XSS
Monthly
A security vulnerability has been detected in PHPGurukul Student Record Management System up to 1.0. This vulnerability affects unknown code of the file /edit-course.php. [CVSS 2.4 LOW]
wpForo Forum 2.4.14 fails to properly sanitize forum description fields, enabling authenticated administrators to store malicious JavaScript that executes in the browsers of all users viewing forum listings. On multisite installations or when admin credentials are compromised, attackers can leverage this stored XSS to conduct persistent attacks against forum users. No patch is currently available for this vulnerability.
Stored XSS in wpForo Forum 2.4.14 allows authenticated administrators to inject malicious scripts into forum slugs that execute in all visitors' browsers due to improper JSON encoding. An attacker with high-level privileges can craft a forum URL containing unescaped characters to break out of JavaScript context and achieve arbitrary script execution. No patch is currently available for this vulnerability.
Stored XSS in wpForo Forum 2.4.14 allows authenticated users to inject malicious code through SVG profile avatars, which executes when other users view the attacker's profile. An authenticated attacker can leverage this to steal session tokens, redirect victims, or perform actions on their behalf with no user interaction required. No patch is currently available for this vulnerability.
Microchip TimePictra versions 11.0 through 11.3 SP2 contain a reflected cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts through query parameters. Successful exploitation requires user interaction and can result in session hijacking, credential theft, or unauthorized information disclosure. No patch is currently available.
Statamic is a Laravel and Git powered content management system (CMS). [CVSS 8.7 HIGH]
Canarytokens help track activity and actions on a network. Versions prior to `sha-7ff0e12` have a Self Cross-Site Scripting vulnerability in the "PWA" Canarytoken, whereby the Canarytoken's creator can attack themselves or someone they share the link with.
Cross-site scripting (XSS) in PMD's legacy vbhtml and yahtml report formats allows arbitrary JavaScript execution when HTML reports are opened in a browser, triggered by analyzing malicious source code containing crafted string literals. Public exploit code exists for this vulnerability affecting PMD versions prior to 7.22.0. The impact is limited since these legacy formats are rarely used and the default html format is properly escaped.
Kiteworks Email Protection Gateway prior to version 9.2.0 contains a stored cross-site scripting vulnerability in its configuration interface that allows authenticated administrators to inject malicious scripts executed against other users. An admin with high privileges can exploit this to compromise user sessions and data through the affected UI. No patch is currently available for this vulnerability.
Stored cross-site scripting in ClipBucket v5 prior to version 5.5.3 #59 allows authenticated users to inject malicious scripts that execute when viewed by administrators, enabling session hijacking or credential theft. Public exploit code exists for this vulnerability, which affects the open-source video sharing platform and has been patched in the latest release.
Sl902-Swtgw124As Firmware versions up to 200.1.20 are affected by cross-site scripting (XSS) (CVSS 6.1).
CleverTap Web SDK versions 1.15.2 and earlier contain a DOM-based XSS vulnerability in the Visual Builder module due to improper origin validation of postMessage events, allowing attackers to inject malicious scripts through crafted subdomains. Public exploit code exists for this vulnerability, which affects all users of the affected SDK versions. An attacker can execute arbitrary JavaScript in the context of a victim's browser session to steal sensitive data or perform unauthorized actions.
CleverTap Web SDK through version 1.15.2 contains a cross-site scripting vulnerability in its postMessage handler that fails to properly validate message origins, allowing attackers to inject malicious scripts by exploiting subdomain bypass techniques. Public exploit code exists for this vulnerability, and affected applications can be compromised through user interaction. A patch is available to address the insufficient origin validation in the nativeDisplay.js component.
PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. [CVSS 8.7 HIGH]
Authenticated Iframe Injection in Dato CMS Web Previews plugin. This vulnerability permits a malicious authenticated user to circumvent the restriction enforced on the configured frontend URL, enabling the loading of arbitrary external resources or origins.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KNOWHY Advanced Technology Trading Ltd. Co. [CVSS 6.3 MEDIUM]
PluXml CMS versions 5.8.21 and 5.9.0-rc7 contain a stored cross-site scripting vulnerability in the static pages editor that allows authenticated users with editing privileges to inject malicious JavaScript and HTML into pages. When other users visit the compromised pages, the injected code executes in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available from the vendor.
Stored XSS in PluXml CMS file upload functionality allows authenticated attackers to embed malicious payloads in SVG files that execute when victims directly access the uploaded files. The vulnerability affects at least versions 5.8.21 and 5.9.0-rc7, with other versions untested. No patch is currently available from the vendor.
Omega Psir contains a reflected cross-site scripting (XSS) vulnerability in the lang parameter that allows attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. The vulnerability affects unauthenticated users who click on attacker-controlled links, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this MEDIUM severity flaw.
The Electric Enquiries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button' parameter of the electric-enquiry shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
Stored XSS in Simple Download Monitor plugin for WordPress through version 4.0.5 allows authenticated users with Contributor privileges or higher to inject malicious scripts via custom fields that execute in other users' browsers. The vulnerability stems from inadequate input sanitization and output encoding, enabling attackers to compromise page integrity and steal user data. No patch is currently available.
Stored DOM-based XSS in WordPress WP Accessibility plugin (versions up to 2.3.1) allows authenticated contributors and above to inject malicious scripts via image alt attributes when the Long Description UI feature is enabled and configured as a link. The injected scripts execute in the browsers of any user accessing affected pages. No patch is currently available and exploitation requires specific plugin settings to be enabled.
