CWE-80

Basic XSS

132 CVEs, average CVSS 5.7 (source: MITRE)

Severity breakdown: 3 Critical, 16 High, 100 Medium, 10 Low. 14 with public PoC, 0 in CISA KEV.


CVE-2026-34718 MEDIUM This Month

Improper HTML sanitization in Zammad ticket article processing prior to versions 7.0.1 and 6.5.4 allows unauthenticated remote attackers to inject malicious data URI schemes that persist in the database, potentially enabling stored cross-site scripting (XSS) attacks. While current Content Security Policy mitigations prevent immediate harm from link clicks, the vulnerability represents a persistent data integrity issue and stored XSS vector that could be exploited if CSP rules are modified or bypassed. No public exploit code has been identified, but the vulnerability affects all instances running unpatched versions.

Tags: XSS. Sources: NVD, GitHub, VulDB. CVSS 4.0: 5.3. EPSS: 0.0%.
CVE-2026-39712 MEDIUM This Month

Improper neutralization of HTML script tags in tagDiv Composer plugin versions up to 5.4.3 allows unauthenticated remote attackers to inject arbitrary code through shortcode execution, resulting in stored cross-site scripting (XSS). The vulnerability exploits insufficient input sanitization in the plugin's composer functionality, enabling attackers to inject malicious scripts that execute in the context of affected web pages. While EPSS scoring indicates low real-world exploitation probability (0.03%, 8th percentile), the CISA SSVC framework notes the attack is automatable and results in partial technical impact; no public exploit code or active exploitation has been identified at time of analysis.

Tags: XSS. Sources: NVD, VulDB. CVSS 3.1: 5.3. EPSS: 0.0%.
CVE-2026-39629 MEDIUM This Month

Improper neutralization of script-related HTML tags in the kutethemes Uminex WordPress theme version 1.0.9 and earlier enables unauthenticated remote attackers to inject arbitrary code via cross-site scripting (XSS), resulting in limited information disclosure. The vulnerability has an EPSS score of 0.03% (8th percentile), indicating minimal real-world exploitation probability despite a CVSS base score of 5.3; no public exploit code or active exploitation has been identified.

Tags: XSS, Uminex. Source: NVD. CVSS 3.1: 5.3. EPSS: 0.0%.
CVE-2026-39628 Monitor

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes DukaMarket dukamarket allows Code Injection. This issue affects DukaMarket: from n/a through <= 1.3.0.

Tags: WordPress, PHP, XSS, Dukamarket. Source: NVD. EPSS: 0.0%.
CVE-2026-39626 Monitor

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection. This issue affects Armania: from n/a through <= 1.4.8.

Tags: WordPress, PHP, XSS, Armania. Source: NVD. EPSS: 0.0%.
CVE-2026-39625 MEDIUM This Month

Improper neutralization of script-related HTML tags in kutethemes TechOne WordPress theme versions up to 3.0.3 enables unauthenticated attackers to inject malicious code through basic cross-site scripting (XSS), resulting in limited information disclosure. The vulnerability has an exceptionally low EPSS score (0.03%, percentile 8%) despite the moderate CVSS rating, suggesting minimal real-world exploitation likelihood. No public exploit code or confirmed active exploitation has been identified at the time of analysis.

Tags: XSS, Techone. Source: NVD. CVSS 3.1: 5.3. EPSS: 0.0%.
CVE-2026-39837 MEDIUM This Month

Stored cross-site scripting (XSS) in the Mediawiki Cargo Extension before version 3.8.7 allows authenticated users to inject malicious scripts via improper neutralization of HTML tags, enabling persistent client-side attacks against other users viewing affected content. The vulnerability requires user interaction (page view) but grants attackers the ability to modify page content and session information for victims, with CVSS 6.3 reflecting medium severity and EPSS exploitation probability not independently confirmed from available data.

Tags: XSS. Source: NVD. CVSS 4.0: 6.3. EPSS: 0.0%.
CVE-2026-39841 MEDIUM This Month

Stored XSS vulnerability in Wikimedia Cargo Extension before 3.8.7 allows authenticated users with page editing permissions to inject malicious scripts via improper neutralization of HTML script tags, enabling attackers to execute arbitrary JavaScript in the context of other users' browsers when stored content is viewed. The vulnerability requires user interaction (page view) and authenticated access but carries high scope impact on integrity and confidentiality through script injection in a collaborative wiki environment.

Tags: XSS. Sources: NVD, VulDB. CVSS 4.0: 6.3. EPSS: 0.0%.
CVE-2026-39839 MEDIUM This Month

Stored XSS in Wikimedia Cargo Extension before 3.8.7 allows authenticated users with page editing privileges to inject malicious scripts via improper HTML tag neutralization, affecting all installations of the extension using vulnerable versions. The vulnerability requires user interaction (page view) to trigger, and impacts script integrity and site integrity for affected wiki installations. No public exploit code or active exploitation has been reported at the time of analysis.

Tags: XSS. Source: NVD. CVSS 4.0: 6.3. EPSS: 0.0%.
CVE-2026-35460 MEDIUM This Month

Papra document management platform versions prior to 26.4.0 allow authenticated attackers to inject HTML into transactional email templates by registering with a display name containing HTML tags, enabling convincing phishing attacks through legitimate Papra email domains. The vulnerability affects verification and password reset emails, which are sent from official Papra domains, making socially engineered attacks highly credible. No public exploit code or active exploitation has been identified at time of analysis.

Tags: XSS. Sources: NVD, GitHub. CVSS 3.1: 4.3. EPSS: 0.0%.
