31
Updated-04 Aug, 2025 | 19:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Router Port Forward functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denial-of-service attacks by injecting arbitrary web script or HTML.

Action-Not Available
Vendor-Synology, Inc.
Product-router_managerSynology Router Manager (SRM)router_manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-53282
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.9||MEDIUM
EPSS-1.09% / 78.14%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 03:30
Updated-04 Aug, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in WiFi Connect MAC Filter functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denial-of-service attacks by injecting arbitrary web script or HTML.

Action-Not Available
Vendor-Synology, Inc.
Product-router_managerSynology Router Manager (SRM)router_manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-53284
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.69% / 72.02%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 03:32
Updated-04 Aug, 2025 | 19:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in WiFi Connect Setting functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denial-of-service attacks by injecting arbitrary web script or HTML.

Action-Not Available
Vendor-Synology, Inc.
Product-router_managerSynology Router Manager (SRM)router_manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-53280
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.9||MEDIUM
EPSS-1.09% / 78.14%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 03:29
Updated-04 Aug, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in network center policy route functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denial-of-service attacks by injecting arbitrary web script or HTML.

Action-Not Available
Vendor-Synology, Inc.
Product-router_managerSynology Router Manager (SRM)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-9105
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 47.87%
||
7 Day CHG~0.00%
Published-30 Jun, 2017 | 13:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Synology Video Station 1.2 before 1.2-0455, 1.5 before 1.5-0772, and 1.6 before 1.6-0847 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) file name or (2) collection name of videos.

Action-Not Available
Vendor-Synology, Inc.
Product-video_stationVideo Station
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-9103
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 47.87%
||
7 Day CHG~0.00%
Published-30 Jun, 2017 | 13:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Synology Note Station 1.1-0212 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) note title or (2) file name of attachments.

Action-Not Available
Vendor-Synology, Inc.
Product-note_stationNote Station
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-9102
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.33% / 55.70%
||
7 Day CHG~0.00%
Published-30 Jun, 2017 | 13:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of photos, or (4) tag of the photos.

Action-Not Available
Vendor-Synology, Inc.
Product-photo_stationPhoto Station
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-9104
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.19% / 41.06%
||
7 Day CHG~0.00%
Published-30 Jun, 2017 | 13:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerabilities in Synology Audio Station 5.1 before 5.1-2550 and 5.4 before 5.4-2857 allows remote authenticated attackers to inject arbitrary web script or HTML via the album title.

Action-Not Available
Vendor-Synology, Inc.
Product-audio_stationAudio Station
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-27659
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-8.4||HIGH
EPSS-0.31% / 54.58%
||
7 Day CHG~0.00%
Published-30 Nov, 2020 | 09:30
Updated-17 Sep, 2024 | 04:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Synology SafeAccess before 1.2.3-0234 allow remote attackers to inject arbitrary web script or HTML via the (1) domain or (2) profile parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-safeaccessSafe Access
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-15892
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.19% / 40.15%
||
7 Day CHG~0.00%
Published-28 Dec, 2017 | 15:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Slash Command Creator in Synology Chat before 2.0.0-1124 allow remote authenticated users to inject arbitrary web script or HTML via (1) COMMAND, (2) COMMANDS INSTRUCTION, or (3) DESCRIPTION parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-chatChat
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1393
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.23% / 45.35%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:27
Updated-08 Apr, 2026 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Elementor Addon Elements <= 1.12.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Content Switcher Widget

The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'icon_align' attribute of the Content Switcher widget in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-webtechstreetwpvibes
Product-elementor_addon_elementsAddon Elements for Elementor (formerly Elementor Addon Elements)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-24870
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.43% / 62.32%
||
7 Day CHG~0.00%
Published-21 Apr, 2022 | 16:40
Updated-22 Apr, 2025 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored Cross-site Scripting in Combodo iTop

Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to 3.0.0 beta3 a malicious script can be injected in tooltips using iTop customization mechanism. This provides a stored cross site scripting attack vector to authorized users of the system. Users are advised to upgrade. There are no known workarounds for this issue.

Action-Not Available
Vendor-combodoCombodo
Product-itopiTop
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-25138
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.35% / 57.84%
||
7 Day CHG~0.00%
Published-03 Mar, 2022 | 16:56
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Axelor Open Suite v5.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Name parameter.

Action-Not Available
Vendor-axelorn/a
Product-open_suiten/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-25409
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.19% / 40.68%
||
7 Day CHG~0.00%
Published-28 Feb, 2022 | 22:55
Updated-03 Aug, 2024 | 04:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Hospital Management System v1.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the demail parameter at /admin-panel1.php.

Action-Not Available
Vendor-hospital_management_system_projectn/a
Product-hospital_management_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-25191
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-5.4||MEDIUM
EPSS-0.24% / 46.30%
||
7 Day CHG~0.00%
Published-15 Feb, 2022 | 16:11
Updated-03 Aug, 2024 | 04:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Agent Server Parameter Plugin 1.0 and earlier does not escape parameter names of agent server parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Action-Not Available
Vendor-Jenkins
Product-agent_server_parameterJenkins Agent Server Parameter Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-24563
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.38% / 59.53%
||
7 Day CHG~0.00%
Published-03 Mar, 2022 | 01:23
Updated-03 Aug, 2024 | 04:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Genixcms v1.1.11, a stored Cross-Site Scripting (XSS) vulnerability exists in /gxadmin/index.php?page=themes&view=options" via the intro_title and intro_image parameters.

Action-Not Available
Vendor-metalgenixn/a
Product-genixcmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-25185
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 42.44%
||
7 Day CHG~0.00%
Published-15 Feb, 2022 | 16:11
Updated-03 Aug, 2024 | 04:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Generic Webhook Trigger Plugin 1.81 and earlier does not escape the build cause when using the webhook, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Action-Not Available
Vendor-Jenkins
Product-generic_webhook_triggerJenkins Generic Webhook Trigger Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-25606
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 43.84%
||
7 Day CHG~0.00%
Published-25 Mar, 2022 | 18:02
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP-DownloadManager plugin <= 1.68.5 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6). Vulnerable parameters &download_path, &download_path_url, &download_page_url, &download_categories.

Action-Not Available
Vendor-wp-downloadmanager_projectLester 'GaMerZ' Chan
Product-wp-downloadmanagerWP-DownloadManager (WordPress)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 206
  • 207
  • Next
Details not found