Cross-site scripting (XSS) in SourceCodester Doctor Appointment System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the Email parameter in the /register.php Sign Up Page. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The lack of an available patch leaves affected systems vulnerable to session hijacking and credential theft.
The Xpro Addons - 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Scroller widget box link attribute in all versions up to, and including, 1.4.24 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. [CVSS 6.4 MEDIUM]
Stored XSS in osctrl-admin prior to version 0.5.0 allows low-privileged users with query permissions to inject malicious JavaScript into the on-demand query list, affecting all users who view the page. An attacker can exploit this vulnerability to steal CSRF tokens and impersonate other users, potentially compromising the entire platform if an administrator is compromised. A patch is available in version 0.5.0.
Stored XSS in Initiative project management platform versions before 0.32.4 allows authenticated users with upload permissions to execute arbitrary JavaScript by uploading malicious HTML files that are served without sandboxing under the application's origin. An attacker can exploit this to steal authentication tokens, session cookies, and other sensitive data from other users, or trick them into executing malicious scripts by sharing direct file links. Public exploit code exists and no patch is currently available.
Stored cross-site scripting in Discourse allows attackers to inject malicious HTML through user full names when specific display settings are enabled, which executes in the browsers of users viewing or editing affected posts. The vulnerability requires the `display_name_on_posts` setting to be true and `prioritize_username_in_ux` to be false, potentially affecting installations with these configurations. No patch is currently available, and users should disable the vulnerable display settings or upgrade to patched versions 2025.12.2, 2026.1.1, or 2026.2.0.
A reflected Cross-Site Scripting (XSS) vulnerability exists in the register.php backend script of PuneethReddyHC Event Management System 1.0. [CVSS 5.4 MEDIUM]
A3factura's sales delivery notes endpoint is vulnerable to reflected XSS through the customerVATNumber parameter, enabling attackers to execute arbitrary JavaScript in users' browsers via malicious links. The vulnerability requires user interaction and affects the confidentiality and integrity of victim sessions, with no patch currently available. The attack has low complexity and can impact multiple users if the vulnerable parameter is exploited in phishing or watering hole scenarios.
A3factura's sales invoice endpoint is vulnerable to reflected XSS through the customerName parameter, enabling attackers to execute arbitrary JavaScript in users' browsers via a crafted link. This requires user interaction to trigger but affects all A3factura users on the vulnerable platform. No patch is currently available.
Reflected XSS in the A3factura customer management interface allows unauthenticated attackers to inject malicious scripts through the name parameter, potentially enabling session hijacking or credential theft when victims click a crafted link. The vulnerability requires user interaction and affects the web application at wolterskluwer.es, with no patch currently available.
A3factura's representatives management endpoint contains a reflected XSS vulnerability in the 'name' parameter that enables attackers to inject and execute arbitrary JavaScript in users' browsers through a crafted URL. An attacker can exploit this via social engineering to steal session tokens, manipulate account data, or perform unauthorized actions on behalf of the victim. Currently no patch is available for this medium-severity vulnerability affecting the Wolters Kluwer A3factura platform.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dokuzsoft Technology Ltd. E-Commerce Product allows Reflected XSS. This issue affects E-Commerce Product: through 10122025. [CVSS 7.6 HIGH]
Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link. [CVSS 5.4 MEDIUM]
Stored cross-site scripting in UX-themes Flatsome version 3.20.1 and earlier enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. The vulnerability requires user interaction to trigger the stored payload, and no patch is currently available.
PcVue's web server fails to set proper HTTP security headers in its responses, enabling cross-site scripting (XSS) attacks against users who interact with the application. An unauthenticated attacker can exploit this through user interaction to execute malicious scripts, potentially compromising confidentiality and integrity. No patch is currently available.
Cross-site scripting (XSS) in PcVue's OAuth error page (versions 12.0.0-16.3.3) allows remote attackers to inject malicious scripts by tricking users into authenticating with a crafted client ID, potentially compromising the WebVue, WebScheduler, TouchVue, and SnapVue components. An attacker can exploit this to steal session tokens or perform actions on behalf of affected users. No patch is currently available.
Audiobookshelf Mobile App versions up to 0.12.0 are affected by cross-site scripting (XSS) (CVSS 4.8).
Stored XSS in Audiobookshelf prior to version 2.32.0 enables privileged users to inject malicious code into library metadata that executes in other users' browsers, potentially compromising sessions and enabling data theft. Public exploit code exists for this vulnerability. A patch is available in version 2.32.0 and later.
Stored cross-site scripting in the EM Cost Calculator WordPress plugin up to version 2.3.1 allows unauthenticated attackers to inject malicious scripts through the customer name field, which execute when administrators access the customer list. An attacker can exploit this to steal admin credentials or perform unauthorized actions within the WordPress environment. No patch is currently available for this vulnerability.
Stored XSS in the WordPress Custom Logo plugin through version 2.2 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users. This affects multi-site WordPress installations and single-site setups where unfiltered_html is disabled, requiring high-privilege attacker access but enabling persistent script injection across affected pages.
Stored XSS in WP Social Meta plugin through 1.0.1 allows authenticated administrators to inject malicious scripts into WordPress admin settings that execute for all users viewing affected pages, impacting multi-site installations and configurations with disabled unfiltered_html. The vulnerability requires high administrative privileges and complex exploitation conditions, making practical attacks unlikely despite network accessibility.
The TP2WP Importer plugin for WordPress contains a stored cross-site scripting vulnerability in the attachment importer settings that allows authenticated administrators to inject malicious scripts through the 'Watched domains' textarea due to inadequate input sanitization and output escaping. When other users access the affected settings page, the injected scripts execute in their browsers, potentially allowing administrators to perform unauthorized actions or steal sensitive data. The vulnerability affects all versions up to and including 1.1 with no patch currently available.
Livemesh Addons for Beaver Builder (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 6.4).
Stored XSS in Audiobookshelf Mobile App prior to version 0.12.0-beta allows authenticated users with library modification privileges to inject malicious JavaScript through metadata, enabling arbitrary code execution within victim users' browsers and WebViews. Successful exploitation could lead to session hijacking, data theft, and unauthorized access to native device APIs. A patch is available in version 0.12.0-beta and later.
Angular versions before 21.2.0, 21.1.16, 20.3.17, and 19.2.19 contain a cross-site scripting vulnerability in the i18n pipeline where translated ICU messages fail to properly sanitize HTML content, allowing attackers to inject and execute arbitrary JavaScript. Applications using Angular's internationalization features with externally translated content are at risk, particularly when translations are provided by third parties. A patch is available for affected versions.
Reflected XSS in Copyparty before version 1.20.9 allows unauthenticated attackers to inject malicious scripts through the setck URL parameter, potentially enabling session hijacking or credential theft from affected users. The vulnerability requires user interaction to click a crafted link but can be exploited remotely without authentication. A patch is available in version 1.20.9 and later.
Improper output encoding in Svelte versions prior to 5.53.5 allows attackers to inject malicious HTML and execute arbitrary JavaScript in user browsers through unescaped error messages returned by the transformError function. An attacker who can control error content can exploit this XSS vulnerability to compromise application security and user data. A patch is available in version 5.53.5 and later.
Svelte versions prior to 5.53.5 fail to properly escape text bindings on contenteditable elements, allowing attackers to inject malicious HTML and execute arbitrary scripts when the application renders untrusted data as initial binding values during server-side rendering. This affects applications that use `bind:innerText` or `bind:textContent` with user-controlled input. A patch is available in version 5.53.5.
Improper output encoding in Sub2API AI API gateway allows injection attacks. The platform distributes AI API quotas without properly encoding output.
n8n is an open source workflow automation platform. [CVSS 5.4 MEDIUM]
Stored cross-site scripting (XSS) in Vikunja prior to version 2.0.0 allows authenticated attackers to steal authentication tokens by uploading malicious SVG files containing JavaScript that executes when accessed directly. The vulnerability exists because the application fails to sanitize SVG content before storage and renders it inline under the application origin, enabling token theft from localStorage. Public exploit code exists for this vulnerability and no patch is currently available for affected versions.
Injection vulnerability in Storybook frontend workshop before 7.6.23 allows injecting malicious content through component stories. Patch available.
Vikunja is an open-source self-hosted task management platform. [CVSS 6.1 MEDIUM]
Stored XSS in Rucio's WebUI Custom RSE Attribute field allows authenticated attackers to inject malicious JavaScript that persists in the backend and executes for any user viewing affected pages, potentially leading to session hijacking or unauthorized actions. Public exploit code exists for this vulnerability, which affects Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1. No patch is currently available for all affected versions.
Stored XSS in Rucio's WebUI Identity Name field allows authenticated attackers to inject malicious scripts that execute in users' browsers, enabling session hijacking or unauthorized actions. The vulnerability affects versions prior to 35.8.3, 38.5.4, and 39.3.1, and public exploit code exists. Administrators should upgrade immediately as no patch availability timeline has been announced for unpatched versions.
Stored XSS in Rucio's WebUI RSE metadata allows authenticated attackers to inject malicious scripts that execute in users' browsers when viewing affected pages, potentially leading to session hijacking or unauthorized actions. The vulnerability affects Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1, and public exploit code exists. A security update is available in the patched versions listed above.
Stored XSS in Rucio's WebUI Custom Rules function allows authenticated attackers to inject malicious JavaScript that persists in the backend and executes when other users view affected pages, enabling session hijacking or unauthorized actions. Versions prior to 35.8.3, 38.5.4, and 39.3.1 are vulnerable, and public exploit code exists. Patches are available in the affected version branches.
Session hijacking in Rucio's WebUI error page allows unauthenticated attackers to steal user login tokens via reflected cross-site scripting in specially crafted URLs, affecting versions prior to 35.8.3, 38.5.4, and 39.3.1. Public exploit code exists for this vulnerability. Users should upgrade to patched versions immediately as no workarounds are available.
Stored XSS in VMware Aria Operations allows authenticated users with benchmark creation privileges to inject malicious scripts and execute arbitrary administrative actions within the platform. This vulnerability affects VMware, Broadcom, and Telco Cloud Infrastructure products with a CVSS score of 8.0, requiring user interaction to trigger the attack. Patches are available through VMSA-2026-0001.
Stored XSS in OpenEMR prior to version 8.0.0 allows authenticated users with "Forms administration" role to inject malicious JavaScript into patient encounter forms, which executes when other users with the same role view the affected data. Public exploit code exists for this vulnerability. The issue is resolved in version 8.0.0.
The web-based management interface of Cisco FXOS Software and Cisco UCS Manager Software is affected by cross-site scripting (XSS) (CVSS 4.8).
Secure Copy Content Protection and Content Locking (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 6.4).
Patients Waiting Area Queue Management System versions up to 1.0 are affected by cross-site scripting (XSS) (CVSS 3.5).
Patients Waiting Area Queue Management System versions up to 1.0 are affected by cross-site scripting (XSS) (CVSS 2.4).
Stored XSS in Rise Blocks WordPress plugin versions up to 3.7 allows authenticated contributors and above to inject malicious scripts into pages through the logoTag Site Identity block attribute due to inadequate input sanitization. The injected scripts execute in the browsers of all users who access the compromised pages, potentially leading to credential theft, session hijacking, or malware distribution. No patch is currently available.
Reflected XSS in SPIP jeux plugin before version 4.1.1 allows unauthenticated remote attackers to inject malicious scripts through unencoded request parameters in the pre_propre pipeline. An attacker can craft a malicious URL that, when visited by a victim, executes arbitrary JavaScript in the victim's browser with access to the page's context. A patch is available for affected installations.
Stored XSS in Mercator prior to version 2026.02.22 allows authenticated users to execute arbitrary JavaScript in other users' browsers by injecting malicious payloads into entity fields like contact points. The vulnerability exploits improperly escaped Blade template directives, enabling attackers to compromise administrator accounts and perform actions with their privileges. A patch is available in version 2026.02.22.
Stored cross-site scripting in Karakeep 0.30.0 allows remote attackers to execute arbitrary JavaScript in users' browsers by injecting malicious HTML through the Reddit metascraper plugin, which bypasses sanitization that is applied to other content sources. The vulnerability exists because the Reddit plugin's HTML output is rendered directly via dangerouslySetInnerHTML without DOMPurify filtering, and public exploit code is available. Version 0.31.0 contains the patch.
Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored objects and executes when accessed. PoC available.
Stored XSS in TypiCMS prior to version 16.1.7 allows authenticated users to upload malicious SVG files that execute JavaScript in administrators' browsers, compromising their sessions through unsanitized file content. Public exploit code exists for this vulnerability affecting Laravel-based TypiCMS installations. The flaw stems from insufficient validation of SVG file contents despite MIME type checks being present.
Reflected XSS in Repostat's RepoCard React component prior to version 1.0.1 allows attackers to execute arbitrary JavaScript in users' browsers when developers pass unsanitized input from URL parameters or other sources to the repo prop. The vulnerability stems from unsafe use of dangerouslySetInnerHTML without input validation, and public exploit code exists. Upgrading to version 1.0.1 or later eliminates the risk by removing dangerouslySetInnerHTML in favor of safe JSX data binding.
Cross-site scripting (XSS) in OpenEMR prior to version 8.0.0 allows unauthenticated attackers to inject malicious scripts through the translation database, as the `xl()` function returns unescaped strings that are used directly in the application without proper context-specific escaping. An attacker with database access could exploit this to execute arbitrary JavaScript in users' browsers and compromise sensitive patient data or application functionality. The vulnerability is resolved in OpenEMR 8.0.0 and later versions.
OpenEMR is a free and open source electronic health records and medical practice management application. [CVSS 8.7 HIGH]
OpenEMR is a free and open source electronic health records and medical practice management application. Versions 5.0.0.5 through 7.0.3.4 have a stored cross-site scripting vulnerability in the ub04 helper of the billing interface. [CVSS 5.4 MEDIUM]
Stored XSS in GetSimpleCMS Community Edition 3.3.16 allows authenticated administrators to inject malicious JavaScript through the component slug field, which persists in XML storage and executes when other users access the Components page. An attacker with admin privileges can exploit this to hijack sessions, perform unauthorized administrative actions, and persistently compromise the CMS interface for all authenticated users. The vulnerability affects PHP-based GetSimpleCMS installations and currently has no available patch.
A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homepage could lead to unauthorized access and remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4 and FileMaker Server 21.1.7. [CVSS 6.1 MEDIUM]
Dell Wyse Management Suite versions before 5.5 contain a cross-site scripting (XSS) vulnerability that allows authenticated remote attackers to inject malicious scripts into web pages. An attacker with low privileges and user interaction can exploit this to execute arbitrary JavaScript in the context of other users' sessions. A patch is available to remediate this vulnerability.
Stored cross-site scripting in Binardat 10G08-0800GSM network switch firmware through version V300SP10260209 enables attackers to execute arbitrary JavaScript within authenticated user sessions via the web interface. An attacker with network access can inject malicious scripts that execute in the context of legitimate users, potentially leading to session hijacking, credential theft, or unauthorized configuration changes. No patch is currently available.
Reflected XSS in SourceCodester Modern Image Gallery App 1.0 allows unauthenticated remote attackers to inject malicious scripts through the filename parameter in upload.php. Public exploit code exists for this vulnerability, though it requires user interaction to succeed. No patch is currently available.
Cross-site scripting (XSS) via the hint parameter in Alinto SOGo 5.12.3/5.12.4 allows unauthenticated remote attackers to inject malicious scripts through a user-interactive attack vector. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or responded to disclosure efforts. The impact is limited to integrity compromise with no confidentiality or availability impact.
Stored XSS in Craft CMS 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22 allows high-privileged administrators to inject malicious scripts into HTML-type table columns that execute in other users' browsers. Exploitation requires admin-level access and the `allowAdminChanges` setting enabled in production, limiting the risk to environments with already-compromised administrative accounts. Patches are available in versions 4.16.19 and 5.8.23.
A flaw has been found in horilla-opensource horilla up to 1.0.2. An unknown function of the file static/assets/js/global.js in the Leads Module component is impacted. [CVSS 3.5 LOW]
New API LLM gateway versions before 0.10.8-alpha.9 are vulnerable to stored cross-site scripting through the MarkdownRenderer component, which fails to sanitize script tags in model outputs. An authenticated attacker with user interaction can inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. Public exploit code exists for this vulnerability, though a patch is available.
Reflected cross-site scripting in itsourcecode Event Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the page parameter in /admin/navbar.php. Public exploit code exists for this vulnerability, enabling attackers to steal session tokens or perform actions on behalf of administrators. No patch is currently available.
A security vulnerability has been detected in xingfuggz BaykeShop up to 1.3.20. An unknown function of the file src/baykeshop/contrib/article/templates/baykeshop/sidebar/custom.html in the Article Sidebar Module component is impacted. Manipulation of the argument sidebar.content leads to cross-site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and ...
Cross-site scripting (XSS) in the doAdd function of Jeewms up to version 3.7 allows unauthenticated remote attackers to inject malicious scripts through the Name parameter. Public exploit code exists for this vulnerability, and the vendor has not released patches or responded to disclosure attempts. An attacker can exploit this via user interaction to perform actions in the context of the affected application.
Stored XSS in Bludit 3.16.2 allows authenticated users to inject malicious JavaScript into post content that executes when viewed by other users, enabling session hijacking and credential theft. The vulnerability exists because the application relies solely on client-side input validation while failing to sanitize or encode content server-side. Public exploit code is available, though no patch has been released yet.
Reflected cross-site scripting in Jeewms up to version 3.7 exists in the UEditor component's getContent.jsp file through unsanitized input in the myEditor parameter, allowing remote attackers to inject malicious scripts. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification.
Cross-site scripting (XSS) in PMD's legacy vbhtml and yahtml report formats allows arbitrary JavaScript execution when HTML reports are opened in a browser, triggered by analyzing malicious source code containing crafted string literals. Public exploit code exists for this vulnerability affecting PMD versions prior to 7.22.0. The impact is limited since these legacy formats are rarely used and the default html format is properly escaped.
Kiteworks Email Protection Gateway prior to version 9.2.0 contains a stored cross-site scripting vulnerability in its configuration interface that allows authenticated administrators to inject malicious scripts executed against other users. An admin with high privileges can exploit this to compromise user sessions and data through the affected UI. No patch is currently available for this vulnerability.
Stored cross-site scripting in ClipBucket v5 prior to version 5.5.3 #59 allows authenticated users to inject malicious scripts that execute when viewed by administrators, enabling session hijacking or credential theft. Public exploit code exists for this vulnerability, which affects the open-source video sharing platform and has been patched in the latest release.
Sl902-Swtgw124As Firmware versions up to 200.1.20 are affected by cross-site scripting (XSS) (CVSS 6.1).
CleverTap Web SDK versions 1.15.2 and earlier contain a DOM-based XSS vulnerability in the Visual Builder module due to improper origin validation of postMessage events, allowing attackers to inject malicious scripts through crafted subdomains. Public exploit code exists for this vulnerability, which affects all users of the affected SDK versions. An attacker can execute arbitrary JavaScript in the context of a victim's browser session to steal sensitive data or perform unauthorized actions.
CleverTap Web SDK through version 1.15.2 contains a cross-site scripting vulnerability in its postMessage handler that fails to properly validate message origins, allowing attackers to inject malicious scripts by exploiting subdomain bypass techniques. Public exploit code exists for this vulnerability, and affected applications can be compromised through user interaction. A patch is available to address the insufficient origin validation in the nativeDisplay.js component.
PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. [CVSS 8.7 HIGH]
Authenticated Iframe Injection in Dato CMS Web Previews plugin. This vulnerability permits a malicious authenticated user to circumvent the restriction enforced on the configured frontend URL, enabling the loading of arbitrary external resources or origins.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KNOWHY Advanced Technology Trading Ltd. Co. [CVSS 6.3 MEDIUM]
PluXml CMS versions 5.8.21 and 5.9.0-rc7 contain a stored cross-site scripting vulnerability in the static pages editor that allows authenticated users with editing privileges to inject malicious JavaScript and HTML into pages. When other users visit the compromised pages, the injected code executes in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available from the vendor.
Stored XSS in PluXml CMS file upload functionality allows authenticated attackers to embed malicious payloads in SVG files that execute when victims directly access the uploaded files. The vulnerability affects at least versions 5.8.21 and 5.9.0-rc7, with other versions untested. No patch is currently available from the vendor.
Omega Psir contains a reflected cross-site scripting (XSS) vulnerability in the lang parameter that allows attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. The vulnerability affects unauthenticated users who click on attacker-controlled links, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this MEDIUM severity flaw.
The Electric Enquiries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button' parameter of the electric-enquiry shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
Stored XSS in Simple Download Monitor plugin for WordPress through version 4.0.5 allows authenticated users with Contributor privileges or higher to inject malicious scripts via custom fields that execute in other users' browsers. The vulnerability stems from inadequate input sanitization and output encoding, enabling attackers to compromise page integrity and steal user data. No patch is currently available.
Stored DOM-based XSS in WordPress WP Accessibility plugin (versions up to 2.3.1) allows authenticated contributors and above to inject malicious scripts via image alt attributes when the Long Description UI feature is enabled and configured as a link. The injected scripts execute in the browsers of any user accessing affected pages. No patch is currently available and exploitation requires specific plugin settings to be enabled.
Cross-site scripting (XSS) in SourceCodester Doctor Appointment System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the Email parameter in the /register.php Sign Up Page. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The lack of an available patch leaves affected systems vulnerable to session hijacking and credential theft.
The Xpro Addons - 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Scroller widget box link attribute in all versions up to, and including, 1.4.24 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. [CVSS 6.4 MEDIUM]
Stored XSS in osctrl-admin prior to version 0.5.0 allows low-privileged users with query permissions to inject malicious JavaScript into the on-demand query list, affecting all users who view the page. An attacker can exploit this vulnerability to steal CSRF tokens and impersonate other users, potentially compromising the entire platform if an administrator is compromised. A patch is available in version 0.5.0.
Stored XSS in Initiative project management platform versions before 0.32.4 allows authenticated users with upload permissions to execute arbitrary JavaScript by uploading malicious HTML files that are served without sandboxing under the application's origin. An attacker can exploit this to steal authentication tokens, session cookies, and other sensitive data from other users, or trick them into executing malicious scripts by sharing direct file links. Public exploit code exists and no patch is currently available.
Stored cross-site scripting in Discourse allows attackers to inject malicious HTML through user full names when specific display settings are enabled, which executes in the browsers of users viewing or editing affected posts. The vulnerability requires the `display_name_on_posts` setting to be true and `prioritize_username_in_ux` to be false, potentially affecting installations with these configurations. No patch is currently available, and users should disable the vulnerable display settings or upgrade to patched versions 2025.12.2, 2026.1.1, or 2026.2.0.
A reflected Cross-Site Scripting (XSS) vulnerability exists in the register.php backend script of PuneethReddyHC Event Management System 1.0. [CVSS 5.4 MEDIUM]
A3factura's sales delivery notes endpoint is vulnerable to reflected XSS through the customerVATNumber parameter, enabling attackers to execute arbitrary JavaScript in users' browsers via malicious links. The vulnerability requires user interaction and affects the confidentiality and integrity of victim sessions, with no patch currently available. The attack has low complexity and can impact multiple users if the vulnerable parameter is exploited in phishing or watering hole scenarios.
A3factura's sales invoice endpoint is vulnerable to reflected XSS through the customerName parameter, enabling attackers to execute arbitrary JavaScript in users' browsers via a crafted link. This requires user interaction to trigger but affects all A3factura users on the vulnerable platform. No patch is currently available.
Reflected XSS in the A3factura customer management interface allows unauthenticated attackers to inject malicious scripts through the name parameter, potentially enabling session hijacking or credential theft when victims click a crafted link. The vulnerability requires user interaction and affects the web application at wolterskluwer.es, with no patch currently available.
A3factura's representatives management endpoint contains a reflected XSS vulnerability in the 'name' parameter that enables attackers to inject and execute arbitrary JavaScript in users' browsers through a crafted URL. An attacker can exploit this via social engineering to steal session tokens, manipulate account data, or perform unauthorized actions on behalf of the victim. Currently no patch is available for this medium-severity vulnerability affecting the Wolters Kluwer A3factura platform.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dokuzsoft Technology Ltd. E-Commerce Product allows Reflected XSS. This issue affects E-Commerce Product: through 10122025. [CVSS 7.6 HIGH]
Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link. [CVSS 5.4 MEDIUM]
Stored cross-site scripting in UX-themes Flatsome version 3.20.1 and earlier enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. The vulnerability requires user interaction to trigger the stored payload, and no patch is currently available.
PcVue's web server fails to set proper HTTP security headers in its responses, enabling cross-site scripting (XSS) attacks against users who interact with the application. An unauthenticated attacker can exploit this through user interaction to execute malicious scripts, potentially compromising confidentiality and integrity. No patch is currently available.
Cross-site scripting (XSS) in PcVue's OAuth error page (versions 12.0.0-16.3.3) allows remote attackers to inject malicious scripts by tricking users into authenticating with a crafted client ID, potentially compromising the WebVue, WebScheduler, TouchVue, and SnapVue components. An attacker can exploit this to steal session tokens or perform actions on behalf of affected users. No patch is currently available.
Audiobookshelf Mobile App versions up to 0.12.0 are affected by cross-site scripting (XSS) (CVSS 4.8).
Stored XSS in Audiobookshelf prior to version 2.32.0 enables privileged users to inject malicious code into library metadata that executes in other users' browsers, potentially compromising sessions and enabling data theft. Public exploit code exists for this vulnerability. A patch is available in version 2.32.0 and later.
Stored cross-site scripting in the EM Cost Calculator WordPress plugin up to version 2.3.1 allows unauthenticated attackers to inject malicious scripts through the customer name field, which execute when administrators access the customer list. An attacker can exploit this to steal admin credentials or perform unauthorized actions within the WordPress environment. No patch is currently available for this vulnerability.
Stored XSS in the WordPress Custom Logo plugin through version 2.2 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users. This affects multi-site WordPress installations and single-site setups where unfiltered_html is disabled, requiring high-privilege attacker access but enabling persistent script injection across affected pages.
Stored XSS in WP Social Meta plugin through 1.0.1 allows authenticated administrators to inject malicious scripts into WordPress admin settings that execute for all users viewing affected pages, impacting multi-site installations and configurations with disabled unfiltered_html. The vulnerability requires high administrative privileges and complex exploitation conditions, making practical attacks unlikely despite network accessibility.
The TP2WP Importer plugin for WordPress contains a stored cross-site scripting vulnerability in the attachment importer settings that allows authenticated administrators to inject malicious scripts through the 'Watched domains' textarea due to inadequate input sanitization and output escaping. When other users access the affected settings page, the injected scripts execute in their browsers, potentially allowing administrators to perform unauthorized actions or steal sensitive data. The vulnerability affects all versions up to and including 1.1 with no patch currently available.
Livemesh Addons for Beaver Builder (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 6.4).
Stored XSS in Audiobookshelf Mobile App prior to version 0.12.0-beta allows authenticated users with library modification privileges to inject malicious JavaScript through metadata, enabling arbitrary code execution within victim users' browsers and WebViews. Successful exploitation could lead to session hijacking, data theft, and unauthorized access to native device APIs. A patch is available in version 0.12.0-beta and later.
Angular versions before 21.2.0, 21.1.16, 20.3.17, and 19.2.19 contain a cross-site scripting vulnerability in the i18n pipeline where translated ICU messages fail to properly sanitize HTML content, allowing attackers to inject and execute arbitrary JavaScript. Applications using Angular's internationalization features with externally translated content are at risk, particularly when translations are provided by third parties. A patch is available for affected versions.
Reflected XSS in Copyparty before version 1.20.9 allows unauthenticated attackers to inject malicious scripts through the setck URL parameter, potentially enabling session hijacking or credential theft from affected users. The vulnerability requires user interaction to click a crafted link but can be exploited remotely without authentication. A patch is available in version 1.20.9 and later.
Improper output encoding in Svelte versions prior to 5.53.5 allows attackers to inject malicious HTML and execute arbitrary JavaScript in user browsers through unescaped error messages returned by the transformError function. An attacker who can control error content can exploit this XSS vulnerability to compromise application security and user data. A patch is available in version 5.53.5 and later.
Svelte versions prior to 5.53.5 fail to properly escape text bindings on contenteditable elements, allowing attackers to inject malicious HTML and execute arbitrary scripts when the application renders untrusted data as initial binding values during server-side rendering. This affects applications that use `bind:innerText` or `bind:textContent` with user-controlled input. A patch is available in version 5.53.5.
Improper output encoding in Sub2API AI API gateway allows injection attacks. The platform distributes AI API quotas without properly encoding output.
n8n is an open source workflow automation platform. [CVSS 5.4 MEDIUM]
Stored cross-site scripting (XSS) in Vikunja prior to version 2.0.0 allows authenticated attackers to steal authentication tokens by uploading malicious SVG files containing JavaScript that executes when accessed directly. The vulnerability exists because the application fails to sanitize SVG content before storage and renders it inline under the application origin, enabling token theft from localStorage. Public exploit code exists for this vulnerability and no patch is currently available for affected versions.
Injection vulnerability in Storybook frontend workshop before 7.6.23 allows injecting malicious content through component stories. A patch is available.
Vikunja is an open-source self-hosted task management platform. [CVSS 6.1 MEDIUM]
Stored XSS in Rucio's WebUI Custom RSE Attribute field allows authenticated attackers to inject malicious JavaScript that persists in the backend and executes for any user viewing affected pages, potentially leading to session hijacking or unauthorized actions. Public exploit code exists for this vulnerability, which affects Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1. No patch is currently available for all affected versions.
Stored XSS in Rucio's WebUI Identity Name field allows authenticated attackers to inject malicious scripts that execute in users' browsers, enabling session hijacking or unauthorized actions. The vulnerability affects versions prior to 35.8.3, 38.5.4, and 39.3.1, and public exploit code exists. Administrators should upgrade immediately as no patch availability timeline has been announced for unpatched versions.
Stored XSS in Rucio's WebUI RSE metadata allows authenticated attackers to inject malicious scripts that execute in users' browsers when viewing affected pages, potentially leading to session hijacking or unauthorized actions. The vulnerability affects Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1, and public exploit code exists. A security update is available in the patched versions listed above.
Stored XSS in Rucio's WebUI Custom Rules function allows authenticated attackers to inject malicious JavaScript that persists in the backend and executes when other users view affected pages, enabling session hijacking or unauthorized actions. Versions prior to 35.8.3, 38.5.4, and 39.3.1 are vulnerable, and public exploit code exists. Patches are available in the affected version branches.
Reflected cross-site scripting in Rucio's WebUI error page allows unauthenticated attackers to steal user login tokens via specially crafted URLs, affecting versions prior to 35.8.3, 38.5.4, and 39.3.1. Public exploit code exists for this vulnerability. Users should upgrade to patched versions immediately as no workarounds are available.
Stored XSS in VMware Aria Operations allows authenticated users with benchmark creation privileges to inject malicious scripts and execute arbitrary administrative actions within the platform. This vulnerability affects VMware, Broadcom, and Telco Cloud Infrastructure products with a CVSS score of 8.0, requiring user interaction to trigger the attack. Patches are available through VMSA-2026-0001.
Stored XSS in OpenEMR prior to version 8.0.0 allows authenticated users with "Forms administration" role to inject malicious JavaScript into patient encounter forms, which executes when other users with the same role view the affected data. Public exploit code exists for this vulnerability. The issue is resolved in version 8.0.0.
The web-based management interface of Cisco FXOS Software and Cisco UCS Manager Software is affected by cross-site scripting (XSS) (CVSS 4.8).
Secure Copy Content Protection and Content Locking (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 6.4).
Patients Waiting Area Queue Management System versions up to 1.0 are affected by cross-site scripting (XSS) (CVSS 3.5).
Patients Waiting Area Queue Management System versions up to 1.0 are affected by cross-site scripting (XSS) (CVSS 2.4).
Stored XSS in Rise Blocks WordPress plugin versions up to 3.7 allows authenticated contributors and above to inject malicious scripts into pages through the logoTag Site Identity block attribute due to inadequate input sanitization. The injected scripts execute in the browsers of all users who access the compromised pages, potentially leading to credential theft, session hijacking, or malware distribution. No patch is currently available.
Reflected XSS in SPIP jeux plugin before version 4.1.1 allows unauthenticated remote attackers to inject malicious scripts through unencoded request parameters in the pre_propre pipeline. An attacker can craft a malicious URL that, when visited by a victim, executes arbitrary JavaScript in the victim's browser with access to the page's context. A patch is available for affected installations.
Stored XSS in Mercator prior to version 2026.02.22 allows authenticated users to execute arbitrary JavaScript in other users' browsers by injecting malicious payloads into entity fields like contact points. The vulnerability stems from improperly escaped Blade template directives, enabling attackers to compromise administrator accounts and perform actions with their privileges. A patch is available in version 2026.02.22.
Stored cross-site scripting in Karakeep 0.30.0 allows remote attackers to execute arbitrary JavaScript in users' browsers by injecting malicious HTML through the Reddit metascraper plugin, which bypasses sanitization that is applied to other content sources. The vulnerability exists because the Reddit plugin's HTML output is rendered directly via dangerouslySetInnerHTML without DOMPurify filtering, and public exploit code is available. Version 0.31.0 contains the patch.
RustFS distributed object storage system before 1.0.0-alpha.83 contains a stored XSS vulnerability: malicious JavaScript persists in stored objects and executes when they are accessed. A PoC is available.
Stored XSS in TypiCMS prior to version 16.1.7 allows authenticated users to upload malicious SVG files that execute JavaScript in administrators' browsers, compromising their sessions through unsanitized file content. Public exploit code exists for this vulnerability affecting Laravel-based TypiCMS installations. The flaw stems from insufficient validation of SVG file contents despite MIME type checks being present.
Reflected XSS in Repostat's RepoCard React component prior to version 1.0.1 allows attackers to execute arbitrary JavaScript in users' browsers when developers pass unsanitized input from URL parameters or other sources to the repo prop. The vulnerability stems from unsafe use of dangerouslySetInnerHTML without input validation, and public exploit code exists. Upgrading to version 1.0.1 or later eliminates the risk by removing dangerouslySetInnerHTML in favor of safe JSX data binding.
Cross-site scripting (XSS) in OpenEMR prior to version 8.0.0 allows unauthenticated attackers to inject malicious scripts through the translation database, as the `xl()` function returns unescaped strings that are used directly in the application without proper context-specific escaping. An attacker with database access could exploit this to execute arbitrary JavaScript in users' browsers and compromise sensitive patient data or application functionality. The vulnerability is resolved in OpenEMR 8.0.0 and later versions.
OpenEMR is a free and open source electronic health records and medical practice management application. [CVSS 8.7 HIGH]
OpenEMR is a free and open source electronic health records and medical practice management application. Versions 5.0.0.5 through 7.0.3.4 have a stored cross-site scripting vulnerability in the ub04 helper of the billing interface. [CVSS 5.4 MEDIUM]
Stored XSS in GetSimpleCMS Community Edition 3.3.16 allows authenticated administrators to inject malicious JavaScript through the component slug field, which persists in XML storage and executes when other users access the Components page. An attacker with admin privileges can exploit this to hijack sessions, perform unauthorized administrative actions, and persistently compromise the CMS interface for all authenticated users. The vulnerability affects PHP-based GetSimpleCMS installations and currently has no available patch.
A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homepage could lead to unauthorized access and remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4 and FileMaker Server 21.1.7. [CVSS 6.1 MEDIUM]
Dell Wyse Management Suite versions before 5.5 contain a cross-site scripting (XSS) vulnerability that allows authenticated remote attackers to inject malicious scripts into web pages. An attacker with low privileges and user interaction can exploit this to execute arbitrary JavaScript in the context of other users' sessions. A patch is available to remediate this vulnerability.
Stored cross-site scripting in Binardat 10G08-0800GSM network switch firmware through version V300SP10260209 enables attackers to execute arbitrary JavaScript within authenticated user sessions via the web interface. An attacker with network access can inject malicious scripts that execute in the context of legitimate users, potentially leading to session hijacking, credential theft, or unauthorized configuration changes. No patch is currently available.
Reflected XSS in SourceCodester Modern Image Gallery App 1.0 allows unauthenticated remote attackers to inject malicious scripts through the filename parameter in upload.php. Public exploit code exists for this vulnerability, though it requires user interaction to succeed. No patch is currently available.
Cross-site scripting (XSS) via the hint parameter in Alinto SOGo 5.12.3/5.12.4 allows unauthenticated remote attackers to inject malicious scripts through a user-interactive attack vector. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or responded to disclosure efforts. The impact is limited to integrity compromise with no confidentiality or availability impact.
Stored XSS in Craft CMS 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22 allows high-privileged administrators to inject malicious scripts into HTML-type table columns that execute in other users' browsers. Exploitation requires admin-level access and the `allowAdminChanges` setting enabled in production, limiting the risk to environments with already-compromised administrative accounts. Patches are available in versions 4.16.19 and 5.8.23.
A flaw has been found in horilla-opensource horilla up to 1.0.2. An unknown function of the file static/assets/js/global.js of the component Leads Module is impacted. [CVSS 3.5 LOW]
New API LLM gateway versions before 0.10.8-alpha.9 are vulnerable to stored cross-site scripting through the MarkdownRenderer component, which fails to sanitize script tags in model outputs. An authenticated attacker with user interaction can inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. Public exploit code exists for this vulnerability, though a patch is available.
Reflected cross-site scripting in itsourcecode Event Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the page parameter in /admin/navbar.php. Public exploit code exists for this vulnerability, enabling attackers to steal session tokens or perform actions on behalf of administrators. No patch is currently available.
A security vulnerability has been detected in xingfuggz BaykeShop up to 1.3.20. An unknown function of the file src/baykeshop/contrib/article/templates/baykeshop/sidebar/custom.html of the component Article Sidebar Module is impacted. Manipulation of the argument sidebar.content leads to cross-site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and ...