Skip to main content

CWE-83

Improper Neutralization of Script in Attributes in a Web Page

17 CVEs Avg CVSS 5.7 MITRE
1
CRITICAL
2
HIGH
12
MEDIUM
2
LOW
2
POC
0
KEV

Monthly

CVE-2026-49276 PHP HIGH PATCH GHSA This Week

Cross-site scripting in Kirby CMS's Panel writer field (versions <= 4.9.3 and 5.0.0-alpha.1 through 5.4.3) lets an authenticated user inject a JavaScript-scheme URL into the link or email marks that executes in their own browser session when clicked before the content is saved. In Kirby's default configuration this is limited to self-XSS requiring social engineering, but Panel plugins that embed the <k-writer> component without sanitizing HTML before storage can be escalated to stored XSS affecting other users. There is no public exploit and it is not in CISA KEV; the vendor rates it high severity for affected sites.

XSS
NVD GitHub
CVSS 4.0
7.4
EPSS
0.3%
CVE-2026-48591 MEDIUM This Month

Stored cross-site scripting in earmark (the Elixir Markdown-to-HTML library by pragdave) allows any attacker who can submit markdown content to inject arbitrary JavaScript that executes in the browsers of users who view the rendered output. The root cause is a code path in `_make_att1/2` (`lib/earmark/transform.ex`) that splices HTML attribute values verbatim without encoding double-quote characters, enabling a crafted link URL or title to break out of the `href` attribute and inject additional HTML event handlers. Critically, no patched version will be released - the library has been officially retired from Hex - making migration to a maintained alternative the only complete fix. No public exploit identified at time of analysis, though the CVE description itself contains a working proof-of-concept payload.

XSS Earmark
NVD VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-53841 npm LOW PATCH GHSA Monitor

Stored cross-site scripting in OpenClaw's session HTML export feature allows unsafe javascript: and data: URI schemes to survive into generated output files. All OpenClaw versions before 2026.5.12 are affected; exploitation requires a trusted operator to open an exported session HTML file and actively click a crafted link, at which point arbitrary JavaScript executes in their browser context. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 score of 2.1 reflects the narrow attack prerequisites and limited subsequent-system impact.

XSS Openclaw
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-8245 PHP MEDIUM PATCH This Month

Reflected XSS in Concrete CMS 9.5.0 and below allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in the browser of an authenticated admin or report viewer who clicks a crafted URL targeting the legacy form reports dashboard. The vulnerable component, Concrete\Core\Legacy\Pagination, raw-interpolates a user-controlled URL value directly into an HTML href attribute, enabling attribute injection per CWE-83. With a CVSS 4.0 score of 6.0 and high confidentiality impact (VC:H) on the vulnerable system, successful exploitation can lead to session token theft; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS Concrete Cms
NVD
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-45669 npm MEDIUM PATCH GHSA This Month

Reflected XSS in Nuxt's `navigateTo()` function allows remote attackers to inject and execute arbitrary JavaScript in the application's origin during server-side rendering. Applications passing user-controlled input to `navigateTo(url, { external: true })` - the common post-login `?next=` or `?redirect=` redirect pattern - are affected across nuxt versions 3.4.3-3.21.5 and 4.0.0-alpha.1-4.4.5. A full proof-of-concept is published in the GitHub Security Advisory GHSA-fx6j-w5w5-h468; no public exploit identified at time of analysis beyond that PoC, and this CVE does not appear in CISA KEV.

XSS
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-23516 MEDIUM PATCH This Month

CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 5.4 MEDIUM]

RCE AI / ML Computer Vision Annotation Tool
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-22849 MEDIUM PATCH This Month

Saleor is an e-commerce platform. [CVSS 4.8 MEDIUM]

XSS Saleor
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-4615 MEDIUM This Month

Improper input neutralization in Palo Alto Networks PAN-OS management web interface allows authenticated high-privilege administrators to bypass system restrictions and execute arbitrary commands through command injection. The vulnerability affects PAN-OS across multiple versions (specific version ranges not independently confirmed from provided data), with a low EPSS exploitation probability (0.06%, 17th percentile) and no confirmed active exploitation or public proof-of-concept. Risk is significantly reduced when CLI access is restricted to a limited administrator group; Cloud NGFW and Prisma Access are unaffected.

Paloalto RCE Authentication Bypass Command Injection Pan Os
NVD VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-0137 MEDIUM This Month

An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Paloalto
NVD
CVSS 4.0
4.8
EPSS
0.4%
CVE-2025-0125 MEDIUM This Month

An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Paloalto
NVD
CVSS 4.0
6.9
EPSS
0.5%
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Cross-site scripting in Kirby CMS's Panel writer field (versions <= 4.9.3 and 5.0.0-alpha.1 through 5.4.3) lets an authenticated user inject a JavaScript-scheme URL into the link or email marks that executes in their own browser session when clicked before the content is saved. In Kirby's default configuration this is limited to self-XSS requiring social engineering, but Panel plugins that embed the <k-writer> component without sanitizing HTML before storage can be escalated to stored XSS affecting other users. There is no public exploit and it is not in CISA KEV; the vendor rates it high severity for affected sites.

XSS
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored cross-site scripting in earmark (the Elixir Markdown-to-HTML library by pragdave) allows any attacker who can submit markdown content to inject arbitrary JavaScript that executes in the browsers of users who view the rendered output. The root cause is a code path in `_make_att1/2` (`lib/earmark/transform.ex`) that splices HTML attribute values verbatim without encoding double-quote characters, enabling a crafted link URL or title to break out of the `href` attribute and inject additional HTML event handlers. Critically, no patched version will be released - the library has been officially retired from Hex - making migration to a maintained alternative the only complete fix. No public exploit identified at time of analysis, though the CVE description itself contains a working proof-of-concept payload.

XSS Earmark
NVD VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Stored cross-site scripting in OpenClaw's session HTML export feature allows unsafe javascript: and data: URI schemes to survive into generated output files. All OpenClaw versions before 2026.5.12 are affected; exploitation requires a trusted operator to open an exported session HTML file and actively click a crafted link, at which point arbitrary JavaScript executes in their browser context. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 score of 2.1 reflects the narrow attack prerequisites and limited subsequent-system impact.

XSS Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Reflected XSS in Concrete CMS 9.5.0 and below allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in the browser of an authenticated admin or report viewer who clicks a crafted URL targeting the legacy form reports dashboard. The vulnerable component, Concrete\Core\Legacy\Pagination, raw-interpolates a user-controlled URL value directly into an HTML href attribute, enabling attribute injection per CWE-83. With a CVSS 4.0 score of 6.0 and high confidentiality impact (VC:H) on the vulnerable system, successful exploitation can lead to session token theft; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS Concrete Cms
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Reflected XSS in Nuxt's `navigateTo()` function allows remote attackers to inject and execute arbitrary JavaScript in the application's origin during server-side rendering. Applications passing user-controlled input to `navigateTo(url, { external: true })` - the common post-login `?next=` or `?redirect=` redirect pattern - are affected across nuxt versions 3.4.3-3.21.5 and 4.0.0-alpha.1-4.4.5. A full proof-of-concept is published in the GitHub Security Advisory GHSA-fx6j-w5w5-h468; no public exploit identified at time of analysis beyond that PoC, and this CVE does not appear in CISA KEV.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 5.4 MEDIUM]

RCE AI / ML Computer Vision Annotation Tool
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Saleor is an e-commerce platform. [CVSS 4.8 MEDIUM]

XSS Saleor
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Improper input neutralization in Palo Alto Networks PAN-OS management web interface allows authenticated high-privilege administrators to bypass system restrictions and execute arbitrary commands through command injection. The vulnerability affects PAN-OS across multiple versions (specific version ranges not independently confirmed from provided data), with a low EPSS exploitation probability (0.06%, 17th percentile) and no confirmed active exploitation or public proof-of-concept. Risk is significantly reduced when CLI access is restricted to a limited administrator group; Cloud NGFW and Prisma Access are unaffected.

Paloalto RCE Authentication Bypass +2
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Paloalto
NVD
EPSS 1% CVSS 6.9
MEDIUM This Month

An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Paloalto
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy