XSS

Stored cross-site scripting in OpenEMR versions prior to 8.0.0.1 allows authenticated users with Track Anything feature access to inject malicious scripts into item names that execute in the browsers of all users viewing the corresponding Dygraph charts. An attacker with create or edit permissions can craft payloads that run in victims' sessions without their knowledge, potentially enabling session hijacking or unauthorized actions within the application. No patch is currently available for affected versions.

Stored cross-site scripting (XSS) in OpenEMR prior to 8.0.0.1 allows administrators or users with code management privileges to inject malicious scripts into code descriptions that execute in the browsers of all users accessing the dynamic code picker. All OpenEMR instances running affected versions are at risk, as any authenticated admin can inject payloads affecting the entire user base. No patch is currently available for this vulnerability.

Stored DOM-based cross-site scripting (XSS) in OpenEMR prior to version 8.0.0.1 allows authenticated attackers with low privileges to inject malicious scripts through unsanitized patient names in the portal signing component, which are rendered client-side via jQuery. Successful exploitation requires user interaction and could enable attackers to perform actions in the context of affected users or steal sensitive health information. A patch is available in OpenEMR 8.0.0.1 and later versions.

Stored XSS in OpenEMR's Pain Map form prior to version 8.0.0.1 allows authenticated users to inject malicious JavaScript into encounter records that executes when other clinicians view the affected form. Since session cookies lack HttpOnly protection, attackers can hijack sessions of other users including administrators. This vulnerability requires user interaction and network access but poses significant risk in multi-user healthcare environments.

Medium severity vulnerability in Home Assistant MCP. #

If an attacker has been given both read- and write-permissions to the server, they can upload a malicious file with the filename `.prologue.html` and then craft a link to potentially execute arbitrary JavaScript in the victim's context. Note that it is intended behavior that the JavaScript would execute if the target clicks a link to the HTML file itself; "https://example.com/foo/.prologue.html". The vulnerability is that "https://example.com/foo/?b" would also evaluate the file, making the behavior unexpected. There are existing preventative measures (strict SameSite cookies) which makes it harder to leverage this vulnerability in an attack; in order to gain control of the target's authenticated session, the link must be clicked from a page served by the server itself -- most likely by editing an existing resource, which would require additional access permissions. Finally, for this attack to be successful, the attacker's target must click the specific crafted link given by the attacker. This vulnerability is not activated by normally browsing the web-UI on the server. If successful, the malicious JavaScript could move or delete existing files on the server, or upload new files, using the account of the person who opens the link.

Reflected cross-site scripting in LockerProject Locker versions 0.0.0 through 0.1.0 allows unauthenticated remote attackers to inject malicious scripts through the ID parameter in the Error Response Handler component. Public exploit code exists for this vulnerability, and the vendor has not yet provided a patch despite early notification.

Plunk is an open-source email platform built on top of AWS SES. versions up to 0.7.1 is affected by cross-site scripting (xss) (CVSS 5.4).

Frappe is a full-stack web application framework. versions up to 14.100.2 is affected by cross-site scripting (xss).

Stored XSS in Notesnook Mobile and Desktop versions prior to 3.3.9 allows authenticated users to execute arbitrary JavaScript by injecting malicious code into Twitter/X embed URLs through the editor component. An attacker with user account access can craft a malicious note containing a specially crafted embed URL that executes when the note is viewed, potentially compromising user data or session tokens. No patch is currently available for affected versions.

Stored XSS in Parse Server prior to versions 9.6.0-alpha.4 and 8.6.30 allows unauthenticated attackers to upload files with dangerous extensions (such as .svgz, .xht, .xml) that bypass default upload filters and execute malicious scripts in users' browsers within the Parse Server domain. Successful exploitation enables attackers to steal session tokens, hijack user accounts, or perform unauthorized actions on behalf of victims. User interaction is required to trigger the vulnerability when victims access the uploaded malicious files.

Reflected XSS in Craft CMS versions before 5.9.7 and 4.17.3 allows remote attackers to execute arbitrary JavaScript in users' browsers via malicious return URLs that bypass insufficient sanitization. The vulnerability exists because the patch for a prior issue relied on strip_tags() to filter URLs, which fails to block dangerous URL schemes like javascript:. An attacker can craft a malicious link that, when clicked by an authenticated user, steals session cookies or performs actions on their behalf.

web-based project management software. versions up to 17.2.0 is affected by cross-site scripting (xss) (CVSS 6.5).

Stored XSS via path traversal in Splunk Enterprise and Cloud Platform allows low-privileged users to inject malicious JavaScript into Views, compromising any user who visits the affected page. An attacker must socially engineer a victim into initiating the malicious request, but no special privileges or user interaction beyond initial page load is required. Affected versions include Splunk Enterprise below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, with no patch currently available.

Unauthenticated attackers can inject malicious scripts into Cisco Unified CCX's web management interface due to insufficient input validation, enabling XSS attacks against administrators and users. Successful exploitation allows arbitrary JavaScript execution within the browser context or theft of sensitive session information. No patch is currently available.

Unauthenticated attackers can inject malicious scripts into the web management interfaces of multiple Cisco contact center products (Finesse, Packaged CCE, Unified CCE, Unified CCX, and Unified Intelligence Center) due to insufficient input validation. Successful exploitation allows arbitrary script execution in the victim's browser context, potentially enabling session hijacking or credential theft from administrators. No patch is currently available for this cross-site scripting vulnerability.

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 versions up to 18.7.6 is affected by cross-site scripting (xss) (CVSS 8.7).

A vulnerability was detected in PHPEMS 11.0. The affected element is an unknown function of the file /index.php?ask=app-ask. [CVSS 3.5 LOW]

Unauthenticated attackers can inject malicious scripts into the Name Directory WordPress plugin (versions up to 1.32.1) through the 'name_directory_name' parameter, which are then executed in users' browsers when they visit affected pages. The vulnerability stems from inadequate input sanitization and output escaping, allowing stored cross-site scripting attacks that impact all unauthenticated visitors. No patch is currently available, though partial mitigations were attempted in versions 1.30.3 and 1.32.1.

Stored XSS in Gravity Forms WordPress plugin through version 2.9.28.1 allows authenticated subscribers and above to inject malicious JavaScript via the form creation endpoint, which executes when administrators interact with the Form Switcher dropdown. The vulnerability stems from inadequate input sanitization and missing output escaping in the form title field. No patch is currently available.

for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted versions up to 2.1.7. is affected by cross-site scripting (xss) (CVSS 7.2).

The Responsive Contact Form Builder & Lead Generation Plugin for WordPress through version 2.0.1 fails to properly sanitize form field submissions, allowing unauthenticated attackers to inject malicious scripts that execute in the administrator dashboard when viewing lead entries. The vulnerability stems from incomplete input validation in the sanitization function combined with overly permissive output filtering that permits onclick attributes on links. Attackers can exploit this to steal admin credentials, modify site content, or perform arbitrary actions within WordPress.

Authenticated contributors to WordPress sites running Happy Addons for Elementor up to version 3.21.0 can modify display conditions of published templates due to improper authorization checks in the `ha_condition_update` AJAX action and missing capability validation in `ha_get_current_condition`. The vulnerability allows attackers to alter template visibility rules and potentially inject unescaped content into HTML attributes, affecting site content delivery and potentially enabling stored XSS attacks.

Reflected XSS in the Organization Portal System's IFTOP module enables authenticated attackers to inject malicious JavaScript that executes in victims' browsers via social engineering or phishing links. This vulnerability requires user interaction to trigger and affects confidentiality and integrity with no current patch available.

Stored cross-site scripting in the Astra WordPress theme through versions 4.12.3 allows authenticated contributors and higher-privileged users to inject malicious scripts into post meta fields that execute when pages are viewed. The vulnerability stems from improper sanitization of background-related meta fields and missing output escaping in CSS property handling. Attackers with contributor-level access can compromise page content and redirect or manipulate user sessions.

Spin.js versions before 3.0.0 allow attackers to execute arbitrary JavaScript through a combination of prototype pollution and XSS in the spin() function, requiring user interaction via a crafted URL. An attacker can exploit this to manipulate Object.prototype and trigger malicious code execution in affected users' browsers. No patch is currently available.

Stored XSS in the weForms WordPress plugin allows authenticated users with Subscriber-level access to inject malicious scripts through REST API form submissions, bypassing the sanitization applied to frontend submissions. The vulnerability exists in versions up to 1.6.27 due to inconsistent input validation between the AJAX handler and REST API endpoint, enabling attackers to execute arbitrary JavaScript in the context of other users' browsers. No patch is currently available.

DukaPress WordPress plugin versions up to 3.2.4 contain a reflected XSS vulnerability due to improper input sanitization and output encoding, allowing attackers to inject malicious scripts that execute in the browsers of high-privilege users like administrators. The vulnerability requires user interaction to exploit and can result in session hijacking, credential theft, or unauthorized administrative actions. No patch is currently available.

Stored XSS in the WP ULike WordPress plugin up to version 5.0.1 allows authenticated users with Contributor access or higher to inject malicious scripts into pages through the shortcode template attribute, which executes when visitors view affected content. The vulnerability stems from improper use of html_entity_decode() that circumvents WordPress sanitization filters, requiring at least one like on a post to trigger payload execution. No patch is currently available.

Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows high-privileged attackers to inject malicious scripts into form fields, which execute when victims visit the affected pages. Successful exploitation enables session hijacking and compromise of user confidentiality and integrity, though user interaction is required for the attack to succeed. No patch is currently available for this vulnerability.

Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows privileged attackers to inject malicious scripts into form fields that execute in victims' browsers, enabling session hijacking and credential theft. Exploitation requires user interaction and a high-privileged attacker account, but successful attacks compromise both confidentiality and integrity. No patch is currently available for affected versions.

Stored XSS in Adobe Commerce 2.4.4 through 2.4.9-alpha3 allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute when victims view the affected pages. The vulnerability requires user interaction and could lead to session hijacking, credential theft, or malware distribution within Commerce environments. No patch is currently available for affected versions.

Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows high-privileged attackers to inject malicious scripts into form fields that execute when victims view the affected pages. The vulnerability requires attacker credentials and user interaction but could compromise session security and steal sensitive data across multiple Commerce deployments. No patch is currently available for affected versions.

Stored XSS in Adobe Commerce and Magento versions 2.4.9-alpha3 through 2.4.4-p16 allows authenticated attackers to inject malicious scripts into form fields that execute in victims' browsers, enabling session hijacking and data theft. Exploitation requires user interaction when a victim visits a page containing the compromised field. No patch is currently available.

Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 enables high-privileged attackers to inject malicious scripts into form fields, which execute in victim browsers during page visits. An attacker exploiting this vulnerability can achieve session hijacking and compromise both confidentiality and integrity, though successful exploitation requires user interaction and administrative privileges. No patch is currently available.

The RTMKit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'themebuilder' parameter in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

Adobe Experience Manager 6.5.23 and earlier contain a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts. When victims access pages containing the injected payload, the JavaScript executes in their browser context, potentially leading to session hijacking, credential theft, or other client-side attacks. No patch is currently available for this vulnerability.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged users to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker can leverage this vulnerability to steal session tokens, credentials, or perform actions on behalf of victims within the AEM environment. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker with valid credentials can compromise other users' sessions and steal sensitive data by crafting specially crafted input. Currently no patch is available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker with valid credentials could leverage this vulnerability to steal session tokens, modify page content, or perform actions on behalf of victims who view the compromised forms. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in users' browsers when the page is viewed. An attacker with login credentials can craft payloads in vulnerable fields to steal session data or perform actions on behalf of victims. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in other users' browsers. An attacker can leverage this to steal session tokens, perform unauthorized actions, or redirect victims to malicious sites when they view compromised pages. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts through form fields that execute in other users' browsers. An attacker with valid credentials can craft payloads to steal session tokens, redirect users, or perform actions on their behalf when victims view affected pages. No patch is currently available for this vulnerability.

Adobe Experience Manager 6.5.23 and earlier contain a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts executed in other users' browsers. An attacker can exploit this to steal credentials, perform unauthorized actions, or deface content when victims access affected pages. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. This requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims within the application context. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. The vulnerability requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when users view the compromised pages. The vulnerability requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker can exploit this vulnerability to steal session tokens, perform unauthorized actions, or redirect users to malicious sites through script execution in victims' browsers. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with valid credentials can exploit this vulnerability to steal session tokens, perform actions on behalf of victims, or redirect users to malicious sites. No patch is currently available for this vulnerability.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in other users' browsers. An attacker can exploit this vulnerability to perform actions on behalf of victims or steal sensitive information when they visit pages containing the compromised fields. No patch is currently available for this vulnerability.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in victims' browsers. An attacker can exploit this vulnerability by injecting JavaScript that runs when other users access pages containing the compromised fields, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker could exploit this to steal session tokens, redirect users, or perform actions on behalf of victims viewing affected pages. No patch is currently available.

Adobe Experience Manager 6.5.23 and earlier contains a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts. When victims visit pages containing the injected payload, the attacker's JavaScript executes in their browser, potentially compromising user sessions or stealing sensitive data. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in other users' browsers. An attacker with low privileges can craft malicious input that persists in the application and compromises confidentiality and integrity for victims who access the affected pages. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in victims' browsers when the contaminated pages are viewed. An attacker with valid credentials can exploit this to steal session tokens, credentials, or perform actions on behalf of affected users. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when users view the affected pages. A low-privileged user can exploit this to perform actions in the context of other users' browsers, potentially compromising session integrity and enabling credential theft or data exfiltration. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged attackers to inject malicious scripts into form fields that execute when victims view affected pages. The vulnerability requires user interaction and can result in session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. The vulnerability requires low-level privileges and user interaction to exploit, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available for this medium-severity issue.

Stored XSS in Adobe Experience Manager versions 6.5.23 and earlier enables low-privileged attackers to embed malicious scripts in form fields that execute when legitimate users view the affected pages. An attacker with basic authentication can inject JavaScript that runs in victims' browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available for this vulnerability.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with login credentials can compromise victim browsers and potentially steal sensitive information or perform unauthorized actions within the application context. No patch is currently available for this vulnerability.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields, which execute in the browsers of users viewing those pages. The vulnerability requires user interaction and has limited scope of impact, affecting confidentiality and integrity but not availability. No patch is currently available for this medium-severity issue.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with low privileges and user interaction can compromise the confidentiality and integrity of victim sessions. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. A low-privileged user can exploit this to perform actions in victim browsers or steal sensitive information, though no patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in victims' browsers when the affected pages are viewed. The vulnerability requires user interaction and is limited to low-impact information disclosure and modification, though it can affect multiple users due to its stored nature. No patch is currently available for this issue.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields, which execute in victims' browsers when they access affected pages. The vulnerability requires user interaction and can result in session hijacking, credential theft, or malware distribution. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in victims' browsers, potentially leading to session hijacking or credential theft. The vulnerability requires user interaction and is currently unpatched, with no active exploitation reported.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in users' browsers when the affected pages are accessed. An attacker with login credentials can craft payloads that persist in the application and compromise victim sessions or steal sensitive data. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers when they access affected pages. An attacker can exploit this to steal session tokens, perform unauthorized actions, or deface content with minimal user interaction required. No patch is currently available for this vulnerability.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields, which execute in victims' browsers when the affected pages are accessed. An attacker with login credentials can exploit this vulnerability to steal session tokens, credentials, or perform actions on behalf of users viewing the compromised forms. No patch is currently available for this vulnerability.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with low privileges can exploit this vulnerability to steal session tokens, credentials, or perform actions on behalf of victims through their browsers. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts through form fields, which execute in victims' browsers when they view affected pages. The vulnerability requires user interaction and network access but can impact confidentiality and integrity across security domains. No patch is currently available.

Adobe Experience Manager 6.5.23 and earlier contains a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts affecting other users who view the compromised pages. When a victim browses to a page containing the injected payload, the malicious JavaScript executes in their browser context, potentially enabling session hijacking or credential theft. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields, which execute in victims' browsers when they view affected pages. This requires user interaction and an authenticated attacker, but could compromise the confidentiality and integrity of user sessions. No patch is currently available.

Stored XSS in Adobe Experience Manager 6.5.23 and earlier enables authenticated attackers to inject malicious scripts into form fields that execute when users view affected pages. An attacker with login credentials can compromise victim browsers and steal sensitive data or perform actions on their behalf. No patch is currently available.

Stored XSS in Dear Flipbook WordPress plugin through version 2.4.20 allows authenticated users with Author privileges or higher to inject malicious scripts via PDF page labels due to inadequate input sanitization. These injected scripts execute in the browsers of any user viewing the affected pages. No patch is currently available for this vulnerability.

Umbraco is an ASP.NET CMS. From 16.2.0 to versions up to 16.5.1 is affected by cross-site scripting (xss) (CVSS 6.7).

Stored XSS vulnerabilities in Sylius allow authenticated attackers with high privileges to inject malicious scripts through unsanitized entity names (taxons, products) that are rendered as raw HTML in breadcrumbs and admin interfaces. An attacker could craft malicious product or category names to execute arbitrary JavaScript in the browsers of shop visitors and administrators, potentially leading to session hijacking or credential theft. No patch is currently available for this medium-severity vulnerability.

Stored XSS in Sylius checkout login form allows unauthenticated attackers to inject malicious scripts through authentication error messages that are unsafely rendered via innerHTML. An attacker can craft a failed login attempt containing JavaScript payload that executes in the browser of any user viewing the checkout page, potentially stealing session tokens or credentials. The vulnerability affects Sylius versions prior to 2.0.16, 2.1.12, and 2.2.3, with no current patch available for older releases.

SiYuan's SVG sanitizer fails to properly filter malicious href attributes when whitespace characters are inserted into javascript: URLs, allowing reflected cross-site scripting on the unauthenticated /api/icon/getDynamicIcon endpoint. Public exploit code exists for this vulnerability, which bypasses the previous fix for CVE-2026-29183. Attackers can inject executable JavaScript to target unauthenticated users of SiYuan versions prior to 3.5.10.

Reflected XSS in SiYuan's /api/icon/getDynamicIcon endpoint allows unauthenticated attackers to inject malicious JavaScript through SVG animation elements that bypass the sanitizer's static filters. The vulnerability exists because the SVG sanitizer blocks script tags and event handlers but fails to restrict <animate> and <set> elements, which can dynamically modify attributes at runtime to execute code. Public exploit code exists and patches are not yet available for affected versions prior to 3.5.10.

Parse Server versions prior to 9.5.2-alpha.4 and 8.6.17 allow authenticated users to upload SVG files containing malicious JavaScript that executes in the server's origin context due to missing content security headers, enabling attackers to steal session tokens and compromise user accounts. All deployments with file upload enabled for authenticated users are vulnerable by default, as the file extension filter blocks HTML but not SVG files. A patch is available in the specified versions.

Aspera Orchestrator versions up to 4.1.2 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 5.4).

DOM-based XSS in GitHub Enterprise Server prior to version 3.20 allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by injecting malicious HTML through task list content in issues and pull requests. The vulnerability stems from improper input neutralization in the task list rendering logic, which fails to re-encode user-supplied content before display. An attacker with repository access could exploit this to steal session tokens or perform actions on behalf of other users.

Stored XSS in Craft Commerce Order details allows authenticated users to inject malicious scripts through Shipping Method Name, Order Reference, or Site Name fields that execute when administrators view order information. Public exploit code exists for this vulnerability affecting versions before 4.10.2 and 5.5.3. Patches are available to remediate the issue.

Stored XSS in Craft Commerce versions before 5.5.3 allows authenticated users with product editing permissions to inject malicious JavaScript through the Inventory Locations Name field, which executes when administrators view affected product variants. An attacker with these privileges can steal session tokens, modify product data, or perform other administrative actions within the application. A patch is available in version 5.5.3.

Craft Commerce versions before 5.5.3 contain stored cross-site scripting (XSS) vulnerabilities in the inventory management interface where product and variant fields lack proper HTML escaping. An attacker can inject malicious JavaScript through these fields that executes in the browsers of any user viewing the inventory page, including administrators, with public exploit code currently available. The vulnerability requires authenticated access and user interaction to exploit but can compromise sensitive administrative functions.

Stored cross-site scripting in Craft Commerce versions before 4.10.2 and 5.5.3 allows authenticated users with high privileges to inject malicious scripts through unescaped Order Status Name fields. Public exploit code exists for this vulnerability, which can be leveraged to execute arbitrary JavaScript in the browser context of other administrators. The vulnerability is restricted by high privilege requirements and user interaction, but affects the integrity and confidentiality of the Commerce Orders management interface.

A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. [CVSS 6.1 MEDIUM]

Aspera Faspex versions up to 5.0.14.3 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 5.4).

IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.4 MEDIUM]