Skip to main content

XSS

38822 CVEs technique

Monthly

CVE-2026-40732 HIGH This Week

Reflected/stored cross-site scripting in the Notification for Telegram WordPress plugin (versions <= 3.5) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser when they visit a crafted link or page. Patchstack attributes the issue to insufficient input sanitization in the plugin developed by rainafarai, and no public exploit code has been identified at time of analysis. The flaw carries CVSS 7.1 due to the scope change (S:C), reflecting that injected script runs in the WordPress admin or user context beyond the vulnerable component.

XSS Notification For Telegram
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-39540 MEDIUM This Month

Stored Cross-Site Scripting in the Shipment Tracker for WooCommerce WordPress plugin (versions up to and including 1.5.3.2) allows authenticated subscriber-level users to inject malicious scripts that execute in a privileged user's browser session. The CVSS scope-change flag (S:C) indicates the injected payload crosses into the administrator's browser context, enabling session hijacking, credential theft, or unauthorized admin actions. Reported by Patchstack with no public exploit code identified at time of analysis and no CISA KEV listing.

WordPress XSS Shipment Tracker For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-39514 HIGH This Week

Reflected cross-site scripting in the Paid Member Subscriptions WordPress plugin (versions through 2.17.3) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. No public exploit identified at time of analysis, but the vulnerability is reachable without authentication and carries a CVSS 3.1 score of 7.1 driven by scope change. The flaw was disclosed by Patchstack and affects the Cozmoslabs-maintained membership/subscription plugin used on WordPress sites.

XSS Paid Member Subscriptions
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-39507 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Social Slider Feed WordPress plugin (versions ≤ 2.3.2, developed by ThemeIsle) allows remote attackers to inject malicious JavaScript that executes in a victim's browser after user interaction. The flaw was reported by Patchstack and tracked as EUVD-2026-36949; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Because exploitation crosses a privilege boundary (S:C) and requires only a user clicking a crafted link, it is a realistic phishing/account-takeover vector against WordPress sites running the plugin.

XSS Social Slider Feed
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-39491 MEDIUM This Month

Stored or reflected Cross-Site Scripting in the JupiterX Core WordPress plugin (versions up to and including 4.14.1) allows low-privilege authenticated users with Subscriber roles to inject malicious JavaScript that executes in the browser context of other users, including administrators. The scope change component (S:C in CVSS) confirms the payload crosses security boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions against victims who view attacker-controlled content. No public exploit code has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.

XSS Jupiterx Core
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-39463 HIGH This Week

Reflected/stored cross-site scripting in the ManageWP Worker WordPress plugin (versions ≤ 4.9.31) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser after user interaction, potentially hijacking WordPress administrator sessions. The CVSS scope change (S:C) indicates the XSS payload crosses a trust boundary, affecting components beyond the vulnerable plugin itself. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

XSS Managewp Worker
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-39451 MEDIUM This Month

Unauthenticated cross-site scripting in the WP Google Review Slider WordPress plugin (versions up to and including 18.0) allows a remote, unauthenticated attacker to inject arbitrary JavaScript that executes in the browser of any user who interacts with the affected page. Reported by Patchstack and tracked as EUVD-2026-36930, the vulnerability stems from improper input sanitization in a publicly accessible plugin component. No public exploit code or CISA KEV listing has been identified at the time of analysis, placing this in the medium-priority tier despite the unauthenticated attack vector.

Google XSS Wp Google Review Slider
NVD
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-39449 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the WordPress plugin Contact Form to Any API through version 3.0.3 allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. The flaw requires user interaction (UI:R) and changes scope (S:C), meaning injected script can affect resources beyond the vulnerable component, typically the WordPress admin session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Contact Form To Any Api
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-39447 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.10.6) allows remote attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. Successful exploitation can lead to session hijacking, credential theft, or administrative actions performed in the context of the targeted user. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Simply Schedule Appointments
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-39435 HIGH This Week

Stored/reflected cross-site scripting in the CformsII WordPress plugin (versions ≤ 15.1.3) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser when the crafted content is rendered, enabling session hijacking, credential theft, or actions on behalf of authenticated users including administrators. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 7.1 (UI:R, scope-changed). No public exploit identified at time of analysis and EPSS data was not provided.

XSS Cformsii
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-34902 HIGH This Week

Reflected/stored cross-site scripting in the WooCommerce Product Table Lite WordPress plugin (versions ≤ 4.6.3) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. Successful exploitation can lead to session hijacking, credential theft, or administrative actions performed in the context of an authenticated WordPress user, including site administrators. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated attack surface combined with WordPress's broad install base makes this a meaningful risk for sites running the plugin.

WordPress XSS Woocommerce Product Table Lite
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-34900 HIGH This Week

Unauthenticated reflected cross-site scripting in the GiveWP WordPress donation plugin (versions ≤4.14.2) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the user clicks a crafted link. The flaw was disclosed via Patchstack and tracked as EUVD-2026-36921; no public exploit identified at time of analysis, and the CVSS scope-change rating of 7.1 reflects potential session hijacking or administrative action abuse against logged-in WordPress users including site administrators.

XSS Givewp
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-23970 HIGH This Week

Reflected/stored cross-site scripting in the Redirection for Contact Form 7 WordPress plugin (versions ≤ 3.2.8) allows remote unauthenticated attackers to inject malicious scripts that execute in a victim's browser after user interaction. The flaw, reported by Patchstack and tracked as EUVD-2026-36909, carries a CVSS 3.1 base score of 7.1 with scope change due to script execution crossing the plugin/browser trust boundary. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Redirection For Contact Form 7
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2025-68872 HIGH This Week

Reflected cross-site scripting in Eli's WordCents adSense Widget with Analytics WordPress plugin (versions <= 1.3.03.27) allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the user is lured into clicking a crafted link. The flaw stems from improper neutralization of user-supplied input (CWE-79), and while no public exploit identified at time of analysis, the scope-changing CVSS vector indicates potential for session hijacking or administrative account takeover if a logged-in WordPress admin is targeted.

XSS Eli 039 S Wordcents Adsense Widget With Analytics
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-68851 HIGH This Week

Reflected cross-site scripting in the Okay Toolkit WordPress plugin (versions ≤2.3) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 7.1 with a scope-changed impact, but no public exploit identified at time of analysis and EPSS data was not provided. Successful exploitation can lead to session hijacking, credential theft, or administrative actions against the targeted WordPress site.

XSS Okay Toolkit
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-68840 HIGH This Week

Reflected cross-site scripting in the iRobots.txt SEO WordPress plugin (versions 1.1.2 and earlier) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.1 driven by a scope change, though no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV. Exploitation requires user interaction, which limits mass-scale weaponization but makes it viable for targeted phishing against WordPress administrators.

XSS Irobots Txt Seo
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-49978 npm MEDIUM PATCH GHSA This Month

DOMPurify's HTML sanitizer silently skips shadow DOM contents nested inside <template> elements, allowing stored or reflected XSS payloads to survive sanitization untouched in versions up to and including 3.4.6. When a consuming application clones and inserts the sanitized template into the live DOM - the standard and intended usage pattern for HTML templates - any attacker-controlled payload within the shadow root executes with full script privileges in the victim's browser context. A publicly available proof-of-concept (poc.html) has been released alongside the advisory; no confirmed active exploitation (CISA KEV) has been recorded at time of analysis, but the low attack complexity and broad deployment of DOMPurify across web applications make this a high-priority patching target.

XSS
NVD GitHub
CVSS 4.0
6.3
EPSS
0.4%
CVE-2026-49458 npm MEDIUM PATCH GHSA This Month

{ IN_PLACE: true })` - a pattern common in email-preview panes, WYSIWYG editors, and declarative shadow DOM consumers. Three working proof-of-concept exploits are publicly available, confirmed against DOMPurify 3.4.5 and HEAD commit `89da34e` on Chromium 148; no CISA KEV listing exists at time of analysis.

Google XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-49459 npm MEDIUM PATCH GHSA This Month

Cross-site scripting in DOMPurify ≤ 3.4.5 allows attacker-controlled event handlers, javascript: URIs, and template syntax to survive sanitization when the IN_PLACE: true API is used with an HTMLFormElement root. Two interacting bugs create the bypass: _forceRemove silently no-ops on detached (parent-less) nodes per WebIDL spec, and _sanitizeAttributes unconditionally early-returns on clobbered nodes under the now-broken assumption that _sanitizeElements already removed them. A publicly available working PoC has been verified against Chromium 148.0.7778.96 and DOMPurify 3.4.5 including the HEAD commit 89da34e, which addressed a related shadow-root traversal issue but left this main-pipeline path unpatched. No KEV listing is present at time of analysis.

Google Mozilla Apple XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-54266 npm HIGH PATCH GHSA This Week

Cache key collision in Angular's @angular/common HttpTransferCache allows remote attackers to poison Server-Side Rendering (SSR) cache entries and replace responses for sensitive endpoints with attacker-controlled content. The weak 32-bit DJB2-like polynomial rolling hash used for TransferState cache keys is trivially brute-forceable, enabling state poisoning, DOM-based XSS, and information leakage when a victim follows a crafted link. No public exploit identified at time of analysis, but the vulnerability was discovered and reported by Google DeepMind's CodeMender and is patched in Angular 22.0.1, 21.2.17, and 20.3.25.

Google XSS Information Disclosure
NVD GitHub VulDB HeroDevs
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-54265 npm MEDIUM PATCH GHSA This Month

DOM sanitization bypass in @angular/compiler allows client-side XSS in Angular applications that use two-way property binding syntax on security-sensitive native DOM properties. The Angular template compiler's sanitizer-resolution phase omitted a case for the TwoWayProperty IR operation, meaning compiled templates with [(innerHTML)], [(src)], [(href)], [(srcdoc)], [(data)], or [(sandbox)] bindings emit the runtime ɵɵtwoWayProperty() instruction without the required sanitizer function argument, while identical one-way [property] bindings are correctly protected. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis, though the patch diff in PR #69107 fully characterizes the missing code path.

XSS Information Disclosure
NVD GitHub VulDB HeroDevs
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-50557 npm MEDIUM PATCH GHSA This Month

Cross-site scripting execution is possible in Angular applications (@angular/compiler and @angular/core) through a dual-bypass of the framework's template sanitization engine using XML namespace prefixes. The Angular template preparser used a simple string comparison for 'script' that failed to match namespaced representations such as ':svg:script', allowing those elements to survive template compilation unstripped. Concurrently, the security context schema mappings for namespaced SVG and MathML attributes were incomplete, allowing malicious attribute bindings to evade both compile-time and runtime sanitizers. No public exploit has been identified at time of analysis, and exploitation requires the specific non-default deployment condition of runtime JIT template compilation with user-controlled input.

XSS Information Disclosure
NVD GitHub HeroDevs VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-50556 npm HIGH PATCH GHSA This Week

Cross-site scripting in @angular/platform-server allows attackers to inject executing script into SSR-rendered pages that bind user-controlled text inside a `<noscript>` element. The bundled `domino` DOM emulator omitted `<noscript>` from raw-text closing-tag escaping, so a `</noscript>` substring in dynamic content broke out of the element and ran an attacker-controlled `<script>` sibling in the victim's origin. No public exploit identified at time of analysis, but a fix-validating test in the upstream patch effectively demonstrates the technique.

XSS
NVD GitHub HeroDevs VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-50555 npm HIGH PATCH GHSA This Week

Same-origin Cross-Site Scripting in @angular/platform-server (SSR) allows attackers who control bound dynamic text inside raw-text elements (script, style, iframe, noscript) to break out of the raw-text context and execute arbitrary JavaScript in the victim's browser. The root cause is a Unicode index-alignment bug in the bundled domino DOM library: astral characters (e.g. emojis) before a closing tag shift the replacement offset, leaving the closing tag unescaped. Publicly available exploit code exists in the upstream PR's regression tests, but there is no public exploit identified in the wild and the CVE is not on CISA KEV.

XSS
NVD GitHub HeroDevs VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-52725 npm MEDIUM PATCH GHSA This Month

Dynamic component mounting in @angular/core permits client-side XSS by failing to reject script elements as valid host targets for `createComponent`. Angular applications that pass user-supplied selectors or host element references to the `createComponent` API without prior sanitization are vulnerable to namespace bypass, allowing an attacker to mount Angular components onto `<script>` or `<svg:script>` elements and execute arbitrary JavaScript in the victim's browser. No active exploitation has been confirmed (not in CISA KEV) and no public proof-of-concept has been identified at time of analysis, but vendor-released patches are available across multiple supported major versions.

XSS Information Disclosure
NVD GitHub HeroDevs VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2026-48761 PHP MEDIUM PATCH GHSA This Month

Stored XSS in the Symfony HtmlSanitizer component (symfony/html-sanitizer) allows injection of javascript: scheme URLs through HTML attributes not covered by the library's URL sanitization allow-list. The UrlAttributeSanitizer hardcodes a fixed set of URL-bearing attributes to sanitize, omitting data (on object), codebase and archive (on applet), and longdesc (on iframe/img); a related gap allows javascript: URLs embedded in meta http-equiv=refresh content values to pass through unchanged. Only non-default configurations that explicitly opt in to those element-attribute combinations via allowElement() or allowAttribute() are affected - default Symfony configurations are confirmed safe. No public exploit code has been identified at time of analysis, though the vendor advisory includes functional proof-of-concept payloads; the issue was reported by Scott Arciszewski of Trail of Bits.

XSS
NVD GitHub
CVSS 4.0
5.3
EPSS
0.4%
CVE-2026-49294 MEDIUM This Month

Reflected XSS in Valhalla's JSONP endpoint allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by crafting a malicious URL containing payload in the callback parameter. All versions through 3.6.3 are affected, and the CVSS scope change (S:C) reflects that execution occurs in the serving origin's context rather than a sandboxed one, enabling session theft and unauthorized actions on authenticated victims. No patch was available at time of publication, and no public exploit code has been identified at time of analysis.

XSS Valhalla
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-54267 npm HIGH PATCH GHSA This Week

DOM Clobbering and HTTP Transfer Cache poisoning in Angular's Client Hydration (provideClientHydration) allows remote attackers to inject arbitrary JSON into the TransferState by hijacking the predictable 'ng-state' element ID. Affected versions are @angular/core 20.x through 22.x prior to the fixes, and the flaw can be leveraged for DOM-based XSS, privilege escalation, or UI hijacking when applications bind untrusted input to element id attributes. No public exploit identified at time of analysis, but a vendor patch and detailed advisory (GHSA-rgjc-h3x7-9mwg) are available.

Privilege Escalation XSS
NVD GitHub VulDB HeroDevs
CVSS 4.0
8.6
EPSS
0.3%
CVE-2025-15659 MEDIUM This Month

Stored Cross-Site Scripting in the Elizaibots WordPress chatbot plugin (versions <= 1.0.2) allows authenticated Contributor-level users to inject malicious scripts that execute in the browser context of higher-privileged users - including site administrators - when they visit affected pages. The CVSS scope-change indicator (S:C) confirms the payload escapes the contributor's privilege boundary and can compromise admin sessions, enabling privilege escalation or site takeover. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

XSS Elizaibots
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-15658 MEDIUM This Month

Stored Cross-Site Scripting in the WP Emmet WordPress plugin (by rewish) versions 0.3.4 and earlier allows an administrator-level user to inject persistent malicious scripts through the plugin interface, which then execute in the browsers of other users who visit affected pages. The CVSS scope-change metric (S:C) confirms the injected payload crosses trust boundaries beyond the attacker's own session, enabling session hijacking, credential theft, or unauthorized actions against victims. No public exploit has been identified at time of analysis, and the vulnerability has not appeared in CISA KEV.

XSS Wp Emmet
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2016-20084 MEDIUM POC This Month

WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress XSS Privilege Escalation Booking Calendar Contact
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2016-20070 MEDIUM POC This Month

WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress XSS Privilege Escalation Booking Calendar Contact Form
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2016-20066 MEDIUM POC This Month

WordPress CP Polls 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload WordPress XSS Cp Polls
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-9278 MEDIUM POC PATCH This Month

Stored Cross-Site Scripting in the Form Builder CP WordPress plugin (all versions before 1.2.47) allows authenticated users holding Editor-level access or above to inject persistent malicious scripts via unsanitized form configuration values, which execute in every visitor's browser upon rendering the affected form. Critically, this attack succeeds even when WordPress's `unfiltered_html` capability has been revoked - a control that multisite administrators commonly rely on to prevent exactly this class of injection from Editor-level roles. A publicly available exploit exists per WPScan, though no confirmed active exploitation (CISA KEV) has been recorded and the EPSS score of 0.19% (9th percentile) reflects limited automated mass exploitation at time of analysis.

XSS WordPress Form Builder Cp
NVD WPScan
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-12202 LOW POC Monitor

Cross-site scripting in Intelliants Subrion CMS up to version 4.0.3 allows an authenticated high-privilege attacker to inject malicious JavaScript via the CSS class name argument in the Blocks Endpoint, executing in a victim user's browser upon viewing the manipulated block. Publicly available exploit code exists (disclosed on HackMD), and the vendor did not respond to responsible disclosure, leaving no patch available at time of analysis. Exploitation is constrained by a high-privilege authentication requirement and mandatory user interaction, limiting opportunistic mass exploitation but posing meaningful insider-threat and compromised-credential risk.

XSS Subrion Cms
NVD VulDB
CVSS 4.0
1.9
EPSS
0.2%
CVE-2026-50876 MEDIUM This Month

A cross-site scripting (XSS) vulnerability in Deck9 Input v2.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

XSS N A
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-37216 MEDIUM This Month

Ruoyi 4.8.2 is vulnerable to Cross Site Scripting (XSS) at the interface /system/notice/add.

XSS N A
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-50883 CRITICAL Act Now

Stored HTML/script injection in matze wastebin v3.4.1 allows remote unauthenticated attackers to execute arbitrary JavaScript in the browser of any user who views a crafted paste, by abusing improper output encoding in the /src/highlight.rs syntax-highlighting component. A public gist appears to demonstrate the issue, but no public exploit identified at time of analysis as weaponized tooling, and EPSS exploitation probability is low at 0.18% (8th percentile).

XSS N A
NVD GitHub
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-36521 MEDIUM This Month

PublicCMS V5.202506.d has a Cross Site Scripting (XSS) vulnerability in the site configuration management module.

XSS N A
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-12176 LOW Monitor

Cross-site scripting in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via the unsanitized `action` parameter in `/index.php`. Publicly available exploit code exists (CVSS 4.0 E:P), and the attack requires no authentication, only that a victim interact with a crafted URL or request. No vendor-released patch has been identified at time of analysis.

PHP XSS Cet Automated Grading System With Ai Predictive Analytics
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5513 HIGH This Week

Stored cross-site scripting in the Bookly Online Scheduling and Appointment Booking System plugin for WordPress (versions through 27.2) allows remote unauthenticated attackers to inject arbitrary JavaScript via the 'bookly-customer-full-name' cookie, which is rendered without proper sanitization or output escaping. Exploitation is gated by the non-default 'Remember personal information in cookies' setting being enabled, and no public exploit identified at time of analysis. The flaw was reported by Wordfence and the upstream fix landed in changeset 3504922 in the WordPress plugin repository.

WordPress XSS Online Scheduling And Appointment Booking System Bookly
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-9629 MEDIUM This Month

Stored Cross-Site Scripting in the Canvas plugin for WordPress (versions ≤ 2.5.2) allows an authenticated attacker holding contributor-level access or above to inject persistent JavaScript via the unsanitized 'tag' parameter in the block-section-heading Gutenberg block. The payload is stored in the database and executes in the browser of any user who subsequently loads the compromised page, enabling session hijacking, credential theft, or malicious redirects at scale. No active exploitation is confirmed (not listed in CISA KEV), but the low privilege bar makes this a realistic threat on multi-author WordPress installations; a fix is available in version 2.5.3.

WordPress XSS Canvas
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3297 MEDIUM This Month

Stored cross-site scripting in the Pagelayer Drag and Drop website builder plugin for WordPress (versions up to and including 2.0.9) allows authenticated contributors to inject persistent malicious scripts via the Anchor block component. Any site visitor - including privileged administrators - who loads an injected page will execute the attacker-supplied script in their browser, enabling session token theft, credential harvesting, or privilege escalation. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA's KEV catalog; however, the low authentication barrier (contributor-level) makes it realistically accessible on multi-author WordPress sites.

WordPress XSS Page Builder
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-9134 MEDIUM This Month

Stored Cross-Site Scripting in FooGallery WordPress plugin versions through 3.1.31 allows authenticated contributors to inject persistent JavaScript via the 'custom_attribute_key' shortcode parameter, executing against any visitor who views an affected page. The flaw combines a bypass-prone event-handler blacklist in foogallery_sanitize_javascript() - which omits handlers like 'onmouseenter' - with unescaped attribute key output in foogallery_build_container_attributes_safe(), together enabling DOM-level script injection. A patched version 3.1.32 is confirmed released; no public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress XSS Photo Gallery By Foogallery
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-9061 LOW POC PATCH Monitor

The Store Locator WordPress plugin before 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the Store Locator WordPress plugin before 1.6.9 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network).

XSS WordPress Store Locator Wordpress
NVD WPScan VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-9109 HIGH This Week

Stored cross-site scripting in the GPTranslate - Multilingual AI Translation WordPress plugin (versions ≤ 2.31) allows unauthenticated attackers to inject arbitrary JavaScript into translated pages via the /wp-json/gptranslate/v1/request REST endpoint. Because the API key is deterministically derived as sha256(site_url) and exposed in every page's HTML as the gptApiKey JavaScript variable, any visitor can recover it and submit malicious translation payloads that execute in the browsers of subsequent visitors. No public exploit identified at time of analysis, but the exposed key makes exploitation trivial once the technique is known.

WordPress XSS Gptranslate Multilingual Ai Translation For Wordpress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-11443 MEDIUM This Month

Cross-site scripting in Allegra's downloadAttachment method enables authenticated remote attackers to inject and execute arbitrary JavaScript within a victim user's browser session. Exploitation requires an authenticated low-privilege attacker account and mandatory victim interaction - the target must visit a malicious page or open a crafted file - limiting the realistic attack surface. Reported by Zero Day Initiative (ZDI-CAN-28236 / ZDI-26-358), patched in Allegra 9.0.0. No public exploit code and no active exploitation (CISA KEV) identified at time of analysis.

Authentication Bypass XSS Allegra
NVD VulDB
CVSS 3.0
4.6
EPSS
0.1%
CVE-2026-44311 npm MEDIUM PATCH GHSA This Month

Cross-site scripting in Fabric.js (npm: fabric) versions prior to 7.4.0 is triggered when applications export canvas content via `canvas.toSVG()` and render the result into the DOM using `innerHTML`. The `color` field within `colorStops` of a `fabric.Gradient` object is inserted into SVG `<stop>` elements without escaping `"`, `<`, or `>`, allowing crafted input to break attribute context and inject arbitrary HTML. A working proof-of-concept is publicly confirmed against v7.2.0; no active exploitation appears in CISA KEV, and the EPSS score of 0.04% reflects low observed exploitation breadth consistent with the chained conditions required.

XSS Information Disclosure Node.js
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-53608 HIGH This Week

Stored cross-site scripting in the @apostrophecms/seo plugin (versions ≤1.4.2) allows any user holding the default editor role to inject arbitrary JavaScript that executes in every visitor's browser. The seoGoogleTrackingId and seoGoogleTagManager fields are interpolated directly into inline <script> tag bodies via template literals with no sanitization, turning legitimate analytics configuration into a persistent payload delivery channel. No public exploit identified at time of analysis, and no vendor-released patch identified at time of analysis.

Google XSS Node.js Apostrophecms Seo
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-53606 MEDIUM PATCH This Month

Cross-site scripting in sanitize-html prior to 2.17.5 allows low-privileged attackers to inject executable `javascript:` URIs through HTML attributes that the library's scheme-blocking logic never inspects. The `naughtyHref()` function gates dangerous URI schemes only for attributes listed in `allowedSchemesAppliedToAttributes` (defaulting to `href`, `src`, and `cite`), leaving attributes such as `action`, `formaction`, `data`, `poster`, `background`, `ping`, `xlink:href`, `dynsrc`, and `lowsrc` entirely unchecked. Applications that explicitly permit any of these attributes in their sanitize-html configuration are vulnerable; no public exploit code has been identified at time of analysis, and this CVE is not currently listed in CISA KEV.

XSS Node.js Sanitize Html
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45014 MEDIUM This Month

Stored cross-site scripting in ApostropheCMS up to and including version 4.29.0 allows an attacker who controls a user account to inject malicious script into the draft version tooltip via an unsanitized display name field. Any editor or administrator who subsequently views that tooltip in the CMS backend will execute the attacker's payload in their browser, enabling session hijacking or unauthorized action execution. No public exploit has been identified at time of analysis and no patched version is available per the vendor advisory.

XSS Node.js Apostrophe
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-12130 LOW POC Monitor

Stored cross-site scripting in CodeAstro Human Resource Management System 1.0 allows an authenticated low-privilege user to inject persistent malicious script via the `protitle` argument on the `/Projects/Add_Projects` endpoint. When any other authenticated user (e.g., an HR administrator) subsequently views the Projects Management Page, the stored payload executes in their browser context, enabling session hijacking, credential theft, or unauthorized actions on their behalf. A public proof-of-concept exploit is hosted on GitHub, lowering the bar for exploitation, though KEV listing is absent and the CVSS 4.0 score of 2.0 reflects the constrained impact scope.

XSS Human Resource Management System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-54395 MEDIUM PATCH This Month

Reflected XSS in MISP's UiBeta event index view allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL with a specially encoded searcheventinfo parameter. The vulnerability exploits a double-encoding flaw: the PHP template applies only HTML escaping (h()) to the urlparams value placed inside a single-quoted JavaScript string in an onclick attribute, but browsers HTML-decode attribute values before JavaScript parsing - restoring encoded quote characters (&#039; → ') and enabling string breakout. No public exploit code has been identified at time of analysis, and the fix has been committed upstream by the MISP maintainers at CIRCL.

XSS Misp
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-12129 LOW POC Monitor

Stored cross-site scripting in CodeAstro Human Resource Management System 1.0 allows an authenticated remote attacker to inject persistent malicious scripts via the `todo_data` parameter at the `/dashboard/add_tod` endpoint. When a higher-privileged user subsequently views the to-do list in the dashboard, the stored payload executes silently in their browser context, enabling session hijacking or unauthorized privileged actions. A public proof-of-concept exploit is available on GitHub; no CISA KEV listing exists at time of analysis, but the low barrier to exploitation for any authenticated user elevates practical risk above the CVSS 4.0 score of 2.0 implies.

XSS Human Resource Management System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-54393 MEDIUM PATCH This Month

Stored cross-site scripting in MISP's setHomePage endpoint allows an authenticated user to persist an arbitrary JavaScript payload as their homepage setting when the Overmind theme is active, which later executes in any victim's browser upon viewing the News page and clicking the "Continue to homepage" link. The root cause is a theme-conditional code path in UserSettingsController that called setSettingInternal() directly, bypassing the validate_homepage validator that enforces a leading slash on path values, combined with an unescaped output sink in app/View/News/index.ctp. No public exploit has been identified at time of analysis; exploitation is bounded by the Overmind-theme-only precondition and mandatory victim interaction.

XSS Misp
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-53724 npm LOW PATCH GHSA Monitor

Stored XSS in Parse Server is achievable by authenticated users who bypass the file upload extension blocklist by appending a trailing dot to a blocked filename (e.g., `poc.svg.`), causing the extension parser to return an empty string and skip the block check. The attacker-supplied Content-Type is forwarded unchanged to cloud storage adapters (S3, GCS), which persist and serve the file under that active MIME type - enabling script execution in a victim's browser when the file URL is opened. No active exploitation is confirmed (not in CISA KEV, EPSS 0.05% at 15th percentile), but the attack mechanism is low-complexity and fully documented in the vendor's fix PRs. Patches are available in versions 8.6.79 and 9.9.1-alpha.4.

File Upload XSS Node.js Parse Server
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-53568 MEDIUM PATCH This Month

Stored XSS in Frappe's Report and List View components allows injection of persistent JavaScript payloads that execute in the browsers of any user who subsequently accesses the affected views. All Frappe deployments on the v15 branch prior to 15.107.2 and v16 branch prior to 16.17.4 are affected per the GitHub security advisory GHSA-rx63-c3fh-8926. No public exploit has been identified at time of analysis and the EPSS score of 0.02% (7th percentile) reflects low current exploitation probability, though the network-accessible nature of Frappe instances keeps this relevant for organizations running unpatched versions.

XSS Frappe
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-44205 MEDIUM PATCH This Month

Stored cross-site scripting in Frappe's user profile image section enables script injection that executes in the browsers of any user who views the compromised profile. Affected versions are all Frappe releases prior to 15.106.0. No public exploit code or CISA KEV listing exists at time of analysis; EPSS of 0.02% (7th percentile) reflects low observed exploitation activity, though stored XSS in a shared framework carries inherent persistence risk across all applications built on Frappe.

XSS Frappe
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-47739 MEDIUM PATCH This Month

Stored cross-site scripting in the Frappe framework's Note feature allows a low-privileged attacker to persist malicious JavaScript that executes in the browsers of users who subsequently view the poisoned note. All Frappe deployments on the v15 branch prior to 15.106.0 and the v16 branch prior to 16.16.0 are affected. No public exploit or CISA KEV listing exists at time of analysis; vendor-confirmed patches are available and should be applied promptly given the ease of exploitation once an attacker holds any valid user account.

XSS Frappe
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-53787 CRITICAL POC PATCH Act Now

Unauthenticated arbitrary file upload in Amasty Order Attributes for Magento 2 before 4.0.0 lets remote attackers drop arbitrary files into the store's media directory without authentication, session validation, or cart context. Where the media directory permits PHP execution, this escalates to unauthenticated remote code execution; otherwise it enables stored XSS via HTML/SVG, malware hosting, and path-traversal writes outside the intended directory. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and trivial preconditions make this a high-priority issue for any Magento 2 store running the extension.

Adobe RCE XSS File Upload Path Traversal +2
NVD VulDB GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-53722 npm MEDIUM POC PATCH GHSA This Month

Reflected DOM-based XSS in Nuxt's built-in <NuxtLink> component allows an unauthenticated attacker to inject script-capable URLs (javascript:, vbscript:) that execute in the application's origin when a victim clicks a crafted link, affecting all Nuxt v3 versions prior to 3.21.7 and v4 versions prior to 4.4.7. Exploitation is contingent on application code that binds attacker-controlled input - such as query parameters, CMS link fields, or user-supplied profile URLs - directly to the component's to or href props without prior sanitization. No public exploit code has been identified and the EPSS score of 0.06% (20th percentile) indicates low observed exploitation probability; vendor-released patches are available in versions 3.21.7 and 4.4.7.

XSS Nuxt
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-9269 LOW POC PATCH Monitor

The Secure Copy Content Protection and Content Locking WordPress plugin before 5.1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

XSS WordPress Secure Copy Content Protection And Content Locking
NVD WPScan VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-9125 MEDIUM This Month

Stored XSS in the Presto Player WordPress plugin (versions ≤ 4.2.0) lets authenticated contributors persist arbitrary JavaScript payloads by supplying a javascript: URI as the link_url parameter of the [presto_player_overlay] shortcode. The getOverlays() function in Shortcodes.php copies the attribute into overlay configuration without scheme validation, causing the URI to survive into the href attribute rendered by the presto-dynamic-overlay-ui Stencil.js web component; any visitor who loads the injected page triggers execution. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity within the contributor-access constraint makes this a realistic risk on multi-author or membership-based WordPress installations.

WordPress XSS Presto Player
NVD VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-42653 HIGH This Week

Stored cross-site scripting in the SliceWP WordPress affiliate-marketing plugin (all versions up to and including 1.2.6) lets remote attackers persist malicious JavaScript that executes in the browsers of users who later view the affected page. Patchstack-reported issue with no public exploit identified at time of analysis; CVSS 7.1 reflects the scope-changing impact when an admin or another user is lured into rendering the injected payload. Affects WordPress sites running the iova.Mihai SliceWP plugin in default configurations exposed to attacker-supplied input.

XSS Slicewp
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46489 HIGH PATCH This Week

Stored cross-site scripting in SolidInvoice prior to 2.3.17 allows an authenticated administrator to upload a malicious SVG as the company logo, with the file's contents being base64-encoded and injected unescaped into every page of the application. The embedded JavaScript executes in every authenticated user's browser session, enabling session hijacking and privileged action abuse across the tenant. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Solidinvoice
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-4096 MEDIUM PATCH This Month

HTTP header injection in IBM DevOps Plan 3.0.0 through 3.0.6 allows unauthenticated remote attackers to inject arbitrary HTTP headers by supplying a malicious HOST header value that the application fails to sanitize. The vulnerability (CWE-644) can be leveraged to mount cross-site scripting attacks against users, poison intermediate caches with attacker-controlled content, or hijack authenticated sessions. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, though the low-complexity, no-authentication-required attack surface makes this a meaningful risk for any internet-facing deployment.

XSS IBM Devops Plan
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-8589 HIGH POC PATCH NEWS This Week

Stored cross-site scripting and account integrity abuse in GitLab Enterprise Edition versions 13.1.4 through 18.10.7, 18.11 prior to 18.11.5, and 19.0 prior to 19.0.2 allows an authenticated low-privileged user to inject unsanitized input into certain group setting fields and add unauthorized email addresses to a targeted user's account. Publicly available exploit code exists via a HackerOne report, though EPSS exploitation probability remains very low at 0.02% and the SSVC framework rates current exploitation as 'none' with total technical impact when successful.

Gitlab XSS
NVD VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-10087 HIGH POC PATCH NEWS This Week

Stored cross-site scripting in GitLab Enterprise Edition's Analytics Dashboard allows an authenticated developer-role user to execute arbitrary client-side JavaScript in the browser of a targeted user, leveraging improper input sanitization. The flaw affects all 17.1 through 18.10.x, 18.11.x, and 19.0.x branches before fixed releases, and publicly available exploit code exists via a HackerOne report, raising the realistic risk of opportunistic abuse against multi-tenant GitLab instances.

Gitlab XSS
NVD
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-10733 MEDIUM PATCH This Month

Denial of service on the GitLab CI/CD Catalog page is achievable by any authenticated user across a broad version range (17.0 through pre-patch releases of 18.10, 18.11, and 19.0) due to improper sanitization of user-supplied content. The low-privilege, network-accessible attack vector means any GitLab account holder can trigger the condition without elevated permissions or complex setup. No public exploit code or CISA KEV listing has been identified at time of analysis, and the limited availability impact (A:L) constrains real-world severity, though the wide version exposure across three concurrent release branches broadens organizational risk.

Gitlab XSS Denial Of Service
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2023-33999 HIGH This Week

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS.0.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Wp Mail Log
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-40986 MEDIUM PATCH This Month

Reflected XSS in Spring Web Flow's JavaScript RemotingHandler allows an authenticated attacker to inject and execute arbitrary scripts in a victim's browser by embedding malicious content in input that the server reflects within error response bodies. The RemotingHandler renders these error bodies as HTML regardless of the declared Content-Type, bypassing MIME-type enforcement. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; no public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Java XSS Spring Web Flow
NVD HeroDevs VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-2827 MEDIUM This Month

Stored Cross-Site Scripting in the Open User Map PRO WordPress plugin (versions ≤ 1.4.31) via the 'oum_location_notification' parameter enables unauthenticated attackers to persistently inject arbitrary JavaScript into WordPress pages. The injected payload executes in any visitor's browser upon accessing the affected page, with scope extending beyond the originating application context (S:C). No public exploit code or CISA KEV listing has been identified at time of analysis, but the unauthenticated injection surface lowers the barrier for mass exploitation against unpatched sites.

WordPress XSS
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-42558 HIGH This Week

Stored cross-site scripting in Xibo CMS prior to 4.4.2 allows authenticated users with elevated DataSet privileges to chain a Stored XSS with an iframe sandbox escape via the Data Connector functionality, executing script in another user's browser context. Scope-changed impact (S:C) with high confidentiality loss means a low-privileged-but-trusted operator can compromise an admin session viewing the affected dataset content. No public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Microsoft XSS
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-53742 MEDIUM This Month

Stored cross-site scripting in the QuantumCloud Simple Link Directory WordPress plugin (versions through 9.0.4) allows low-privileged contributors to inject arbitrary JavaScript via unsanitized embed shortcode attributes that are reflected into HTML data attributes. When an authenticated user with contributor-level access publishes or embeds content containing a maliciously crafted shortcode, any viewer who loads the affected page executes attacker-controlled JavaScript in their browser context. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the low privilege requirement broadens the realistic attacker pool on multi-author WordPress installations.

XSS Simple Link Directory
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-53741 MEDIUM This Month

Stored cross-site scripting in Simple Link Directory (WordPress plugin by QuantumCloud) through version 9.0.4 allows a low-privileged attacker to permanently inject arbitrary JavaScript into the plugin's 'no results found' output. The root cause is that the sld_no_results_found option value is interpolated directly into a JavaScript string literal without HTML or JavaScript encoding - WordPress's sanitize_text_field function is misapplied here because it strips tags but preserves quote characters, enabling quote-breakout from the JS string context. Every visitor to any page rendering the link directory widget executes the payload, making this a persistent, wide-blast stored XSS with no public exploit identified at time of analysis.

XSS Simple Link Directory
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-53740 MEDIUM This Month

Stored cross-site scripting in Yoast Duplicate Post (WordPress plugin, through version 4.6) allows an authenticated low-privilege user to plant a malicious payload in the Classic Editor's scheduled republish notice by crafting the cloned post's title or permalink. When an administrator subsequently views the notice in the Classic Editor, the injected script executes in their browser session, enabling session hijacking or unauthorized admin-level actions. No public exploit code and no CISA KEV listing have been identified at time of analysis, keeping this at medium priority despite the admin-targeting impact.

XSS Yoast Duplicate Post
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-53737 MEDIUM This Month

Stored cross-site scripting in the Juicer WordPress plugin (versions through 1.12.18) allows an attacker who controls a connected social media feed source to inject arbitrary JavaScript that executes in a WordPress administrator's browser when the Juicer settings page loads. The plugin fetches remote feed API responses and renders them on the admin settings page without HTML output escaping, enabling script injection via externally controlled data. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 5.3 reflects the passive user interaction requirement limiting broad exploitation.

XSS Juicer
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-0266 LOW PATCH Monitor

Stored cross-site scripting in Palo Alto Networks PAN-OS allows a malicious authenticated administrator to persist a JavaScript payload via the web management interface, enabling potential execution of that script in the browsers of other administrative users who view the affected interface element. Affected platforms include PA-Series and VM-Series physical and virtual firewalls as well as Panorama (both virtual appliances and M-Series hardware). The CVSS 4.0 base score of 1.1 reflects the extremely constrained exploitability: high-privilege access is a prerequisite and passive user interaction by a second victim is required. No public exploit identified at time of analysis.

XSS Paloalto Cloud Ngfw Pan Os Prisma Access
NVD VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-48060 PyPI HIGH PATCH GHSA This Week

Cross-Site Scripting in Litestar Python web framework versions prior to 2.22.0 allows remote attackers to execute arbitrary JavaScript in victim browsers by poisoning the csrftoken cookie, whose contents are rendered into HTML templates without escaping when the documented csrf_input helper is used. Publicly available exploit code exists via the GitHub Security Advisory GHSA-542p-wvx7-72m4, which includes two working proof-of-concept applications. The flaw only manifests in applications that combine a template engine (Jinja, Mako, MiniJinja) with CSRF protection and the recommended hidden CSRF input field pattern.

XSS Python CSRF
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-46642 MEDIUM PATCH This Month

Stored cross-site scripting in draw.io prior to version 29.7.12 allows arbitrary JavaScript execution in the editor's origin when a victim opens a crafted .drawio file. The flaw bypasses the existing label sanitizer entirely because it resides in a separate, unsanitized code path - the Text Format panel's feature-detection routine - which assigns raw cell label content directly to a detached DOM element's innerHTML. Exploitation is automatic upon file import since draw.io selects cells programmatically during that process, requiring no additional user interaction beyond opening the file. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

XSS Drawio
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-20258 MEDIUM PATCH This Month

Stored cross-site scripting in Splunk Enterprise (below 10.2.4, 10.0.7, 9.4.12, 9.3.13) and Splunk Cloud Platform (below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, 9.3.2411.132) allows a low-privileged authenticated user - without 'admin' or 'power' roles - to embed malicious JavaScript inside a classic dashboard HTML panel that executes in another user's browser session. Exploitation requires phishing the victim into initiating a specific browser request, and no public exploit was identified at time of analysis.

XSS Splunk Splunk Enterprise Splunk Cloud Platform
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-53693 MEDIUM PATCH This Month

Stored cross-site scripting in MISP BSimVis through v0.2.0 allows network-accessible attackers who can create or influence tag names, collection names, entity identifiers, cluster names, or tag metadata to inject malicious payloads that execute in victims' browsers. The vulnerability spans multiple client-side rendering paths in tags.js, where user-controlled values were interpolated raw into innerHTML, HTML attributes, inline JavaScript event handlers, and CSS style values - covering tag badges, tooltips, context menus, cluster cards, autocomplete suggestions, and dynamically inserted tag cards. No public exploit has been identified at time of analysis; the issue was reported and patched by CIRCL, the primary MISP development organization.

XSS Bsimvis
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-45560 MEDIUM This Month

Stored cross-site scripting in Roxy-WI 8.2.6.4 and prior allows any unauthenticated remote attacker who can send HTTP requests to a managed HAProxy or Nginx load balancer to inject malicious payloads into server access logs, which then execute in the browser of any Roxy-WI administrator who opens the log viewer. The vulnerability stems from unsanitized HTML concatenation in the Python backend combined with unsafe jQuery .html()/.append() rendering on the frontend - a classic stored XSS with a changed scope (S:C) because the attacker's input, written via the load balancer, achieves code execution in the privileged admin web UI context. No publicly available patches exist at time of analysis; no public exploit code or CISA KEV listing has been identified.

XSS Nginx Apache
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-53473 MEDIUM This Month

Stored cross-site scripting in Red Hat's migration-planner-ui-app (kubev2v project) allows an authenticated attacker who can register a discovery agent to inject a javascript: URI into the agent's credentialUrl field, which executes in another organizational user's browser when they click the resulting link in the UI. No public exploit identified at time of analysis, but the upstream fix (PR #750) and Red Hat Bugzilla entry confirm the issue is real and patched via a safeExternalUrl protocol allowlist. Successful exploitation hijacks the victim's Red Hat SSO session and enables cross-tenant data access and API actions.

XSS Red Hat Migration Planner Ui
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-53441 Maven MEDIUM PATCH GHSA This Month

Stored XSS in Jenkins 2.483-2.567 and LTS 2.492.1-2.555.2 allows attackers holding Agent/Configure permission to inject persistent malicious scripts via the `POST config.xml` API by supplying an unescaped generic offline cause description. When any Jenkins user views the affected agent page, the payload executes in their browser, enabling session hijacking or unauthorized actions within the Jenkins instance. No public exploit or CISA KEV listing has been identified, and EPSS probability is low at 0.02%, reflecting the constrained attack surface from the required permission prerequisite.

Jenkins XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-49069 HIGH POC This Week

Reflected cross-site scripting in the WPZOOM Portfolio WordPress plugin (versions up to and including 1.4.21) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the user clicks a crafted link. Because the CVSS scope is Changed (S:C), successful exploitation can affect resources beyond the vulnerable component, typically enabling session hijacking or actions against the WordPress admin context. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

XSS Wpzoom Portfolio
NVD Exploit-DB VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-11859 LOW PATCH Monitor

HTML injection in the 'fetch links' alert email feature of Thinkst Canarytokens allows unauthenticated remote attackers to embed malicious HTML and JavaScript into notification emails delivered to token owners (defenders). The vulnerability is notable because it weaponizes the deception platform's own alert mechanism against the security operators relying on it - turning a defensive tool into a phishing vector. Proof-of-concept exploit code exists (CVSS 4.0 E:P), though the vulnerability is not listed in CISA KEV and the CVSS 4.0 base score of 2.0 reflects the limited, interaction-dependent impact.

Docker XSS
NVD GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-9019 MEDIUM This Month

Stored Cross-Site Scripting in the Easy Image Collage WordPress plugin (all versions through 1.13.6) allows authenticated attackers with author-level access to permanently inject arbitrary JavaScript into pages via the `grid[properties][borderColor]` and `grid[images][N][attachment_url]` parameters, which executes in victims' browsers upon page load. The critical aggravating factor is that payloads are persisted via WordPress's `update_post_meta()` API rather than through post content, which deliberately sidesteps the `unfiltered_html` capability check that normally prevents lower-privilege users from injecting raw HTML - meaning site administrators cannot block this attack path through standard WordPress role controls alone. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the low privilege requirement and well-documented bypass of WordPress hardening make this a credible threat on multi-author sites.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8853 MEDIUM This Month

Stored Cross-Site Scripting in the MW WP Form WordPress plugin (all versions through 5.1.3) allows authenticated editor-level attackers to inject persistent malicious scripts via the 'memo' parameter that execute in the browsers of any user who views the affected contact data page. The vulnerability is made possible by a specific bypass of WordPress Core sanitization: because memo values are stored via update_post_meta() rather than wp_insert_post(), the native wp_kses_post() and unfiltered_html capability checks are never invoked, permitting editors - who are normally prevented from injecting raw HTML - to break out of the textarea element using injected closing tags. No public exploit has been identified at time of analysis, and the CVSS 4.4 Medium score reflects the high privilege and high complexity prerequisites.

XSS WordPress
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-8613 MEDIUM This Month

Stored Cross-Site Scripting in the aThemes Addons for Elementor WordPress plugin (versions up to and including 1.1.8) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'title_tag' widget setting in the Posts Timeline and Posts Carousel widgets. The injected payload executes in the browsers of any user who subsequently visits the compromised page, enabling session hijacking, credential theft, or malicious redirects. No public exploit or CISA KEV listing has been identified at time of analysis, though the contributor-level authentication barrier is low in multi-author WordPress deployments.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored cross-site scripting in the Notification for Telegram WordPress plugin (versions <= 3.5) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser when they visit a crafted link or page. Patchstack attributes the issue to insufficient input sanitization in the plugin developed by rainafarai, and no public exploit code has been identified at time of analysis. The flaw carries CVSS 7.1 due to the scope change (S:C), reflecting that injected script runs in the WordPress admin or user context beyond the vulnerable component.

XSS Notification For Telegram
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in the Shipment Tracker for WooCommerce WordPress plugin (versions up to and including 1.5.3.2) allows authenticated subscriber-level users to inject malicious scripts that execute in a privileged user's browser session. The CVSS scope-change flag (S:C) indicates the injected payload crosses into the administrator's browser context, enabling session hijacking, credential theft, or unauthorized admin actions. Reported by Patchstack with no public exploit code identified at time of analysis and no CISA KEV listing.

WordPress XSS Shipment Tracker For Woocommerce
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Paid Member Subscriptions WordPress plugin (versions through 2.17.3) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. No public exploit identified at time of analysis, but the vulnerability is reachable without authentication and carries a CVSS 3.1 score of 7.1 driven by scope change. The flaw was disclosed by Patchstack and affects the Cozmoslabs-maintained membership/subscription plugin used on WordPress sites.

XSS Paid Member Subscriptions
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Social Slider Feed WordPress plugin (versions ≤ 2.3.2, developed by ThemeIsle) allows remote attackers to inject malicious JavaScript that executes in a victim's browser after user interaction. The flaw was reported by Patchstack and tracked as EUVD-2026-36949; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Because exploitation crosses a privilege boundary (S:C) and requires only a user clicking a crafted link, it is a realistic phishing/account-takeover vector against WordPress sites running the plugin.

XSS Social Slider Feed
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored or reflected Cross-Site Scripting in the JupiterX Core WordPress plugin (versions up to and including 4.14.1) allows low-privilege authenticated users with Subscriber roles to inject malicious JavaScript that executes in the browser context of other users, including administrators. The scope change component (S:C in CVSS) confirms the payload crosses security boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions against victims who view attacker-controlled content. No public exploit code has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.

XSS Jupiterx Core
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored cross-site scripting in the ManageWP Worker WordPress plugin (versions ≤ 4.9.31) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser after user interaction, potentially hijacking WordPress administrator sessions. The CVSS scope change (S:C) indicates the XSS payload crosses a trust boundary, affecting components beyond the vulnerable plugin itself. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

XSS Managewp Worker
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Unauthenticated cross-site scripting in the WP Google Review Slider WordPress plugin (versions up to and including 18.0) allows a remote, unauthenticated attacker to inject arbitrary JavaScript that executes in the browser of any user who interacts with the affected page. Reported by Patchstack and tracked as EUVD-2026-36930, the vulnerability stems from improper input sanitization in a publicly accessible plugin component. No public exploit code or CISA KEV listing has been identified at the time of analysis, placing this in the medium-priority tier despite the unauthenticated attack vector.

Google XSS Wp Google Review Slider
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the WordPress plugin Contact Form to Any API through version 3.0.3 allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. The flaw requires user interaction (UI:R) and changes scope (S:C), meaning injected script can affect resources beyond the vulnerable component, typically the WordPress admin session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Contact Form To Any Api
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.10.6) allows remote attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. Successful exploitation can lead to session hijacking, credential theft, or administrative actions performed in the context of the targeted user. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Simply Schedule Appointments
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored/reflected cross-site scripting in the CformsII WordPress plugin (versions ≤ 15.1.3) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser when the crafted content is rendered, enabling session hijacking, credential theft, or actions on behalf of authenticated users including administrators. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 7.1 (UI:R, scope-changed). No public exploit identified at time of analysis and EPSS data was not provided.

XSS Cformsii
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored cross-site scripting in the WooCommerce Product Table Lite WordPress plugin (versions ≤ 4.6.3) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. Successful exploitation can lead to session hijacking, credential theft, or administrative actions performed in the context of an authenticated WordPress user, including site administrators. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated attack surface combined with WordPress's broad install base makes this a meaningful risk for sites running the plugin.

WordPress XSS Woocommerce Product Table Lite
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated reflected cross-site scripting in the GiveWP WordPress donation plugin (versions ≤4.14.2) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the user clicks a crafted link. The flaw was disclosed via Patchstack and tracked as EUVD-2026-36921; no public exploit identified at time of analysis, and the CVSS scope-change rating of 7.1 reflects potential session hijacking or administrative action abuse against logged-in WordPress users including site administrators.

XSS Givewp
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored cross-site scripting in the Redirection for Contact Form 7 WordPress plugin (versions ≤ 3.2.8) allows remote unauthenticated attackers to inject malicious scripts that execute in a victim's browser after user interaction. The flaw, reported by Patchstack and tracked as EUVD-2026-36909, carries a CVSS 3.1 base score of 7.1 with scope change due to script execution crossing the plugin/browser trust boundary. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Redirection For Contact Form 7
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in Eli's WordCents adSense Widget with Analytics WordPress plugin (versions <= 1.3.03.27) allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the user is lured into clicking a crafted link. The flaw stems from improper neutralization of user-supplied input (CWE-79), and while no public exploit identified at time of analysis, the scope-changing CVSS vector indicates potential for session hijacking or administrative account takeover if a logged-in WordPress admin is targeted.

XSS Eli 039 S Wordcents Adsense Widget With Analytics
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Okay Toolkit WordPress plugin (versions ≤2.3) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 7.1 with a scope-changed impact, but no public exploit identified at time of analysis and EPSS data was not provided. Successful exploitation can lead to session hijacking, credential theft, or administrative actions against the targeted WordPress site.

XSS Okay Toolkit
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the iRobots.txt SEO WordPress plugin (versions 1.1.2 and earlier) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.1 driven by a scope change, though no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV. Exploitation requires user interaction, which limits mass-scale weaponization but makes it viable for targeted phishing against WordPress administrators.

XSS Irobots Txt Seo
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

DOMPurify's HTML sanitizer silently skips shadow DOM contents nested inside <template> elements, allowing stored or reflected XSS payloads to survive sanitization untouched in versions up to and including 3.4.6. When a consuming application clones and inserts the sanitized template into the live DOM - the standard and intended usage pattern for HTML templates - any attacker-controlled payload within the shadow root executes with full script privileges in the victim's browser context. A publicly available proof-of-concept (poc.html) has been released alongside the advisory; no confirmed active exploitation (CISA KEV) has been recorded at time of analysis, but the low attack complexity and broad deployment of DOMPurify across web applications make this a high-priority patching target.

XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

{ IN_PLACE: true })` - a pattern common in email-preview panes, WYSIWYG editors, and declarative shadow DOM consumers. Three working proof-of-concept exploits are publicly available, confirmed against DOMPurify 3.4.5 and HEAD commit `89da34e` on Chromium 148; no CISA KEV listing exists at time of analysis.

Google XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in DOMPurify ≤ 3.4.5 allows attacker-controlled event handlers, javascript: URIs, and template syntax to survive sanitization when the IN_PLACE: true API is used with an HTMLFormElement root. Two interacting bugs create the bypass: _forceRemove silently no-ops on detached (parent-less) nodes per WebIDL spec, and _sanitizeAttributes unconditionally early-returns on clobbered nodes under the now-broken assumption that _sanitizeElements already removed them. A publicly available working PoC has been verified against Chromium 148.0.7778.96 and DOMPurify 3.4.5 including the HEAD commit 89da34e, which addressed a related shadow-root traversal issue but left this main-pipeline path unpatched. No KEV listing is present at time of analysis.

Google Mozilla Apple +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cache key collision in Angular's @angular/common HttpTransferCache allows remote attackers to poison Server-Side Rendering (SSR) cache entries and replace responses for sensitive endpoints with attacker-controlled content. The weak 32-bit DJB2-like polynomial rolling hash used for TransferState cache keys is trivially brute-forceable, enabling state poisoning, DOM-based XSS, and information leakage when a victim follows a crafted link. No public exploit identified at time of analysis, but the vulnerability was discovered and reported by Google DeepMind's CodeMender and is patched in Angular 22.0.1, 21.2.17, and 20.3.25.

Google XSS Information Disclosure
NVD GitHub VulDB HeroDevs
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

DOM sanitization bypass in @angular/compiler allows client-side XSS in Angular applications that use two-way property binding syntax on security-sensitive native DOM properties. The Angular template compiler's sanitizer-resolution phase omitted a case for the TwoWayProperty IR operation, meaning compiled templates with [(innerHTML)], [(src)], [(href)], [(srcdoc)], [(data)], or [(sandbox)] bindings emit the runtime ɵɵtwoWayProperty() instruction without the required sanitizer function argument, while identical one-way [property] bindings are correctly protected. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis, though the patch diff in PR #69107 fully characterizes the missing code path.

XSS Information Disclosure
NVD GitHub VulDB HeroDevs
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-site scripting execution is possible in Angular applications (@angular/compiler and @angular/core) through a dual-bypass of the framework's template sanitization engine using XML namespace prefixes. The Angular template preparser used a simple string comparison for 'script' that failed to match namespaced representations such as ':svg:script', allowing those elements to survive template compilation unstripped. Concurrently, the security context schema mappings for namespaced SVG and MathML attributes were incomplete, allowing malicious attribute bindings to evade both compile-time and runtime sanitizers. No public exploit has been identified at time of analysis, and exploitation requires the specific non-default deployment condition of runtime JIT template compilation with user-controlled input.

XSS Information Disclosure
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Cross-site scripting in @angular/platform-server allows attackers to inject executing script into SSR-rendered pages that bind user-controlled text inside a `<noscript>` element. The bundled `domino` DOM emulator omitted `<noscript>` from raw-text closing-tag escaping, so a `</noscript>` substring in dynamic content broke out of the element and ran an attacker-controlled `<script>` sibling in the victim's origin. No public exploit identified at time of analysis, but a fix-validating test in the upstream patch effectively demonstrates the technique.

XSS
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Same-origin Cross-Site Scripting in @angular/platform-server (SSR) allows attackers who control bound dynamic text inside raw-text elements (script, style, iframe, noscript) to break out of the raw-text context and execute arbitrary JavaScript in the victim's browser. The root cause is a Unicode index-alignment bug in the bundled domino DOM library: astral characters (e.g. emojis) before a closing tag shift the replacement offset, leaving the closing tag unescaped. Publicly available exploit code exists in the upstream PR's regression tests, but there is no public exploit identified in the wild and the CVE is not on CISA KEV.

XSS
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Dynamic component mounting in @angular/core permits client-side XSS by failing to reject script elements as valid host targets for `createComponent`. Angular applications that pass user-supplied selectors or host element references to the `createComponent` API without prior sanitization are vulnerable to namespace bypass, allowing an attacker to mount Angular components onto `<script>` or `<svg:script>` elements and execute arbitrary JavaScript in the victim's browser. No active exploitation has been confirmed (not in CISA KEV) and no public proof-of-concept has been identified at time of analysis, but vendor-released patches are available across multiple supported major versions.

XSS Information Disclosure
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Stored XSS in the Symfony HtmlSanitizer component (symfony/html-sanitizer) allows injection of javascript: scheme URLs through HTML attributes not covered by the library's URL sanitization allow-list. The UrlAttributeSanitizer hardcodes a fixed set of URL-bearing attributes to sanitize, omitting data (on object), codebase and archive (on applet), and longdesc (on iframe/img); a related gap allows javascript: URLs embedded in meta http-equiv=refresh content values to pass through unchanged. Only non-default configurations that explicitly opt in to those element-attribute combinations via allowElement() or allowAttribute() are affected - default Symfony configurations are confirmed safe. No public exploit code has been identified at time of analysis, though the vendor advisory includes functional proof-of-concept payloads; the issue was reported by Scott Arciszewski of Trail of Bits.

XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in Valhalla's JSONP endpoint allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by crafting a malicious URL containing payload in the callback parameter. All versions through 3.6.3 are affected, and the CVSS scope change (S:C) reflects that execution occurs in the serving origin's context rather than a sandboxed one, enabling session theft and unauthorized actions on authenticated victims. No patch was available at time of publication, and no public exploit code has been identified at time of analysis.

XSS Valhalla
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

DOM Clobbering and HTTP Transfer Cache poisoning in Angular's Client Hydration (provideClientHydration) allows remote attackers to inject arbitrary JSON into the TransferState by hijacking the predictable 'ng-state' element ID. Affected versions are @angular/core 20.x through 22.x prior to the fixes, and the flaw can be leveraged for DOM-based XSS, privilege escalation, or UI hijacking when applications bind untrusted input to element id attributes. No public exploit identified at time of analysis, but a vendor patch and detailed advisory (GHSA-rgjc-h3x7-9mwg) are available.

Privilege Escalation XSS
NVD GitHub VulDB HeroDevs
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in the Elizaibots WordPress chatbot plugin (versions <= 1.0.2) allows authenticated Contributor-level users to inject malicious scripts that execute in the browser context of higher-privileged users - including site administrators - when they visit affected pages. The CVSS scope-change indicator (S:C) confirms the payload escapes the contributor's privilege boundary and can compromise admin sessions, enabling privilege escalation or site takeover. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

XSS Elizaibots
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored Cross-Site Scripting in the WP Emmet WordPress plugin (by rewish) versions 0.3.4 and earlier allows an administrator-level user to inject persistent malicious scripts through the plugin interface, which then execute in the browsers of other users who visit affected pages. The CVSS scope-change metric (S:C) confirms the injected payload crosses trust boundaries beyond the attacker's own session, enabling session hijacking, credential theft, or unauthorized actions against victims. No public exploit has been identified at time of analysis, and the vulnerability has not appeared in CISA KEV.

XSS Wp Emmet
NVD
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress XSS +2
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress XSS +2
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress CP Polls 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload WordPress XSS +1
NVD Exploit-DB
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Stored Cross-Site Scripting in the Form Builder CP WordPress plugin (all versions before 1.2.47) allows authenticated users holding Editor-level access or above to inject persistent malicious scripts via unsanitized form configuration values, which execute in every visitor's browser upon rendering the affected form. Critically, this attack succeeds even when WordPress's `unfiltered_html` capability has been revoked - a control that multisite administrators commonly rely on to prevent exactly this class of injection from Editor-level roles. A publicly available exploit exists per WPScan, though no confirmed active exploitation (CISA KEV) has been recorded and the EPSS score of 0.19% (9th percentile) reflects limited automated mass exploitation at time of analysis.

XSS WordPress Form Builder Cp
NVD WPScan
EPSS 0% CVSS 1.9
LOW POC Monitor

Cross-site scripting in Intelliants Subrion CMS up to version 4.0.3 allows an authenticated high-privilege attacker to inject malicious JavaScript via the CSS class name argument in the Blocks Endpoint, executing in a victim user's browser upon viewing the manipulated block. Publicly available exploit code exists (disclosed on HackMD), and the vendor did not respond to responsible disclosure, leaving no patch available at time of analysis. Exploitation is constrained by a high-privilege authentication requirement and mandatory user interaction, limiting opportunistic mass exploitation but posing meaningful insider-threat and compromised-credential risk.

XSS Subrion Cms
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

A cross-site scripting (XSS) vulnerability in Deck9 Input v2.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

XSS N A
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Ruoyi 4.8.2 is vulnerable to Cross Site Scripting (XSS) at the interface /system/notice/add.

XSS N A
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL Act Now

Stored HTML/script injection in matze wastebin v3.4.1 allows remote unauthenticated attackers to execute arbitrary JavaScript in the browser of any user who views a crafted paste, by abusing improper output encoding in the /src/highlight.rs syntax-highlighting component. A public gist appears to demonstrate the issue, but no public exploit identified at time of analysis as weaponized tooling, and EPSS exploitation probability is low at 0.18% (8th percentile).

XSS N A
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

PublicCMS V5.202506.d has a Cross Site Scripting (XSS) vulnerability in the site configuration management module.

XSS N A
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Cross-site scripting in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via the unsanitized `action` parameter in `/index.php`. Publicly available exploit code exists (CVSS 4.0 E:P), and the attack requires no authentication, only that a victim interact with a crafted URL or request. No vendor-released patch has been identified at time of analysis.

PHP XSS Cet Automated Grading System With Ai Predictive Analytics
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Bookly Online Scheduling and Appointment Booking System plugin for WordPress (versions through 27.2) allows remote unauthenticated attackers to inject arbitrary JavaScript via the 'bookly-customer-full-name' cookie, which is rendered without proper sanitization or output escaping. Exploitation is gated by the non-default 'Remember personal information in cookies' setting being enabled, and no public exploit identified at time of analysis. The flaw was reported by Wordfence and the upstream fix landed in changeset 3504922 in the WordPress plugin repository.

WordPress XSS Online Scheduling And Appointment Booking System Bookly
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Canvas plugin for WordPress (versions ≤ 2.5.2) allows an authenticated attacker holding contributor-level access or above to inject persistent JavaScript via the unsanitized 'tag' parameter in the block-section-heading Gutenberg block. The payload is stored in the database and executes in the browser of any user who subsequently loads the compromised page, enabling session hijacking, credential theft, or malicious redirects at scale. No active exploitation is confirmed (not listed in CISA KEV), but the low privilege bar makes this a realistic threat on multi-author WordPress installations; a fix is available in version 2.5.3.

WordPress XSS Canvas
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Pagelayer Drag and Drop website builder plugin for WordPress (versions up to and including 2.0.9) allows authenticated contributors to inject persistent malicious scripts via the Anchor block component. Any site visitor - including privileged administrators - who loads an injected page will execute the attacker-supplied script in their browser, enabling session token theft, credential harvesting, or privilege escalation. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA's KEV catalog; however, the low authentication barrier (contributor-level) makes it realistically accessible on multi-author WordPress sites.

WordPress XSS Page Builder
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in FooGallery WordPress plugin versions through 3.1.31 allows authenticated contributors to inject persistent JavaScript via the 'custom_attribute_key' shortcode parameter, executing against any visitor who views an affected page. The flaw combines a bypass-prone event-handler blacklist in foogallery_sanitize_javascript() - which omits handlers like 'onmouseenter' - with unescaped attribute key output in foogallery_build_container_attributes_safe(), together enabling DOM-level script injection. A patched version 3.1.32 is confirmed released; no public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress XSS Photo Gallery By Foogallery
NVD VulDB
EPSS 0% CVSS 3.5
LOW POC PATCH Monitor

The Store Locator WordPress plugin before 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the Store Locator WordPress plugin before 1.6.9 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network).

XSS WordPress Store Locator Wordpress
NVD WPScan VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the GPTranslate - Multilingual AI Translation WordPress plugin (versions ≤ 2.31) allows unauthenticated attackers to inject arbitrary JavaScript into translated pages via the /wp-json/gptranslate/v1/request REST endpoint. Because the API key is deterministically derived as sha256(site_url) and exposed in every page's HTML as the gptApiKey JavaScript variable, any visitor can recover it and submit malicious translation payloads that execute in the browsers of subsequent visitors. No public exploit identified at time of analysis, but the exposed key makes exploitation trivial once the technique is known.

WordPress XSS Gptranslate Multilingual Ai Translation For Wordpress
NVD VulDB
EPSS 0% CVSS 4.6
MEDIUM This Month

Cross-site scripting in Allegra's downloadAttachment method enables authenticated remote attackers to inject and execute arbitrary JavaScript within a victim user's browser session. Exploitation requires an authenticated low-privilege attacker account and mandatory victim interaction - the target must visit a malicious page or open a crafted file - limiting the realistic attack surface. Reported by Zero Day Initiative (ZDI-CAN-28236 / ZDI-26-358), patched in Allegra 9.0.0. No public exploit code and no active exploitation (CISA KEV) identified at time of analysis.

Authentication Bypass XSS Allegra
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Fabric.js (npm: fabric) versions prior to 7.4.0 is triggered when applications export canvas content via `canvas.toSVG()` and render the result into the DOM using `innerHTML`. The `color` field within `colorStops` of a `fabric.Gradient` object is inserted into SVG `<stop>` elements without escaping `"`, `<`, or `>`, allowing crafted input to break attribute context and inject arbitrary HTML. A working proof-of-concept is publicly confirmed against v7.2.0; no active exploitation appears in CISA KEV, and the EPSS score of 0.04% reflects low observed exploitation breadth consistent with the chained conditions required.

XSS Information Disclosure Node.js
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Stored cross-site scripting in the @apostrophecms/seo plugin (versions ≤1.4.2) allows any user holding the default editor role to inject arbitrary JavaScript that executes in every visitor's browser. The seoGoogleTrackingId and seoGoogleTagManager fields are interpolated directly into inline <script> tag bodies via template literals with no sanitization, turning legitimate analytics configuration into a persistent payload delivery channel. No public exploit identified at time of analysis, and no vendor-released patch identified at time of analysis.

Google XSS Node.js +1
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting in sanitize-html prior to 2.17.5 allows low-privileged attackers to inject executable `javascript:` URIs through HTML attributes that the library's scheme-blocking logic never inspects. The `naughtyHref()` function gates dangerous URI schemes only for attributes listed in `allowedSchemesAppliedToAttributes` (defaulting to `href`, `src`, and `cite`), leaving attributes such as `action`, `formaction`, `data`, `poster`, `background`, `ping`, `xlink:href`, `dynsrc`, and `lowsrc` entirely unchecked. Applications that explicitly permit any of these attributes in their sanitize-html configuration are vulnerable; no public exploit code has been identified at time of analysis, and this CVE is not currently listed in CISA KEV.

XSS Node.js Sanitize Html
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Stored cross-site scripting in ApostropheCMS up to and including version 4.29.0 allows an attacker who controls a user account to inject malicious script into the draft version tooltip via an unsanitized display name field. Any editor or administrator who subsequently views that tooltip in the CMS backend will execute the attacker's payload in their browser, enabling session hijacking or unauthorized action execution. No public exploit has been identified at time of analysis and no patched version is available per the vendor advisory.

XSS Node.js Apostrophe
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Stored cross-site scripting in CodeAstro Human Resource Management System 1.0 allows an authenticated low-privilege user to inject persistent malicious script via the `protitle` argument on the `/Projects/Add_Projects` endpoint. When any other authenticated user (e.g., an HR administrator) subsequently views the Projects Management Page, the stored payload executes in their browser context, enabling session hijacking, credential theft, or unauthorized actions on their behalf. A public proof-of-concept exploit is hosted on GitHub, lowering the bar for exploitation, though KEV listing is absent and the CVSS 4.0 score of 2.0 reflects the constrained impact scope.

XSS Human Resource Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Reflected XSS in MISP's UiBeta event index view allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL with a specially encoded searcheventinfo parameter. The vulnerability exploits a double-encoding flaw: the PHP template applies only HTML escaping (h()) to the urlparams value placed inside a single-quoted JavaScript string in an onclick attribute, but browsers HTML-decode attribute values before JavaScript parsing - restoring encoded quote characters (&#039; → ') and enabling string breakout. No public exploit code has been identified at time of analysis, and the fix has been committed upstream by the MISP maintainers at CIRCL.

XSS Misp
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Stored cross-site scripting in CodeAstro Human Resource Management System 1.0 allows an authenticated remote attacker to inject persistent malicious scripts via the `todo_data` parameter at the `/dashboard/add_tod` endpoint. When a higher-privileged user subsequently views the to-do list in the dashboard, the stored payload executes silently in their browser context, enabling session hijacking or unauthorized privileged actions. A public proof-of-concept exploit is available on GitHub; no CISA KEV listing exists at time of analysis, but the low barrier to exploitation for any authenticated user elevates practical risk above the CVSS 4.0 score of 2.0 implies.

XSS Human Resource Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting in MISP's setHomePage endpoint allows an authenticated user to persist an arbitrary JavaScript payload as their homepage setting when the Overmind theme is active, which later executes in any victim's browser upon viewing the News page and clicking the "Continue to homepage" link. The root cause is a theme-conditional code path in UserSettingsController that called setSettingInternal() directly, bypassing the validate_homepage validator that enforces a leading slash on path values, combined with an unescaped output sink in app/View/News/index.ctp. No public exploit has been identified at time of analysis; exploitation is bounded by the Overmind-theme-only precondition and mandatory victim interaction.

XSS Misp
NVD GitHub
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Stored XSS in Parse Server is achievable by authenticated users who bypass the file upload extension blocklist by appending a trailing dot to a blocked filename (e.g., `poc.svg.`), causing the extension parser to return an empty string and skip the block check. The attacker-supplied Content-Type is forwarded unchanged to cloud storage adapters (S3, GCS), which persist and serve the file under that active MIME type - enabling script execution in a victim's browser when the file URL is opened. No active exploitation is confirmed (not in CISA KEV, EPSS 0.05% at 15th percentile), but the attack mechanism is low-complexity and fully documented in the vendor's fix PRs. Patches are available in versions 8.6.79 and 9.9.1-alpha.4.

File Upload XSS Node.js +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Stored XSS in Frappe's Report and List View components allows injection of persistent JavaScript payloads that execute in the browsers of any user who subsequently accesses the affected views. All Frappe deployments on the v15 branch prior to 15.107.2 and v16 branch prior to 16.17.4 are affected per the GitHub security advisory GHSA-rx63-c3fh-8926. No public exploit has been identified at time of analysis and the EPSS score of 0.02% (7th percentile) reflects low current exploitation probability, though the network-accessible nature of Frappe instances keeps this relevant for organizations running unpatched versions.

XSS Frappe
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Stored cross-site scripting in Frappe's user profile image section enables script injection that executes in the browsers of any user who views the compromised profile. Affected versions are all Frappe releases prior to 15.106.0. No public exploit code or CISA KEV listing exists at time of analysis; EPSS of 0.02% (7th percentile) reflects low observed exploitation activity, though stored XSS in a shared framework carries inherent persistence risk across all applications built on Frappe.

XSS Frappe
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Stored cross-site scripting in the Frappe framework's Note feature allows a low-privileged attacker to persist malicious JavaScript that executes in the browsers of users who subsequently view the poisoned note. All Frappe deployments on the v15 branch prior to 15.106.0 and the v16 branch prior to 16.16.0 are affected. No public exploit or CISA KEV listing exists at time of analysis; vendor-confirmed patches are available and should be applied promptly given the ease of exploitation once an attacker holds any valid user account.

XSS Frappe
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Unauthenticated arbitrary file upload in Amasty Order Attributes for Magento 2 before 4.0.0 lets remote attackers drop arbitrary files into the store's media directory without authentication, session validation, or cart context. Where the media directory permits PHP execution, this escalates to unauthenticated remote code execution; otherwise it enables stored XSS via HTML/SVG, malware hosting, and path-traversal writes outside the intended directory. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and trivial preconditions make this a high-priority issue for any Magento 2 store running the extension.

Adobe RCE XSS +4
NVD VulDB GitHub
EPSS 0% CVSS 5.1
MEDIUM POC PATCH This Month

Reflected DOM-based XSS in Nuxt's built-in <NuxtLink> component allows an unauthenticated attacker to inject script-capable URLs (javascript:, vbscript:) that execute in the application's origin when a victim clicks a crafted link, affecting all Nuxt v3 versions prior to 3.21.7 and v4 versions prior to 4.4.7. Exploitation is contingent on application code that binds attacker-controlled input - such as query parameters, CMS link fields, or user-supplied profile URLs - directly to the component's to or href props without prior sanitization. No public exploit code has been identified and the EPSS score of 0.06% (20th percentile) indicates low observed exploitation probability; vendor-released patches are available in versions 3.21.7 and 4.4.7.

XSS Nuxt
NVD GitHub VulDB
EPSS 0% CVSS 3.5
LOW POC PATCH Monitor

The Secure Copy Content Protection and Content Locking WordPress plugin before 5.1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

XSS WordPress Secure Copy Content Protection And Content Locking
NVD WPScan VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Presto Player WordPress plugin (versions ≤ 4.2.0) lets authenticated contributors persist arbitrary JavaScript payloads by supplying a javascript: URI as the link_url parameter of the [presto_player_overlay] shortcode. The getOverlays() function in Shortcodes.php copies the attribute into overlay configuration without scheme validation, causing the URI to survive into the href attribute rendered by the presto-dynamic-overlay-ui Stencil.js web component; any visitor who loads the injected page triggers execution. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity within the contributor-access constraint makes this a realistic risk on multi-author or membership-based WordPress installations.

WordPress XSS Presto Player
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting in the SliceWP WordPress affiliate-marketing plugin (all versions up to and including 1.2.6) lets remote attackers persist malicious JavaScript that executes in the browsers of users who later view the affected page. Patchstack-reported issue with no public exploit identified at time of analysis; CVSS 7.1 reflects the scope-changing impact when an admin or another user is lured into rendering the injected payload. Affects WordPress sites running the iova.Mihai SliceWP plugin in default configurations exposed to attacker-supplied input.

XSS Slicewp
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Stored cross-site scripting in SolidInvoice prior to 2.3.17 allows an authenticated administrator to upload a malicious SVG as the company logo, with the file's contents being base64-encoded and injected unescaped into every page of the application. The embedded JavaScript executes in every authenticated user's browser session, enabling session hijacking and privileged action abuse across the tenant. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Solidinvoice
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

HTTP header injection in IBM DevOps Plan 3.0.0 through 3.0.6 allows unauthenticated remote attackers to inject arbitrary HTTP headers by supplying a malicious HOST header value that the application fails to sanitize. The vulnerability (CWE-644) can be leveraged to mount cross-site scripting attacks against users, poison intermediate caches with attacker-controlled content, or hijack authenticated sessions. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, though the low-complexity, no-authentication-required attack surface makes this a meaningful risk for any internet-facing deployment.

XSS IBM Devops Plan
NVD VulDB
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Stored cross-site scripting and account integrity abuse in GitLab Enterprise Edition versions 13.1.4 through 18.10.7, 18.11 prior to 18.11.5, and 19.0 prior to 19.0.2 allows an authenticated low-privileged user to inject unsanitized input into certain group setting fields and add unauthorized email addresses to a targeted user's account. Publicly available exploit code exists via a HackerOne report, though EPSS exploitation probability remains very low at 0.02% and the SSVC framework rates current exploitation as 'none' with total technical impact when successful.

Gitlab XSS
NVD VulDB
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Stored cross-site scripting in GitLab Enterprise Edition's Analytics Dashboard allows an authenticated developer-role user to execute arbitrary client-side JavaScript in the browser of a targeted user, leveraging improper input sanitization. The flaw affects all 17.1 through 18.10.x, 18.11.x, and 19.0.x branches before fixed releases, and publicly available exploit code exists via a HackerOne report, raising the realistic risk of opportunistic abuse against multi-tenant GitLab instances.

Gitlab XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Denial of service on the GitLab CI/CD Catalog page is achievable by any authenticated user across a broad version range (17.0 through pre-patch releases of 18.10, 18.11, and 19.0) due to improper sanitization of user-supplied content. The low-privilege, network-accessible attack vector means any GitLab account holder can trigger the condition without elevated permissions or complex setup. No public exploit code or CISA KEV listing has been identified at time of analysis, and the limited availability impact (A:L) constrains real-world severity, though the wide version exposure across three concurrent release branches broadens organizational risk.

Gitlab XSS Denial Of Service
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS.0.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Wp Mail Log
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Reflected XSS in Spring Web Flow's JavaScript RemotingHandler allows an authenticated attacker to inject and execute arbitrary scripts in a victim's browser by embedding malicious content in input that the server reflects within error response bodies. The RemotingHandler renders these error bodies as HTML regardless of the declared Content-Type, bypassing MIME-type enforcement. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; no public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Java XSS Spring Web Flow
NVD HeroDevs VulDB
EPSS 0% CVSS 4.7
MEDIUM This Month

Stored Cross-Site Scripting in the Open User Map PRO WordPress plugin (versions ≤ 1.4.31) via the 'oum_location_notification' parameter enables unauthenticated attackers to persistently inject arbitrary JavaScript into WordPress pages. The injected payload executes in any visitor's browser upon accessing the affected page, with scope extending beyond the originating application context (S:C). No public exploit code or CISA KEV listing has been identified at time of analysis, but the unauthenticated injection surface lowers the barrier for mass exploitation against unpatched sites.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Stored cross-site scripting in Xibo CMS prior to 4.4.2 allows authenticated users with elevated DataSet privileges to chain a Stored XSS with an iframe sandbox escape via the Data Connector functionality, executing script in another user's browser context. Scope-changed impact (S:C) with high confidentiality loss means a low-privileged-but-trusted operator can compromise an admin session viewing the affected dataset content. No public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Microsoft XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored cross-site scripting in the QuantumCloud Simple Link Directory WordPress plugin (versions through 9.0.4) allows low-privileged contributors to inject arbitrary JavaScript via unsanitized embed shortcode attributes that are reflected into HTML data attributes. When an authenticated user with contributor-level access publishes or embeds content containing a maliciously crafted shortcode, any viewer who loads the affected page executes attacker-controlled JavaScript in their browser context. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the low privilege requirement broadens the realistic attacker pool on multi-author WordPress installations.

XSS Simple Link Directory
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored cross-site scripting in Simple Link Directory (WordPress plugin by QuantumCloud) through version 9.0.4 allows a low-privileged attacker to permanently inject arbitrary JavaScript into the plugin's 'no results found' output. The root cause is that the sld_no_results_found option value is interpolated directly into a JavaScript string literal without HTML or JavaScript encoding - WordPress's sanitize_text_field function is misapplied here because it strips tags but preserves quote characters, enabling quote-breakout from the JS string context. Every visitor to any page rendering the link directory widget executes the payload, making this a persistent, wide-blast stored XSS with no public exploit identified at time of analysis.

XSS Simple Link Directory
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored cross-site scripting in Yoast Duplicate Post (WordPress plugin, through version 4.6) allows an authenticated low-privilege user to plant a malicious payload in the Classic Editor's scheduled republish notice by crafting the cloned post's title or permalink. When an administrator subsequently views the notice in the Classic Editor, the injected script executes in their browser session, enabling session hijacking or unauthorized admin-level actions. No public exploit code and no CISA KEV listing have been identified at time of analysis, keeping this at medium priority despite the admin-targeting impact.

XSS Yoast Duplicate Post
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Stored cross-site scripting in the Juicer WordPress plugin (versions through 1.12.18) allows an attacker who controls a connected social media feed source to inject arbitrary JavaScript that executes in a WordPress administrator's browser when the Juicer settings page loads. The plugin fetches remote feed API responses and renders them on the admin settings page without HTML output escaping, enabling script injection via externally controlled data. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 5.3 reflects the passive user interaction requirement limiting broad exploitation.

XSS Juicer
NVD VulDB
EPSS 0% CVSS 1.1
LOW PATCH Monitor

Stored cross-site scripting in Palo Alto Networks PAN-OS allows a malicious authenticated administrator to persist a JavaScript payload via the web management interface, enabling potential execution of that script in the browsers of other administrative users who view the affected interface element. Affected platforms include PA-Series and VM-Series physical and virtual firewalls as well as Panorama (both virtual appliances and M-Series hardware). The CVSS 4.0 base score of 1.1 reflects the extremely constrained exploitability: high-privilege access is a prerequisite and passive user interaction by a second victim is required. No public exploit identified at time of analysis.

XSS Paloalto Cloud Ngfw +2
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Cross-Site Scripting in Litestar Python web framework versions prior to 2.22.0 allows remote attackers to execute arbitrary JavaScript in victim browsers by poisoning the csrftoken cookie, whose contents are rendered into HTML templates without escaping when the documented csrf_input helper is used. Publicly available exploit code exists via the GitHub Security Advisory GHSA-542p-wvx7-72m4, which includes two working proof-of-concept applications. The flaw only manifests in applications that combine a template engine (Jinja, Mako, MiniJinja) with CSRF protection and the recommended hidden CSRF input field pattern.

XSS Python CSRF
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored cross-site scripting in draw.io prior to version 29.7.12 allows arbitrary JavaScript execution in the editor's origin when a victim opens a crafted .drawio file. The flaw bypasses the existing label sanitizer entirely because it resides in a separate, unsanitized code path - the Text Format panel's feature-detection routine - which assigns raw cell label content directly to a detached DOM element's innerHTML. Exploitation is automatic upon file import since draw.io selects cells programmatically during that process, requiring no additional user interaction beyond opening the file. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

XSS Drawio
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in Splunk Enterprise (below 10.2.4, 10.0.7, 9.4.12, 9.3.13) and Splunk Cloud Platform (below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, 9.3.2411.132) allows a low-privileged authenticated user - without 'admin' or 'power' roles - to embed malicious JavaScript inside a classic dashboard HTML panel that executes in another user's browser session. Exploitation requires phishing the victim into initiating a specific browser request, and no public exploit was identified at time of analysis.

XSS Splunk Splunk Enterprise +1
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Stored cross-site scripting in MISP BSimVis through v0.2.0 allows network-accessible attackers who can create or influence tag names, collection names, entity identifiers, cluster names, or tag metadata to inject malicious payloads that execute in victims' browsers. The vulnerability spans multiple client-side rendering paths in tags.js, where user-controlled values were interpolated raw into innerHTML, HTML attributes, inline JavaScript event handlers, and CSS style values - covering tag badges, tooltips, context menus, cluster cards, autocomplete suggestions, and dynamically inserted tag cards. No public exploit has been identified at time of analysis; the issue was reported and patched by CIRCL, the primary MISP development organization.

XSS Bsimvis
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Stored cross-site scripting in Roxy-WI 8.2.6.4 and prior allows any unauthenticated remote attacker who can send HTTP requests to a managed HAProxy or Nginx load balancer to inject malicious payloads into server access logs, which then execute in the browser of any Roxy-WI administrator who opens the log viewer. The vulnerability stems from unsanitized HTML concatenation in the Python backend combined with unsafe jQuery .html()/.append() rendering on the frontend - a classic stored XSS with a changed scope (S:C) because the attacker's input, written via the load balancer, achieves code execution in the privileged admin web UI context. No publicly available patches exist at time of analysis; no public exploit code or CISA KEV listing has been identified.

XSS Nginx Apache
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in Red Hat's migration-planner-ui-app (kubev2v project) allows an authenticated attacker who can register a discovery agent to inject a javascript: URI into the agent's credentialUrl field, which executes in another organizational user's browser when they click the resulting link in the UI. No public exploit identified at time of analysis, but the upstream fix (PR #750) and Red Hat Bugzilla entry confirm the issue is real and patched via a safeExternalUrl protocol allowlist. Successful exploitation hijacks the victim's Red Hat SSO session and enables cross-tenant data access and API actions.

XSS Red Hat Migration Planner Ui
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored XSS in Jenkins 2.483-2.567 and LTS 2.492.1-2.555.2 allows attackers holding Agent/Configure permission to inject persistent malicious scripts via the `POST config.xml` API by supplying an unescaped generic offline cause description. When any Jenkins user views the affected agent page, the payload executes in their browser, enabling session hijacking or unauthorized actions within the Jenkins instance. No public exploit or CISA KEV listing has been identified, and EPSS probability is low at 0.02%, reflecting the constrained attack surface from the required permission prerequisite.

Jenkins XSS
NVD VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

Reflected cross-site scripting in the WPZOOM Portfolio WordPress plugin (versions up to and including 1.4.21) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the user clicks a crafted link. Because the CVSS scope is Changed (S:C), successful exploitation can affect resources beyond the vulnerable component, typically enabling session hijacking or actions against the WordPress admin context. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

XSS Wpzoom Portfolio
NVD Exploit-DB VulDB
EPSS 0% CVSS 2.0
LOW PATCH Monitor

HTML injection in the 'fetch links' alert email feature of Thinkst Canarytokens allows unauthenticated remote attackers to embed malicious HTML and JavaScript into notification emails delivered to token owners (defenders). The vulnerability is notable because it weaponizes the deception platform's own alert mechanism against the security operators relying on it - turning a defensive tool into a phishing vector. Proof-of-concept exploit code exists (CVSS 4.0 E:P), though the vulnerability is not listed in CISA KEV and the CVSS 4.0 base score of 2.0 reflects the limited, interaction-dependent impact.

Docker XSS
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Easy Image Collage WordPress plugin (all versions through 1.13.6) allows authenticated attackers with author-level access to permanently inject arbitrary JavaScript into pages via the `grid[properties][borderColor]` and `grid[images][N][attachment_url]` parameters, which executes in victims' browsers upon page load. The critical aggravating factor is that payloads are persisted via WordPress's `update_post_meta()` API rather than through post content, which deliberately sidesteps the `unfiltered_html` capability check that normally prevents lower-privilege users from injecting raw HTML - meaning site administrators cannot block this attack path through standard WordPress role controls alone. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the low privilege requirement and well-documented bypass of WordPress hardening make this a credible threat on multi-author sites.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the MW WP Form WordPress plugin (all versions through 5.1.3) allows authenticated editor-level attackers to inject persistent malicious scripts via the 'memo' parameter that execute in the browsers of any user who views the affected contact data page. The vulnerability is made possible by a specific bypass of WordPress Core sanitization: because memo values are stored via update_post_meta() rather than wp_insert_post(), the native wp_kses_post() and unfiltered_html capability checks are never invoked, permitting editors - who are normally prevented from injecting raw HTML - to break out of the textarea element using injected closing tags. No public exploit has been identified at time of analysis, and the CVSS 4.4 Medium score reflects the high privilege and high complexity prerequisites.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the aThemes Addons for Elementor WordPress plugin (versions up to and including 1.1.8) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'title_tag' widget setting in the Posts Timeline and Posts Carousel widgets. The injected payload executes in the browsers of any user who subsequently visits the compromised page, enabling session hijacking, credential theft, or malicious redirects. No public exploit or CISA KEV listing has been identified at time of analysis, though the contributor-level authentication barrier is low in multi-author WordPress deployments.

XSS WordPress
NVD VulDB
Prev Page 10 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy