Skip to main content

CWE-80

Basic XSS

339 CVEs Avg CVSS 5.7 MITRE
7
CRITICAL
37
HIGH
273
MEDIUM
21
LOW
62
POC
0
KEV

Monthly

CVE-2026-54443 MEDIUM PATCH This Month

Stored XSS via unsanitized `javascript:` URI injection in the Dashy RSS Feed widget (src/components/Widgets/RssFeed.vue) affects all releases from 1.9.4 through 3.1.x, allowing an attacker who controls an RSS feed source configured in the dashboard to deliver a malicious anchor href that executes arbitrary JavaScript in the Dashy origin when a user clicks it. The attack requires both feed-source control and user interaction, and is confined to the Dashy application origin - meaning session tokens, cookies, or dashboard credentials are the primary targets. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; a vendor-released patch is available in version 3.2.0.

XSS Dashy
NVD GitHub
CVSS 4.0
5.9
CVE-2026-59838 MEDIUM This Month

Stored or reflected cross-site scripting in Fortinet FortiSIEM's web interface enables a high-privileged authenticated attacker to inject malicious script tags that execute in the browsers of other users who view the affected page. The vulnerability spans a wide version range from FortiSIEM 6.4 through 7.4.0, affecting all deployments of this enterprise SIEM platform. No active exploitation has been confirmed by CISA KEV, and no public exploit code is identified at time of analysis; the PR:H requirement meaningfully constrains real-world attacker opportunity despite the scope change to the victim's browser context.

Fortinet XSS Fortisiem
NVD
CVSS 3.1
4.8
CVE-2026-57167 MEDIUM PATCH This Month

Stored XSS in PeerTube before version 8.2.2 allows any authenticated uploader to inject arbitrary HTML and JavaScript into the instance origin by embedding the byte sequence </script> inside video metadata fields. The server-side renderer serializes video metadata directly into schema.org JSON-LD script blocks using JSON.stringify without HTML-character escaping, causing the browser to terminate the script tag prematurely and parse attacker-controlled content as raw HTML. The payload executes automatically for every visitor to the affected video's watch page, and no public exploit has been identified at time of analysis.

XSS Peertube
NVD GitHub
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-59855 HIGH This Week

Cross-site scripting escalating to remote code execution in SiYuan (open-source personal knowledge management) before 3.7.1 lets an attacker embed a crafted asset link whose path contains a double quote, breaking out of an image src attribute in Asset.render to inject an event handler. Because SiYuan runs in an Electron renderer with OS-level capabilities, the injected JavaScript can execute arbitrary operating-system commands on the victim's machine once the malicious asset is opened. No public exploit identified at time of analysis, and it is not listed in CISA KEV; user interaction is required to trigger the flaw.

XSS Siyuan
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-52774 PHP MEDIUM POC PATCH GHSA This Month

Reflected XSS in YesWiki's Bazar widget handler allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by sending a crafted URL containing a double-quote-breaking payload in the `id` GET parameter. The handler at `tools/bazar/handlers/__WidgetHandler.php` performs no authentication or access-control check before rendering the vulnerable template, and `strip_tags()` is misused as an output encoder - it removes tags but leaves double quotes intact, enabling attribute injection across two sinks (`data-formid` and `data-iframeUrl`). A working proof-of-concept was validated on the official doryphore 4.6.5 release; no public exploit identification as KEV-confirmed active exploitation exists at time of analysis, but a complete PoC with exact payloads is publicly available as part of the advisory.

XSS Information Disclosure PHP
NVD GitHub
CVSS 3.1
6.1
CVE-2026-52773 PHP MEDIUM POC PATCH GHSA This Month

Reflected XSS in YesWiki doryphore 4.6.5 allows an attacker to execute arbitrary JavaScript in a victim's browser by exploiting unescaped output of the `time` GET parameter in the archived-revision edit form at `handlers/page/show.php`. A working proof-of-concept has been published by the reporter and confirmed against the official package; the attack exploits MySQL's DATETIME coercion to accept a malformed timestamp that begins with a real archived revision value yet appends injected markup, causing the archived-revision branch to render and reflect the payload unescaped. No active exploitation has been confirmed by CISA KEV, but the detailed PoC lowers the barrier to weaponization.

XSS Information Disclosure RCE PHP
NVD GitHub
CVSS 3.1
6.1
CVE-2026-7380 MEDIUM This Month

Reflected XSS in Armiya Information Technologies' Access Control System (GKS) allows unauthenticated remote attackers to inject script-bearing HTML attributes into web pages served by the application, executing arbitrary JavaScript in the context of a victim's browser. All versions prior to Version 2 are affected, as reported by TR-CERT via Turkey's national cybersecurity authority. No public exploit code or confirmed active exploitation has been identified at time of analysis, but the low-complexity, no-privilege attack vector makes this straightforward to weaponize against authenticated users of the access control panel.

XSS Access Control System Gks
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-36321 MEDIUM PATCH This Month

HTML injection in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 enables a remote authenticated attacker to plant malicious HTML content that executes in a victim's browser within the hosting site's security context. The CVSS vector (PR:L/UI:R/C:H) confirms exploitation requires low-privilege authentication and a second user to view the injected content, with the primary impact being confidentiality loss - such as session token theft or credential harvesting. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog; a vendor patch is available via IBM advisory 7277801.

XSS IBM Watsonx Data Intelligence
NVD
CVSS 3.1
5.7
EPSS
0.4%
CVE-2026-50229 MEDIUM POC PATCH This Month

Reflected XSS in Apache Tomcat's bundled 'number guess' example application exposes users of that demo page to script injection across all major Tomcat release lines from 7.0 through 11.0. The flaw resides in a sample JSP/servlet, not the core Tomcat runtime, meaning exploitation depends entirely on the example application being deployed and accessible - a configuration that violates standard production hardening guidance. No public exploit code or active exploitation has been identified at time of analysis; no CVSS vector was assigned by the reporter.

XSS Tomcat Apache Apache Tomcat
NVD VulDB HeroDevs
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-64637 MEDIUM This Month

Unauthenticated content injection in the Auros Core WordPress plugin (versions 5.3.1 and earlier) permits remote attackers to inject script-related HTML tags into rendered page output without any privileges or user interaction. The vulnerability is classified under CWE-80 (Basic XSS) and carries a CVSS 3.1 score of 5.3 (Medium), with impact limited to low confidentiality - consistent with an attacker reading page-context data rather than persistently compromising other users' sessions. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVSS 5.9
MEDIUM PATCH This Month

Stored XSS via unsanitized `javascript:` URI injection in the Dashy RSS Feed widget (src/components/Widgets/RssFeed.vue) affects all releases from 1.9.4 through 3.1.x, allowing an attacker who controls an RSS feed source configured in the dashboard to deliver a malicious anchor href that executes arbitrary JavaScript in the Dashy origin when a user clicks it. The attack requires both feed-source control and user interaction, and is confined to the Dashy application origin - meaning session tokens, cookies, or dashboard credentials are the primary targets. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; a vendor-released patch is available in version 3.2.0.

XSS Dashy
NVD GitHub
CVSS 4.8
MEDIUM This Month

Stored or reflected cross-site scripting in Fortinet FortiSIEM's web interface enables a high-privileged authenticated attacker to inject malicious script tags that execute in the browsers of other users who view the affected page. The vulnerability spans a wide version range from FortiSIEM 6.4 through 7.4.0, affecting all deployments of this enterprise SIEM platform. No active exploitation has been confirmed by CISA KEV, and no public exploit code is identified at time of analysis; the PR:H requirement meaningfully constrains real-world attacker opportunity despite the scope change to the victim's browser context.

Fortinet XSS Fortisiem
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored XSS in PeerTube before version 8.2.2 allows any authenticated uploader to inject arbitrary HTML and JavaScript into the instance origin by embedding the byte sequence </script> inside video metadata fields. The server-side renderer serializes video metadata directly into schema.org JSON-LD script blocks using JSON.stringify without HTML-character escaping, causing the browser to terminate the script tag prematurely and parse attacker-controlled content as raw HTML. The payload executes automatically for every visitor to the affected video's watch page, and no public exploit has been identified at time of analysis.

XSS Peertube
NVD GitHub
EPSS 0% CVSS 8.6
HIGH This Week

Cross-site scripting escalating to remote code execution in SiYuan (open-source personal knowledge management) before 3.7.1 lets an attacker embed a crafted asset link whose path contains a double quote, breaking out of an image src attribute in Asset.render to inject an event handler. Because SiYuan runs in an Electron renderer with OS-level capabilities, the injected JavaScript can execute arbitrary operating-system commands on the victim's machine once the malicious asset is opened. No public exploit identified at time of analysis, and it is not listed in CISA KEV; user interaction is required to trigger the flaw.

XSS Siyuan
NVD GitHub VulDB
CVSS 6.1
MEDIUM POC PATCH This Month

Reflected XSS in YesWiki's Bazar widget handler allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by sending a crafted URL containing a double-quote-breaking payload in the `id` GET parameter. The handler at `tools/bazar/handlers/__WidgetHandler.php` performs no authentication or access-control check before rendering the vulnerable template, and `strip_tags()` is misused as an output encoder - it removes tags but leaves double quotes intact, enabling attribute injection across two sinks (`data-formid` and `data-iframeUrl`). A working proof-of-concept was validated on the official doryphore 4.6.5 release; no public exploit identification as KEV-confirmed active exploitation exists at time of analysis, but a complete PoC with exact payloads is publicly available as part of the advisory.

XSS Information Disclosure PHP
NVD GitHub
CVSS 6.1
MEDIUM POC PATCH This Month

Reflected XSS in YesWiki doryphore 4.6.5 allows an attacker to execute arbitrary JavaScript in a victim's browser by exploiting unescaped output of the `time` GET parameter in the archived-revision edit form at `handlers/page/show.php`. A working proof-of-concept has been published by the reporter and confirmed against the official package; the attack exploits MySQL's DATETIME coercion to accept a malformed timestamp that begins with a real archived revision value yet appends injected markup, causing the archived-revision branch to render and reflect the payload unescaped. No active exploitation has been confirmed by CISA KEV, but the detailed PoC lowers the barrier to weaponization.

XSS Information Disclosure RCE +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in Armiya Information Technologies' Access Control System (GKS) allows unauthenticated remote attackers to inject script-bearing HTML attributes into web pages served by the application, executing arbitrary JavaScript in the context of a victim's browser. All versions prior to Version 2 are affected, as reported by TR-CERT via Turkey's national cybersecurity authority. No public exploit code or confirmed active exploitation has been identified at time of analysis, but the low-complexity, no-privilege attack vector makes this straightforward to weaponize against authenticated users of the access control panel.

XSS Access Control System Gks
NVD
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

HTML injection in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 enables a remote authenticated attacker to plant malicious HTML content that executes in a victim's browser within the hosting site's security context. The CVSS vector (PR:L/UI:R/C:H) confirms exploitation requires low-privilege authentication and a second user to view the injected content, with the primary impact being confidentiality loss - such as session token theft or credential harvesting. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog; a vendor patch is available via IBM advisory 7277801.

XSS IBM Watsonx Data Intelligence
NVD
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Reflected XSS in Apache Tomcat's bundled 'number guess' example application exposes users of that demo page to script injection across all major Tomcat release lines from 7.0 through 11.0. The flaw resides in a sample JSP/servlet, not the core Tomcat runtime, meaning exploitation depends entirely on the example application being deployed and accessible - a configuration that violates standard production hardening guidance. No public exploit code or active exploitation has been identified at time of analysis; no CVSS vector was assigned by the reporter.

XSS Tomcat Apache +1
NVD VulDB HeroDevs
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated content injection in the Auros Core WordPress plugin (versions 5.3.1 and earlier) permits remote attackers to inject script-related HTML tags into rendered page output without any privileges or user interaction. The vulnerability is classified under CWE-80 (Basic XSS) and carries a CVSS 3.1 score of 5.3 (Medium), with impact limited to low confidentiality - consistent with an attacker reading page-context data rather than persistently compromising other users' sessions. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy