Skip to main content

CWE-87

Improper Neutralization of Alternate XSS Syntax

31 CVEs Avg CVSS 6.2 MITRE
0
CRITICAL
6
HIGH
24
MEDIUM
1
LOW
6
POC
0
KEV

Monthly

CVE-2026-55237 HIGH PATCH This Week

DOM-based cross-site scripting in AutoGPT versions prior to 0.6.62 allows remote attackers to execute arbitrary JavaScript in an authenticated victim's browser by tricking them into clicking a crafted signup-page link whose `next` URL parameter is passed unsanitized into `router.push`. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-j2cp-jg5q-38wj) confirms the issue and ships a fix in 0.6.62.

XSS Autogpt
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-25688 MEDIUM This Month

Unsanitized rendering of AI-generated response content in Apache Answer through 2.0.0 enables cross-site scripting (XSS) execution in the browsers of any user viewing affected AI-generated answers. The vulnerability (CWE-87, Improper Neutralization of Alternate XSS Syntax) arises because the AI answer rendering pipeline passes output directly to the browser DOM without stripping or encoding malicious script constructs. No public exploit code has been identified at time of analysis, and CISA KEV listing has not been confirmed, but the critical severity designation and vendor-confirmed patch at 2.0.1 indicate this is a high-priority remediation target for all deployments using the AI answer feature.

XSS Apache
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-45314 PyPI HIGH PATCH GHSA This Week

Stored cross-site scripting in Open WebUI versions 0.9.2 and earlier allows authenticated low-privileged users to persist malicious SVG payloads through the channel webhook profile_image_url field, which the server later serves verbatim as image/svg+xml. Any verified user who loads the resulting profile image URL executes attacker-controlled JavaScript in the application origin, enabling session theft and account takeover. Publicly available exploit code exists in the form of a working Python PoC published in the GHSA advisory; no public exploit identified at time of analysis as actively used in the wild.

XSS
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-42458 PHP MEDIUM PATCH GHSA This Month

Reflected cross-site scripting (XSS) in OpenMage Magento LTS versions up to 20.17.0 allows authenticated admin users to inject arbitrary JavaScript via the Import/Export Dataflow Profiles run interface. The vulnerability exists in the System → Import/Export → Dataflow Profiles page where unsanitized filename parameters are reflected into HTML context, enabling cookie theft and admin panel defacement. The exploitation requires admin panel access and user interaction to click a malicious link, but no network-based unauthenticated exploitation is possible.

XSS PHP
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-42235 npm HIGH PATCH GHSA This Week

Cross-site scripting (XSS) in n8n's MCP OAuth client registration allows remote attackers to execute arbitrary JavaScript in authenticated user sessions. Unauthenticated attackers can inject malicious scripts via the client_name parameter during OAuth client registration, which executes when a second user revokes the OAuth consent, triggering a vulnerable toast notification. Successful exploitation enables session token theft, workflow manipulation, and privilege escalation. CVSS 8.2 (High) reflects the changed scope and complex attack chain requiring victim interaction across multiple user sessions. No public exploit or CISA KEV listing identified at time of analysis, but exploit development is straightforward given the clear attack vector.

Privilege Escalation
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-40321 NuGet HIGH PATCH GHSA This Week

Stored cross-site scripting (XSS) via malicious SVG file upload in DNN Platform (DotNetNuke) versions before 10.2.2 allows low-privileged authenticated users to execute arbitrary JavaScript in the context of other users' browsers. Attackers can craft SVG files containing embedded scripts that execute when viewed by victims, with elevated impact if targeting administrative users. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis. CVSS 8.1 (High) reflects the scope change and high confidentiality/integrity impact despite requiring both authentication and user interaction.

Information Disclosure Microsoft
NVD GitHub VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-14732 MEDIUM This Month

Stored Cross-Site Scripting in Elementor Website Builder plugin for WordPress allows authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript into page content via insufficiently sanitized widget parameters. The injected scripts execute in the browsers of all users accessing affected pages, potentially enabling account hijacking, malware distribution, or defacement. CVSS 6.4 reflects the requirement for authenticated access but the broad scope of impact across all site visitors.

WordPress XSS Elementor
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-22711 MEDIUM This Month

Cross-site scripting (XSS) in the Mediawiki Wikilove Extension via improper neutralization of alternate XSS syntax allows unauthenticated remote attackers to inject malicious scripts with low complexity attack surface. The vulnerability affects Mediawiki Wikilove Extension versions 1.43.7, 1.44.4, and 1.45.2, enabling stored or reflected XSS attacks that can compromise user sessions, steal credentials, or deface wiki content. No public exploit code or active exploitation has been identified at time of analysis, but the attack requires no user interaction or privileges, making it a moderate-risk priority for affected wiki administrators.

XSS
NVD
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-33510 HIGH PATCH This Week

DOM-based Cross-Site Scripting in Homarr dashboard versions prior to 1.57.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers via malicious callbackUrl parameters on the /auth/login page. Despite the high CVSS score of 8.8, no public exploit code or active exploitation has been identified at time of analysis. The vulnerability enables credential theft and unauthorized actions when authenticated users click crafted links, with scope change indicating potential cross-domain impact.

XSS Homarr
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33506 HIGH PATCH This Week

DOM-based Cross-Site Scripting in Ory Polis (formerly BoxyHQ Jackson) SAML-to-OAuth bridge allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via crafted callbackUrl parameters. Versions prior to 26.2.0 are affected, with vendor-released patch available in version 26.2.0. No public exploit identified at time of analysis. CVSS score of 8.8 reflects network-based attack vector with low complexity requiring only user interaction, though SSVC framework rates technical impact as partial with no observed exploitation and non-automatable attack pattern.

XSS Polis
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
EPSS 0% CVSS 8.8
HIGH PATCH This Week

DOM-based cross-site scripting in AutoGPT versions prior to 0.6.62 allows remote attackers to execute arbitrary JavaScript in an authenticated victim's browser by tricking them into clicking a crafted signup-page link whose `next` URL parameter is passed unsanitized into `router.push`. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-j2cp-jg5q-38wj) confirms the issue and ships a fix in 0.6.62.

XSS Autogpt
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Unsanitized rendering of AI-generated response content in Apache Answer through 2.0.0 enables cross-site scripting (XSS) execution in the browsers of any user viewing affected AI-generated answers. The vulnerability (CWE-87, Improper Neutralization of Alternate XSS Syntax) arises because the AI answer rendering pipeline passes output directly to the browser DOM without stripping or encoding malicious script constructs. No public exploit code has been identified at time of analysis, and CISA KEV listing has not been confirmed, but the critical severity designation and vendor-confirmed patch at 2.0.1 indicate this is a high-priority remediation target for all deployments using the AI answer feature.

XSS Apache
NVD VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Stored cross-site scripting in Open WebUI versions 0.9.2 and earlier allows authenticated low-privileged users to persist malicious SVG payloads through the channel webhook profile_image_url field, which the server later serves verbatim as image/svg+xml. Any verified user who loads the resulting profile image URL executes attacker-controlled JavaScript in the application origin, enabling session theft and account takeover. Publicly available exploit code exists in the form of a working Python PoC published in the GHSA advisory; no public exploit identified at time of analysis as actively used in the wild.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Reflected cross-site scripting (XSS) in OpenMage Magento LTS versions up to 20.17.0 allows authenticated admin users to inject arbitrary JavaScript via the Import/Export Dataflow Profiles run interface. The vulnerability exists in the System → Import/Export → Dataflow Profiles page where unsanitized filename parameters are reflected into HTML context, enabling cookie theft and admin panel defacement. The exploitation requires admin panel access and user interaction to click a malicious link, but no network-based unauthenticated exploitation is possible.

XSS PHP
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-site scripting (XSS) in n8n's MCP OAuth client registration allows remote attackers to execute arbitrary JavaScript in authenticated user sessions. Unauthenticated attackers can inject malicious scripts via the client_name parameter during OAuth client registration, which executes when a second user revokes the OAuth consent, triggering a vulnerable toast notification. Successful exploitation enables session token theft, workflow manipulation, and privilege escalation. CVSS 8.2 (High) reflects the changed scope and complex attack chain requiring victim interaction across multiple user sessions. No public exploit or CISA KEV listing identified at time of analysis, but exploit development is straightforward given the clear attack vector.

Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Stored cross-site scripting (XSS) via malicious SVG file upload in DNN Platform (DotNetNuke) versions before 10.2.2 allows low-privileged authenticated users to execute arbitrary JavaScript in the context of other users' browsers. Attackers can craft SVG files containing embedded scripts that execute when viewed by victims, with elevated impact if targeting administrative users. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis. CVSS 8.1 (High) reflects the scope change and high confidentiality/integrity impact despite requiring both authentication and user interaction.

Information Disclosure Microsoft
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Elementor Website Builder plugin for WordPress allows authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript into page content via insufficiently sanitized widget parameters. The injected scripts execute in the browsers of all users accessing affected pages, potentially enabling account hijacking, malware distribution, or defacement. CVSS 6.4 reflects the requirement for authenticated access but the broad scope of impact across all site visitors.

WordPress XSS Elementor
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Cross-site scripting (XSS) in the Mediawiki Wikilove Extension via improper neutralization of alternate XSS syntax allows unauthenticated remote attackers to inject malicious scripts with low complexity attack surface. The vulnerability affects Mediawiki Wikilove Extension versions 1.43.7, 1.44.4, and 1.45.2, enabling stored or reflected XSS attacks that can compromise user sessions, steal credentials, or deface wiki content. No public exploit code or active exploitation has been identified at time of analysis, but the attack requires no user interaction or privileges, making it a moderate-risk priority for affected wiki administrators.

XSS
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

DOM-based Cross-Site Scripting in Homarr dashboard versions prior to 1.57.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers via malicious callbackUrl parameters on the /auth/login page. Despite the high CVSS score of 8.8, no public exploit code or active exploitation has been identified at time of analysis. The vulnerability enables credential theft and unauthorized actions when authenticated users click crafted links, with scope change indicating potential cross-domain impact.

XSS Homarr
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

DOM-based Cross-Site Scripting in Ory Polis (formerly BoxyHQ Jackson) SAML-to-OAuth bridge allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via crafted callbackUrl parameters. Versions prior to 26.2.0 are affected, with vendor-released patch available in version 26.2.0. No public exploit identified at time of analysis. CVSS score of 8.8 reflects network-based attack vector with low complexity requiring only user interaction, though SSVC framework rates technical impact as partial with no observed exploitation and non-automatable attack pattern.

XSS Polis
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy