XSS
Monthly
Stored Cross-Site Scripting in the SysBasics Customize My Account for WooCommerce plugin (all versions through 4.4.14) allows authenticated shop managers to persist malicious scripts via the unsanitized 'row_type' parameter, executing in any user's browser upon visiting the compromised My Account page. The CVSS scope change (S:C) confirms cross-user impact - injected scripts run in victim sessions, enabling session hijacking or credential theft beyond the attacker's own context. No public exploit code or CISA KEV listing is confirmed at time of analysis; risk is substantially gated by the shop manager privilege requirement.
Stored Cross-Site Scripting in the wpForo Forum WordPress plugin (all versions through 3.1.1) allows authenticated attackers with subscriber-level access to permanently inject malicious JavaScript via the 'location' profile field. The root failure is WordPress's native sanitize_text_field() function, which strips tags but leaves double quotes unencoded, enabling attribute breakout from an href context into injected event-handler attributes. With a CVSS scope change (S:C), successful exploitation can impact sessions of any user - including administrators - who views a poisoned profile page, enabling session hijacking or privilege escalation. No public exploit or CISA KEV listing has been identified at time of analysis.
Stored Cross-Site Scripting in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) allows authenticated contributors to inject persistent malicious scripts via the price_wrapper shortcode attribute, due to missing sanitization and output escaping in class.shortcodes.php. A compromised or malicious contributor account can plant the payload in any page or post, where it executes against visiting victims - but only those who carry the referenced ticket ID in their cart cookie, materially narrowing the realistic victim pool. No active exploitation has been confirmed in CISA KEV, and no EPSS data was provided in the intelligence feed.
Stored cross-site scripting in the Breakdance WordPress page-builder plugin (versions through 2.7.1) lets unauthenticated attackers inject persistent JavaScript through the 'fields' parameter, which then runs in the browser of any user who views the affected page. The flaw carries a CVSS 3.1 score of 7.2, elevated by a scope change (S:C) because the payload executes in visitors' browser sessions rather than the server context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Wordfence discovered and reported it.
Stored cross-site scripting in the WP Delicious (formerly Delicious Recipes) WordPress plugin versions up to and including 1.10.2 allows authenticated Contributor-level users to inject arbitrary JavaScript via unsanitized `javascript:` URIs embedded in recipe step link attributes. The `wrap_direction_text()` function interpolates attacker-controlled `href` values directly into anchor tags using `sprintf()` without invoking WordPress's `esc_url()`, enabling payload execution in the browser of any privileged user who clicks the poisoned link while previewing or viewing the affected recipe post. No CISA KEV listing or public exploit code has been identified at time of analysis, though Wordfence's source-level disclosure provides sufficient detail for independent reproduction.
The FunnelKit WordPress plugin before 3.15.0.6 does not escape a user-supplied parameter before reflecting it into the HTML response of one of its page-builder AJAX actions, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting against logged-in users who open a crafted page. The affected action is only registered when the Divi /builder is active.
Stored cross-site scripting in the RPB Chessboard WordPress plugin (all versions through 8.1.2) lets unauthenticated attackers plant persistent JavaScript through comment content that executes in the browser of anyone who later views the affected page. The novel aspect, per Wordfence, is that WordPress's normal save-time kses sanitization is bypassed because the payload uses only kses-allowed tags/attributes (an <a> element with title and href) and the dangerous attribute-breaking markup is assembled entirely at render time by the plugin's own comment_text filter. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated, no-interaction entry point makes it a practical drive-by injection risk.
Reflected Cross-Site Scripting in the Product Feed Manager For WooCommerce WordPress plugin (all versions through 7.6.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unescaped 's' search parameter, which executes in a victim's browser upon interaction with a crafted link. The vulnerability is rooted in insufficient sanitization and output escaping within the plugin's admin-facing PHP classes, as confirmed by Wordfence with direct source code references to class-rex-product-feed-actions.php and class-rex-product-feed.php. No public exploit code has been identified at time of analysis, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog.
Stored Cross-Site Scripting in the Easy Accordion - AI-Powered FAQ & Accordion Blocks, Product FAQ plugin (all versions ≤ 3.1.6) enables authenticated attackers holding contributor-level WordPress roles to inject persistent JavaScript payloads via the unsanitized 'align' block attribute. The injected script executes in the browser of any user - including administrators - who views the affected page, making session hijacking and privilege escalation realistic follow-on impacts. No public exploit code or CISA KEV listing has been identified at time of analysis, but Wordfence source code references pinpoint the exact vulnerable lines, substantially lowering the barrier to exploitation.
Stored XSS in GiveWP's Sequoia donation template allows authenticated attackers with give worker-level access to inject persistent JavaScript payloads via the 'twitter_message' template setting, affecting all WordPress installations running plugin versions through 4.16.3. The injected payload is not sanitized before being embedded inside a JavaScript template literal in the Sequoia confirmation view's social-sharing component, and executes in the donor's browser specifically when they click the 'Share on Twitter' button after completing a donation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the Wordfence disclosure includes direct source code references confirming the unsanitized evaluation path.
Stored Cross-Site Scripting in the MxChat AI Chatbot & Content Generation WordPress plugin (versions up to and including 3.2.10) enables authenticated administrators to persist malicious scripts through admin settings panels. Exploitation is constrained to WordPress multi-site environments or single-site installs where the unfiltered_html capability has been explicitly disabled, narrowing the realistic attack surface significantly. No public exploit code or active exploitation (CISA KEV) has been identified; CVSS 4.4 Medium reflects the restricted conditions and high privilege requirement.
Stored/reflected XSS in the ViewComponent Rails gem (versions >= 4.0.0, < 4.12.0) arises because HTML-unsafe strings returned from a component's around_render hook bypass the automatic escaping applied to normal #call output, letting attacker-controlled data reach the browser as raw HTML. The flaw is amplified in collection rendering, where Collection#render_in joins per-item output and blindly marks it html_safe, laundering unsafe content into a trusted SafeBuffer. Publicly available exploit code exists (a detailed PoC in the GitHub advisory), but there is no public exploit identified as actively used in the wild; a vendor patch is available in v4.12.0.
Stored DOM cross-site scripting in WWBN AVideo's YPTSocket plugin (all versions prior to 29.0) lets any unauthenticated remote attacker run arbitrary JavaScript in the browser session of any administrator viewing the YPTSocket online-users debug panel. Because the malicious WebSocket metadata is broadcast to every connected client and rendered without escaping, a single anonymous WebSocket connection can be escalated into full administrative account takeover via the admin's own session and CSRF token. No public exploit identified at time of analysis; the flaw carries a CVSS 9.6 (Critical) rating driven by the scope change into the privileged admin origin.
Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks that can result in administrator credential theft. An attacker who controls a malicious website can embed the login page in a hidden iframe, luring an unwitting administrator to unknowingly submit their credentials into the framed interface. No public exploit has been identified at time of analysis, and the CVSS 4.0 vector indicates active user interaction is required, limiting opportunistic exploitation.
Stored cross-site scripting in DataEase's template static resource pipeline allows authenticated users to persist malicious JavaScript inside SVG files served at the application's same origin, executing in victims' browsers upon resource access. Versions prior to 2.10.23 are affected; the root cause is that StaticResourceServer.saveFilesToServe and saveSingleFileToServe decoded attacker-supplied Base64 content and wrote it directly to disk without validating extension, MIME type, decoded bytes, or SVG scriptability. No public exploit code or CISA KEV listing exists at time of analysis, but the stored, same-origin nature of the XSS and the low bar for triggering it (any authenticated user) make this a meaningful risk in shared or multi-tenant DataEase deployments.
Stored cross-site scripting in MantisBT (versions <= 2.28.3) lets an authenticated user inject arbitrary HTML/JavaScript through a crafted image-attachment filename that breaks out of an IMG tag's alt attribute. The payload executes when any user (including higher-privileged reviewers) renders the Word/HTML export view at print_all_bug_page_word.php?type_page=html&export=1, though real-world impact is constrained by MantisBT's Content Security Policy. There is no public exploit identified at time of analysis, and the flaw is fixed in 2.28.4.
Reflected cross-site scripting in MantisBT 2.28.3 and earlier lets remote attackers inject HTML into the unauthenticated /admin/install.php installer page through six user-supplied parameters echoed via an unescaped printf format string. Because the application ships a script-src 'self' Content Security Policy that lacks a form-action directive, an attacker cannot run inline JavaScript but can render fake credential-harvesting login forms, perform <meta>-based open redirects, and overlay attacker HTML via CSS injection on the legitimate admin page. There is no public exploit identified at time of analysis, no CISA KEV listing, and no CVSS/EPSS score in the provided data; the issue was reported by watchTowr and fixed in 2.28.4.
Reflected cross-site scripting in MantisBT's /admin/install.php (versions 2.28.3 and earlier) lets remote attackers inject HTML through six unescaped, user-supplied parameters echoed by print_test_result(). Although the page's Content-Security-Policy (script-src 'self') blocks inline JavaScript, the missing form-action directive permits credential-phishing form injection, <meta>-based open redirects, and CSS overlay attacks against the trusted admin origin. The advisory states no authentication is required; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored XSS via unsanitized `javascript:` URI injection in the Dashy RSS Feed widget (src/components/Widgets/RssFeed.vue) affects all releases from 1.9.4 through 3.1.x, allowing an attacker who controls an RSS feed source configured in the dashboard to deliver a malicious anchor href that executes arbitrary JavaScript in the Dashy origin when a user clicks it. The attack requires both feed-source control and user interaction, and is confined to the Dashy application origin - meaning session tokens, cookies, or dashboard credentials are the primary targets. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; a vendor-released patch is available in version 3.2.0.
Stored cross-site scripting in OpenWrt's default odhcpd server (all releases prior to 25.12.5) lets a network-adjacent DHCP client inject forged lease records that execute as HTML/JavaScript in a router administrator's browser. The client-supplied DHCPv6 FQDN option 39 (and DHCPv4 option 12) hostname is written unescaped into /tmp/odhcpd.leases, enabling newline injection of attacker-controlled fields that LuCI's Active DHCPv6 Leases page renders via unsafe dom.append. No public exploit is identified at time of analysis, and the flaw is not in CISA KEV; it is fixed in 25.12.5.
Stored cross-site scripting in RustFS Console (0.1.7 through 0.1.9) lets an attacker upload an HTML payload disguised as a .pdf file that executes when an administrator previews it, exfiltrating the console's AccessKeyId, SecretAccessKey, and SessionToken. The flaw is a regression of the previously patched CVE-2026-27822 and stems from the PDF preview path trusting the .pdf filename extension rather than the actual content type. No public exploit identified at time of analysis, but a fix and the vulnerable code are public in 0.1.10.
Reflected cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged attacker holding a developer role to inject malicious scripts into a user interface component, which execute in a victim's browser upon interaction. The CVSS 4.0 score of 4.8 (Medium) reflects meaningful constraints: exploitation requires both developer-level authentication and a victim's active interaction with a crafted link or payload. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Stored cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged developer-role user to inject persistent malicious scripts into a UI component, which execute in the browser context of other users who interact with the affected interface. The CVSS 4.0 score of 4.6 (Medium) reflects the constrained impact - limited confidentiality and integrity exposure with no availability impact - consistent with the PR:H and UI:A prerequisites that substantially reduce real-world risk. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Reflected cross-site scripting in HCL Notes 12.0.2FP5HF8 enables unauthenticated network attackers to inject and execute arbitrary JavaScript in the browser sessions of targeted users who interact with malicious links. The CVSS 4.0 vector (SC:H/SI:H/SA:H) signals high downstream impact on victim sessions - including potential session hijacking, credential theft, and unauthorized action execution within the Notes web environment. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis.
Stored cross-site scripting in Stirling-PDF's /get-info-on-pdf endpoint allows attacker-controlled JavaScript to execute in any user's browser when they view metadata of a crafted PDF file. All versions prior to 2.0.0 are affected; the CVSS scope change (S:C) indicates injected scripts operate within the application's browser origin, enabling session hijacking or unauthorized actions. No public exploit code has been identified at time of analysis and this vulnerability has not been listed in CISA KEV.
Stored or reflected cross-site scripting in Fortinet FortiSIEM's web interface enables a high-privileged authenticated attacker to inject malicious script tags that execute in the browsers of other users who view the affected page. The vulnerability spans a wide version range from FortiSIEM 6.4 through 7.4.0, affecting all deployments of this enterprise SIEM platform. No active exploitation has been confirmed by CISA KEV, and no public exploit code is identified at time of analysis; the PR:H requirement meaningfully constrains real-world attacker opportunity despite the scope change to the victim's browser context.
{{ page.content|raw }} filter. No public exploit or CISA KEV listing has been identified at time of analysis, but the bypass technique is explicitly documented in the vendor advisory.
Stored cross-site scripting in Open WebUI before 0.9.5 lets an attacker plant a malicious SVG as a victim's OAuth profile image and execute script in the application's origin. During OAuth login, the `picture` claim URL is fetched and its MIME type is guessed from the file extension rather than the response Content-Type, so a `.svg` URL is stored as a `data:image/svg+xml;base64,...` URI that bypasses the profile-image allowlist; when an authenticated user opens the profile image endpoint the SVG is served inline with no default CSP, running JavaScript that reads `localStorage.token` for account takeover. Reported by VulnCheck with a detailed GHSA source-code advisory; no public exploit identified at time of analysis and it is not in CISA KEV.
Unauthenticated stored cross-site scripting in the 4Analytics analytics extension for Joomla (by weeblr.com) lets a remote attacker inject persistent JavaScript through a specially crafted request, with no login required. Because the payload is stored and later rendered in a privileged context, it can escalate to full website takeover under some conditions. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Stored cross-site scripting in the 4Analytics privacy analytics extension for Joomla (by weeblr.com) lets unauthenticated attackers inject persistent JavaScript that executes when a victim views the AI analysis feature. Because injection requires no authentication (PR:N) but execution requires a victim to open the affected view (UI:A), an attacker can seed malicious script that later runs in a privileged operator's browser session. There is no public exploit identified at time of analysis and the extension is not listed in CISA KEV.
Cross Site Scripting vulnerability in xxl-job-admin v.3.0.0 allows a remote attacker to execute arbitrary code via a crafted HTTP GET request containing a malicious script
jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx-gui is affected by an HTML injection vulnerability in the Summary tab because SummaryNode.java appends arches and perArchCount values derived from .so file path components inside an APK into an HTML panel without escaping. A malicious APK with an HTML URL-encoded ZIP entry name can force rendering of arbitrary HTML, perform out-of-band requests, disclose the victim IP address, or interact with locally exposed applications. This issue is fixed in version 1.5.6.
Reflected Cross-Site Scripting (CWE-79) in Adobe ColdFusion 2023 (through Update 21) and ColdFusion 2025 (through Update 10) lets an unauthenticated attacker inject script into a rendered page when a victim opens a malicious file, executing in the victim's session with a scope change to the browser context. Adobe (psirt@adobe.com) rates it Critical (CVSS 9.6, S:C, C:H/I:H/A:H), though these impact metrics appear inflated for a reflected XSS. There is no public exploit identified at time of analysis; EPSS is 3.75% (89th percentile), indicating elevated but not high near-term exploitation likelihood, and it is not listed in CISA KEV.
Stored cross-site scripting in EasyAdminBundle (Symfony admin generator) versions 5.0.0 through 5.0.12 allows a lower-privileged user with access to a form using FileField or ImageField to upload a browser-executable .html or .svg file that EasyAdmin then links to inline, executing attacker-controlled JavaScript in a viewing administrator's authenticated session. Impact includes session/CSRF-token theft and privilege escalation; it is explicitly NOT remote code execution because filenames come from Symfony's guessExtension(). There is no public exploit identified at time of analysis and it is not in CISA KEV; a vendor patch is available in 5.0.13.
Adobe Commerce is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Stored cross-site scripting in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin lets a high-privileged authenticated attacker persist malicious JavaScript in form fields that executes in a victim's browser when the affected page is viewed. Because CVSS scope is changed and the payload runs in the victim's authenticated context, an attacker can escalate to takeover of a higher-privileged admin session or account. No public exploit identified at time of analysis; remediated in Adobe security bulletin APSB26-73.
Adobe Commerce is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Stored cross-site scripting in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source lets a low-privileged authenticated attacker persist malicious JavaScript into vulnerable form fields, which then executes in a victim's browser and can escalate to account or session takeover. Because scope is changed (S:C), the injected script runs in a security context beyond the attacker's own privileges - the hallmark of admin-panel or storefront XSS crossing a trust boundary. No public exploit identified at time of analysis, but the 8.7 CVSS and account-takeover impact make this a meaningful priority for e-commerce operators running the affected platforms.
Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /exam.php. Such manipulation of the argument day leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
{ $items = []; foreach ($this->variantes() as $item) { $match = $item->{$this->match}; $description = Tools::textBreak($item->description(), 300); ... $items[] = '<tr class="clickableRow" onclick="widgetVarianteSelect(\'' . $this->id . '\', \'' . $match . '\');">' . '<td class="text-center">' ... ``` `$this->match` defaults to `'referencia'` (`WidgetVariante::__construct`, line 42). `$item->referencia` was sanitised at write time by `Variante::test()` (`Core/Model/Variante.php:392`) which calls `Tools::noHtml($this->referencia)`. `Tools::noHtml` (`Core/Tools.php:499-504`) replaces `'`, `"`, `<`, `>` with `'`, `"`, `<`, `>`. The defender therefore expects that any apostrophe a user typed becomes `'` in the database, which renders inside the `onclick` attribute as `'` and cannot break out of the surrounding `'...'` JS string literal. `Core/Lib/Widget/WidgetSubcuenta.php:290-305` has the identical shape: ```php foreach ($this->subcuentas() as $item) { $match = $item->{$this->match}; ... $items[] = '<tr class="clickableRow" onclick="widgetSubaccountSelect(\'' . $this->id . '\', \'' . $match . '\');">' . '<td class="text-center">' . '<a href="' . $item->url() . '" target="_blank" onclick="event.stopPropagation();">' ... ``` `$this->match` defaults to `'codsubcuenta'`; the value is `Tools::noHtml`-encoded by `Subcuenta::test()` (`Core/Model/Subcuenta.php:213`). Per the HTML5 spec (and what every browser actually does), the value of an HTML attribute is processed by the **character reference state** of the tokenizer before any consumer sees it. By the time the `onclick` attribute value reaches the script engine, the bytes inside are the *decoded* string. Concretely, the HTML the browser receives is: ```html <tr onclick="widgetVarianteSelect('id', '1',alert(1),'2');"> ``` After the tokenizer decodes `'` to `'`, the JavaScript fragment passed to the script engine is: ```javascript widgetVarianteSelect('id', '1',alert(1),'2'); ``` `alert(1)` runs as a third positional argument that JavaScript happily evaluates while building the call. The `widgetVarianteSelect` function ends up being called with four arguments and the side-effect of `alert(1)` (or any payload) has already occurred. The recent `40bc701` AccountingModalHTML and `8586b97` SalesModalHTML / PurchasesModalHTML fix recognised this. Both replaced the `onclick="...('"+ value +"')"` pattern with: ```php $tbody .= '<tr ... data-subaccount="' . $code . '" onclick="$(...).modal(\'hide\');' . ' return newLineAction(this.dataset.subaccount);">' ``` Where `$code = static::html($subaccount->codsubcuenta)` and `static::html` is `htmlspecialchars(html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The HTML5 entity decode is deliberate: it normalises any double-encoded data so that the subsequent `htmlspecialchars` produces stable single-encoded output. The JavaScript then reads the value from `this.dataset.*`, which is the post-decoded attribute value, where the original quote is now literally inside a string property and cannot break out of any quote context. `WidgetSubcuenta` and `WidgetVariante` were not migrated to this pattern. `Variante::test()` (`Core/Model/Variante.php:389-401`) accepts up to 30 characters in `referencia`. The minimum payload is 13 bytes (`1',alert(1),'2`), comfortably under the limit. The `Tools::noHtml` pass during `test()` produces the stored form `1',alert(1),'2`, which is 22 bytes. Three plant primitives are practical: 1. **Direct create** via `EditProducto?action=save` with the attacker-controlled `referencia` field. Because `EditProducto` is exposed to any user with the `EditProducto` permission (which roles like *sales agent* and *warehouse manager* commonly carry), this is a within-tenant primitive: a low-privilege salesperson plants the payload, an admin opens any sales document and clicks the variant picker. 2. **DB write** by anyone with raw SQL access (DBA or shared-hosting admin). `INSERT INTO variantes (referencia, ...) VALUES ('1\',alert(1),\'2', ...)`. This is what I used for the live test; the plant is permanent until the row is deleted. 3. **Plugin / API import.** `ApiAttachedFiles` and the various import endpoints allow a low-privilege API key to land arbitrary `referencia` values that bypass the `EditProducto` `permissions->onlyOwnerData` filter. For `WidgetSubcuenta`, the `codsubcuenta` field is constrained to the exercise's `longsubcuenta` length (10 by default), and the regex-free `Tools::noHtml` pass turns one apostrophe into 5 bytes (`'`), so the post-noHtml string must equal the configured length exactly. A 5-byte payload (`1','` is 4) plus padding is workable for compact bypass payloads such as `'+x+'` (where `x` is a previously-loaded global). DB-write planting (primitive 2) bypasses the length check entirely. The fix wave centred on the `Lib/AjaxForms/*ModalHTML.php` files. Both audited widgets live in `Lib/Widget/` and look superficially safe to a reviewer because every value is `Tools::noHtml`-escaped at storage. The actual decoding step happens inside the browser, not the PHP code, so the defect is not visible in a `grep`-based review of the PHP source unless the reviewer specifically looks for `onclick="...('+ $field +')'` shapes that put a `Tools::noHtml`-escaped value in a JavaScript string position inside an HTML attribute. > **Live PoC verified 2026-05-01** against `http://127.0.0.1:8081/` running facturascripts at commit `24281ca`. A `Variante.referencia` value of `1',alert(1),'2` (planted via raw DB write below) renders inside `widgetVarianteSelect('0', '1',alert(1),'2');` in the modal grid; opening the variant-picker modal in any user's browser (low-priv or admin) fires `alert(1)` from the host page's realm. Setup: the admin session at `http://127.0.0.1:8081/` is at `/tmp/fs-cookie2`. Step 1 - plant the payload (any of the three primitives works). DB-write primitive: ```bash mysql -h127.0.0.1 -ufs -pfs facturascripts <<'SQL' INSERT INTO productos (referencia, descripcion, codimpuesto, sevende, secompra, bloqueado, nostock, publico, stockfis, ventasinstock, observaciones) VALUES ('XSSPRD', 'XSS via WidgetVariante', 'IVA21', 1, 1, 0, 1, 0, 0, 1, ''); INSERT INTO variantes (referencia, idproducto, precio, coste, margen, stockfis, codbarras) SELECT "1',alert('XSS-WidgetVariante'),'2", idproducto, 0, 0, 0, 0, '' FROM productos WHERE referencia='XSSPRD'; SQL ``` After the insert, `Variante::test()` did not run (the row was created via SQL), so the literal `'` survives. Even via the EditProducto UI primitive, the round trip through `Tools::noHtml` produces the encoded form `1',alert(...),'2` which decodes back to the working payload at render time. Step 2 - open any controller that uses WidgetVariante with the default `match` (or any third-party plugin form that does so). Core ships two views (`Core/XMLView/EditAgente.xml`, `Core/XMLView/ListAgente.xml`) but both override `match="idproducto"`, so they are not exposed in stock core. Any plugin form that uses `<widget type="variante" .../>` without an explicit `match` attribute opts into the vulnerable code path. Trigger the variant-picker modal: ```bash $ curl -s -b /tmp/fs-cookie2 "http://127.0.0.1:8081/EditAgente?code=1" \ | grep -oE 'widgetVarianteSelect[^<>]{1,200}' | head -3 ``` When the modal renders `match=referencia`, the row in the response contains: ```html <tr class="clickableRow" onclick="widgetVarianteSelect('0', '1',alert('XSS-WidgetVariante'),'2');"> ``` The browser HTML-decodes the attribute value before passing it to the script engine, yielding the actual JavaScript `widgetVarianteSelect('0', '1',alert('XSS-WidgetVariante'),'2');`. The `alert` fires the moment the attribute is parsed for execution (i.e., when the user clicks the row, or when an automation script triggers the click programmatically), and the host realm's session, cookies, and CSRF tokens are exposed to the payload. For `WidgetSubcuenta`, the payload trigger is identical: any controller with `<widget type="subcuenta" fieldname="codsubcuentaXxx"/>` (`Core/XMLView/EditProducto.xml`, `EditCuentaBanco.xml`, `EditFamilia.xml`, `EditImpuesto.xml`, `EditRetencion.xml` are the in-tree consumers) renders the modal with `widgetSubaccountSelect('id', '<HTML-decoded codsubcuenta>')`. A `codsubcuenta` row planted with one apostrophe and five bytes of payload escapes the JS string and runs in the host page. * **Stored XSS in any user's browser the moment they open a product or subaccount picker.** The execution context is the host page, with full access to the viewer's session, CSRF tokens, and the running application. From an admin viewer's perspective the payload achieves admin compromise (install plugins, change passwords); from a normal user's perspective it can be used to exfiltrate the user's data and pivot. * **Within-tenant escalation primitive.** `EditProducto` is a routinely granted role permission. A salesperson, warehouse user, or a plugin-supplied controller without `admin` rights can plant a payload that fires in admin's browser the next time admin opens any sales document and clicks the variant picker. * **Sister vulnerability to the `40bc701` / `8586b97` fix wave.** The maintainers already understand and have fixed the same anti-pattern in three sister classes; these two were missed and remain exploitable. CVSS reasoning: `AV:N`, `AC:L` (one DB or one form POST plant), `PR:H` (the planter must be authenticated and have either `EditProducto` or DB write or import-API access; with weaker roles the payload is also reachable), `UI:R` (the victim opens a form that renders the modal and triggers a click), `S:U` (the impact stays within the application), `C:L I:L A:N` (the viewer's session and CSRF token are exposed; integrity loss bounded by viewer's role). Score 4.8. Mirror the `40bc701` and `8586b97` fix exactly. In both `Core/Lib/Widget/WidgetVariante.php:321` and `Core/Lib/Widget/WidgetSubcuenta.php:296`, replace: ```php $items[] = '<tr class="clickableRow" onclick="widgetVarianteSelect(\'' . $this->id . '\', \'' . $match . '\');">' ``` with the data-attribute pattern that the modal helpers now use: ```php $encMatch = htmlspecialchars( html_entity_decode((string)$match, ENT_QUOTES | ENT_HTML5, 'UTF-8'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); $items[] = '<tr class="clickableRow" data-match="' . $encMatch . '"' . ' onclick="widgetVarianteSelect(\'' . $this->id . '\', this.dataset.match);">' ``` (and the analogous change for `widgetSubaccountSelect`). The same approach should be applied to: * `WidgetSubcuenta::renderExerciseFilter` (`Core/Lib/Widget/WidgetSubcuenta.php:251-255`) where `$item->codejercicio` is interpolated into `<option value="...">`. Codes are short and predictable but the same escaping consideration applies for defence in depth. * `WidgetVariante::renderManufacturerFilter` (line 213) and `renderFamilyFilter` (line 197). Long term, the `BaseWidget::onclickHtml` and `inputHtml` builders (`Core/Lib/Widget/BaseWidget.php:163-167`, `234-239`, `273-283`) likewise concatenate `$this->value` into HTML attributes without context-aware escaping. Migrating them to use Twig (or at least `htmlspecialchars` with `ENT_QUOTES`) closes a class of bugs that today rely on every model's `test()` to be defensive. A regression test should plant a `Variante.referencia` of `1',alert(1),'2`, render the page through the live HTTP stack, and assert that no JavaScript dialog fires (e.g. via Playwright `page.on('dialog', ...)`).
Cross-site scripting in Microsoft Visual Studio Code lets an attacker who tricks a local user into opening crafted content bypass a built-in security feature and gain high-impact code execution within the editor context. The flaw (CWE-79) carries a CVSS 3.1 base score of 7.1 with a local attack vector requiring user interaction, and Microsoft has published an advisory with a fix. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Stored/reflected cross-site scripting in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Subscription Edition) lets an authenticated attacker inject script that executes in another user's browser session to spoof content over the network. Although Microsoft classifies the impact as 'spoofing,' the CVSS 3.1 vector rates confidentiality and integrity as High (C:H/I:H), indicating the injected script can access or alter sensitive session data. There is no public exploit identified at time of analysis, and a vendor patch is available.
Cross-site scripting (CWE-79) in on-premises Microsoft SharePoint Server allows an authenticated, low-privileged attacker to inject script that executes in another user's browser session, enabling spoofing across a network. The scope-changed CVSS 3.1 rating of 8.7 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) reflects the ability to break out of the vulnerable component's security context and impact victim data. Microsoft has released patches; there is no public exploit identified at time of analysis and CISA SSVC currently records exploitation as none.
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Spoofing via stored cross-site scripting in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Subscription Edition) allows an authenticated attacker to inject script that executes in another user's browser session across a network. CVSS is 8.7 with a scope change, reflecting that injected content escapes into the victim's authenticated context; there is no public exploit identified at time of analysis and CISA SSVC rates exploitation status as none. A vendor patch is available via Microsoft MSRC.
Cross-site scripting in Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition enables an authenticated attacker with low-privilege network access to inject malicious scripts into SharePoint pages, resulting in spoofing impacts when a victim user interacts with the crafted content. The CVSS vector (PR:L/UI:R) confirms exploitation requires both an existing authenticated account and victim interaction, constraining real-world risk relative to unauthenticated XSS variants. No public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog. Vendor patch is available via the Microsoft Security Response Center.
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Improper neutralization of input during web page generation ('cross-site scripting') in Active Directory Federation Services (AD FS) allows an authorized attacker to perform spoofing over a network.
Cross-site scripting (CWE-79) in Microsoft Power BI Report Server lets an authenticated, low-privileged attacker inject script that executes in another user's browser session, enabling spoofing of report content and hijacking of the victim's authenticated context over the network. Exploitation requires a victim to interact with attacker-controlled report content (UI:R). There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; a vendor patch is available per the MSRC advisory.
Spoofing in the Microsoft Bing Search app for iOS lets a remote attacker present deceptive or overlaid UI content that misleads the victim, because the app improperly restricts how rendered UI layers or frames are displayed (CWE-1021, a UI-redressing/clickjacking class of flaw). An unauthenticated attacker who lures a user into interacting with attacker-controlled content can manipulate what the user sees and trusts, potentially inducing them to act on falsified information. Microsoft has released a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored/reflected cross-site scripting in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) lets a network-based, unauthenticated attacker inject malicious script that executes in a victim's browser session, enabling spoofing and - per the scope-changed CVSS 9.6 vector - high impact to confidentiality, integrity, and availability of resources beyond the vulnerable component. Exploitation requires the target to view attacker-controlled content (UI:R). Microsoft has released a patch; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Stored cross-site scripting in Hi.Events through v1.10.0-beta allows authenticated event organizers to inject arbitrary JavaScript into public event pages by embedding the raw </script> sequence in an event title, which the application's JSON.stringify() serialization fails to encode safely when placed in inline script contexts. The payload executes in the browser of every visitor to the affected event page - including unauthenticated attendees and authenticated administrators - enabling session hijacking and privilege escalation from a low-privileged creator account. No public exploit has been identified at time of analysis; a vendor-released patch is available in v1.11.0-beta.
Reflected or stored cross-site scripting in Fortinet FortiOS, FortiPAM, and FortiProxy web interfaces allows a remote unauthenticated attacker to execute JavaScript in the browser session of an authenticated administrator via crafted HTTP requests. The CVSS temporal metric E:P confirms publicly available proof-of-concept exploit code exists, and the RL:O metric confirms Fortinet has released an official fix. No active exploitation has been confirmed by CISA KEV at time of analysis, but the combination of a POC and the high-value targets (network security appliances and privileged access management systems) elevates real-world risk beyond what the base CVSS score of 6.1 suggests.
Stored XSS in Easy!Appointments versions prior to 1.6.0 allows an authenticated administrator to inject arbitrary HTML or JavaScript into the 'booking disabled' message field via the booking settings rich-text editor. The unsanitized value is rendered directly to every unauthenticated visitor who opens the public booking page while booking is disabled, crossing a scope boundary from admin context to anonymous public users. No public exploit has been identified at time of analysis; CVSS rates this 2.6 (Low) driven by the administrator-level privilege requirement, though the persistent cross-scope impact on all public visitors is a meaningful secondary risk factor.
Stored cross-site scripting in Rockwell Automation FactoryTalk DataMosaix Private Cloud lets a high-privileged authenticated user persist malicious JavaScript through the Workflows configuration, which then executes in the browsers of other users who view the affected page. Successful exploitation can lead to session/account takeover, credential theft, or redirection to attacker-controlled sites. No public exploit identified at time of analysis, and the CVSS 4.0 base score is 8.4 (High).
Stored cross-site scripting in Sustainable Irrigation Platform (SIP) through version 5.2.16 enables unauthenticated remote attackers to permanently inject arbitrary JavaScript by submitting crafted program names via HTTP requests, with the payload executing in every subsequent viewer's browser. Exploitation is significantly facilitated by the application's acceptance of submissions with no passphrase configured or using the default passphrase 'opendoor', removing any authentication barrier in common deployments. A publicly available proof-of-concept exploit from ZeroScience (ZSL-2026-5994) documents the attack path; this CVE is not currently listed in the CISA KEV catalog.
Cross-site scripting in code-projects Online Job Portal 1.0 allows a remote, low-privileged attacker to inject malicious JavaScript via the /Admin/DetailJob.php endpoint, which executes in the browser of any user who views the affected page. The CVSS 4.0 vector (PR:L/UI:P) confirms that exploitation requires an authenticated session and passive victim interaction, constraining but not eliminating real-world risk. A public proof-of-concept has been disclosed on GitHub; no patch from the vendor has been identified at time of analysis.
Stored Cross-Site Scripting in WP Customer Area WordPress plugin (versions up to and including 8.3.5) allows authenticated attackers with Contributor-level access or above to persistently inject arbitrary JavaScript via the unsanitized 'type' attribute of the customer-area-protected-content shortcode. The injected payload executes in the browser of any user who visits the compromised page, enabling session hijacking, credential theft, or malicious redirects against site visitors. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis; however, the Contributor-level prerequisite is a low barrier in multi-author WordPress environments.
Stored Cross-Site Scripting in the News Kit Addons For Elementor WordPress plugin (versions ≤1.4.6) permits authenticated contributors to persistently inject arbitrary JavaScript into pages via the Site Logo Title and Single Author Box widgets by manipulating the elementor_ajax AJAX save request to bypass client-side tag-name restrictions. Every user who subsequently visits an injected page executes the attacker's script in their browser, enabling session hijacking, credential theft, or admin-level actions on their behalf. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; a vendor-released patch is available in version 1.4.7.
Reflected XSS in SAP NetWeaver Application Server ABAP's Business Server Pages (BSP) framework allows remote unauthenticated attackers to inject arbitrary JavaScript into HTTP responses when a victim user interacts with a crafted URL. Successful exploitation enables session token theft and execution of authenticated actions on behalf of the victim within the SAP web context. No public exploit code or CISA KEV listing is identified at time of analysis; CVSS AC:H indicates non-trivial conditions must align for successful delivery, moderating real-world risk despite the enterprise sensitivity of SAP environments.
Reflected cross-site scripting in SAP NetWeaver Enterprise Portal enables unauthenticated remote attackers to inject arbitrary JavaScript into URL parameters that are echoed back unencoded in server responses. When a victim with an active portal session visits a crafted URL, the injected script executes in their browser under the portal's origin, permitting session token theft, unauthorized manipulation of portal content, or forced redirection to attacker-controlled resources. No public exploit code has been identified at time of analysis and no CISA KEV listing exists, though the unauthenticated network-accessible attack surface and low complexity make phishing-based delivery operationally straightforward.
Reflected cross-site scripting in SAP NetWeaver Application Server Java (specifically the Configuration Wizard component) lets an unauthenticated attacker embed malicious JavaScript in crafted URLs that executes in a victim's browser when the link is opened. Because the CVSS scope is changed (S:C) and confidentiality impact is high, a successful lure can expose sensitive session information and tamper with non-sensitive data rendered in the client. No public exploit identified at time of analysis, but the 8.2 CVSS and unauthenticated, network-reachable vector make it a meaningful phishing-driven risk for exposed SAP portals.
Stored XSS in osTicket's Agent and Admin panel allows any authenticated user with ticket-submission privileges to inject persistent JavaScript that executes in privileged staff browser sessions. Affected versions span two release branches: 1.10 through 1.17.7 and 1.18.0 through 1.18.3. No public exploit identified at time of analysis per KEV, but publicly available exploit code exists on GitHub (WesWrench/CVE-2026-36214), and the CVSS scope-change rating (S:C) reflects that successful exploitation compromises Agent or Admin sessions rather than the attacker's own context.
Stored HTML injection in HedgeDoc prior to 1.11.0 allows low-privileged, registered attackers to inject arbitrary HTML into publish views, slide views, and the collaborative editor by registering an email address with an RFC 5321 quoted-string local-part, which is then rendered as the display name without output encoding. Victims who view affected pages are exposed to content manipulation and attacker-controlled cross-origin iframe embedding; direct JavaScript execution is mitigated by the deployed Content-Security-Policy, but phishing, UI redressing, and resource injection remain viable. No public exploit code has been identified at time of analysis, and no KEV listing exists; the fix is available in version 1.11.0.
Cross-site scripting in SourceCodester Class and Exam Timetabling System 1.0 exposes users to script injection via the unvalidated `subject` parameter in `/subject.php`, exploitable remotely by unauthenticated attackers. A publicly available proof-of-concept exists on GitHub, confirming practical exploitability with minimal attacker skill. No CISA KEV listing is present; the CVSS 4.0 score of 5.3 reflects limited integrity impact constrained by required user interaction, though POC availability meaningfully elevates real-world risk above the raw score suggests.
Cross-site scripting in appium-mcp (the Appium MCP server) versions <= 1.85.9 lets an attacker who controls the mobile app under test inject arbitrary HTML/JavaScript into the MCP UI resource returned by the generate_locators tool, because createLocatorGeneratorUI interpolates element attributes (text, content-desc, resource-id, selector, strategy) into an HTML template without escaping. When a victim's MCP client renders the resource, the injected script runs and can call arbitrary registered MCP tools via window.parent.postMessage (screenshots, page-source reads, etc.). No public exploit identified at time of analysis, though the fix commit ships XSS test cases; fixed in 1.85.10.
Reflected Cross-Site Scripting in ChurchCRM before 7.4.0 lets remote attackers inject JavaScript through unsanitized request parameter names and values reflected into JavaScript-string and HTML-attribute contexts on endpoints such as /FamilyCustomFieldsEditor.php, /PaddleNumList.php, and /admin/system/church-info. When a victim (especially an administrator) follows a crafted link, the payload executes in their session, enabling session-token theft, account takeover, and exposure of church member data. No public exploit identified at time of analysis, and the CVSS 4.0 vector (PR:N/UI:A) indicates unauthenticated triggering but requires victim interaction.
Reflected cross-site scripting in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript via the unsanitized `subject` parameter in `/forsubject.php`. A victim user must interact with a crafted URL for the payload to execute in their browser. A public proof-of-concept exploit is available on GitHub, increasing the likelihood of opportunistic exploitation against deployed instances.
Stored Cross-Site Scripting in the Avada (Fusion) Builder WordPress plugin versions up to 3.15.5 allows authenticated contributors to inject persistent malicious scripts via the 'Module Title' parameter, executing in the browsers of any user who views the affected page. This grants attackers the ability to steal session tokens, perform unauthorized actions on behalf of victims, or redirect users to malicious sites. No public exploit or CISA KEV listing has been identified at time of analysis, though the Contributor-level entry bar makes this accessible to a broad attacker pool on sites with open registration.
Stored XSS in Laravel-Mediable before 7.0.0 allows network-accessible, unauthenticated attackers to persist malicious JavaScript payloads by uploading crafted SVG files containing embedded scripts in onload handlers, script tags, or foreignObject elements. When any authenticated user subsequently opens or previews a poisoned file in their browser, the payload executes with full DOM access, enabling session cookie theft, CSRF token capture, and complete account takeover. No public exploit has been identified at time of analysis, but the attack requires no special privileges and the technique is well-understood; the vendor has classified this as a security release and strongly recommends immediate upgrade to 7.0.0.
{...}> component are directly affected; no public exploit code has been identified at time of analysis, and a patched release (1.2.7) is available.
Stored cross-site scripting in the NukeViet CMS News module (versions before 4.6.00) lets any authenticated user with news-posting permission persist arbitrary JavaScript that runs in the browser of every visitor, including administrators. Two independent filter bypasses defeat the built-in anti-XSS routines in NukeViet\Core\Request: a Form Feed (\x0C) prefix slips event-handler attributes past the /^on/ check, and a decimal HTML-entity tab (	) smuggles a javascript: URI past the keyword filter. Publicly available exploit payloads exist in the vendor advisory; there is no evidence of active exploitation and no EPSS figure was supplied.
Stored XSS in Rejetto HFS 3.0.0 through 3.2.0 allows attackers with upload access - or any user on servers configured with publicly writable folders - to inject persistent browser scripts via maliciously named files in the 'basic' web listing mode. Because the basic listing can be forced by any visitor using the ?get=basic URL parameter, the vulnerable rendering path is reachable regardless of whether the default interface is exposed. The vendor's own v3.2.1 release notes state that vulnerabilities addressed in this release collectively enable administrative account compromise; no public exploit or CISA KEV listing has been identified, but a vendor-released patch is available.
Stored cross-site scripting in Rejetto HTTP File Server 3.0.0-3.2.0 allows an unauthenticated remote attacker to inject persistent JavaScript into the server error log via a crafted username in a failed login attempt. When an administrator views the log panel, the payload executes in their browser session, granting the attacker the ability to create accounts or execute server-side code with full administrative privileges. No public exploit has been identified at time of analysis, but the attack chain is low-complexity and the vendor has confirmed a fix in v3.2.1.
Stored cross-site scripting in NukeViet CMS 4.x through 4.5.08 lets a low-privileged authenticated member embed a JavaScript payload in their profile display name (first_name/last_name), which then executes when any visitor - including administrators - clicks the Reply/Answer link on that member's comment. The flaw stems from HTML-entity encoding being applied where JavaScript-string escaping is required, so the payload runs in the victim's session context and can drive admin session actions, credential phishing, and data exfiltration. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), though there is no public exploit identified as actively used in the wild.
Reflected cross-site scripting in the Comment module of NukeViet CMS (versions before 4.5.09) lets remote unauthenticated attackers execute arbitrary JavaScript in a victim's browser via a crafted URL. The status_comment parameter carries base64-encoded HTML that is decoded server-side and rendered unescaped, while a second flaw makes the checkss anti-forgery token static and site-wide, removing the only barrier to URL-based delivery. No public exploit identified at time of analysis, though the advisory documents a confirmed proof-of-concept credential-phishing overlay.
Stored XSS in Decidim's HTML content blocks allows any administrator with landing-page editing rights to persist arbitrary JavaScript that executes in every visitor's browser. The vulnerability affects the decidim-core RubyGem across three release branches (below 0.30.9, 0.31.5, and 0.32.0) and was confirmed through a professional security audit by Radically Open Security. No public exploit code or CISA KEV listing exists; vendor-released patches are available and the fix has been merged upstream.
An issue exists within GEONODE where the current rich text editor is vulnerable to Stored XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Remote code execution in Mura CMS versions prior to 10.0.712 allows unauthenticated attackers to execute arbitrary CFML and instantiate malicious Java objects by abusing the unvalidated 'method' parameter in POST requests to the /index.cfm/_api/json/v1/default JSON API endpoint. Because the ColdFusion engine processes the attacker-controlled input without sanitisation, a single crafted request yields full compromise (VC:H/VI:H/VA:H). No public exploit identified at time of analysis, though CISA SSVC flags the flaw as automatable with total technical impact.
Stored Cross-Site Scripting in the SysBasics Customize My Account for WooCommerce plugin (all versions through 4.4.14) allows authenticated shop managers to persist malicious scripts via the unsanitized 'row_type' parameter, executing in any user's browser upon visiting the compromised My Account page. The CVSS scope change (S:C) confirms cross-user impact - injected scripts run in victim sessions, enabling session hijacking or credential theft beyond the attacker's own context. No public exploit code or CISA KEV listing is confirmed at time of analysis; risk is substantially gated by the shop manager privilege requirement.
Stored Cross-Site Scripting in the wpForo Forum WordPress plugin (all versions through 3.1.1) allows authenticated attackers with subscriber-level access to permanently inject malicious JavaScript via the 'location' profile field. The root failure is WordPress's native sanitize_text_field() function, which strips tags but leaves double quotes unencoded, enabling attribute breakout from an href context into injected event-handler attributes. With a CVSS scope change (S:C), successful exploitation can impact sessions of any user - including administrators - who views a poisoned profile page, enabling session hijacking or privilege escalation. No public exploit or CISA KEV listing has been identified at time of analysis.
Stored Cross-Site Scripting in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) allows authenticated contributors to inject persistent malicious scripts via the price_wrapper shortcode attribute, due to missing sanitization and output escaping in class.shortcodes.php. A compromised or malicious contributor account can plant the payload in any page or post, where it executes against visiting victims - but only those who carry the referenced ticket ID in their cart cookie, materially narrowing the realistic victim pool. No active exploitation has been confirmed in CISA KEV, and no EPSS data was provided in the intelligence feed.
Stored cross-site scripting in the Breakdance WordPress page-builder plugin (versions through 2.7.1) lets unauthenticated attackers inject persistent JavaScript through the 'fields' parameter, which then runs in the browser of any user who views the affected page. The flaw carries a CVSS 3.1 score of 7.2, elevated by a scope change (S:C) because the payload executes in visitors' browser sessions rather than the server context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Wordfence discovered and reported it.
Stored cross-site scripting in the WP Delicious (formerly Delicious Recipes) WordPress plugin versions up to and including 1.10.2 allows authenticated Contributor-level users to inject arbitrary JavaScript via unsanitized `javascript:` URIs embedded in recipe step link attributes. The `wrap_direction_text()` function interpolates attacker-controlled `href` values directly into anchor tags using `sprintf()` without invoking WordPress's `esc_url()`, enabling payload execution in the browser of any privileged user who clicks the poisoned link while previewing or viewing the affected recipe post. No CISA KEV listing or public exploit code has been identified at time of analysis, though Wordfence's source-level disclosure provides sufficient detail for independent reproduction.
The FunnelKit WordPress plugin before 3.15.0.6 does not escape a user-supplied parameter before reflecting it into the HTML response of one of its page-builder AJAX actions, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting against logged-in users who open a crafted page. The affected action is only registered when the Divi /builder is active.
Stored cross-site scripting in the RPB Chessboard WordPress plugin (all versions through 8.1.2) lets unauthenticated attackers plant persistent JavaScript through comment content that executes in the browser of anyone who later views the affected page. The novel aspect, per Wordfence, is that WordPress's normal save-time kses sanitization is bypassed because the payload uses only kses-allowed tags/attributes (an <a> element with title and href) and the dangerous attribute-breaking markup is assembled entirely at render time by the plugin's own comment_text filter. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated, no-interaction entry point makes it a practical drive-by injection risk.
Reflected Cross-Site Scripting in the Product Feed Manager For WooCommerce WordPress plugin (all versions through 7.6.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unescaped 's' search parameter, which executes in a victim's browser upon interaction with a crafted link. The vulnerability is rooted in insufficient sanitization and output escaping within the plugin's admin-facing PHP classes, as confirmed by Wordfence with direct source code references to class-rex-product-feed-actions.php and class-rex-product-feed.php. No public exploit code has been identified at time of analysis, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog.
Stored Cross-Site Scripting in the Easy Accordion - AI-Powered FAQ & Accordion Blocks, Product FAQ plugin (all versions ≤ 3.1.6) enables authenticated attackers holding contributor-level WordPress roles to inject persistent JavaScript payloads via the unsanitized 'align' block attribute. The injected script executes in the browser of any user - including administrators - who views the affected page, making session hijacking and privilege escalation realistic follow-on impacts. No public exploit code or CISA KEV listing has been identified at time of analysis, but Wordfence source code references pinpoint the exact vulnerable lines, substantially lowering the barrier to exploitation.
Stored XSS in GiveWP's Sequoia donation template allows authenticated attackers with give worker-level access to inject persistent JavaScript payloads via the 'twitter_message' template setting, affecting all WordPress installations running plugin versions through 4.16.3. The injected payload is not sanitized before being embedded inside a JavaScript template literal in the Sequoia confirmation view's social-sharing component, and executes in the donor's browser specifically when they click the 'Share on Twitter' button after completing a donation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the Wordfence disclosure includes direct source code references confirming the unsanitized evaluation path.
Stored Cross-Site Scripting in the MxChat AI Chatbot & Content Generation WordPress plugin (versions up to and including 3.2.10) enables authenticated administrators to persist malicious scripts through admin settings panels. Exploitation is constrained to WordPress multi-site environments or single-site installs where the unfiltered_html capability has been explicitly disabled, narrowing the realistic attack surface significantly. No public exploit code or active exploitation (CISA KEV) has been identified; CVSS 4.4 Medium reflects the restricted conditions and high privilege requirement.
Stored/reflected XSS in the ViewComponent Rails gem (versions >= 4.0.0, < 4.12.0) arises because HTML-unsafe strings returned from a component's around_render hook bypass the automatic escaping applied to normal #call output, letting attacker-controlled data reach the browser as raw HTML. The flaw is amplified in collection rendering, where Collection#render_in joins per-item output and blindly marks it html_safe, laundering unsafe content into a trusted SafeBuffer. Publicly available exploit code exists (a detailed PoC in the GitHub advisory), but there is no public exploit identified as actively used in the wild; a vendor patch is available in v4.12.0.
Stored DOM cross-site scripting in WWBN AVideo's YPTSocket plugin (all versions prior to 29.0) lets any unauthenticated remote attacker run arbitrary JavaScript in the browser session of any administrator viewing the YPTSocket online-users debug panel. Because the malicious WebSocket metadata is broadcast to every connected client and rendered without escaping, a single anonymous WebSocket connection can be escalated into full administrative account takeover via the admin's own session and CSRF token. No public exploit identified at time of analysis; the flaw carries a CVSS 9.6 (Critical) rating driven by the scope change into the privileged admin origin.
Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks that can result in administrator credential theft. An attacker who controls a malicious website can embed the login page in a hidden iframe, luring an unwitting administrator to unknowingly submit their credentials into the framed interface. No public exploit has been identified at time of analysis, and the CVSS 4.0 vector indicates active user interaction is required, limiting opportunistic exploitation.
Stored cross-site scripting in DataEase's template static resource pipeline allows authenticated users to persist malicious JavaScript inside SVG files served at the application's same origin, executing in victims' browsers upon resource access. Versions prior to 2.10.23 are affected; the root cause is that StaticResourceServer.saveFilesToServe and saveSingleFileToServe decoded attacker-supplied Base64 content and wrote it directly to disk without validating extension, MIME type, decoded bytes, or SVG scriptability. No public exploit code or CISA KEV listing exists at time of analysis, but the stored, same-origin nature of the XSS and the low bar for triggering it (any authenticated user) make this a meaningful risk in shared or multi-tenant DataEase deployments.
Stored cross-site scripting in MantisBT (versions <= 2.28.3) lets an authenticated user inject arbitrary HTML/JavaScript through a crafted image-attachment filename that breaks out of an IMG tag's alt attribute. The payload executes when any user (including higher-privileged reviewers) renders the Word/HTML export view at print_all_bug_page_word.php?type_page=html&export=1, though real-world impact is constrained by MantisBT's Content Security Policy. There is no public exploit identified at time of analysis, and the flaw is fixed in 2.28.4.
Reflected cross-site scripting in MantisBT 2.28.3 and earlier lets remote attackers inject HTML into the unauthenticated /admin/install.php installer page through six user-supplied parameters echoed via an unescaped printf format string. Because the application ships a script-src 'self' Content Security Policy that lacks a form-action directive, an attacker cannot run inline JavaScript but can render fake credential-harvesting login forms, perform <meta>-based open redirects, and overlay attacker HTML via CSS injection on the legitimate admin page. There is no public exploit identified at time of analysis, no CISA KEV listing, and no CVSS/EPSS score in the provided data; the issue was reported by watchTowr and fixed in 2.28.4.
Reflected cross-site scripting in MantisBT's /admin/install.php (versions 2.28.3 and earlier) lets remote attackers inject HTML through six unescaped, user-supplied parameters echoed by print_test_result(). Although the page's Content-Security-Policy (script-src 'self') blocks inline JavaScript, the missing form-action directive permits credential-phishing form injection, <meta>-based open redirects, and CSS overlay attacks against the trusted admin origin. The advisory states no authentication is required; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored XSS via unsanitized `javascript:` URI injection in the Dashy RSS Feed widget (src/components/Widgets/RssFeed.vue) affects all releases from 1.9.4 through 3.1.x, allowing an attacker who controls an RSS feed source configured in the dashboard to deliver a malicious anchor href that executes arbitrary JavaScript in the Dashy origin when a user clicks it. The attack requires both feed-source control and user interaction, and is confined to the Dashy application origin - meaning session tokens, cookies, or dashboard credentials are the primary targets. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; a vendor-released patch is available in version 3.2.0.
Stored cross-site scripting in OpenWrt's default odhcpd server (all releases prior to 25.12.5) lets a network-adjacent DHCP client inject forged lease records that execute as HTML/JavaScript in a router administrator's browser. The client-supplied DHCPv6 FQDN option 39 (and DHCPv4 option 12) hostname is written unescaped into /tmp/odhcpd.leases, enabling newline injection of attacker-controlled fields that LuCI's Active DHCPv6 Leases page renders via unsafe dom.append. No public exploit is identified at time of analysis, and the flaw is not in CISA KEV; it is fixed in 25.12.5.
Stored cross-site scripting in RustFS Console (0.1.7 through 0.1.9) lets an attacker upload an HTML payload disguised as a .pdf file that executes when an administrator previews it, exfiltrating the console's AccessKeyId, SecretAccessKey, and SessionToken. The flaw is a regression of the previously patched CVE-2026-27822 and stems from the PDF preview path trusting the .pdf filename extension rather than the actual content type. No public exploit identified at time of analysis, but a fix and the vulnerable code are public in 0.1.10.
Reflected cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged attacker holding a developer role to inject malicious scripts into a user interface component, which execute in a victim's browser upon interaction. The CVSS 4.0 score of 4.8 (Medium) reflects meaningful constraints: exploitation requires both developer-level authentication and a victim's active interaction with a crafted link or payload. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Stored cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged developer-role user to inject persistent malicious scripts into a UI component, which execute in the browser context of other users who interact with the affected interface. The CVSS 4.0 score of 4.6 (Medium) reflects the constrained impact - limited confidentiality and integrity exposure with no availability impact - consistent with the PR:H and UI:A prerequisites that substantially reduce real-world risk. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Reflected cross-site scripting in HCL Notes 12.0.2FP5HF8 enables unauthenticated network attackers to inject and execute arbitrary JavaScript in the browser sessions of targeted users who interact with malicious links. The CVSS 4.0 vector (SC:H/SI:H/SA:H) signals high downstream impact on victim sessions - including potential session hijacking, credential theft, and unauthorized action execution within the Notes web environment. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis.
Stored cross-site scripting in Stirling-PDF's /get-info-on-pdf endpoint allows attacker-controlled JavaScript to execute in any user's browser when they view metadata of a crafted PDF file. All versions prior to 2.0.0 are affected; the CVSS scope change (S:C) indicates injected scripts operate within the application's browser origin, enabling session hijacking or unauthorized actions. No public exploit code has been identified at time of analysis and this vulnerability has not been listed in CISA KEV.
Stored or reflected cross-site scripting in Fortinet FortiSIEM's web interface enables a high-privileged authenticated attacker to inject malicious script tags that execute in the browsers of other users who view the affected page. The vulnerability spans a wide version range from FortiSIEM 6.4 through 7.4.0, affecting all deployments of this enterprise SIEM platform. No active exploitation has been confirmed by CISA KEV, and no public exploit code is identified at time of analysis; the PR:H requirement meaningfully constrains real-world attacker opportunity despite the scope change to the victim's browser context.
{{ page.content|raw }} filter. No public exploit or CISA KEV listing has been identified at time of analysis, but the bypass technique is explicitly documented in the vendor advisory.
Stored cross-site scripting in Open WebUI before 0.9.5 lets an attacker plant a malicious SVG as a victim's OAuth profile image and execute script in the application's origin. During OAuth login, the `picture` claim URL is fetched and its MIME type is guessed from the file extension rather than the response Content-Type, so a `.svg` URL is stored as a `data:image/svg+xml;base64,...` URI that bypasses the profile-image allowlist; when an authenticated user opens the profile image endpoint the SVG is served inline with no default CSP, running JavaScript that reads `localStorage.token` for account takeover. Reported by VulnCheck with a detailed GHSA source-code advisory; no public exploit identified at time of analysis and it is not in CISA KEV.
Unauthenticated stored cross-site scripting in the 4Analytics analytics extension for Joomla (by weeblr.com) lets a remote attacker inject persistent JavaScript through a specially crafted request, with no login required. Because the payload is stored and later rendered in a privileged context, it can escalate to full website takeover under some conditions. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Stored cross-site scripting in the 4Analytics privacy analytics extension for Joomla (by weeblr.com) lets unauthenticated attackers inject persistent JavaScript that executes when a victim views the AI analysis feature. Because injection requires no authentication (PR:N) but execution requires a victim to open the affected view (UI:A), an attacker can seed malicious script that later runs in a privileged operator's browser session. There is no public exploit identified at time of analysis and the extension is not listed in CISA KEV.
Cross Site Scripting vulnerability in xxl-job-admin v.3.0.0 allows a remote attacker to execute arbitrary code via a crafted HTTP GET request containing a malicious script
jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx-gui is affected by an HTML injection vulnerability in the Summary tab because SummaryNode.java appends arches and perArchCount values derived from .so file path components inside an APK into an HTML panel without escaping. A malicious APK with an HTML URL-encoded ZIP entry name can force rendering of arbitrary HTML, perform out-of-band requests, disclose the victim IP address, or interact with locally exposed applications. This issue is fixed in version 1.5.6.
Reflected Cross-Site Scripting (CWE-79) in Adobe ColdFusion 2023 (through Update 21) and ColdFusion 2025 (through Update 10) lets an unauthenticated attacker inject script into a rendered page when a victim opens a malicious file, executing in the victim's session with a scope change to the browser context. Adobe (psirt@adobe.com) rates it Critical (CVSS 9.6, S:C, C:H/I:H/A:H), though these impact metrics appear inflated for a reflected XSS. There is no public exploit identified at time of analysis; EPSS is 3.75% (89th percentile), indicating elevated but not high near-term exploitation likelihood, and it is not listed in CISA KEV.
Stored cross-site scripting in EasyAdminBundle (Symfony admin generator) versions 5.0.0 through 5.0.12 allows a lower-privileged user with access to a form using FileField or ImageField to upload a browser-executable .html or .svg file that EasyAdmin then links to inline, executing attacker-controlled JavaScript in a viewing administrator's authenticated session. Impact includes session/CSRF-token theft and privilege escalation; it is explicitly NOT remote code execution because filenames come from Symfony's guessExtension(). There is no public exploit identified at time of analysis and it is not in CISA KEV; a vendor patch is available in 5.0.13.
Adobe Commerce is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Stored cross-site scripting in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin lets a high-privileged authenticated attacker persist malicious JavaScript in form fields that executes in a victim's browser when the affected page is viewed. Because CVSS scope is changed and the payload runs in the victim's authenticated context, an attacker can escalate to takeover of a higher-privileged admin session or account. No public exploit identified at time of analysis; remediated in Adobe security bulletin APSB26-73.
Adobe Commerce is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Stored cross-site scripting in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source lets a low-privileged authenticated attacker persist malicious JavaScript into vulnerable form fields, which then executes in a victim's browser and can escalate to account or session takeover. Because scope is changed (S:C), the injected script runs in a security context beyond the attacker's own privileges - the hallmark of admin-panel or storefront XSS crossing a trust boundary. No public exploit identified at time of analysis, but the 8.7 CVSS and account-takeover impact make this a meaningful priority for e-commerce operators running the affected platforms.
Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /exam.php. Such manipulation of the argument day leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
{ $items = []; foreach ($this->variantes() as $item) { $match = $item->{$this->match}; $description = Tools::textBreak($item->description(), 300); ... $items[] = '<tr class="clickableRow" onclick="widgetVarianteSelect(\'' . $this->id . '\', \'' . $match . '\');">' . '<td class="text-center">' ... ``` `$this->match` defaults to `'referencia'` (`WidgetVariante::__construct`, line 42). `$item->referencia` was sanitised at write time by `Variante::test()` (`Core/Model/Variante.php:392`) which calls `Tools::noHtml($this->referencia)`. `Tools::noHtml` (`Core/Tools.php:499-504`) replaces `'`, `"`, `<`, `>` with `'`, `"`, `<`, `>`. The defender therefore expects that any apostrophe a user typed becomes `'` in the database, which renders inside the `onclick` attribute as `'` and cannot break out of the surrounding `'...'` JS string literal. `Core/Lib/Widget/WidgetSubcuenta.php:290-305` has the identical shape: ```php foreach ($this->subcuentas() as $item) { $match = $item->{$this->match}; ... $items[] = '<tr class="clickableRow" onclick="widgetSubaccountSelect(\'' . $this->id . '\', \'' . $match . '\');">' . '<td class="text-center">' . '<a href="' . $item->url() . '" target="_blank" onclick="event.stopPropagation();">' ... ``` `$this->match` defaults to `'codsubcuenta'`; the value is `Tools::noHtml`-encoded by `Subcuenta::test()` (`Core/Model/Subcuenta.php:213`). Per the HTML5 spec (and what every browser actually does), the value of an HTML attribute is processed by the **character reference state** of the tokenizer before any consumer sees it. By the time the `onclick` attribute value reaches the script engine, the bytes inside are the *decoded* string. Concretely, the HTML the browser receives is: ```html <tr onclick="widgetVarianteSelect('id', '1',alert(1),'2');"> ``` After the tokenizer decodes `'` to `'`, the JavaScript fragment passed to the script engine is: ```javascript widgetVarianteSelect('id', '1',alert(1),'2'); ``` `alert(1)` runs as a third positional argument that JavaScript happily evaluates while building the call. The `widgetVarianteSelect` function ends up being called with four arguments and the side-effect of `alert(1)` (or any payload) has already occurred. The recent `40bc701` AccountingModalHTML and `8586b97` SalesModalHTML / PurchasesModalHTML fix recognised this. Both replaced the `onclick="...('"+ value +"')"` pattern with: ```php $tbody .= '<tr ... data-subaccount="' . $code . '" onclick="$(...).modal(\'hide\');' . ' return newLineAction(this.dataset.subaccount);">' ``` Where `$code = static::html($subaccount->codsubcuenta)` and `static::html` is `htmlspecialchars(html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The HTML5 entity decode is deliberate: it normalises any double-encoded data so that the subsequent `htmlspecialchars` produces stable single-encoded output. The JavaScript then reads the value from `this.dataset.*`, which is the post-decoded attribute value, where the original quote is now literally inside a string property and cannot break out of any quote context. `WidgetSubcuenta` and `WidgetVariante` were not migrated to this pattern. `Variante::test()` (`Core/Model/Variante.php:389-401`) accepts up to 30 characters in `referencia`. The minimum payload is 13 bytes (`1',alert(1),'2`), comfortably under the limit. The `Tools::noHtml` pass during `test()` produces the stored form `1',alert(1),'2`, which is 22 bytes. Three plant primitives are practical: 1. **Direct create** via `EditProducto?action=save` with the attacker-controlled `referencia` field. Because `EditProducto` is exposed to any user with the `EditProducto` permission (which roles like *sales agent* and *warehouse manager* commonly carry), this is a within-tenant primitive: a low-privilege salesperson plants the payload, an admin opens any sales document and clicks the variant picker. 2. **DB write** by anyone with raw SQL access (DBA or shared-hosting admin). `INSERT INTO variantes (referencia, ...) VALUES ('1\',alert(1),\'2', ...)`. This is what I used for the live test; the plant is permanent until the row is deleted. 3. **Plugin / API import.** `ApiAttachedFiles` and the various import endpoints allow a low-privilege API key to land arbitrary `referencia` values that bypass the `EditProducto` `permissions->onlyOwnerData` filter. For `WidgetSubcuenta`, the `codsubcuenta` field is constrained to the exercise's `longsubcuenta` length (10 by default), and the regex-free `Tools::noHtml` pass turns one apostrophe into 5 bytes (`'`), so the post-noHtml string must equal the configured length exactly. A 5-byte payload (`1','` is 4) plus padding is workable for compact bypass payloads such as `'+x+'` (where `x` is a previously-loaded global). DB-write planting (primitive 2) bypasses the length check entirely. The fix wave centred on the `Lib/AjaxForms/*ModalHTML.php` files. Both audited widgets live in `Lib/Widget/` and look superficially safe to a reviewer because every value is `Tools::noHtml`-escaped at storage. The actual decoding step happens inside the browser, not the PHP code, so the defect is not visible in a `grep`-based review of the PHP source unless the reviewer specifically looks for `onclick="...('+ $field +')'` shapes that put a `Tools::noHtml`-escaped value in a JavaScript string position inside an HTML attribute. > **Live PoC verified 2026-05-01** against `http://127.0.0.1:8081/` running facturascripts at commit `24281ca`. A `Variante.referencia` value of `1',alert(1),'2` (planted via raw DB write below) renders inside `widgetVarianteSelect('0', '1',alert(1),'2');` in the modal grid; opening the variant-picker modal in any user's browser (low-priv or admin) fires `alert(1)` from the host page's realm. Setup: the admin session at `http://127.0.0.1:8081/` is at `/tmp/fs-cookie2`. Step 1 - plant the payload (any of the three primitives works). DB-write primitive: ```bash mysql -h127.0.0.1 -ufs -pfs facturascripts <<'SQL' INSERT INTO productos (referencia, descripcion, codimpuesto, sevende, secompra, bloqueado, nostock, publico, stockfis, ventasinstock, observaciones) VALUES ('XSSPRD', 'XSS via WidgetVariante', 'IVA21', 1, 1, 0, 1, 0, 0, 1, ''); INSERT INTO variantes (referencia, idproducto, precio, coste, margen, stockfis, codbarras) SELECT "1',alert('XSS-WidgetVariante'),'2", idproducto, 0, 0, 0, 0, '' FROM productos WHERE referencia='XSSPRD'; SQL ``` After the insert, `Variante::test()` did not run (the row was created via SQL), so the literal `'` survives. Even via the EditProducto UI primitive, the round trip through `Tools::noHtml` produces the encoded form `1',alert(...),'2` which decodes back to the working payload at render time. Step 2 - open any controller that uses WidgetVariante with the default `match` (or any third-party plugin form that does so). Core ships two views (`Core/XMLView/EditAgente.xml`, `Core/XMLView/ListAgente.xml`) but both override `match="idproducto"`, so they are not exposed in stock core. Any plugin form that uses `<widget type="variante" .../>` without an explicit `match` attribute opts into the vulnerable code path. Trigger the variant-picker modal: ```bash $ curl -s -b /tmp/fs-cookie2 "http://127.0.0.1:8081/EditAgente?code=1" \ | grep -oE 'widgetVarianteSelect[^<>]{1,200}' | head -3 ``` When the modal renders `match=referencia`, the row in the response contains: ```html <tr class="clickableRow" onclick="widgetVarianteSelect('0', '1',alert('XSS-WidgetVariante'),'2');"> ``` The browser HTML-decodes the attribute value before passing it to the script engine, yielding the actual JavaScript `widgetVarianteSelect('0', '1',alert('XSS-WidgetVariante'),'2');`. The `alert` fires the moment the attribute is parsed for execution (i.e., when the user clicks the row, or when an automation script triggers the click programmatically), and the host realm's session, cookies, and CSRF tokens are exposed to the payload. For `WidgetSubcuenta`, the payload trigger is identical: any controller with `<widget type="subcuenta" fieldname="codsubcuentaXxx"/>` (`Core/XMLView/EditProducto.xml`, `EditCuentaBanco.xml`, `EditFamilia.xml`, `EditImpuesto.xml`, `EditRetencion.xml` are the in-tree consumers) renders the modal with `widgetSubaccountSelect('id', '<HTML-decoded codsubcuenta>')`. A `codsubcuenta` row planted with one apostrophe and five bytes of payload escapes the JS string and runs in the host page. * **Stored XSS in any user's browser the moment they open a product or subaccount picker.** The execution context is the host page, with full access to the viewer's session, CSRF tokens, and the running application. From an admin viewer's perspective the payload achieves admin compromise (install plugins, change passwords); from a normal user's perspective it can be used to exfiltrate the user's data and pivot. * **Within-tenant escalation primitive.** `EditProducto` is a routinely granted role permission. A salesperson, warehouse user, or a plugin-supplied controller without `admin` rights can plant a payload that fires in admin's browser the next time admin opens any sales document and clicks the variant picker. * **Sister vulnerability to the `40bc701` / `8586b97` fix wave.** The maintainers already understand and have fixed the same anti-pattern in three sister classes; these two were missed and remain exploitable. CVSS reasoning: `AV:N`, `AC:L` (one DB or one form POST plant), `PR:H` (the planter must be authenticated and have either `EditProducto` or DB write or import-API access; with weaker roles the payload is also reachable), `UI:R` (the victim opens a form that renders the modal and triggers a click), `S:U` (the impact stays within the application), `C:L I:L A:N` (the viewer's session and CSRF token are exposed; integrity loss bounded by viewer's role). Score 4.8. Mirror the `40bc701` and `8586b97` fix exactly. In both `Core/Lib/Widget/WidgetVariante.php:321` and `Core/Lib/Widget/WidgetSubcuenta.php:296`, replace: ```php $items[] = '<tr class="clickableRow" onclick="widgetVarianteSelect(\'' . $this->id . '\', \'' . $match . '\');">' ``` with the data-attribute pattern that the modal helpers now use: ```php $encMatch = htmlspecialchars( html_entity_decode((string)$match, ENT_QUOTES | ENT_HTML5, 'UTF-8'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); $items[] = '<tr class="clickableRow" data-match="' . $encMatch . '"' . ' onclick="widgetVarianteSelect(\'' . $this->id . '\', this.dataset.match);">' ``` (and the analogous change for `widgetSubaccountSelect`). The same approach should be applied to: * `WidgetSubcuenta::renderExerciseFilter` (`Core/Lib/Widget/WidgetSubcuenta.php:251-255`) where `$item->codejercicio` is interpolated into `<option value="...">`. Codes are short and predictable but the same escaping consideration applies for defence in depth. * `WidgetVariante::renderManufacturerFilter` (line 213) and `renderFamilyFilter` (line 197). Long term, the `BaseWidget::onclickHtml` and `inputHtml` builders (`Core/Lib/Widget/BaseWidget.php:163-167`, `234-239`, `273-283`) likewise concatenate `$this->value` into HTML attributes without context-aware escaping. Migrating them to use Twig (or at least `htmlspecialchars` with `ENT_QUOTES`) closes a class of bugs that today rely on every model's `test()` to be defensive. A regression test should plant a `Variante.referencia` of `1',alert(1),'2`, render the page through the live HTTP stack, and assert that no JavaScript dialog fires (e.g. via Playwright `page.on('dialog', ...)`).
Cross-site scripting in Microsoft Visual Studio Code lets an attacker who tricks a local user into opening crafted content bypass a built-in security feature and gain high-impact code execution within the editor context. The flaw (CWE-79) carries a CVSS 3.1 base score of 7.1 with a local attack vector requiring user interaction, and Microsoft has published an advisory with a fix. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Stored/reflected cross-site scripting in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Subscription Edition) lets an authenticated attacker inject script that executes in another user's browser session to spoof content over the network. Although Microsoft classifies the impact as 'spoofing,' the CVSS 3.1 vector rates confidentiality and integrity as High (C:H/I:H), indicating the injected script can access or alter sensitive session data. There is no public exploit identified at time of analysis, and a vendor patch is available.
Cross-site scripting (CWE-79) in on-premises Microsoft SharePoint Server allows an authenticated, low-privileged attacker to inject script that executes in another user's browser session, enabling spoofing across a network. The scope-changed CVSS 3.1 rating of 8.7 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) reflects the ability to break out of the vulnerable component's security context and impact victim data. Microsoft has released patches; there is no public exploit identified at time of analysis and CISA SSVC currently records exploitation as none.
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Spoofing via stored cross-site scripting in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Subscription Edition) allows an authenticated attacker to inject script that executes in another user's browser session across a network. CVSS is 8.7 with a scope change, reflecting that injected content escapes into the victim's authenticated context; there is no public exploit identified at time of analysis and CISA SSVC rates exploitation status as none. A vendor patch is available via Microsoft MSRC.
Cross-site scripting in Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition enables an authenticated attacker with low-privilege network access to inject malicious scripts into SharePoint pages, resulting in spoofing impacts when a victim user interacts with the crafted content. The CVSS vector (PR:L/UI:R) confirms exploitation requires both an existing authenticated account and victim interaction, constraining real-world risk relative to unauthenticated XSS variants. No public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog. Vendor patch is available via the Microsoft Security Response Center.
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Improper neutralization of input during web page generation ('cross-site scripting') in Active Directory Federation Services (AD FS) allows an authorized attacker to perform spoofing over a network.
Cross-site scripting (CWE-79) in Microsoft Power BI Report Server lets an authenticated, low-privileged attacker inject script that executes in another user's browser session, enabling spoofing of report content and hijacking of the victim's authenticated context over the network. Exploitation requires a victim to interact with attacker-controlled report content (UI:R). There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; a vendor patch is available per the MSRC advisory.
Spoofing in the Microsoft Bing Search app for iOS lets a remote attacker present deceptive or overlaid UI content that misleads the victim, because the app improperly restricts how rendered UI layers or frames are displayed (CWE-1021, a UI-redressing/clickjacking class of flaw). An unauthenticated attacker who lures a user into interacting with attacker-controlled content can manipulate what the user sees and trusts, potentially inducing them to act on falsified information. Microsoft has released a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored/reflected cross-site scripting in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) lets a network-based, unauthenticated attacker inject malicious script that executes in a victim's browser session, enabling spoofing and - per the scope-changed CVSS 9.6 vector - high impact to confidentiality, integrity, and availability of resources beyond the vulnerable component. Exploitation requires the target to view attacker-controlled content (UI:R). Microsoft has released a patch; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Stored cross-site scripting in Hi.Events through v1.10.0-beta allows authenticated event organizers to inject arbitrary JavaScript into public event pages by embedding the raw </script> sequence in an event title, which the application's JSON.stringify() serialization fails to encode safely when placed in inline script contexts. The payload executes in the browser of every visitor to the affected event page - including unauthenticated attendees and authenticated administrators - enabling session hijacking and privilege escalation from a low-privileged creator account. No public exploit has been identified at time of analysis; a vendor-released patch is available in v1.11.0-beta.
Reflected or stored cross-site scripting in Fortinet FortiOS, FortiPAM, and FortiProxy web interfaces allows a remote unauthenticated attacker to execute JavaScript in the browser session of an authenticated administrator via crafted HTTP requests. The CVSS temporal metric E:P confirms publicly available proof-of-concept exploit code exists, and the RL:O metric confirms Fortinet has released an official fix. No active exploitation has been confirmed by CISA KEV at time of analysis, but the combination of a POC and the high-value targets (network security appliances and privileged access management systems) elevates real-world risk beyond what the base CVSS score of 6.1 suggests.
Stored XSS in Easy!Appointments versions prior to 1.6.0 allows an authenticated administrator to inject arbitrary HTML or JavaScript into the 'booking disabled' message field via the booking settings rich-text editor. The unsanitized value is rendered directly to every unauthenticated visitor who opens the public booking page while booking is disabled, crossing a scope boundary from admin context to anonymous public users. No public exploit has been identified at time of analysis; CVSS rates this 2.6 (Low) driven by the administrator-level privilege requirement, though the persistent cross-scope impact on all public visitors is a meaningful secondary risk factor.
Stored cross-site scripting in Rockwell Automation FactoryTalk DataMosaix Private Cloud lets a high-privileged authenticated user persist malicious JavaScript through the Workflows configuration, which then executes in the browsers of other users who view the affected page. Successful exploitation can lead to session/account takeover, credential theft, or redirection to attacker-controlled sites. No public exploit identified at time of analysis, and the CVSS 4.0 base score is 8.4 (High).
Stored cross-site scripting in Sustainable Irrigation Platform (SIP) through version 5.2.16 enables unauthenticated remote attackers to permanently inject arbitrary JavaScript by submitting crafted program names via HTTP requests, with the payload executing in every subsequent viewer's browser. Exploitation is significantly facilitated by the application's acceptance of submissions with no passphrase configured or using the default passphrase 'opendoor', removing any authentication barrier in common deployments. A publicly available proof-of-concept exploit from ZeroScience (ZSL-2026-5994) documents the attack path; this CVE is not currently listed in the CISA KEV catalog.
Cross-site scripting in code-projects Online Job Portal 1.0 allows a remote, low-privileged attacker to inject malicious JavaScript via the /Admin/DetailJob.php endpoint, which executes in the browser of any user who views the affected page. The CVSS 4.0 vector (PR:L/UI:P) confirms that exploitation requires an authenticated session and passive victim interaction, constraining but not eliminating real-world risk. A public proof-of-concept has been disclosed on GitHub; no patch from the vendor has been identified at time of analysis.
Stored Cross-Site Scripting in WP Customer Area WordPress plugin (versions up to and including 8.3.5) allows authenticated attackers with Contributor-level access or above to persistently inject arbitrary JavaScript via the unsanitized 'type' attribute of the customer-area-protected-content shortcode. The injected payload executes in the browser of any user who visits the compromised page, enabling session hijacking, credential theft, or malicious redirects against site visitors. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis; however, the Contributor-level prerequisite is a low barrier in multi-author WordPress environments.
Stored Cross-Site Scripting in the News Kit Addons For Elementor WordPress plugin (versions ≤1.4.6) permits authenticated contributors to persistently inject arbitrary JavaScript into pages via the Site Logo Title and Single Author Box widgets by manipulating the elementor_ajax AJAX save request to bypass client-side tag-name restrictions. Every user who subsequently visits an injected page executes the attacker's script in their browser, enabling session hijacking, credential theft, or admin-level actions on their behalf. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; a vendor-released patch is available in version 1.4.7.
Reflected XSS in SAP NetWeaver Application Server ABAP's Business Server Pages (BSP) framework allows remote unauthenticated attackers to inject arbitrary JavaScript into HTTP responses when a victim user interacts with a crafted URL. Successful exploitation enables session token theft and execution of authenticated actions on behalf of the victim within the SAP web context. No public exploit code or CISA KEV listing is identified at time of analysis; CVSS AC:H indicates non-trivial conditions must align for successful delivery, moderating real-world risk despite the enterprise sensitivity of SAP environments.
Reflected cross-site scripting in SAP NetWeaver Enterprise Portal enables unauthenticated remote attackers to inject arbitrary JavaScript into URL parameters that are echoed back unencoded in server responses. When a victim with an active portal session visits a crafted URL, the injected script executes in their browser under the portal's origin, permitting session token theft, unauthorized manipulation of portal content, or forced redirection to attacker-controlled resources. No public exploit code has been identified at time of analysis and no CISA KEV listing exists, though the unauthenticated network-accessible attack surface and low complexity make phishing-based delivery operationally straightforward.
Reflected cross-site scripting in SAP NetWeaver Application Server Java (specifically the Configuration Wizard component) lets an unauthenticated attacker embed malicious JavaScript in crafted URLs that executes in a victim's browser when the link is opened. Because the CVSS scope is changed (S:C) and confidentiality impact is high, a successful lure can expose sensitive session information and tamper with non-sensitive data rendered in the client. No public exploit identified at time of analysis, but the 8.2 CVSS and unauthenticated, network-reachable vector make it a meaningful phishing-driven risk for exposed SAP portals.
Stored XSS in osTicket's Agent and Admin panel allows any authenticated user with ticket-submission privileges to inject persistent JavaScript that executes in privileged staff browser sessions. Affected versions span two release branches: 1.10 through 1.17.7 and 1.18.0 through 1.18.3. No public exploit identified at time of analysis per KEV, but publicly available exploit code exists on GitHub (WesWrench/CVE-2026-36214), and the CVSS scope-change rating (S:C) reflects that successful exploitation compromises Agent or Admin sessions rather than the attacker's own context.
Stored HTML injection in HedgeDoc prior to 1.11.0 allows low-privileged, registered attackers to inject arbitrary HTML into publish views, slide views, and the collaborative editor by registering an email address with an RFC 5321 quoted-string local-part, which is then rendered as the display name without output encoding. Victims who view affected pages are exposed to content manipulation and attacker-controlled cross-origin iframe embedding; direct JavaScript execution is mitigated by the deployed Content-Security-Policy, but phishing, UI redressing, and resource injection remain viable. No public exploit code has been identified at time of analysis, and no KEV listing exists; the fix is available in version 1.11.0.
Cross-site scripting in SourceCodester Class and Exam Timetabling System 1.0 exposes users to script injection via the unvalidated `subject` parameter in `/subject.php`, exploitable remotely by unauthenticated attackers. A publicly available proof-of-concept exists on GitHub, confirming practical exploitability with minimal attacker skill. No CISA KEV listing is present; the CVSS 4.0 score of 5.3 reflects limited integrity impact constrained by required user interaction, though POC availability meaningfully elevates real-world risk above the raw score suggests.
Cross-site scripting in appium-mcp (the Appium MCP server) versions <= 1.85.9 lets an attacker who controls the mobile app under test inject arbitrary HTML/JavaScript into the MCP UI resource returned by the generate_locators tool, because createLocatorGeneratorUI interpolates element attributes (text, content-desc, resource-id, selector, strategy) into an HTML template without escaping. When a victim's MCP client renders the resource, the injected script runs and can call arbitrary registered MCP tools via window.parent.postMessage (screenshots, page-source reads, etc.). No public exploit identified at time of analysis, though the fix commit ships XSS test cases; fixed in 1.85.10.
Reflected Cross-Site Scripting in ChurchCRM before 7.4.0 lets remote attackers inject JavaScript through unsanitized request parameter names and values reflected into JavaScript-string and HTML-attribute contexts on endpoints such as /FamilyCustomFieldsEditor.php, /PaddleNumList.php, and /admin/system/church-info. When a victim (especially an administrator) follows a crafted link, the payload executes in their session, enabling session-token theft, account takeover, and exposure of church member data. No public exploit identified at time of analysis, and the CVSS 4.0 vector (PR:N/UI:A) indicates unauthenticated triggering but requires victim interaction.
Reflected cross-site scripting in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript via the unsanitized `subject` parameter in `/forsubject.php`. A victim user must interact with a crafted URL for the payload to execute in their browser. A public proof-of-concept exploit is available on GitHub, increasing the likelihood of opportunistic exploitation against deployed instances.
Stored Cross-Site Scripting in the Avada (Fusion) Builder WordPress plugin versions up to 3.15.5 allows authenticated contributors to inject persistent malicious scripts via the 'Module Title' parameter, executing in the browsers of any user who views the affected page. This grants attackers the ability to steal session tokens, perform unauthorized actions on behalf of victims, or redirect users to malicious sites. No public exploit or CISA KEV listing has been identified at time of analysis, though the Contributor-level entry bar makes this accessible to a broad attacker pool on sites with open registration.
Stored XSS in Laravel-Mediable before 7.0.0 allows network-accessible, unauthenticated attackers to persist malicious JavaScript payloads by uploading crafted SVG files containing embedded scripts in onload handlers, script tags, or foreignObject elements. When any authenticated user subsequently opens or previews a poisoned file in their browser, the payload executes with full DOM access, enabling session cookie theft, CSRF token capture, and complete account takeover. No public exploit has been identified at time of analysis, but the attack requires no special privileges and the technique is well-understood; the vendor has classified this as a security release and strongly recommends immediate upgrade to 7.0.0.
{...}> component are directly affected; no public exploit code has been identified at time of analysis, and a patched release (1.2.7) is available.
Stored cross-site scripting in the NukeViet CMS News module (versions before 4.6.00) lets any authenticated user with news-posting permission persist arbitrary JavaScript that runs in the browser of every visitor, including administrators. Two independent filter bypasses defeat the built-in anti-XSS routines in NukeViet\Core\Request: a Form Feed (\x0C) prefix slips event-handler attributes past the /^on/ check, and a decimal HTML-entity tab (	) smuggles a javascript: URI past the keyword filter. Publicly available exploit payloads exist in the vendor advisory; there is no evidence of active exploitation and no EPSS figure was supplied.
Stored XSS in Rejetto HFS 3.0.0 through 3.2.0 allows attackers with upload access - or any user on servers configured with publicly writable folders - to inject persistent browser scripts via maliciously named files in the 'basic' web listing mode. Because the basic listing can be forced by any visitor using the ?get=basic URL parameter, the vulnerable rendering path is reachable regardless of whether the default interface is exposed. The vendor's own v3.2.1 release notes state that vulnerabilities addressed in this release collectively enable administrative account compromise; no public exploit or CISA KEV listing has been identified, but a vendor-released patch is available.
Stored cross-site scripting in Rejetto HTTP File Server 3.0.0-3.2.0 allows an unauthenticated remote attacker to inject persistent JavaScript into the server error log via a crafted username in a failed login attempt. When an administrator views the log panel, the payload executes in their browser session, granting the attacker the ability to create accounts or execute server-side code with full administrative privileges. No public exploit has been identified at time of analysis, but the attack chain is low-complexity and the vendor has confirmed a fix in v3.2.1.
Stored cross-site scripting in NukeViet CMS 4.x through 4.5.08 lets a low-privileged authenticated member embed a JavaScript payload in their profile display name (first_name/last_name), which then executes when any visitor - including administrators - clicks the Reply/Answer link on that member's comment. The flaw stems from HTML-entity encoding being applied where JavaScript-string escaping is required, so the payload runs in the victim's session context and can drive admin session actions, credential phishing, and data exfiltration. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), though there is no public exploit identified as actively used in the wild.
Reflected cross-site scripting in the Comment module of NukeViet CMS (versions before 4.5.09) lets remote unauthenticated attackers execute arbitrary JavaScript in a victim's browser via a crafted URL. The status_comment parameter carries base64-encoded HTML that is decoded server-side and rendered unescaped, while a second flaw makes the checkss anti-forgery token static and site-wide, removing the only barrier to URL-based delivery. No public exploit identified at time of analysis, though the advisory documents a confirmed proof-of-concept credential-phishing overlay.
Stored XSS in Decidim's HTML content blocks allows any administrator with landing-page editing rights to persist arbitrary JavaScript that executes in every visitor's browser. The vulnerability affects the decidim-core RubyGem across three release branches (below 0.30.9, 0.31.5, and 0.32.0) and was confirmed through a professional security audit by Radically Open Security. No public exploit code or CISA KEV listing exists; vendor-released patches are available and the fix has been merged upstream.
An issue exists within GEONODE where the current rich text editor is vulnerable to Stored XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Remote code execution in Mura CMS versions prior to 10.0.712 allows unauthenticated attackers to execute arbitrary CFML and instantiate malicious Java objects by abusing the unvalidated 'method' parameter in POST requests to the /index.cfm/_api/json/v1/default JSON API endpoint. Because the ColdFusion engine processes the attacker-controlled input without sanitisation, a single crafted request yields full compromise (VC:H/VI:H/VA:H). No public exploit identified at time of analysis, though CISA SSVC flags the flaw as automatable with total technical impact.