Stored cross-site scripting (XSS) in the RabbitMQ Management Plugin web UI allows a high-privileged authenticated attacker to inject malicious script content that executes in the browser of another administrative user viewing the affected page. Affected deployments span RabbitMQ Server 3.7.0 through 4.0.12 and 4.1.0-alpha through 4.1.1. No public exploit code or active exploitation has been identified at time of analysis; however, successful exploitation can result in high confidentiality impact, consistent with session token theft or credential harvesting within the management console.
The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service" and a site must have added a YouTube service as configuration.
Stored/reflected cross-site scripting in the md-fileserver npm package (versions prior to 1.10.3) allows remote unauthenticated attackers to execute arbitrary JavaScript in a viewer's browser by uploading or supplying Markdown files containing raw HTML or script tags. The vulnerability stems from markdown-it being configured with html:true and rendered output being injected into the template without sanitization or output encoding. No public exploit identified at time of analysis beyond the vendor-provided PoC, and the issue is not currently listed in CISA KEV.
Stored XSS in CtrlPanel's admin role management interface (versions 1.1.1 and prior) allows a privileged admin to inject persistent malicious HTML into role name or color fields, which executes in the browser of every admin who subsequently loads the /admin/roles page. The attack enables session hijacking, credential harvesting via fake login prompts or keyloggers, and lateral privilege escalation by performing admin actions on behalf of victim admins; the payload re-executes on every page load until the offending role record is manually deleted. No active exploitation is confirmed (not in CISA KEV), but a proof-of-concept payload is documented in the vendor advisory. Fixed in version 1.2.0.
Stored cross-site scripting (XSS) in Open WebUI's SVG renderer allows authenticated users to permanently inject malicious HTML and JavaScript code into conversation threads by editing SVG content, which executes in the browser context of any user viewing the shared thread. The vulnerability affects npm package open-webui versions prior to 0.6.31 and enables account takeover, data theft, and DOM manipulation. Publicly available proof-of-concept demonstrates code execution via img tag onerror handler embedded in SVG markup.
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the previewServlet serves files with their detected MIME type based on file extension, without any content sanitization or security headers. Files with .html, .htm, or .svg extensions are served as text/html or image/svg+xml respectively, causing any embedded JavaScript to execute in the victim's browser within the application's origin. This vulnerability is fixed in 4.08.010.
Improper neutralization of script-related HTML tags in a web page (basic XSS) in Visual Studio Code allows an unauthorized attacker to execute code locally.
Reflected XSS in MapServer 6.0 through 8.6.1 allows unauthenticated remote attackers to inject arbitrary HTML and JavaScript into the browsers of users clicking crafted WMS URLs. The vulnerability exists in the OpenLayers template when FORMAT=application/openlayers is combined with an unsanitized SRS parameter in WMS 1.3.0 requests. MapServer 8.6.2 patches this issue, and no public exploit code or active exploitation has been confirmed, though the attack requires user interaction (clicking a malicious link).
Cross-site scripting (XSS) in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers, leading to session hijacking, credential theft, and malicious actions performed under the victim's identity. The CVSS score of 8.8 (High) reflects the broad impact scope (confidentiality, integrity, and availability all rated High), though user interaction is required. TR-CERT disclosure indicates awareness within Turkish government cybersecurity circles, but no CISA KEV listing or public exploit code was identified at time of analysis, suggesting limited active exploitation outside potential targeted campaigns.
HCL DFXAnalytics relies on the obsolete X-XSS-Protection security header instead of implementing a modern Content Security Policy, allowing attackers with low privileges to potentially exploit browser-specific XSS protections or bypass intended security controls. The vulnerability requires high attack complexity and authenticated access, limiting practical exploitation but indicating security posture degradation in a production analytics platform.