Explore CVEs related to XSS vulnerabilities, filtered by published year. This list is sorted by most recent disclosures first and supports filtering by CVSS and EPSS risk scores.
Includes the most recent vulnerability disclosures and trends, helping security teams quickly identify high-risk issues and exploitation likelihood.
You're viewing XSS CVEs published in 2025. View full CVE list
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2025-67711 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | 6.1 | 0.20% | 2025-12-31 | 2026-06-17 |
| CVE-2025-67710 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | 6.1 | 0.20% | 2025-12-31 | 2026-06-17 |
| CVE-2025-67709 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | 6.1 | 0.20% | 2025-12-31 | 2026-06-17 |
| CVE-2025-67708 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | 6.1 | 0.20% | 2025-12-31 | 2026-06-17 |
| CVE-2025-67705 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | 6.1 | 0.19% | 2025-12-31 | 2026-06-17 |
| CVE-2025-67704 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | 6.1 | 0.20% | 2025-12-31 | 2026-06-17 |
| CVE-2025-67703 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | 6.1 | 0.19% | 2025-12-31 | 2026-06-17 |
| CVE-2025-53235 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osuthorpe Easy Social easy-social-media allows Reflected XSS.This issue affects Easy Social: from n/a through <= 1.3. | 7.1 | 0.19% | 2025-12-31 | 2026-06-17 |
| CVE-2025-52739 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Sala allows Reflected XSS.This issue affects Sala: from n/a through 1.1.3. | 7.1 | 0.15% | 2025-12-31 | 2026-06-17 |
| CVE-2025-50053 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nebelhorn Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App yournewsapp allows Reflected XSS.This issue affects Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App: from n/a through <= 0.8.8.8. | 7.1 | 0.15% | 2025-12-31 | 2026-06-17 |
| CVE-2025-47566 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomSounds allows Reflected XSS.This issue affects ZoomSounds: from n/a through 6.91. | 7.1 | 0.15% | 2025-12-31 | 2026-06-17 |
| CVE-2025-23757 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proloy Chakroborty ZD Scribd iPaper zd-scribd-ipaper allows Reflected XSS.This issue affects ZD Scribd iPaper: from n/a through <= 1.0. | 7.1 | 0.08% | 2025-12-31 | 2026-06-17 |
| CVE-2025-23719 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zckevin ZhinaTwitterWidget zhina-twitter-widget allows Reflected XSS.This issue affects ZhinaTwitterWidget: from n/a through <= 1.0. | 7.1 | 0.08% | 2025-12-31 | 2026-06-17 |
| CVE-2025-23707 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matamko En Masse en-masse-wp allows Reflected XSS.This issue affects En Masse: from n/a through <= 1.0. | 7.1 | 0.08% | 2025-12-31 | 2026-06-17 |
| CVE-2025-23705 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Terry Zielke Zielke Design Project Gallery zielke-design-project-gallery allows Reflected XSS.This issue affects Zielke Design Project Gallery: from n/a through <= 2.5.0. | 7.1 | 0.08% | 2025-12-31 | 2026-06-17 |
| CVE-2025-23667 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Christopher Churchill custom-post-edit front-end-post-edit allows Reflected XSS.This issue affects custom-post-edit: from n/a through <= 1.0.4. | 7.1 | 0.08% | 2025-12-31 | 2026-06-17 |
| CVE-2021-47743 | COMMAX Biometric Access Control System 1.0.0 contains an unauthenticated reflected cross-site scripting vulnerability in cookie parameters 'CMX_ADMIN_NM' and 'CMX_COMPLEX_NM'. Attackers can inject malicious HTML and JavaScript code into these cookie values to execute arbitrary scripts in a victim's browser session. | 5.1 | 0.24% | 2025-12-31 | 2026-06-17 |
| CVE-2021-47725 | STVS ProVision 5.9.10 contains a cross-site scripting vulnerability in the 'files' POST parameter that allows authenticated attackers to inject arbitrary HTML code. Attackers can exploit the unvalidated input to execute malicious scripts within a user's browser session in the context of the affected site. | 4.8 | 0.18% | 2025-12-31 | 2026-06-17 |
| CVE-2025-62989 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gora Tech Cooked cooked allows Stored XSS.This issue affects Cooked: from n/a through <= 1.11.3. | 5.9 | 0.14% | 2025-12-31 | 2026-06-17 |
| CVE-2025-59135 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eleopard Behance Portfolio Manager portfolio-manager-powered-by-behance allows Stored XSS.This issue affects Behance Portfolio Manager: from n/a through <= 1.7.5. | 5.9 | 0.14% | 2025-12-31 | 2026-06-17 |