Stored cross-site scripting in Open WebUI versions 0.9.2 and earlier allows authenticated low-privileged users to persist malicious SVG payloads through the channel webhook profile_image_url field, which the server later serves verbatim as image/svg+xml. Any verified user who loads the resulting profile image URL executes attacker-controlled JavaScript in the application origin, enabling session theft and account takeover. Public exploit code exists as a working Python PoC published in the GHSA advisory; no in-the-wild exploitation had been identified at time of analysis.
Reflected cross-site scripting (XSS) in OpenMage Magento LTS versions up to 20.17.0 allows authenticated admin users to inject arbitrary JavaScript via the Import/Export Dataflow Profiles run interface. The vulnerability exists in the System → Import/Export → Dataflow Profiles page, where unsanitized filename parameters are reflected into HTML context, enabling cookie theft and admin panel defacement. Exploitation requires admin panel access and a victim clicking a malicious link; unauthenticated network-based exploitation is not possible.
Cross-site scripting (XSS) in n8n's MCP OAuth client registration allows remote attackers to execute arbitrary JavaScript in authenticated user sessions. Unauthenticated attackers can inject malicious scripts via the client_name parameter during OAuth client registration; the payload executes when a second user revokes the OAuth consent and the stored value is rendered in a vulnerable toast notification. Successful exploitation enables session token theft, workflow manipulation, and privilege escalation. CVSS 8.2 (High) reflects the changed scope and a complex attack chain requiring victim interaction across multiple user sessions. No public exploit or CISA KEV listing was identified at time of analysis, but exploit development is straightforward given the clear attack vector.
Stored cross-site scripting (XSS) via malicious SVG file upload in DNN Platform (DotNetNuke) versions before 10.2.2 allows low-privileged authenticated users to execute arbitrary JavaScript in the context of other users' browsers. Attackers can craft SVG files containing embedded scripts that execute when viewed by victims, with elevated impact if administrative users are targeted. EPSS data was not provided, and the absence of a CISA KEV listing indicates no confirmed widespread exploitation at time of analysis. CVSS 8.1 (High) reflects the scope change and high confidentiality/integrity impact despite requiring both authentication and user interaction.
Stored cross-site scripting in the Elementor Website Builder plugin for WordPress allows authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript into page content via insufficiently sanitized widget parameters. The injected scripts execute in the browsers of all users accessing affected pages, potentially enabling account hijacking, malware distribution, or defacement. CVSS 6.4 reflects the authentication requirement, offset by the broad scope of impact across all site visitors.
Cross-site scripting (XSS) in the MediaWiki WikiLove extension, caused by improper neutralization of alternate XSS syntax, allows unauthenticated remote attackers to inject malicious scripts with low attack complexity. The vulnerability affects the WikiLove extension in versions 1.43.7, 1.44.4, and 1.45.2, enabling stored or reflected XSS attacks that can compromise user sessions, steal credentials, or deface wiki content. No public exploit code or active exploitation had been identified at time of analysis, but the attack requires no user interaction or privileges, making it a moderate-risk priority for affected wiki administrators.
DOM-based cross-site scripting in Homarr dashboard versions prior to 1.57.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers via malicious callbackUrl parameters on the /auth/login page. Despite the high CVSS score of 8.8, no public exploit code or active exploitation had been identified at time of analysis. The vulnerability enables credential theft and unauthorized actions when authenticated users click crafted links, with the scope change indicating potential cross-domain impact.
DOM-based cross-site scripting in the Ory Polis (formerly BoxyHQ Jackson) SAML-to-OAuth bridge allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via crafted callbackUrl parameters. Versions prior to 26.2.0 are affected; a vendor patch is available in version 26.2.0. No public exploit was identified at time of analysis. The CVSS score of 8.8 reflects a network-based attack vector with low complexity requiring only user interaction, though the SSVC assessment rates technical impact as partial, with no observed exploitation and a non-automatable attack pattern.
Contao is an open-source CMS. Rated low severity (CVSS 3.3), this vulnerability is remotely exploitable. No vendor patch is available.
Galette is a membership management web application for non-profit organizations. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable with no authentication required and low attack complexity. No vendor patch is available.