Skip to main content

XSS

38823 CVEs technique

Monthly

CVE-2026-34692 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager versions 6.5.24, LTS SP1, and 2026.04 and earlier allows an authenticated attacker to inject malicious JavaScript that executes entirely within the victim's browser by manipulating client-side DOM sinks. The CVSS scope change (S:C) signal indicates successful exploitation can affect browser components beyond the AEM instance itself - enabling session hijacking or unauthorized actions on behalf of the victim. Adobe PSIRT has issued Security Bulletin APSB26-56 covering this issue; no public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33113 MEDIUM PATCH Exploit Unlikely This Month

Cross-site scripting in Microsoft SharePoint enables network-based spoofing attacks by injecting malicious scripts into web page output. The vulnerability (CWE-79) targets users of the SharePoint web interface and, when triggered via user interaction, allows an attacker to manipulate page content or impersonate legitimate UI elements - degrading both confidentiality and integrity. No public exploit or active exploitation has been identified at time of analysis, though the low-complexity network vector lowers the bar for opportunistic abuse.

XSS Microsoft Sharepoint Server
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-34693 MEDIUM This Month

Reflected Cross-Site Scripting in Adobe Experience Manager Forms JEE (LTS SP1 and 6.5.24.0 and earlier) allows remote unauthenticated attackers to execute arbitrary script in a victim's browser session, potentially hijacking accounts or escalating privileges within the AEM Forms environment. The Scope:Changed flag in the CVSS vector indicates the impact extends beyond the vulnerable component, which combined with High confidentiality and integrity impacts yields a CVSS of 8.0. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

XSS Adobe
NVD VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-34694 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager Forms JEE (versions LTS SP1 and 6.5.24.0 and earlier) permits a high-privileged attacker to inject persistent JavaScript into vulnerable form fields, which then executes in any victim's browser that renders the affected page. The CVSS Scope Change (S:C) signal confirms the injected script's impact crosses security boundaries beyond the AEM Forms application itself, enabling session hijacking or cross-origin actions against browsing victims. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, with the CVSS score of 5.9 (Medium) reflecting the high-privilege prerequisite that limits the attacker pool.

XSS Adobe Adobe Experience Manager Forms Jee
NVD VulDB
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-34691 MEDIUM This Month

Stored cross-site scripting in Adobe Experience Manager Forms JEE LTS SP1 and 6.5.24.0 and earlier allows remote unauthenticated attackers to inject malicious JavaScript into vulnerable form fields that executes in victims' browsers when they visit the affected page. The scope-changed CVSS 9.3 reflects that the injected script can pivot beyond the vulnerable component to compromise the victim's authenticated session or account. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.

XSS Adobe
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-47901 MEDIUM This Month

Logseq's plugin sandbox can be escaped by a malicious plugin that injects arbitrary HTML event handler attributes into its host DOM container element, executing JavaScript in the privileged Electron renderer context. The attack is enabled by a disabled Content Security Policy in the host context, which removes the browser-level barrier that would otherwise block inline event handler execution. Only v0.10.15 has been confirmed vulnerable by CERT-PL; no patch has been released, and the vulnerability status of all other versions remains unknown. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog.

XSS Authentication Bypass Logseq
NVD
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-47900 MEDIUM This Month

Stored XSS in Logseq's plugin subsystem escalates to arbitrary code execution within the privileged Electron host context due to unsanitized innerHTML rendering of plugin metadata. When a user installs a malicious plugin whose package.json 'name' field contains a JavaScript payload, the payload executes with Electron's elevated privileges - a context in which Node.js APIs are accessible, making the effective impact closer to local code execution than a conventional browser-scoped XSS. Reported by CERT-PL, version v0.10.15 is confirmed vulnerable, no patch exists, and no public exploit has been identified at time of analysis.

XSS RCE Logseq
NVD
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-47899 HIGH This Week

Arbitrary file read, write, and delete in the Logseq Electron desktop knowledge-management application is possible when an attacker can execute JavaScript inside the renderer process, because the preload script exposes an IPC bridge method that omits path validation. Version 0.10.15 has been confirmed vulnerable by CERT-PL, and because no patch was released the status of other releases is unverified. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Logseq
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-9279 HIGH This Week

Command injection in Logseq desktop application enables remote code execution via shell metacharacter abuse in IPC-exposed command arguments. An attacker with JavaScript execution in the renderer process (through XSS or a malicious plugin) can bypass the command allowlist because arguments are concatenated and passed to child_process.spawn with shell:true, granting arbitrary OS command execution at the privileges of the Logseq process. No public exploit identified at time of analysis, but the issue was reported by CERT-PL and remains unpatched in versions beyond the tested v0.10.15.

XSS RCE Command Injection Logseq
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-47348 PHP MEDIUM PATCH GHSA This Month

Stored Cross-Site Scripting in TYPO3 CMS allows authenticated editors to embed raw HTML and JavaScript payloads into page titles that are written to the search index without sanitization. When the EXT:indexed_search (Indexed Search) plugin renders frontend search results, these unsanitized titles are output directly into the HTML response, executing attacker-controlled scripts in the browsers of any user who views those results. No public exploit or CISA KEV listing is identified at time of analysis, but the stored nature of the XSS - requiring only a single malicious edit to affect many users over time - elevates practical impact beyond what the medium CVSS 4.0 score of 5.1 might suggest.

XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-41031 CRITICAL PATCH Act Now

Stored cross-site scripting in Vinna Process Monitor 4.0 Service Pack 1 (Build 63255) allows authenticated low-privilege users to inject persistent JavaScript that executes in other users' browsers, enabling theft of administrative session tokens and credentials. The CVSS 4.0 score of 9.3 reflects the cross-scope impact whereby a low-privileged attacker can escalate to administrative control. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Vinna Process Monitor
NVD VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-49818 PyPI MEDIUM PATCH This Month

Path traversal in Apache Airflow's Samba provider exposes Samba target file systems to arbitrary write operations when GCSToSambaOperator processes GCS object names containing directory traversal sequences. Disclosed on 2026-06-09 via the oss-security mailing list by Apache committer Jarek Potiuk as a pre-NVD disclosure, the vulnerability enables any party who can influence GCS object names in the source bucket to write files outside the intended destination directory on the Samba share. No public exploit code has been identified at time of analysis, and CVSS scoring is not yet available.

XSS Path Traversal Apache Apache Airflow Providers Samba
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-8677 MEDIUM This Month

Stored Cross-Site Scripting in Prime Elementor Addons for WordPress (all versions through 1.3.3) allows authenticated attackers with contributor-level access to persist malicious scripts in widget HTML Tag settings that execute in any visitor's browser on page load. The vulnerability is notable for a specific filter bypass: payloads crafted without HTML angle brackets (e.g., 'img src=x onerror=alert(document.domain)') pass unmodified through Elementor's wp_kses_post() sanitization at save time, meaning even users lacking the unfiltered_html capability can inject effective XSS. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

XSS WordPress Elementor
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8599 MEDIUM This Month

{id}-slug/) enforces a Content-Security-Policy header that blocks all inline scripts, meaning the attack surface is exclusively the WordPress admin dashboard preview context. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-25688 MEDIUM This Month

Unsanitized rendering of AI-generated response content in Apache Answer through 2.0.0 enables cross-site scripting (XSS) execution in the browsers of any user viewing affected AI-generated answers. The vulnerability (CWE-87, Improper Neutralization of Alternate XSS Syntax) arises because the AI answer rendering pipeline passes output directly to the browser DOM without stripping or encoding malicious script constructs. No public exploit code has been identified at time of analysis, and CISA KEV listing has not been confirmed, but the critical severity designation and vendor-confirmed patch at 2.0.1 indicate this is a high-priority remediation target for all deployments using the AI answer feature.

XSS Apache
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-34033 MEDIUM This Month

HTML content injection in Apache Answer's email notification system allows authenticated users to embed arbitrary HTML markup into notification emails delivered to other platform users. All versions through 2.0.0 are affected. Because no CVSS vector was published at time of analysis, authentication requirements are confirmed from the description rather than from a CVSS PR component - an attacker must have a valid platform account to submit the content that triggers the malicious notification. No public exploit code and no CISA KEV listing have been identified.

XSS Apache
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-8981 LOW PATCH Monitor

Stored cross-site scripting in the Custom Block Builder WordPress plugin (versions before 4.3.0) allows authenticated administrators to inject persistent JavaScript into block template code fields that executes in every visitor's browser on pages embedding the affected block. The vulnerability is specifically scoped to multisite WordPress installations or single-site deployments where DISALLOW_UNFILTERED_HTML is defined - environments that are supposed to restrict the unfiltered_html capability from lower-trust administrators. The root cause is inconsistent capability enforcement: certain code paths writing to block template fields bypass the unfiltered_html check that should gate raw HTML/JS input. No public exploit identified at time of analysis, and the CVSS score of 3.5 reflects the high-privilege prerequisite and limited confidentiality/integrity impact.

XSS WordPress
NVD WPScan VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-41539 MEDIUM PATCH This Month

Cross-site scripting in QNAP QTS and QuTS hero operating systems allows remote attackers to bypass security mechanisms and read application data when an authenticated user interacts with attacker-supplied content. The flaw carries a CVSS 4.0 score of 8.7 driven by network reachability, low attack complexity, no required privileges, and high impact across confidentiality, integrity, and availability of the NAS management surface. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS Qnap Qts Quts Hero
NVD VulDB
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-41846 MEDIUM PATCH This Month

Cross-site scripting (XSS) in Spring Framework's MVC JSP form tags allows unauthenticated remote attackers to inject arbitrary HTML or JavaScript into rendered pages by supplying malicious values through the cssClass, cssErrorClass, or cssStyle tag attributes. Applications across four active Spring Framework release lines (5.3.x through 7.0.x) are affected when they pass user-controlled input directly into these tag attributes. No public exploit code has been identified at time of analysis, and CISA has not listed this CVE in the Known Exploited Vulnerabilities catalog, but the broad installed base of Spring MVC in enterprise Java environments and the high confidentiality impact (session hijacking, credential theft) warrant prompt patching.

XSS Java Spring Framework
NVD HeroDevs VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-41845 MEDIUM PATCH This Month

Cross-site scripting in Spring Framework versions 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, and 7.0.0-7.0.7 allows remote attackers to inject JavaScript into victim browsers when applications rely on JavaScriptUtils.javaScriptEscape() for output encoding. The flaw stems from incomplete escaping in this utility method, and successful exploitation requires user interaction (UI:R) such as visiting a crafted page. No public exploit has been identified at time of analysis and the issue is not in CISA KEV.

XSS Java Spring Framework
NVD HeroDevs VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-41839 MEDIUM PATCH This Month

Session fixation in Spring Framework's WebFlux reactive stack (versions 5.3.x through 7.0.x) enables a remote attacker to hijack an authenticated user's session by leveraging a compromised subdomain - typically via cross-site scripting - to plant a known session ID and exchange it for the victim's authenticated session post-login. The attack is classified as CWE-384 and requires both a prior subdomain compromise and user interaction, placing real-world exploitability well below the headline concern for most deployments. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Session Fixation Java Spring Framework
NVD HeroDevs VulDB
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-8895 MEDIUM This Month

Stored Cross-Site Scripting in the kk Blog Card WordPress plugin (all versions ≤ 1.3) allows authenticated contributors to inject persistent JavaScript payloads via unsanitized 'href' and 'type' attributes of the [blog-card] shortcode. The flaw, rooted in direct attribute concatenation without sanitization or escaping in kk-blog-card-shortcode.php, executes injected scripts in the browser of any visitor loading an affected page - including administrators. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the changed scope (S:C) in the CVSS vector elevates potential impact beyond the plugin boundary.

PHP XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-11603 MEDIUM This Month

Reflected Cross-Site Scripting in the Product Filter Widget for Elementor WordPress plugin (versions up to and including 1.0.6) enables unauthenticated attackers to inject and execute arbitrary JavaScript in a victim's browser session. The vulnerability stems from unsanitized output of the 'args[filterFormArray]' parameter in a publicly accessible AJAX endpoint registered via wp_ajax_nopriv_ with no nonce verification or capability check, meaning any unauthenticated request to admin-ajax.php can carry the payload. Exploitation is delivered via a CSRF-style auto-submitting form, requiring the attacker to social-engineer a victim into visiting an attacker-controlled page; no public exploit code or CISA KEV listing has been identified at time of analysis.

PHP XSS CSRF WordPress Elementor
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-10553 MEDIUM This Month

Cross-Site Request Forgery in the jQuery Hover Footnotes WordPress plugin (all versions up to and including 1.4) enables unauthenticated remote attackers to chain CSRF into persistent stored Cross-Site Scripting affecting every visitor on the compromised site. The plugin's jqFootnotes_options_subpanel function lacks proper nonce validation, allowing a forged request to overwrite settings such as jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title with arbitrary HTML or JavaScript. Because these values are persisted via WordPress's update_option() without sanitization and rendered unescaped in frontend page output, a single successful social-engineering action against one administrator produces site-wide persistent XSS. No public exploit code is identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

CSRF XSS WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-10738 MEDIUM This Month

{{...}}). The attack exploits an attribute-breakout technique - a double-quote followed by an event handler - that contains no angle brackets and therefore evades WordPress core's wp_kses_post() filter, which only strips disallowed HTML tags rather than sanitizing attribute injection contexts. The changed scope (S:C in the CVSS vector) means injected scripts execute in any victim's browser upon visiting a page containing the malicious footnote, enabling session theft, credential harvesting, or defacement at scale across site visitors. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8882 MEDIUM This Month

Stored Cross-Site Scripting in the WP ApplicantStack Jobs Display WordPress plugin (all versions through 1.1.1) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via unsanitized shortcode attributes. Because the CVSS vector reflects Changed Scope (S:C), successful injection impacts the browsers of any user - including administrators - who subsequently load the affected page, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit has been identified at time of analysis, and the vulnerability has not been added to CISA KEV.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8977 MEDIUM This Month

Stored Cross-Site Scripting in the WP GDPR Cookie Consent WordPress plugin (versions up to and including 1.0.0, by techjewel) allows authenticated attackers with subscriber-level access to inject persistent malicious scripts into pages served to all site visitors. The vulnerability chains three distinct weaknesses in the handleAjaxCalls() function: absent capability verification, missing nonce validation, and unsanitized gdprConfig values that are echoed verbatim by generateCSS() into a <style> block on wp_head. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (subscriber-level) and changed scope (S:C) make this a meaningful risk for multi-user WordPress sites.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-7662 MEDIUM This Month

Stored Cross-Site Scripting in the ePaperFlip Publisher WordPress plugin (all versions up to and including 1) permits authenticated Contributors to inject arbitrary JavaScript via the 'publicationid' attribute of the epaperflip_embed shortcode, which is written unsanitized directly into inline JavaScript on rendered pages. The CVSS Changed scope (S:C) reflects that the injected payload executes in the browser context of any visitor who loads the compromised page, crossing trust boundaries beyond the plugin itself. No public exploit code has been identified at time of analysis and this vulnerability is not currently listed in the CISA KEV catalog.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8880 MEDIUM This Month

Stored Cross-Site Scripting in the RomanCart Ecommerce WordPress plugin (versions ≤2.0.8) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via the 'blclass' attribute - and other attributes - of the romancart_button shortcode. The injected payload executes in any visitor's browser upon page load, enabling session hijacking, credential theft, or administrative account takeover. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and changed scope (S:C) elevate real-world concern for multi-author WordPress deployments.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-10024 MEDIUM This Month

Stored Cross-Site Scripting in the TinyMCE Shortcode Addon WordPress plugin (all versions ≤ 1.0.0) allows authenticated attackers with contributor-level access or higher to inject persistent JavaScript via the unsanitized 'btnrel' shortcode attribute. The injected script is stored server-side and executes in the browser of every subsequent visitor to the affected page, including administrators - enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8883 MEDIUM This Month

Stored Cross-Site Scripting in the Global Body Mass Index Calculator WordPress plugin (versions up to and including 1.2) allows authenticated contributors to persistently inject arbitrary JavaScript into any page rendering the 'gbmicalc' shortcode. The vulnerability arises from PHP's @extract() call on unsanitized shortcode attributes followed by unescaped output into both an HTML style attribute context and an HTML body context inside GBMI_Calc_Widget::widget(), enabling attribute-breakout payloads. No public exploit code has been identified at time of analysis and no CISA KEV listing exists, but the Wordfence-confirmed contributor-level requirement makes this a realistic risk for any multi-author WordPress installation.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8841 MEDIUM This Month

Stored Cross-Site Scripting in the Extra Settings for RocketChat WordPress plugin (versions up to and including 0.1) allows authenticated attackers with contributor-level access to permanently inject arbitrary JavaScript via the 'title' attribute of the [rocketchat] shortcode. The injected script persists in the database and executes in the browser of any site visitor who loads an affected page, enabling session hijacking, credential theft, or further privilege escalation depending on victim role. No public exploit code identified at time of analysis, and this CVE does not appear on the CISA KEV catalog.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-7556 HIGH This Week

Stored cross-site scripting in the FV Flowplayer Video Player WordPress plugin (versions through 7.5.49.7212) allows remote attackers to inject persistent JavaScript via the comment text field, which executes in any visitor's browser when the affected page is loaded. The flaw stems from insufficient input sanitization and output escaping in the comment-parsing routine and is reachable only when the non-default 'Parse Vimeo and YouTube links' (parse_comments) option is enabled and an administrator approves the malicious comment. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS WordPress
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-5714 MEDIUM This Month

Stored Cross-Site Scripting in the Enable Media Replace WordPress plugin (all versions through 4.1.8) allows authenticated attackers with Author-level access or higher to inject persistent malicious scripts via the unsanitized 'location_dir' parameter. The injected payload executes in the browser of any user who accesses an affected page, with scope changed (S:C) indicating cross-boundary impact - most critically, a low-privileged Author can compromise higher-privileged sessions including administrators. No public exploit identified at time of analysis, and no CISA KEV listing, but the low attack complexity and broad WordPress install base elevate practical risk.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-10862 MEDIUM This Month

Stored Cross-Site Scripting in the Accordions plugin for WordPress (all versions through 2.3.23) enables authenticated attackers holding Custom-level roles or higher to permanently embed malicious JavaScript into Accordion body fields. The injected scripts execute in the browser of any user who subsequently visits an affected page, enabling session token theft, credential harvesting, or drive-by malware delivery within the WordPress site context. No public exploit has been identified at time of analysis, though an upstream fix commit is available in the plugin Trac repository.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-44757 MEDIUM This Month

Reflected cross-site scripting in SAP Wily Introscope Enterprise Manager allows an unauthenticated remote attacker to craft a malicious URL that, when accessed by a victim user, executes injected JavaScript within the application's browser context. The CVSS vector (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N) confirms network-reachable delivery requiring no attacker credentials, but demands both high attack complexity and victim interaction, capping real-world exploitability. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in a lower-urgency tier despite the cross-scope impact.

XSS SAP
NVD
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-44746 MEDIUM This Month

Reflected cross-site scripting in SAP NetWeaver JAVA's JDBC Test Servlet enables unauthenticated remote attackers to craft malicious URLs that execute arbitrary JavaScript in a victim's browser upon interaction. The Changed Scope (S:C) in the CVSS vector indicates the injected script can affect browser context beyond the vulnerable origin, enabling session theft, credential harvesting, or unauthorized modification of webclient data. No public exploit code has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.

XSS SAP Java
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-36728 MEDIUM This Month

Markdown-based XSS in FastapiAdmin v2.2.0's AI assistant chat function allows unauthenticated remote attackers to inject crafted markdown payloads that execute arbitrary JavaScript in a victim's browser. The Changed scope (S:C) in the CVSS vector confirms the vulnerability crosses the application trust boundary into the browser security context. A public proof-of-concept exists via the researcher disclosure repository, and no vendor-released patch has been identified at time of analysis.

XSS
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-36725 MEDIUM This Month

Cross-site scripting via unsanitized markdown rendering in FastapiAdmin v2.2.0 allows unauthenticated remote attackers to inject arbitrary JavaScript or HTML through the notice_content parameter of the /system/notice/create endpoint. The Changed scope (S:C) in the CVSS vector confirms the injected script executes in a browser security context distinct from the vulnerable component itself, enabling session hijacking, credential theft, or defacement against any user who views the crafted notice. No confirmed active exploitation (CISA KEV) exists at time of analysis, though a researcher-published reference on GitHub likely documents a proof-of-concept payload.

XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-47725 Go HIGH PATCH GHSA This Week

Cross-site request forgery in nebula-mesh's admin web UI (versions <= 0.3.2) lets a remote attacker trigger privileged operator actions - CA signing, API key minting, operator disablement, server-setting changes, and forced logout - when a logged-in operator visits an attacker-controlled page. SameSite=Lax on the session cookie does not block top-level cross-site form POSTs, sibling-subdomain attackers, or the GET /ui/logout route, so the impact is privilege escalation rather than nuisance. No public exploit identified at time of analysis beyond the working reproducer in the advisory itself.

CSRF XSS Privilege Escalation
NVD GitHub
EPSS
0.0%
CVE-2026-47723 Go HIGH PATCH GHSA This Week

Missing browser security headers in nebula-mesh (Go-based mesh admin platform) through v0.3.0 expose the admin UI and API to clickjacking, MIME-sniffing, referrer leakage, and TLS downgrade attacks. The admin surfaces affected handle high-value operations including CA certificate signing, API key minting, TOTP QR display, and operator management, making framing or MIME confusion attacks materially impactful. No public exploit identified at time of analysis, and the issue was reported by the maintainer with a patch released in v0.3.1.

CSRF XSS
NVD GitHub
EPSS
0.0%
CVE-2026-47345 PHP MEDIUM PATCH GHSA This Month

HTML serialization in typo3/html-sanitizer before version 2.3.2 fails to encode namespace attributes (xmlns:*), allowing an authenticated low-privilege attacker to inject unsanitized XSS payloads that execute in victims' browsers. The vulnerability bypasses the library's core XSS prevention purpose: crafted namespace attribute values containing raw HTML (e.g., onerror handlers) survive the sanitizer and render as executable markup. No public exploit has been independently identified at time of analysis, though the vendor-published commit includes a working test case demonstrating the exact bypass payload.

XSS Html Sanitizer
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-47344 PHP LOW PATCH GHSA Monitor

XSS sanitizer bypass in typo3/html-sanitizer before 2.3.2 allows authenticated low-privileged users to inject unsanitized HTML by exploiting a parser divergence between the Masterminds HTML5 tokenizer and browser behavior for whitespace-variant closing tags such as </style\t>. The vulnerability is gated behind the non-default ALLOW_INSECURE_RAW_TEXT configuration flag, substantially limiting exposure. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

XSS Html Sanitizer
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11534 LOW POC Monitor

Cross-site scripting in imvks786/student_management_system allows a low-privileged remote attacker to inject malicious scripts via the name, address, or fname parameters in /add.php. The payload executes in a victim's browser when the affected page is viewed, enabling session hijacking, credential theft, or UI redress attacks against other users of the application. A public exploit is available via a GitHub issue report; the vendor has not responded to the coordinated disclosure.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-29170 MEDIUM PATCH This Month

Cross-site scripting in Apache HTTP Server's mod_proxy_ftp module allows a network-accessible attacker to inject malicious scripts into HTML directory listings generated when the server proxies FTP directory contents. Affected are all versions of Apache HTTP Server up to and including 2.4.67, in both forward and reverse proxy configurations. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, but the Changed scope (S:C) in the CVSS vector means injected scripts execute in victims' browsers under the origin of the proxy host, elevating the effective impact beyond the medium base score.

XSS Apache Red Hat Suse Apache HTTP Server
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-25558 MEDIUM POC This Month

Stored cross-site scripting in QloApps through 1.7.0 enables authenticated administrators to inject persistent JavaScript into the application by uploading SVG files containing malicious event handlers (e.g., onload) via the admin file manager. Any user who subsequently views the uploaded file triggers the embedded script in their browser, crossing a security boundary (S:C) from the admin upload context into arbitrary victim sessions. Publicly available exploit code exists per VulnCheck and a linked GitHub issue; no active exploitation has been confirmed by CISA KEV.

XSS Qloapps
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-11520 LOW Monitor

Reflected cross-site scripting in SourceCodester Inventory System 1.0 allows remote authenticated attackers to inject arbitrary JavaScript into victim browsers via unsanitized parameters in header.php. The attack requires low-level authentication and victim interaction with a crafted URL, limiting scope to integrity impact only (no confidentiality or availability impact per CVSS). Publicly available exploit code exists (CVSS E:P), though no active exploitation has been confirmed via CISA KEV, and the overall CVSS score of 3.5 (Low) reflects the constrained attack conditions.

PHP XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-11518 LOW POC Monitor

Stored cross-site scripting in SourceCodester Inventory System 1.0 allows remote unauthenticated attackers to inject persistent malicious scripts via the fullname and username parameters in /users.php on the User Management Page. When an authenticated user - likely an administrator - visits the affected page, the injected script executes in their browser session, enabling session hijacking, credential theft, or unauthorized UI manipulation. Publicly available exploit code exists (GitHub PoC by Xmyronn); this is not listed in CISA KEV but the low-complexity, no-authentication submission path elevates practical risk above the CVSS 4.3 score suggests.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9549 MEDIUM PATCH This Month

Stored cross-site scripting in Checkmk's service discovery active check output allows a high-privileged administrator to inject persistent malicious HTML or JavaScript that executes in the browsers of other administrators or users with host read permissions when they run checks on the service discovery page. Affected versions span all currently maintained branches: Checkmk below 2.5.0p5, below 2.4.0p31, below 2.3.0p48, and all 2.2.0 releases with no patch for that branch. No public exploit has been identified at time of analysis and the vulnerability is absent from CISA KEV, but the stored nature of the XSS and its targeting of privileged user sessions make it a meaningful lateral-privilege and session-compromise vector within Checkmk deployments.

XSS Checkmk
NVD VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-8833 HIGH PATCH This Week

Stored/reflected cross-site scripting in Checkmk monitoring platform versions prior to 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 releases allows authenticated users to bypass URL validation by leveraging HTML-encoded characters, enabling injection of javascript: URIs that execute in another user's browser session. The CVSS 4.0 score of 8.5 reflects the high impact on confidentiality, integrity, and availability when a victim interacts with a crafted link, though no public exploit identified at time of analysis and the issue requires both low-privilege authentication and user interaction.

XSS Checkmk
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-8078 MEDIUM PATCH This Month

Stored cross-site scripting in Checkmk's global settings change log enables a high-privileged administrator to persist malicious HTML or JavaScript within changelog messages, which then executes silently in the browsers of other authenticated users who view the Activate Changes page or Audit log. Affected versions span all 2.2.0 releases and builds prior to 2.5.0p5, 2.4.0p31, and 2.3.0p48. No active exploitation is confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis; however, the insider-threat angle - an already-privileged admin targeting peer users - is the realistic concern here.

XSS Checkmk
NVD VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-7186 HIGH PATCH This Week

Stored cross-site scripting in Checkmk monitoring platform allows a low-privileged user with dashboard editing rights to embed a javascript: URI inside the URL dashboard widget, which then executes in the browser of any other user viewing that dashboard. The flaw affects Checkmk versions prior to 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 releases, and carries a CVSS 4.0 score of 8.5 due to the high confidentiality and integrity impact achievable against higher-privileged operators. No public exploit identified at time of analysis, but the prerequisite (dashboard edit permission) is commonly granted to operations staff.

XSS Checkmk
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-11512 LOW POC Monitor

Cross-site scripting in itsourcecode Hospital Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript via the unsanitized `patientid` parameter in `/billing.php`, executing in the context of a victim user's browser session upon interaction with a crafted URL. A publicly available proof-of-concept exploit exists, referenced in GitHub issue #13 of the ltranquility/vuln_submit repository, lowering the barrier for opportunistic exploitation. This CVE is not listed in the CISA KEV catalog; the CVSS 4.0 score of 2.1 reflects limited impact scope - low integrity effect only, no confidentiality or availability loss - constrained further by the passive user interaction requirement.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11511 LOW Monitor

HTML injection in Bolt CMS 3.7.5 and earlier allows authenticated remote attackers to inject arbitrary HTML by manipulating the `style` argument within the HTML Attribute Handler component (`src/Storage/Field/Type/TextType.php`). The vulnerability requires low-privilege credentials and passive victim interaction for injected content to render, producing low-severity but persistent integrity exposure. Publicly available exploit code exists (CVSS E:P confirmed), and because the project repository has been archived as read-only by the maintainer, no vendor patch will ever be released - any remaining deployment faces permanent unpatched exposure.

PHP XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3011 MEDIUM This Month

Stored Cross-Site Scripting in WPZOOM's Recipe Card Blocks Lite WordPress plugin (all versions through 3.4.13) allows authenticated attackers with Author-level access or higher to inject persistent malicious scripts into published posts and recipe print views. The vulnerability is a sanitization bypass: the `WPZOOM_Helpers::deserialize_block_attributes` method re-decodes unicode-escaped character sequences back into raw HTML after WordPress's sanitization pipeline has already run, permitting crafted payloads in the recipe block's 'summary' and 'notes' attributes to survive sanitization and execute in victims' browsers. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS Changed Scope (S:C) rating reflects cross-user impact, including potential administrator session hijacking.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-11569 MEDIUM This Month

Stored cross-site scripting in Red Hat Quay 3.x allows an authenticated user with repository write access to upload a malicious SVG file via the filedrop endpoint, which lacks MIME type validation. The uploaded file is persisted and served inline through the CDN, meaning any victim who visits the archive URL will have attacker-controlled JavaScript execute in their browser. No public exploit has been identified at time of analysis, and exploitation requires both repository write privileges and victim interaction, limiting opportunistic mass exploitation.

XSS Red Hat Quay 3 Red Hat
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-41724 MEDIUM This Month

Stored cross-site scripting in VMware Cloud Foundation Operations (and the related Aria Operations / Telco Cloud Platform builds) lets an authenticated user who can create policies, views, or text-widgets inject script that executes in the browser of any user who later views the affected object, including administrators. Because the CVSS vector marks Confidentiality, Integrity, and Availability as High with Scope:Unchanged, a successful payload effectively lets a low-privileged operator escalate to administrative actions inside the Operations console. No public exploit identified at time of analysis and not currently listed in CISA KEV, but a vendor advisory has been issued by Broadcom.

XSS VMware Vcf Operations Vmware Aria Operations Vmware Telco Cloud Platform
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-41723 HIGH This Week

Stored cross-site scripting in VMware Cloud Foundation Operations (formerly Aria Operations) allows authenticated users with policy, view, or text-widget creation privileges to inject malicious scripts that execute in other users' browsers, including administrators. Affected products include VCF Operations 5.x through 9.1.x, VMware Aria Operations 8.18.x, and VMware Telco Cloud Platform 5.x. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS VMware Vcf Operations Vmware Aria Operations Vmware Telco Cloud Platform
NVD
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-41722 MEDIUM This Month

Stored cross-site scripting in VMware Cloud Foundation Operations (formerly VMware Aria Operations) allows authenticated users with policy, view, or text-widget creation privileges to inject scripts that execute in the browser context of other users, including administrators. The flaw spans VCF Operations 9.x, the legacy 5.x/Aria Operations 8.18.x line, and VMware Telco Cloud Platform 5.x, with a CVSS of 8.0 driven by high impact across confidentiality, integrity, and availability when a victim admin renders the malicious content. No public exploit identified at time of analysis and no EPSS or KEV signal is provided in the input.

XSS VMware Vcf Operations Vmware Aria Operations Vmware Telco Cloud Platform
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-11491 LOW POC Monitor

Stored cross-site scripting in CodeAstro Human Resource Management System 1.0 enables a high-privileged authenticated attacker to inject persistent malicious script via the Notice Title parameter in the Notice Board Management component, executing in the browsers of any user who subsequently views the affected notice. The publicly available proof-of-concept on GitHub demonstrates exploitation via an SVG onload payload submitted through a POST request to /notice/All_notice. Despite remote accessibility, real-world severity is constrained by the requirement for prior high-privilege authentication and the need for victim interaction - reflected in the low CVSS score of 2.4 - and no public exploitation campaign has been identified at time of analysis.

XSS Human Resource Management System
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2023-54351 MEDIUM POC This Month

WordPress Sonaar Music Plugin 4.7 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the comment functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2021-47984 MEDIUM POC This Month

WordPress Plugin WP24 Domain Check 1.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP XSS
NVD Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2021-47983 MEDIUM POC This Month

WordPress Plugin Stripe Payments 2.0.39 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2021-47982 MEDIUM POC This Month

WordPress Plugin WP-Paginate 2.1.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the preset parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS
NVD Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-11468 LOW POC Monitor

Stored or reflected cross-site scripting in SourceCodester Hospitals Patient Records Management System 1.0 allows a remote, authenticated administrator to inject malicious client-side scripts via the unvalidated `room` argument at the `/admin/?page=room_types` endpoint. The CVSS score of 2.4 (Low) accurately reflects the constrained conditions: exploitation requires admin-level credentials (PR:H) and victim interaction (UI:R), limiting blast radius to the admin panel. A publicly available proof-of-concept exploit exists via a GitHub issue, but no active exploitation has been confirmed by CISA KEV.

XSS Hospitals Patient Records Management System
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-11436 LOW Monitor

Reflected cross-site scripting in Mage AI's sign-in flow (versions up to and including 0.9.79) allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by manipulating the query.redirect_url parameter passed to the useMutation hook in the SignForm component. A public proof-of-concept exploit exists (referenced via GitHub gist), elevating real-world risk despite the low CVSS 4.0 score of 2.1. The vendor was notified prior to disclosure but did not respond, meaning no patch is currently available.

XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11434 LOW POC Monitor

Cross-site scripting in FluentCMS 0.0.5 allows a remote, highly-privileged attacker to inject malicious JavaScript via the /admin/blocks endpoint of the Blocks Plugin. The attack requires high privileges (admin-level authentication) and victim user interaction, constraining real-world impact significantly - the CVSS base score of 2.4 reflects this narrow exploitation surface. A publicly available proof-of-concept exists per HackMD, and the vendor has not responded to disclosure, leaving no official patch in place. No public exploit identified at time of analysis as reaching CISA KEV status.

XSS Fluentcms
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-9594 MEDIUM This Month

Stored Cross-Site Scripting in WP Maps (all versions through 4.9.4) allows authenticated attackers holding the wpgmp_manage_location capability - granted to administrators by default but delegable to lower-privileged roles - to inject persistent malicious scripts via the 'location_messages' parameter. The CVSS scope change (S:C) confirms the injected payload executes across victim browser sessions on any page rendering the affected shortcode, enabling session hijacking or unauthorized actions on behalf of site visitors. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV; however, the delegable capability expands the potential attacker pool beyond pure administrators.

XSS Google WordPress
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-7796 MEDIUM This Month

Stored Cross-Site Scripting in the EmbedPress WordPress plugin (all versions through 4.5.3) allows authenticated attackers with contributor-level access to persistently inject arbitrary JavaScript via the block 'url' attribute, executing in the browsers of any user who visits an affected page. The vulnerability originates in insufficient sanitization within EmbedPressBlockRenderer.php and Helper.php, as confirmed by Wordfence and traceable to specific lines in the plugin's source repository. No public exploit code or CISA KEV listing has been identified at time of analysis, but the Scope:Changed CVSS designation reflects that successful exploitation affects resources beyond the vulnerable component itself - namely, victim browser sessions.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-7795 MEDIUM This Month

Stored Cross-Site Scripting in the Click to Chat - WA Widget WordPress plugin (holithemes, all versions through 4.38) allows authenticated Contributor-level users to inject persistent JavaScript payloads that execute in victim browsers when the rendered WhatsApp chat button is clicked. The root cause is a double-encoding bypass: esc_attr() sanitization produces HTML entities that are decoded back to literal characters by the browser's HTML parser before JavaScript evaluation inside an onclick event handler, completely defeating the intended escaping. No public exploit has been identified at time of analysis, but the detailed technical write-up from Wordfence combined with publicly browsable vulnerable source code significantly lowers the barrier to exploitation. Vendor-released patch version 4.39 is available.

PHP XSS WordPress RCE
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-9280 MEDIUM This Month

Reflected XSS in the Ad Inserter - Ad Manager & AdSense Ads WordPress plugin (all versions through 2.8.15) enables unauthenticated attackers to inject arbitrary JavaScript into victim browsers by crafting malicious URLs targeting pages where iframe mode is active. The vulnerability exists because URL parameters passed through the plugin's iframe rendering path (class.php lines 3460, 3462, 3470) are insufficiently sanitized before output. Exploitation is contingent on a non-default configuration (iframe mode enabled) and requires social engineering to make a user click a crafted link, but no public exploit code has been identified at time of analysis.

XSS WordPress
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-8991 MEDIUM This Month

Stored Cross-Site Scripting in the Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (all versions through 1.3.9.7) allows authenticated administrators to persist malicious JavaScript via the 'drag_n_drop_text' and 'drag_n_drop_browse_text' plugin settings fields, which subsequently execute in the browsers of any site visitor accessing a page containing an affected CF7 upload form. The CVSS Scope:Changed designation reflects this cross-user impact - a compromised or rogue admin can silently weaponize public-facing forms without further interaction. No public exploit or CISA KEV listing exists at time of analysis, and the CVSS score of 4.4 reflects the high privilege and high complexity prerequisites that substantially limit opportunistic exploitation.

XSS File Upload WordPress
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-8438 HIGH This Week

Stored cross-site scripting in the All-In-One Security (AIOS) WordPress plugin through version 5.4.7 allows unauthenticated attackers to inject JavaScript that executes when administrators view the debug logs page. The flaw was reported by Wordfence and requires two specific plugin settings to be enabled simultaneously, and no public exploit identified at time of analysis. Successful exploitation enables nonce theft and privileged actions on behalf of the administrator, potentially leading to full site takeover.

XSS WordPress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-8901 HIGH This Week

Stored cross-site scripting in the Integration for Freshsales WordPress plugin (versions up to and including 1.0.15) allows unauthenticated attackers to inject arbitrary JavaScript via form submission data that executes when an administrator views the failed-CRM-call error log modal in wp-admin. The flaw, reported by Wordfence and tracked as CWE-79, carries CVSS 7.2 due to scope change (S:C) since the payload escapes from the form-submission context into the privileged admin panel, though no public exploit identified at time of analysis.

XSS WordPress Elementor
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-9281 MEDIUM This Month

Stored Cross-Site Scripting in the Master Addons for Elementor WordPress plugin (versions up to and including 3.1.0) allows authenticated attackers with author-level access to inject persistent JavaScript into pages by exploiting a broken authorization boundary in the Custom JS Extension. The flaw arises because the unfiltered_html capability check is enforced only during UI rendering (Elementor control registration) and entirely absent from the save handler, permitting a crafted POST to admin-ajax.php?action=elementor_ajax to store arbitrary scripts that execute in every subsequent visitor's browser. No public exploit or CISA KEV listing has been identified at time of analysis, though the Wordfence disclosure and direct source-code references confirm the issue is well-documented.

PHP XSS WordPress Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8900 MEDIUM This Month

Stored Cross-Site Scripting in the Simple SEO Slideshow WordPress plugin (all versions through 1.2.8) allows authenticated attackers holding contributor-level roles to inject persistent JavaScript payloads via unsanitized shortcode attributes. Because WordPress KSES does not strip malicious values from shortcode attributes during post save, the payload survives sanitization and executes for every subsequent visitor - including administrators reviewing the post - making privilege escalation a realistic downstream impact. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the Wordfence intelligence platform has formally catalogued it.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8893 MEDIUM This Month

Stored Cross-Site Scripting in the Express Payment For Stripe WordPress plugin (versions up to and including 1.28.0) allows authenticated contributors to permanently embed malicious JavaScript into site pages via the unsanitized 'type' attribute of the [stripe-express] shortcode. The root defect is in register_shortcode() within wp-stripe-shortcodes.php, where the attribute value is concatenated directly into an HTML attribute without passing through WordPress's esc_attr() or any equivalent escaping function. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV; however, the CVSS Changed Scope (S:C) signals that successful exploitation escapes the contributor's own security context and can compromise higher-privileged users such as administrators who visit the injected page.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-47730 PHP MEDIUM PATCH GHSA This Month

Cross-site scripting in Twig's profiler HtmlDumper component (twig/twig >= 3.0.0, < 3.26.0) allows an attacker who can control template names - via an ArrayLoader key, a database-backed loader row ID, or similar - to inject arbitrary HTML that executes in any browser rendering the profiler output. The root cause is a missing htmlspecialchars() call in HtmlDumper::formatTemplate() and related methods before writing Profile::getTemplate() and Profile::getName() into the HTML response. No public exploit or CISA KEV listing has been identified at time of analysis, but the vendor confirmed the issue and shipped a fix in v3.26.0 as part of a coordinated batch of security releases.

PHP XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-47743 PHP HIGH PATCH GHSA This Week

Stored XSS, IDOR, and credential disclosure in Shopper Framework admin Livewire components (versions < 2.8.0) allow authenticated admin users to tamper with arbitrary records, harvest plaintext customer passwords from the page DOM, and persist JavaScript payloads in product barcode fields that execute against any admin viewing the product. The combined issues enable session hijacking and privileged-action chaining within the Laravel-based e-commerce admin panel; no public exploitation has been reported and no public exploit identified at time of analysis.

XSS Information Disclosure
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-45778 HIGH PATCH This Week

Stored-to-reflected cross-site scripting in Open XDMoD prior to 11.0.3 allows an authenticated attacker to inject JavaScript into their own user profile and then abuse the built-in password reset workflow to deliver the payload to a victim, executing in the victim's browser and enabling credential theft or full account takeover. The flaw is patched in Open XDMoD 11.0.3 (released 2026-05-12) and there is no public exploit identified at time of analysis; the vendor states no evidence of in-the-wild exploitation.

XSS Open Xdmod
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-25624 MEDIUM This Month

Cross-site scripting in the Arista Edge Threat Management Next Generation Firewall web UI dashboard allows a high-privileged attacker to inject unvalidated input that is reflected back into administrative profiles, enabling script execution in the context of other administrative sessions. The vulnerability carries a CVSS 4.0 score of 5.8 (Medium), with confidentiality impact rated High on the vulnerable system - consistent with session token or credential harvesting from targeted admin accounts. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis.

XSS Ng Firewall
NVD VulDB
CVSS 4.0
5.8
EPSS
0.0%
CVE-2026-47387 npm HIGH PATCH GHSA This Week

Stored cross-site scripting in NocoDB through 2026.05.0 allows a base editor to plant a `javascript:` URL in a form view's `redirect_url`, which executes same-origin in any authenticated viewer's browser when they submit the shared form. The payload can exfiltrate the session token from `localStorage["nocodb-gui-v2"]` and call NocoDB APIs as the victim. No public exploit identified at time of analysis, EPSS 0.07% (21st percentile), but a vendor patch is available in release 2026.05.1.

XSS
NVD GitHub
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-47383 npm HIGH PATCH GHSA This Week

Stored Cross-Site Scripting in NocoDB <= 2026.05.0 allows authenticated commenters to inject HTML payloads into row comments that execute as JavaScript when other users hover over the comment in the expanded form view. Successful exploitation runs script in the NocoDB origin under the victim's session, enabling theft of the auth JWT from localStorage. No public exploit identified at time of analysis; EPSS is low (0.11%, 29th percentile) and the issue is not listed in CISA KEV.

XSS
NVD GitHub
CVSS 4.0
7.4
EPSS
0.1%
CVE-2026-11338 LOW POC Monitor

Stored cross-site scripting in SourceCodester Ship Ferry Ticket Reservation System 1.0 allows a remote attacker with high-privilege (admin-level) access to inject persistent malicious JavaScript into the Username field of the user management panel at /admin/?page=user/manage_user, which then executes in the browser of any other privileged user who visits that page. The vulnerability carries a CVSS base score of only 2.4 due to the combination of required high privileges, mandatory user interaction, and limited integrity-only impact with no confidentiality or availability consequence. No public exploit identified at time of analysis as a KEV-confirmed threat, but publicly available exploit code exists via a published Medium article and VulDB report.

XSS Ship Ferry Ticket Reservation System
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-47376 npm MEDIUM PATCH GHSA This Month

Reflected XSS in NocoDB's password-reset flow allows an unauthenticated attacker to execute arbitrary JavaScript in the victim's browser within the NocoDB origin by sending a crafted password-reset link. The vulnerability stems from the EJS server-side template rendering the reset token directly into a JavaScript string literal without escaping single quotes or backslashes, enabling string-context escape. Any NocoDB instance running versions prior to 2026.04.1 is affected; no public exploit identified at time of analysis, though the advisory includes a functional proof-of-concept payload.

XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-11337 LOW POC Monitor

Cross-site scripting in tittuvarghese's PHP-based CollegeManagementSystem exposes users to script injection via the unvalidated `department_name` parameter in `/dashboard_page/forms/fetch.php`, exploitable remotely without authentication but requiring victim interaction. Publicly available exploit code (GitHub issue #6) lowers the technical barrier for opportunistic attacks, though CVSS scope remains unchanged with only low integrity impact. No patch has been released and the project maintainer has not responded to the coordinated disclosure, leaving all deployed instances permanently exposed under the rolling release model.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-50235 MEDIUM This Month

Reflected cross-site scripting in Lyrion Music Server 9.2.0 allows unauthenticated remote attackers to inject arbitrary JavaScript into victims' browsers via unsanitized advanced search parameters, enabling session token theft and account hijacking with a single user-click interaction. The changed scope (S:C) in the CVSS vector confirms the injected script executes outside the origin of the vulnerable application, amplifying cross-domain impact. No public exploit identified at time of analysis and no CISA KEV listing, but the ZeroScience Lab advisory reference is a known PoC-publishing outlet - PoC availability should be treated as likely pending confirmation.

XSS Lyrion Music Server
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-50232 MEDIUM This Month

Stored cross-site scripting in Lyrion Music Server 9.2.0 allows remote attackers to inject JavaScript payloads via media file metadata fields (GENRE, ARTIST, ALBUM) that execute when other users browse the web interface. With CVSS 7.2 and a changed scope, successful exploitation can reach management functions and disclose settings. No public exploit identified at time of analysis, and no CISA KEV listing.

XSS Lyrion Music Server
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-50231 MEDIUM This Month

Stored cross-site scripting in Lyrion Music Server 9.2.0's log viewer allows unauthenticated remote attackers to inject persistent JavaScript via unescaped template variables, executing arbitrary scripts in the browsers of administrators or other users who view the logs. Injection vectors include the search, lines, and path query parameters as well as indirect channels such as URLs, User-Agent headers, stream titles, and player names that get written to the server log. No public exploit identified at time of analysis, but the CVSS 7.2 score reflects a scope-changed impact (S:C) due to the cross-origin nature of XSS.

XSS Lyrion Music Server
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-50230 MEDIUM POC This Month

Reflected cross-site scripting in Lyrion Music Server 9.2.0 allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into visiting a crafted URL targeting the server.log endpoint's search parameter. The vulnerability carries a changed scope (S:C in CVSS), meaning malicious script executes in the context of the affected application's origin, enabling session theft, credential harvesting, or UI redressing against users of the media server interface. No public exploit is confirmed at time of analysis, and no KEV listing exists, but the advisory was published to zeroscience.mk - a research outlet that routinely accompanies disclosures with proof-of-concept code.

XSS Lyrion Music Server
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
EPSS 0% CVSS 5.4
MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager versions 6.5.24, LTS SP1, and 2026.04 and earlier allows an authenticated attacker to inject malicious JavaScript that executes entirely within the victim's browser by manipulating client-side DOM sinks. The CVSS scope change (S:C) signal indicates successful exploitation can affect browser components beyond the AEM instance itself - enabling session hijacking or unauthorized actions on behalf of the victim. Adobe PSIRT has issued Security Bulletin APSB26-56 covering this issue; no public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Adobe
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH Exploit Unlikely This Month

Cross-site scripting in Microsoft SharePoint enables network-based spoofing attacks by injecting malicious scripts into web page output. The vulnerability (CWE-79) targets users of the SharePoint web interface and, when triggered via user interaction, allows an attacker to manipulate page content or impersonate legitimate UI elements - degrading both confidentiality and integrity. No public exploit or active exploitation has been identified at time of analysis, though the low-complexity network vector lowers the bar for opportunistic abuse.

XSS Microsoft Sharepoint Server
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM This Month

Reflected Cross-Site Scripting in Adobe Experience Manager Forms JEE (LTS SP1 and 6.5.24.0 and earlier) allows remote unauthenticated attackers to execute arbitrary script in a victim's browser session, potentially hijacking accounts or escalating privileges within the AEM Forms environment. The Scope:Changed flag in the CVSS vector indicates the impact extends beyond the vulnerable component, which combined with High confidentiality and integrity impacts yields a CVSS of 8.0. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

XSS Adobe
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager Forms JEE (versions LTS SP1 and 6.5.24.0 and earlier) permits a high-privileged attacker to inject persistent JavaScript into vulnerable form fields, which then executes in any victim's browser that renders the affected page. The CVSS Scope Change (S:C) signal confirms the injected script's impact crosses security boundaries beyond the AEM Forms application itself, enabling session hijacking or cross-origin actions against browsing victims. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, with the CVSS score of 5.9 (Medium) reflecting the high-privilege prerequisite that limits the attacker pool.

XSS Adobe Adobe Experience Manager Forms Jee
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Stored cross-site scripting in Adobe Experience Manager Forms JEE LTS SP1 and 6.5.24.0 and earlier allows remote unauthenticated attackers to inject malicious JavaScript into vulnerable form fields that executes in victims' browsers when they visit the affected page. The scope-changed CVSS 9.3 reflects that the injected script can pivot beyond the vulnerable component to compromise the victim's authenticated session or account. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.

XSS Adobe
NVD VulDB
EPSS 0% CVSS 4.6
MEDIUM This Month

Logseq's plugin sandbox can be escaped by a malicious plugin that injects arbitrary HTML event handler attributes into its host DOM container element, executing JavaScript in the privileged Electron renderer context. The attack is enabled by a disabled Content Security Policy in the host context, which removes the browser-level barrier that would otherwise block inline event handler execution. Only v0.10.15 has been confirmed vulnerable by CERT-PL; no patch has been released, and the vulnerability status of all other versions remains unknown. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog.

XSS Authentication Bypass Logseq
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

Stored XSS in Logseq's plugin subsystem escalates to arbitrary code execution within the privileged Electron host context due to unsanitized innerHTML rendering of plugin metadata. When a user installs a malicious plugin whose package.json 'name' field contains a JavaScript payload, the payload executes with Electron's elevated privileges - a context in which Node.js APIs are accessible, making the effective impact closer to local code execution than a conventional browser-scoped XSS. Reported by CERT-PL, version v0.10.15 is confirmed vulnerable, no patch exists, and no public exploit has been identified at time of analysis.

XSS RCE Logseq
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Arbitrary file read, write, and delete in the Logseq Electron desktop knowledge-management application is possible when an attacker can execute JavaScript inside the renderer process, because the preload script exposes an IPC bridge method that omits path validation. Version 0.10.15 has been confirmed vulnerable by CERT-PL, and because no patch was released the status of other releases is unverified. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Logseq
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Command injection in Logseq desktop application enables remote code execution via shell metacharacter abuse in IPC-exposed command arguments. An attacker with JavaScript execution in the renderer process (through XSS or a malicious plugin) can bypass the command allowlist because arguments are concatenated and passed to child_process.spawn with shell:true, granting arbitrary OS command execution at the privileges of the Logseq process. No public exploit identified at time of analysis, but the issue was reported by CERT-PL and remains unpatched in versions beyond the tested v0.10.15.

XSS RCE Command Injection +1
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored Cross-Site Scripting in TYPO3 CMS allows authenticated editors to embed raw HTML and JavaScript payloads into page titles that are written to the search index without sanitization. When the EXT:indexed_search (Indexed Search) plugin renders frontend search results, these unsanitized titles are output directly into the HTML response, executing attacker-controlled scripts in the browsers of any user who views those results. No public exploit or CISA KEV listing is identified at time of analysis, but the stored nature of the XSS - requiring only a single malicious edit to affect many users over time - elevates practical impact beyond what the medium CVSS 4.0 score of 5.1 might suggest.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Stored cross-site scripting in Vinna Process Monitor 4.0 Service Pack 1 (Build 63255) allows authenticated low-privilege users to inject persistent JavaScript that executes in other users' browsers, enabling theft of administrative session tokens and credentials. The CVSS 4.0 score of 9.3 reflects the cross-scope impact whereby a low-privileged attacker can escalate to administrative control. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Vinna Process Monitor
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Path traversal in Apache Airflow's Samba provider exposes Samba target file systems to arbitrary write operations when GCSToSambaOperator processes GCS object names containing directory traversal sequences. Disclosed on 2026-06-09 via the oss-security mailing list by Apache committer Jarek Potiuk as a pre-NVD disclosure, the vulnerability enables any party who can influence GCS object names in the source bucket to write files outside the intended destination directory on the Samba share. No public exploit code has been identified at time of analysis, and CVSS scoring is not yet available.

XSS Path Traversal Apache +1
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Prime Elementor Addons for WordPress (all versions through 1.3.3) allows authenticated attackers with contributor-level access to persist malicious scripts in widget HTML Tag settings that execute in any visitor's browser on page load. The vulnerability is notable for a specific filter bypass: payloads crafted without HTML angle brackets (e.g., 'img src=x onerror=alert(document.domain)') pass unmodified through Elementor's wp_kses_post() sanitization at save time, meaning even users lacking the unfiltered_html capability can inject effective XSS. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

XSS WordPress Elementor
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

{id}-slug/) enforces a Content-Security-Policy header that blocks all inline scripts, meaning the attack surface is exclusively the WordPress admin dashboard preview context. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

XSS WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Unsanitized rendering of AI-generated response content in Apache Answer through 2.0.0 enables cross-site scripting (XSS) execution in the browsers of any user viewing affected AI-generated answers. The vulnerability (CWE-87, Improper Neutralization of Alternate XSS Syntax) arises because the AI answer rendering pipeline passes output directly to the browser DOM without stripping or encoding malicious script constructs. No public exploit code has been identified at time of analysis, and CISA KEV listing has not been confirmed, but the critical severity designation and vendor-confirmed patch at 2.0.1 indicate this is a high-priority remediation target for all deployments using the AI answer feature.

XSS Apache
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

HTML content injection in Apache Answer's email notification system allows authenticated users to embed arbitrary HTML markup into notification emails delivered to other platform users. All versions through 2.0.0 are affected. Because no CVSS vector was published at time of analysis, authentication requirements are confirmed from the description rather than from a CVSS PR component - an attacker must have a valid platform account to submit the content that triggers the malicious notification. No public exploit code and no CISA KEV listing have been identified.

XSS Apache
NVD VulDB
EPSS 0% CVSS 3.5
LOW PATCH Monitor

Stored cross-site scripting in the Custom Block Builder WordPress plugin (versions before 4.3.0) allows authenticated administrators to inject persistent JavaScript into block template code fields that executes in every visitor's browser on pages embedding the affected block. The vulnerability is specifically scoped to multisite WordPress installations or single-site deployments where DISALLOW_UNFILTERED_HTML is defined - environments that are supposed to restrict the unfiltered_html capability from lower-trust administrators. The root cause is inconsistent capability enforcement: certain code paths writing to block template fields bypass the unfiltered_html check that should gate raw HTML/JS input. No public exploit identified at time of analysis, and the CVSS score of 3.5 reflects the high-privilege prerequisite and limited confidentiality/integrity impact.

XSS WordPress
NVD WPScan VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Cross-site scripting in QNAP QTS and QuTS hero operating systems allows remote attackers to bypass security mechanisms and read application data when an authenticated user interacts with attacker-supplied content. The flaw carries a CVSS 4.0 score of 8.7 driven by network reachability, low attack complexity, no required privileges, and high impact across confidentiality, integrity, and availability of the NAS management surface. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS Qnap Qts +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) in Spring Framework's MVC JSP form tags allows unauthenticated remote attackers to inject arbitrary HTML or JavaScript into rendered pages by supplying malicious values through the cssClass, cssErrorClass, or cssStyle tag attributes. Applications across four active Spring Framework release lines (5.3.x through 7.0.x) are affected when they pass user-controlled input directly into these tag attributes. No public exploit code has been identified at time of analysis, and CISA has not listed this CVE in the Known Exploited Vulnerabilities catalog, but the broad installed base of Spring MVC in enterprise Java environments and the high confidentiality impact (session hijacking, credential theft) warrant prompt patching.

XSS Java Spring Framework
NVD HeroDevs VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Spring Framework versions 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, and 7.0.0-7.0.7 allows remote attackers to inject JavaScript into victim browsers when applications rely on JavaScriptUtils.javaScriptEscape() for output encoding. The flaw stems from incomplete escaping in this utility method, and successful exploitation requires user interaction (UI:R) such as visiting a crafted page. No public exploit has been identified at time of analysis and the issue is not in CISA KEV.

XSS Java Spring Framework
NVD HeroDevs VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Session fixation in Spring Framework's WebFlux reactive stack (versions 5.3.x through 7.0.x) enables a remote attacker to hijack an authenticated user's session by leveraging a compromised subdomain - typically via cross-site scripting - to plant a known session ID and exchange it for the victim's authenticated session post-login. The attack is classified as CWE-384 and requires both a prior subdomain compromise and user interaction, placing real-world exploitability well below the headline concern for most deployments. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Session Fixation Java +1
NVD HeroDevs VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the kk Blog Card WordPress plugin (all versions ≤ 1.3) allows authenticated contributors to inject persistent JavaScript payloads via unsanitized 'href' and 'type' attributes of the [blog-card] shortcode. The flaw, rooted in direct attribute concatenation without sanitization or escaping in kk-blog-card-shortcode.php, executes injected scripts in the browser of any visitor loading an affected page - including administrators. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the changed scope (S:C) in the CVSS vector elevates potential impact beyond the plugin boundary.

PHP XSS WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the Product Filter Widget for Elementor WordPress plugin (versions up to and including 1.0.6) enables unauthenticated attackers to inject and execute arbitrary JavaScript in a victim's browser session. The vulnerability stems from unsanitized output of the 'args[filterFormArray]' parameter in a publicly accessible AJAX endpoint registered via wp_ajax_nopriv_ with no nonce verification or capability check, meaning any unauthenticated request to admin-ajax.php can carry the payload. Exploitation is delivered via a CSRF-style auto-submitting form, requiring the attacker to social-engineer a victim into visiting an attacker-controlled page; no public exploit code or CISA KEV listing has been identified at time of analysis.

PHP XSS CSRF +2
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the jQuery Hover Footnotes WordPress plugin (all versions up to and including 1.4) enables unauthenticated remote attackers to chain CSRF into persistent stored Cross-Site Scripting affecting every visitor on the compromised site. The plugin's jqFootnotes_options_subpanel function lacks proper nonce validation, allowing a forged request to overwrite settings such as jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title with arbitrary HTML or JavaScript. Because these values are persisted via WordPress's update_option() without sanitization and rendered unescaped in frontend page output, a single successful social-engineering action against one administrator produces site-wide persistent XSS. No public exploit code is identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

CSRF XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

{{...}}). The attack exploits an attribute-breakout technique - a double-quote followed by an event handler - that contains no angle brackets and therefore evades WordPress core's wp_kses_post() filter, which only strips disallowed HTML tags rather than sanitizing attribute injection contexts. The changed scope (S:C in the CVSS vector) means injected scripts execute in any victim's browser upon visiting a page containing the malicious footnote, enabling session theft, credential harvesting, or defacement at scale across site visitors. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the WP ApplicantStack Jobs Display WordPress plugin (all versions through 1.1.1) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via unsanitized shortcode attributes. Because the CVSS vector reflects Changed Scope (S:C), successful injection impacts the browsers of any user - including administrators - who subsequently load the affected page, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit has been identified at time of analysis, and the vulnerability has not been added to CISA KEV.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the WP GDPR Cookie Consent WordPress plugin (versions up to and including 1.0.0, by techjewel) allows authenticated attackers with subscriber-level access to inject persistent malicious scripts into pages served to all site visitors. The vulnerability chains three distinct weaknesses in the handleAjaxCalls() function: absent capability verification, missing nonce validation, and unsanitized gdprConfig values that are echoed verbatim by generateCSS() into a <style> block on wp_head. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (subscriber-level) and changed scope (S:C) make this a meaningful risk for multi-user WordPress sites.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the ePaperFlip Publisher WordPress plugin (all versions up to and including 1) permits authenticated Contributors to inject arbitrary JavaScript via the 'publicationid' attribute of the epaperflip_embed shortcode, which is written unsanitized directly into inline JavaScript on rendered pages. The CVSS Changed scope (S:C) reflects that the injected payload executes in the browser context of any visitor who loads the compromised page, crossing trust boundaries beyond the plugin itself. No public exploit code has been identified at time of analysis and this vulnerability is not currently listed in the CISA KEV catalog.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the RomanCart Ecommerce WordPress plugin (versions ≤2.0.8) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via the 'blclass' attribute - and other attributes - of the romancart_button shortcode. The injected payload executes in any visitor's browser upon page load, enabling session hijacking, credential theft, or administrative account takeover. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and changed scope (S:C) elevate real-world concern for multi-author WordPress deployments.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the TinyMCE Shortcode Addon WordPress plugin (all versions ≤ 1.0.0) allows authenticated attackers with contributor-level access or higher to inject persistent JavaScript via the unsanitized 'btnrel' shortcode attribute. The injected script is stored server-side and executes in the browser of every subsequent visitor to the affected page, including administrators - enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Global Body Mass Index Calculator WordPress plugin (versions up to and including 1.2) allows authenticated contributors to persistently inject arbitrary JavaScript into any page rendering the 'gbmicalc' shortcode. The vulnerability arises from PHP's @extract() call on unsanitized shortcode attributes followed by unescaped output into both an HTML style attribute context and an HTML body context inside GBMI_Calc_Widget::widget(), enabling attribute-breakout payloads. No public exploit code has been identified at time of analysis and no CISA KEV listing exists, but the Wordfence-confirmed contributor-level requirement makes this a realistic risk for any multi-author WordPress installation.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Extra Settings for RocketChat WordPress plugin (versions up to and including 0.1) allows authenticated attackers with contributor-level access to permanently inject arbitrary JavaScript via the 'title' attribute of the [rocketchat] shortcode. The injected script persists in the database and executes in the browser of any site visitor who loads an affected page, enabling session hijacking, credential theft, or further privilege escalation depending on victim role. No public exploit code identified at time of analysis, and this CVE does not appear on the CISA KEV catalog.

XSS WordPress
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the FV Flowplayer Video Player WordPress plugin (versions through 7.5.49.7212) allows remote attackers to inject persistent JavaScript via the comment text field, which executes in any visitor's browser when the affected page is loaded. The flaw stems from insufficient input sanitization and output escaping in the comment-parsing routine and is reachable only when the non-default 'Parse Vimeo and YouTube links' (parse_comments) option is enabled and an administrator approves the malicious comment. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Enable Media Replace WordPress plugin (all versions through 4.1.8) allows authenticated attackers with Author-level access or higher to inject persistent malicious scripts via the unsanitized 'location_dir' parameter. The injected payload executes in the browser of any user who accesses an affected page, with scope changed (S:C) indicating cross-boundary impact - most critically, a low-privileged Author can compromise higher-privileged sessions including administrators. No public exploit identified at time of analysis, and no CISA KEV listing, but the low attack complexity and broad WordPress install base elevate practical risk.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Accordions plugin for WordPress (all versions through 2.3.23) enables authenticated attackers holding Custom-level roles or higher to permanently embed malicious JavaScript into Accordion body fields. The injected scripts execute in the browser of any user who subsequently visits an affected page, enabling session token theft, credential harvesting, or drive-by malware delivery within the WordPress site context. No public exploit has been identified at time of analysis, though an upstream fix commit is available in the plugin Trac repository.

XSS WordPress
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

Reflected cross-site scripting in SAP Wily Introscope Enterprise Manager allows an unauthenticated remote attacker to craft a malicious URL that, when accessed by a victim user, executes injected JavaScript within the application's browser context. The CVSS vector (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N) confirms network-reachable delivery requiring no attacker credentials, but demands both high attack complexity and victim interaction, capping real-world exploitability. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in a lower-urgency tier despite the cross-scope impact.

XSS SAP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting in SAP NetWeaver JAVA's JDBC Test Servlet enables unauthenticated remote attackers to craft malicious URLs that execute arbitrary JavaScript in a victim's browser upon interaction. The Changed Scope (S:C) in the CVSS vector indicates the injected script can affect browser context beyond the vulnerable origin, enabling session theft, credential harvesting, or unauthorized modification of webclient data. No public exploit code has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.

XSS SAP Java
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Markdown-based XSS in FastapiAdmin v2.2.0's AI assistant chat function allows unauthenticated remote attackers to inject crafted markdown payloads that execute arbitrary JavaScript in a victim's browser. The Changed scope (S:C) in the CVSS vector confirms the vulnerability crosses the application trust boundary into the browser security context. A public proof-of-concept exists via the researcher disclosure repository, and no vendor-released patch has been identified at time of analysis.

XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-site scripting via unsanitized markdown rendering in FastapiAdmin v2.2.0 allows unauthenticated remote attackers to inject arbitrary JavaScript or HTML through the notice_content parameter of the /system/notice/create endpoint. The Changed scope (S:C) in the CVSS vector confirms the injected script executes in a browser security context distinct from the vulnerable component itself, enabling session hijacking, credential theft, or defacement against any user who views the crafted notice. No confirmed active exploitation (CISA KEV) exists at time of analysis, though a researcher-published reference on GitHub likely documents a proof-of-concept payload.

XSS
NVD GitHub
EPSS 0%
HIGH PATCH This Week

Cross-site request forgery in nebula-mesh's admin web UI (versions <= 0.3.2) lets a remote attacker trigger privileged operator actions - CA signing, API key minting, operator disablement, server-setting changes, and forced logout - when a logged-in operator visits an attacker-controlled page. SameSite=Lax on the session cookie does not block top-level cross-site form POSTs, sibling-subdomain attackers, or the GET /ui/logout route, so the impact is privilege escalation rather than nuisance. No public exploit identified at time of analysis beyond the working reproducer in the advisory itself.

CSRF XSS Privilege Escalation
NVD GitHub
EPSS 0%
HIGH PATCH This Week

Missing browser security headers in nebula-mesh (Go-based mesh admin platform) through v0.3.0 expose the admin UI and API to clickjacking, MIME-sniffing, referrer leakage, and TLS downgrade attacks. The admin surfaces affected handle high-value operations including CA certificate signing, API key minting, TOTP QR display, and operator management, making framing or MIME confusion attacks materially impactful. No public exploit identified at time of analysis, and the issue was reported by the maintainer with a patch released in v0.3.1.

CSRF XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

HTML serialization in typo3/html-sanitizer before version 2.3.2 fails to encode namespace attributes (xmlns:*), allowing an authenticated low-privilege attacker to inject unsanitized XSS payloads that execute in victims' browsers. The vulnerability bypasses the library's core XSS prevention purpose: crafted namespace attribute values containing raw HTML (e.g., onerror handlers) survive the sanitizer and render as executable markup. No public exploit has been independently identified at time of analysis, though the vendor-published commit includes a working test case demonstrating the exact bypass payload.

XSS Html Sanitizer
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

XSS sanitizer bypass in typo3/html-sanitizer before 2.3.2 allows authenticated low-privileged users to inject unsanitized HTML by exploiting a parser divergence between the Masterminds HTML5 tokenizer and browser behavior for whitespace-variant closing tags such as </style\t>. The vulnerability is gated behind the non-default ALLOW_INSECURE_RAW_TEXT configuration flag, substantially limiting exposure. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

XSS Html Sanitizer
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Cross-site scripting in imvks786/student_management_system allows a low-privileged remote attacker to inject malicious scripts via the name, address, or fname parameters in /add.php. The payload executes in a victim's browser when the affected page is viewed, enabling session hijacking, credential theft, or UI redress attacks against other users of the application. A public exploit is available via a GitHub issue report; the vendor has not responded to the coordinated disclosure.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Apache HTTP Server's mod_proxy_ftp module allows a network-accessible attacker to inject malicious scripts into HTML directory listings generated when the server proxies FTP directory contents. Affected are all versions of Apache HTTP Server up to and including 2.4.67, in both forward and reverse proxy configurations. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, but the Changed scope (S:C) in the CVSS vector means injected scripts execute in victims' browsers under the origin of the proxy host, elevating the effective impact beyond the medium base score.

XSS Apache Red Hat +2
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Stored cross-site scripting in QloApps through 1.7.0 enables authenticated administrators to inject persistent JavaScript into the application by uploading SVG files containing malicious event handlers (e.g., onload) via the admin file manager. Any user who subsequently views the uploaded file triggers the embedded script in their browser, crossing a security boundary (S:C) from the admin upload context into arbitrary victim sessions. Publicly available exploit code exists per VulnCheck and a linked GitHub issue; no active exploitation has been confirmed by CISA KEV.

XSS Qloapps
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

Reflected cross-site scripting in SourceCodester Inventory System 1.0 allows remote authenticated attackers to inject arbitrary JavaScript into victim browsers via unsanitized parameters in header.php. The attack requires low-level authentication and victim interaction with a crafted URL, limiting scope to integrity impact only (no confidentiality or availability impact per CVSS). Publicly available exploit code exists (CVSS E:P), though no active exploitation has been confirmed via CISA KEV, and the overall CVSS score of 3.5 (Low) reflects the constrained attack conditions.

PHP XSS
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Stored cross-site scripting in SourceCodester Inventory System 1.0 allows remote unauthenticated attackers to inject persistent malicious scripts via the fullname and username parameters in /users.php on the User Management Page. When an authenticated user - likely an administrator - visits the affected page, the injected script executes in their browser session, enabling session hijacking, credential theft, or unauthorized UI manipulation. Publicly available exploit code exists (GitHub PoC by Xmyronn); this is not listed in CISA KEV but the low-complexity, no-authentication submission path elevates practical risk above the CVSS 4.3 score suggests.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored cross-site scripting in Checkmk's service discovery active check output allows a high-privileged administrator to inject persistent malicious HTML or JavaScript that executes in the browsers of other administrators or users with host read permissions when they run checks on the service discovery page. Affected versions span all currently maintained branches: Checkmk below 2.5.0p5, below 2.4.0p31, below 2.3.0p48, and all 2.2.0 releases with no patch for that branch. No public exploit has been identified at time of analysis and the vulnerability is absent from CISA KEV, but the stored nature of the XSS and its targeting of privileged user sessions make it a meaningful lateral-privilege and session-compromise vector within Checkmk deployments.

XSS Checkmk
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Stored/reflected cross-site scripting in Checkmk monitoring platform versions prior to 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 releases allows authenticated users to bypass URL validation by leveraging HTML-encoded characters, enabling injection of javascript: URIs that execute in another user's browser session. The CVSS 4.0 score of 8.5 reflects the high impact on confidentiality, integrity, and availability when a victim interacts with a crafted link, though no public exploit identified at time of analysis and the issue requires both low-privilege authentication and user interaction.

XSS Checkmk
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored cross-site scripting in Checkmk's global settings change log enables a high-privileged administrator to persist malicious HTML or JavaScript within changelog messages, which then executes silently in the browsers of other authenticated users who view the Activate Changes page or Audit log. Affected versions span all 2.2.0 releases and builds prior to 2.5.0p5, 2.4.0p31, and 2.3.0p48. No active exploitation is confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis; however, the insider-threat angle - an already-privileged admin targeting peer users - is the realistic concern here.

XSS Checkmk
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Stored cross-site scripting in Checkmk monitoring platform allows a low-privileged user with dashboard editing rights to embed a javascript: URI inside the URL dashboard widget, which then executes in the browser of any other user viewing that dashboard. The flaw affects Checkmk versions prior to 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 releases, and carries a CVSS 4.0 score of 8.5 due to the high confidentiality and integrity impact achievable against higher-privileged operators. No public exploit identified at time of analysis, but the prerequisite (dashboard edit permission) is commonly granted to operations staff.

XSS Checkmk
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting in itsourcecode Hospital Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript via the unsanitized `patientid` parameter in `/billing.php`, executing in the context of a victim user's browser session upon interaction with a crafted URL. A publicly available proof-of-concept exploit exists, referenced in GitHub issue #13 of the ltranquility/vuln_submit repository, lowering the barrier for opportunistic exploitation. This CVE is not listed in the CISA KEV catalog; the CVSS 4.0 score of 2.1 reflects limited impact scope - low integrity effect only, no confidentiality or availability loss - constrained further by the passive user interaction requirement.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW Monitor

HTML injection in Bolt CMS 3.7.5 and earlier allows authenticated remote attackers to inject arbitrary HTML by manipulating the `style` argument within the HTML Attribute Handler component (`src/Storage/Field/Type/TextType.php`). The vulnerability requires low-privilege credentials and passive victim interaction for injected content to render, producing low-severity but persistent integrity exposure. Publicly available exploit code exists (CVSS E:P confirmed), and because the project repository has been archived as read-only by the maintainer, no vendor patch will ever be released - any remaining deployment faces permanent unpatched exposure.

PHP XSS
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in WPZOOM's Recipe Card Blocks Lite WordPress plugin (all versions through 3.4.13) allows authenticated attackers with Author-level access or higher to inject persistent malicious scripts into published posts and recipe print views. The vulnerability is a sanitization bypass: the `WPZOOM_Helpers::deserialize_block_attributes` method re-decodes unicode-escaped character sequences back into raw HTML after WordPress's sanitization pipeline has already run, permitting crafted payloads in the recipe block's 'summary' and 'notes' attributes to survive sanitization and execute in victims' browsers. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS Changed Scope (S:C) rating reflects cross-user impact, including potential administrator session hijacking.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in Red Hat Quay 3.x allows an authenticated user with repository write access to upload a malicious SVG file via the filedrop endpoint, which lacks MIME type validation. The uploaded file is persisted and served inline through the CDN, meaning any victim who visits the archive URL will have attacker-controlled JavaScript execute in their browser. No public exploit has been identified at time of analysis, and exploitation requires both repository write privileges and victim interaction, limiting opportunistic mass exploitation.

XSS Red Hat Quay 3 Red Hat
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in VMware Cloud Foundation Operations (and the related Aria Operations / Telco Cloud Platform builds) lets an authenticated user who can create policies, views, or text-widgets inject script that executes in the browser of any user who later views the affected object, including administrators. Because the CVSS vector marks Confidentiality, Integrity, and Availability as High with Scope:Unchanged, a successful payload effectively lets a low-privileged operator escalate to administrative actions inside the Operations console. No public exploit identified at time of analysis and not currently listed in CISA KEV, but a vendor advisory has been issued by Broadcom.

XSS VMware Vcf Operations +2
NVD VulDB
EPSS 0% CVSS 8.0
HIGH This Week

Stored cross-site scripting in VMware Cloud Foundation Operations (formerly Aria Operations) allows authenticated users with policy, view, or text-widget creation privileges to inject malicious scripts that execute in other users' browsers, including administrators. Affected products include VCF Operations 5.x through 9.1.x, VMware Aria Operations 8.18.x, and VMware Telco Cloud Platform 5.x. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS VMware Vcf Operations +2
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in VMware Cloud Foundation Operations (formerly VMware Aria Operations) allows authenticated users with policy, view, or text-widget creation privileges to inject scripts that execute in the browser context of other users, including administrators. The flaw spans VCF Operations 9.x, the legacy 5.x/Aria Operations 8.18.x line, and VMware Telco Cloud Platform 5.x, with a CVSS of 8.0 driven by high impact across confidentiality, integrity, and availability when a victim admin renders the malicious content. No public exploit identified at time of analysis and no EPSS or KEV signal is provided in the input.

XSS VMware Vcf Operations +2
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

Stored cross-site scripting in CodeAstro Human Resource Management System 1.0 enables a high-privileged authenticated attacker to inject persistent malicious script via the Notice Title parameter in the Notice Board Management component, executing in the browsers of any user who subsequently views the affected notice. The publicly available proof-of-concept on GitHub demonstrates exploitation via an SVG onload payload submitted through a POST request to /notice/All_notice. Despite remote accessibility, real-world severity is constrained by the requirement for prior high-privilege authentication and the need for victim interaction - reflected in the low CVSS score of 2.4 - and no public exploitation campaign has been identified at time of analysis.

XSS Human Resource Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress Sonaar Music Plugin 4.7 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the comment functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP XSS
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress Plugin WP24 Domain Check 1.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP XSS
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress Plugin Stripe Payments 2.0.39 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP XSS
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress Plugin WP-Paginate 2.1.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the preset parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS
NVD Exploit-DB VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

Stored or reflected cross-site scripting in SourceCodester Hospitals Patient Records Management System 1.0 allows a remote, authenticated administrator to inject malicious client-side scripts via the unvalidated `room` argument at the `/admin/?page=room_types` endpoint. The CVSS score of 2.4 (Low) accurately reflects the constrained conditions: exploitation requires admin-level credentials (PR:H) and victim interaction (UI:R), limiting blast radius to the admin panel. A publicly available proof-of-concept exploit exists via a GitHub issue, but no active exploitation has been confirmed by CISA KEV.

XSS Hospitals Patient Records Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Reflected cross-site scripting in Mage AI's sign-in flow (versions up to and including 0.9.79) allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by manipulating the query.redirect_url parameter passed to the useMutation hook in the SignForm component. A public proof-of-concept exploit exists (referenced via GitHub gist), elevating real-world risk despite the low CVSS 4.0 score of 2.1. The vendor was notified prior to disclosure but did not respond, meaning no patch is currently available.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

Cross-site scripting in FluentCMS 0.0.5 allows a remote, highly-privileged attacker to inject malicious JavaScript via the /admin/blocks endpoint of the Blocks Plugin. The attack requires high privileges (admin-level authentication) and victim user interaction, constraining real-world impact significantly - the CVSS base score of 2.4 reflects this narrow exploitation surface. A publicly available proof-of-concept exists per HackMD, and the vendor has not responded to disclosure, leaving no official patch in place. No public exploit identified at time of analysis as reaching CISA KEV status.

XSS Fluentcms
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in WP Maps (all versions through 4.9.4) allows authenticated attackers holding the wpgmp_manage_location capability - granted to administrators by default but delegable to lower-privileged roles - to inject persistent malicious scripts via the 'location_messages' parameter. The CVSS scope change (S:C) confirms the injected payload executes across victim browser sessions on any page rendering the affected shortcode, enabling session hijacking or unauthorized actions on behalf of site visitors. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV; however, the delegable capability expands the potential attacker pool beyond pure administrators.

XSS Google WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the EmbedPress WordPress plugin (all versions through 4.5.3) allows authenticated attackers with contributor-level access to persistently inject arbitrary JavaScript via the block 'url' attribute, executing in the browsers of any user who visits an affected page. The vulnerability originates in insufficient sanitization within EmbedPressBlockRenderer.php and Helper.php, as confirmed by Wordfence and traceable to specific lines in the plugin's source repository. No public exploit code or CISA KEV listing has been identified at time of analysis, but the Scope:Changed CVSS designation reflects that successful exploitation affects resources beyond the vulnerable component itself - namely, victim browser sessions.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Click to Chat - WA Widget WordPress plugin (holithemes, all versions through 4.38) allows authenticated Contributor-level users to inject persistent JavaScript payloads that execute in victim browsers when the rendered WhatsApp chat button is clicked. The root cause is a double-encoding bypass: esc_attr() sanitization produces HTML entities that are decoded back to literal characters by the browser's HTML parser before JavaScript evaluation inside an onclick event handler, completely defeating the intended escaping. No public exploit has been identified at time of analysis, but the detailed technical write-up from Wordfence combined with publicly browsable vulnerable source code significantly lowers the barrier to exploitation. Vendor-released patch version 4.39 is available.

PHP XSS WordPress +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in the Ad Inserter - Ad Manager & AdSense Ads WordPress plugin (all versions through 2.8.15) enables unauthenticated attackers to inject arbitrary JavaScript into victim browsers by crafting malicious URLs targeting pages where iframe mode is active. The vulnerability exists because URL parameters passed through the plugin's iframe rendering path (class.php lines 3460, 3462, 3470) are insufficiently sanitized before output. Exploitation is contingent on a non-default configuration (iframe mode enabled) and requires social engineering to make a user click a crafted link, but no public exploit code has been identified at time of analysis.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (all versions through 1.3.9.7) allows authenticated administrators to persist malicious JavaScript via the 'drag_n_drop_text' and 'drag_n_drop_browse_text' plugin settings fields, which subsequently execute in the browsers of any site visitor accessing a page containing an affected CF7 upload form. The CVSS Scope:Changed designation reflects this cross-user impact - a compromised or rogue admin can silently weaponize public-facing forms without further interaction. No public exploit or CISA KEV listing exists at time of analysis, and the CVSS score of 4.4 reflects the high privilege and high complexity prerequisites that substantially limit opportunistic exploitation.

XSS File Upload WordPress
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the All-In-One Security (AIOS) WordPress plugin through version 5.4.7 allows unauthenticated attackers to inject JavaScript that executes when administrators view the debug logs page. The flaw was reported by Wordfence and requires two specific plugin settings to be enabled simultaneously, and no public exploit identified at time of analysis. Successful exploitation enables nonce theft and privileged actions on behalf of the administrator, potentially leading to full site takeover.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Integration for Freshsales WordPress plugin (versions up to and including 1.0.15) allows unauthenticated attackers to inject arbitrary JavaScript via form submission data that executes when an administrator views the failed-CRM-call error log modal in wp-admin. The flaw, reported by Wordfence and tracked as CWE-79, carries CVSS 7.2 due to scope change (S:C) since the payload escapes from the form-submission context into the privileged admin panel, though no public exploit identified at time of analysis.

XSS WordPress Elementor
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Master Addons for Elementor WordPress plugin (versions up to and including 3.1.0) allows authenticated attackers with author-level access to inject persistent JavaScript into pages by exploiting a broken authorization boundary in the Custom JS Extension. The flaw arises because the unfiltered_html capability check is enforced only during UI rendering (Elementor control registration) and entirely absent from the save handler, permitting a crafted POST to admin-ajax.php?action=elementor_ajax to store arbitrary scripts that execute in every subsequent visitor's browser. No public exploit or CISA KEV listing has been identified at time of analysis, though the Wordfence disclosure and direct source-code references confirm the issue is well-documented.

PHP XSS WordPress +1
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Simple SEO Slideshow WordPress plugin (all versions through 1.2.8) allows authenticated attackers holding contributor-level roles to inject persistent JavaScript payloads via unsanitized shortcode attributes. Because WordPress KSES does not strip malicious values from shortcode attributes during post save, the payload survives sanitization and executes for every subsequent visitor - including administrators reviewing the post - making privilege escalation a realistic downstream impact. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the Wordfence intelligence platform has formally catalogued it.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Express Payment For Stripe WordPress plugin (versions up to and including 1.28.0) allows authenticated contributors to permanently embed malicious JavaScript into site pages via the unsanitized 'type' attribute of the [stripe-express] shortcode. The root defect is in register_shortcode() within wp-stripe-shortcodes.php, where the attribute value is concatenated directly into an HTML attribute without passing through WordPress's esc_attr() or any equivalent escaping function. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV; however, the CVSS Changed Scope (S:C) signals that successful exploitation escapes the contributor's own security context and can compromise higher-privileged users such as administrators who visit the injected page.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Cross-site scripting in Twig's profiler HtmlDumper component (twig/twig >= 3.0.0, < 3.26.0) allows an attacker who can control template names - via an ArrayLoader key, a database-backed loader row ID, or similar - to inject arbitrary HTML that executes in any browser rendering the profiler output. The root cause is a missing htmlspecialchars() call in HtmlDumper::formatTemplate() and related methods before writing Profile::getTemplate() and Profile::getName() into the HTML response. No public exploit or CISA KEV listing has been identified at time of analysis, but the vendor confirmed the issue and shipped a fix in v3.26.0 as part of a coordinated batch of security releases.

PHP XSS
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored XSS, IDOR, and credential disclosure in Shopper Framework admin Livewire components (versions < 2.8.0) allow authenticated admin users to tamper with arbitrary records, harvest plaintext customer passwords from the page DOM, and persist JavaScript payloads in product barcode fields that execute against any admin viewing the product. The combined issues enable session hijacking and privileged-action chaining within the Laravel-based e-commerce admin panel; no public exploitation has been reported and no public exploit identified at time of analysis.

XSS Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Stored-to-reflected cross-site scripting in Open XDMoD prior to 11.0.3 allows an authenticated attacker to inject JavaScript into their own user profile and then abuse the built-in password reset workflow to deliver the payload to a victim, executing in the victim's browser and enabling credential theft or full account takeover. The flaw is patched in Open XDMoD 11.0.3 (released 2026-05-12) and there is no public exploit identified at time of analysis; the vendor states no evidence of in-the-wild exploitation.

XSS Open Xdmod
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM This Month

Cross-site scripting in the Arista Edge Threat Management Next Generation Firewall web UI dashboard allows a high-privileged attacker to inject unvalidated input that is reflected back into administrative profiles, enabling script execution in the context of other administrative sessions. The vulnerability carries a CVSS 4.0 score of 5.8 (Medium), with confidentiality impact rated High on the vulnerable system - consistent with session token or credential harvesting from targeted admin accounts. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis.

XSS Ng Firewall
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Stored cross-site scripting in NocoDB through 2026.05.0 allows a base editor to plant a `javascript:` URL in a form view's `redirect_url`, which executes same-origin in any authenticated viewer's browser when they submit the shared form. The payload can exfiltrate the session token from `localStorage["nocodb-gui-v2"]` and call NocoDB APIs as the victim. No public exploit identified at time of analysis, EPSS 0.07% (21st percentile), but a vendor patch is available in release 2026.05.1.

XSS
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Stored Cross-Site Scripting in NocoDB <= 2026.05.0 allows authenticated commenters to inject HTML payloads into row comments that execute as JavaScript when other users hover over the comment in the expanded form view. Successful exploitation runs script in the NocoDB origin under the victim's session, enabling theft of the auth JWT from localStorage. No public exploit identified at time of analysis; EPSS is low (0.11%, 29th percentile) and the issue is not listed in CISA KEV.

XSS
NVD GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

Stored cross-site scripting in SourceCodester Ship Ferry Ticket Reservation System 1.0 allows a remote attacker with high-privilege (admin-level) access to inject persistent malicious JavaScript into the Username field of the user management panel at /admin/?page=user/manage_user, which then executes in the browser of any other privileged user who visits that page. The vulnerability carries a CVSS base score of only 2.4 due to the combination of required high privileges, mandatory user interaction, and limited integrity-only impact with no confidentiality or availability consequence. No public exploit identified at time of analysis as a KEV-confirmed threat, but publicly available exploit code exists via a published Medium article and VulDB report.

XSS Ship Ferry Ticket Reservation System
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in NocoDB's password-reset flow allows an unauthenticated attacker to execute arbitrary JavaScript in the victim's browser within the NocoDB origin by sending a crafted password-reset link. The vulnerability stems from the EJS server-side template rendering the reset token directly into a JavaScript string literal without escaping single quotes or backslashes, enabling string-context escape. Any NocoDB instance running versions prior to 2026.04.1 is affected; no public exploit identified at time of analysis, though the advisory includes a functional proof-of-concept payload.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting in tittuvarghese's PHP-based CollegeManagementSystem exposes users to script injection via the unvalidated `department_name` parameter in `/dashboard_page/forms/fetch.php`, exploitable remotely without authentication but requiring victim interaction. Publicly available exploit code (GitHub issue #6) lowers the technical barrier for opportunistic attacks, though CVSS scope remains unchanged with only low integrity impact. No patch has been released and the project maintainer has not responded to the coordinated disclosure, leaving all deployed instances permanently exposed under the rolling release model.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected cross-site scripting in Lyrion Music Server 9.2.0 allows unauthenticated remote attackers to inject arbitrary JavaScript into victims' browsers via unsanitized advanced search parameters, enabling session token theft and account hijacking with a single user-click interaction. The changed scope (S:C) in the CVSS vector confirms the injected script executes outside the origin of the vulnerable application, amplifying cross-domain impact. No public exploit identified at time of analysis and no CISA KEV listing, but the ZeroScience Lab advisory reference is a known PoC-publishing outlet - PoC availability should be treated as likely pending confirmation.

XSS Lyrion Music Server
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored cross-site scripting in Lyrion Music Server 9.2.0 allows remote attackers to inject JavaScript payloads via media file metadata fields (GENRE, ARTIST, ALBUM) that execute when other users browse the web interface. With CVSS 7.2 and a changed scope, successful exploitation can reach management functions and disclose settings. No public exploit identified at time of analysis, and no CISA KEV listing.

XSS Lyrion Music Server
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored cross-site scripting in Lyrion Music Server 9.2.0's log viewer allows unauthenticated remote attackers to inject persistent JavaScript via unescaped template variables, executing arbitrary scripts in the browsers of administrators or other users who view the logs. Injection vectors include the search, lines, and path query parameters as well as indirect channels such as URLs, User-Agent headers, stream titles, and player names that get written to the server log. No public exploit identified at time of analysis, but the CVSS 7.2 score reflects a scope-changed impact (S:C) due to the cross-origin nature of XSS.

XSS Lyrion Music Server
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Reflected cross-site scripting in Lyrion Music Server 9.2.0 allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into visiting a crafted URL targeting the server.log endpoint's search parameter. The vulnerability carries a changed scope (S:C in CVSS), meaning malicious script executes in the context of the affected application's origin, enabling session theft, credential harvesting, or UI redressing against users of the media server interface. No public exploit is confirmed at time of analysis, and no KEV listing exists, but the advisory was published to zeroscience.mk - a research outlet that routinely accompanies disclosures with proof-of-concept code.

XSS Lyrion Music Server
NVD VulDB
Prev Page 12 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy