XSS
Monthly
DOM-based cross-site scripting in the GiveWP WordPress donation plugin (versions up to and including 4.14.5) allows remote attackers to execute arbitrary JavaScript in a victim's browser session after the victim interacts with an attacker-supplied link or page element. The flaw carries a CVSS 7.1 score driven by changed scope (S:C), meaning impact extends beyond the vulnerable component into the surrounding WordPress site context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Reflected cross-site scripting in Vitest browser mode (@vitest/browser) allows attackers to execute arbitrary JavaScript in the Vitest server origin by luring a developer to a crafted /__vitest_test__/ URL with a malicious otelCarrier query parameter. Because the same page embeds VITEST_API_TOKEN used to authenticate the Vitest WebSocket API, the XSS chains into full Node-side remote code execution by writing to vite.config.ts and triggering a config reload. Publicly available exploit code exists in the vendor's GHSA-2h32-95rg-cppp advisory, though no public exploit identified at time of analysis in CISA KEV.
Cross-site scripting via sanitizer bypass affects DOMPurify 3.4.4, the widely used npm HTML sanitization library maintained by cure53. The flaw stems from `<selectedcontent>` being permitted by default, allowing attackers to leverage browser re-cloning behavior so that an XSS payload is reinjected into a subtree DOMPurify has already walked. No public exploit identified at time of analysis in the form of in-the-wild attacks, but a fully working PoC is published in the GHSA advisory and active exploitation status is not listed in CISA KEV.
Cross-site scripting in Firefox for iOS Reader View allows unauthenticated remote attackers to inject arbitrary markup via maliciously crafted JSON-LD metadata on attacker-controlled pages. When a victim activates Reader View on such a page, injected HTML executes in the context of an internal Firefox origin, leaking sensitive URL parameters that can be leveraged to access internal pages and achieve arbitrary JavaScript execution with elevated browser-origin trust. Mozilla patched this in Firefox for iOS 151.2 per MFSA2026-53; no public exploit code and no CISA KEV listing have been identified at time of analysis.
Reader View in Firefox for iOS executes arbitrary JavaScript due to an incorrect template substitution order, enabling cross-site scripting via JSON-LD data injection. The flaw affects all Firefox for iOS versions prior to 151.2 running on Apple iOS devices; unauthenticated remote attackers can exploit this by luring users to a malicious page and having them activate Reader View, after which attacker-controlled placeholder strings embedded in the page's structured data are processed as executable script. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and no-auth-required access vector (per CVSS PR:N) make it feasible for opportunistic campaigns targeting iOS Firefox users.
Stored or reflected cross-site scripting in SourceCodester Pharmacy Sales and Inventory System 1.0 allows authenticated remote attackers to inject malicious scripts via the generic_name parameter of the create_generic_name function at /ShowForm/create_generic_name/main. Exploitation requires victim user interaction (UI:R) to trigger script execution, limiting impact to low integrity loss with no confidentiality or availability impact (CVSS 3.5). Publicly available exploit code exists per the GitHub issue tracker reference, though this CVE is not listed in the CISA KEV catalog and EPSS data was not provided in source intelligence.
Stored or reflected cross-site scripting in SourceCodester Pharmacy Sales and Inventory System 1.0 allows a low-privileged authenticated remote attacker to inject malicious JavaScript via the `medicine_presentation` argument in the `create_medicine_presentation` function at `/ShowForm/create_medicine_presentation/main`. Exploitation requires a victim user to interact with the affected page, limiting blast radius but still enabling session hijacking, credential theft, or UI redirection against authenticated users. Publicly available exploit code exists per a GitHub issue disclosure; no CISA KEV listing is present.
Stored or reflected cross-site scripting (XSS) in SourceCodester Pharmacy Sales and Inventory System 1.0 allows a remote, low-privileged attacker to inject arbitrary JavaScript via the company_name argument in the create_supplier function at /ShowForm/create_supplier/main. Successful exploitation requires a victim user to interact with the malicious content, limiting blast radius, but the CVSS temporal metric confirms a proof-of-concept exploit is publicly available via GitHub. No active exploitation has been identified in CISA KEV, though the low attack complexity and public POC make this a credible risk for unpatched deployments handling sensitive pharmaceutical inventory data.
Stored XSS in the Orca user portal is enabled by a multi-layer architectural failure in older Orca heat pump devices: device-to-server communications occur over unencrypted, unauthenticated HTTP on a non-secure port, and the server performs no input validation on the data it aggregates. An unauthenticated network attacker can impersonate a legitimate heat pump device, inject malicious JavaScript payloads into the data stream, which are then stored and rendered in the Orca user portal. When a portal user loads the affected page, the stored script executes, enabling session cookie theft and unauthorized actions within the portal. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Stored cross-site scripting in Dassault Systèmes DELMIA Service Process Engineer (Process Experience Studio component) across releases 3DEXPERIENCE R2024x through R2026x allows an authenticated low-privilege attacker to inject persistent script payloads that execute in another user's browser session. With a CVSS 3.1 base of 8.7 driven by scope change and high confidentiality/integrity impact, successful exploitation can compromise the victim's 3DEXPERIENCE session data and authority across trust boundaries. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Reflected cross-site scripting in the Stormshield Network Security (SNS) appliance login API allows network-accessible attackers to inject and execute arbitrary scripts in a victim's browser session. Affected versions span three distinct release branches: 4.3.0-4.3.41, 4.8.0-4.8.15, and 5.0.0-5.0.5. Successful exploitation can result in session cookie theft, sensitive data exfiltration, or redirection to attacker-controlled sites. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
HTTP response header injection in Apache ActiveMQ's web console MessageServlet exposes users to security header override and cross-site scripting attacks. The servlet copies every JMS message property directly into HTTP response headers without sanitization, meaning an attacker who can publish crafted JMS messages to a broker queue can override headers such as Content-Security-Policy or X-Frame-Options when a web console user views those messages. No public exploit has been identified at time of analysis, and EPSS of 0.03% (9th percentile) reflects low observed exploitation probability, though the no-privilege-required CVSS vector and Scope:Changed score signal meaningful impact on browser security posture if exploited.
Reflected XSS in SOPlanning 1.55 and below allows unauthenticated attackers to execute arbitrary JavaScript in the browsers of authenticated SOPlanning users by delivering a crafted malicious URL containing a payload in the `taches` parameter. The vulnerability stems from insufficient output sanitization of user-supplied input before it is reflected in the HTTP response. No public exploit code or CISA KEV listing exists at time of analysis; this was reported by CERT Poland (CERT.PL) and carries a CVSS 4.0 score of 5.1 (Medium).
Stored XSS in SOPlanning 1.55 and earlier allows an authenticated low-privileged attacker to persist malicious JavaScript inside the application by uploading a crafted backup archive through the /process/upload_backup endpoint. The payload, embedded in a user.csv file within a ZIP, executes in a victim's browser when they click the Edit button on the affected backup entry - enabling session hijacking or UI manipulation against any user who interacts with the backup management interface. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 5.1 correctly reflects the constrained impact ceiling imposed by required authentication and passive user interaction.
Cross-site scripting in SourceCodester Pharmacy Sales and Inventory System 1.0 allows a low-privileged authenticated attacker to inject malicious JavaScript via the `medicine_name` parameter at the `/ShowForm/create_medicine_name/main` endpoint, executing arbitrary scripts in the browsers of other users who view the affected page. The CVSS 4.0 score of 2.0 reflects a narrow impact profile - no confidentiality loss and only low integrity impact - but a publicly available proof-of-concept exploit exists (E:P), lowering the barrier to abuse in multi-user deployments such as shared pharmacy management environments. No active exploitation has been confirmed via CISA KEV.
Stored or reflected cross-site scripting in sendportal's Campaign Handler allows an authenticated low-privilege remote attacker to inject malicious script via the 'content' argument at the /webview/ endpoint, affecting all versions up to and including 3.0.1. A victim user must interact with the crafted content for the payload to execute, resulting in low-integrity impact with no confidentiality or availability consequences. No public exploit identified at time of analysis is incorrect here - publicly available exploit code exists (E:P in CVSS temporal), and the vendor has not responded to the coordinated disclosure, leaving no patch available.
Reflected or stored cross-site scripting (XSS) in raisulislamg4's student_management_system_by_php allows authenticated remote attackers to inject malicious scripts via the Message argument in admission_form_check.php. The vulnerability requires a victim to interact with a crafted link or page, triggering script execution in the context of another user's browser session. A public exploit exists per the GitHub issue report; however, the vendor has not responded to disclosure and no patch has been released.
Reflected cross-site scripting in OTRS 7.0.x and ((OTRS)) Community Edition 6.x and earlier allows remote attackers to execute arbitrary JavaScript in an authenticated agent's browser session by tricking the agent into clicking a crafted ticket-action URL. The CVSS 7.1 (UI:R) rating reflects the need for victim interaction, and no public exploit identified at time of analysis, but the high integrity impact and the ubiquity of OTRS-derived help-desk forks make this a meaningful risk for ticketing environments.
Cross-site scripting in Orthanc Explorer 2 versions up to and including 1.12.0 enables remote attackers to inject arbitrary JavaScript into the browser sessions of users who load a crafted URL, via the unsanitized `remote-source` query parameter processed by the StudyList.vue URL Handler. The CVSS 4.3 rating (AV:N/AC:L/PR:N/UI:R/S:U) reflects that no authentication is required of the attacker but victim interaction with a malicious link is necessary - a classic reflected XSS profile. Publicly available exploit code exists per VulDB and a referenced GitHub issue, and an upstream patch commit has been issued, though no officially tagged patched release has been independently confirmed from the canonical repository.
Reflected cross-site scripting in westboy CicadasCMS allows remote unauthenticated attackers to inject arbitrary JavaScript into a victim's browser via the unvalidated 's' search parameter in the Search function. All code up to and including commit 2431154dac8d0735e04f1fd2a3c3556668fc8dab is affected, with no patch released as of analysis - the vendor has not responded to the responsible disclosure. A publicly available exploit exists (CVSS E:P confirmed), elevating the urgency despite the moderate CVSS base score of 4.3.
Cross-site scripting in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 allows a high-privileged authenticated attacker to inject malicious script into the Name argument on the Dashboard Page, which executes in the browser of any user who subsequently views the affected page. The vulnerability requires both elevated privileges and victim interaction, placing real-world impact firmly in the low-to-negligible range despite network reachability. No public exploit identified at time of analysis as actively weaponized (no CISA KEV listing), though publicly available exploit code exists via a GitHub issue disclosure.
Cross-folder file rename and description tampering in Admidio's document management module allows any authenticated uploader to modify files in folders they cannot write to. The vulnerability affects Admidio <= 5.0.9 (composer package admidio/admidio): a low-privilege user holding upload rights on a single folder can rename files and overwrite descriptions in any other folder they can view, breaking integrity for all readers of those folders. Publicly available exploit code exists per the GitHub Security Advisory; no KEV listing at time of analysis.
Stored XSS in the TP-Link TL-SG108PE v5 web management interface allows an authenticated administrator on an adjacent network to inject persistent malicious script via the SYSNAM configuration parameter during a config file import operation. The injected payload is stored on the device and executes in any administrator's browser upon viewing the affected management page, enabling session cookie theft, unauthorized configuration changes, or exposure of sensitive management-plane data. No public exploit code has been identified at time of analysis, and CISA SSVC assessment rates exploitation as none and not automatable, consistent with the high privilege and adjacency prerequisites.
Stored XSS in JetBrains PyCharm's Jupyter notebook Markdown cell renderer allows a remote, unauthenticated attacker to execute arbitrary JavaScript in the context of a victim's PyCharm session by delivering a crafted notebook file. All PyCharm versions prior to 2025.3.4 are affected. The vulnerability carries no KEV listing and no public exploit has been identified at time of analysis, though the low attack complexity and lack of required privileges make opportunistic abuse via shared or repository-hosted notebooks plausible.
Stored cross-site scripting in JetBrains TeamCity's SAML login page allows a high-privileged attacker to inject persistent malicious scripts that execute in victims' browsers upon visiting the login page. All TeamCity versions prior to 2026.1 are affected. The changed scope (S:C) in the CVSS vector indicates the injected payload can affect browser sessions beyond the immediate component, though confidentiality impact is rated low and no integrity or availability loss is assessed. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Reflected cross-site scripting on the TeamCity repository download page allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a crafted URL. The Changed scope (S:C) in the CVSS vector indicates the payload can escape the vulnerable component and affect the victim's broader browser session, enabling session token theft, credential harvesting, or malicious redirects against TeamCity users. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Reflected cross-site scripting in JetBrains TeamCity before version 2026.1.1 allows remote attackers to execute arbitrary JavaScript in a victim's browser session by tricking them into clicking a crafted URL targeting the keyword filter parameter. The flaw was reported by JetBrains and carries a CVSS 7.1 due to the high confidentiality impact possible against authenticated CI/CD users; no public exploit identified at time of analysis.
Stored cross-site scripting in JetBrains YouTrack versions prior to 2026.1.13162 allows an authenticated project-level user to inject persistent JavaScript into project notification templates, which executes in the browsers of other users who receive or view those notifications. The scope-changed CVSS 8.7 reflects that injected scripts can pivot beyond the vulnerable component to compromise the sessions and data of higher-privileged recipients. No public exploit identified at time of analysis and no KEV listing, but the issue was disclosed and patched directly by the vendor.
Remote code execution in TriliumNext Trilium Notes desktop client prior to 0.102.2 allows attackers to achieve arbitrary code execution by tricking a user into importing a malicious ZIP archive with safe import enabled. The flaw chains a #docName path traversal (CWE-22) with stored XSS, and the Electron renderer's nodeIntegration=true setting elevates the XSS into full host RCE. No public exploit identified at time of analysis, but the vendor advisory describes a complete working chain and the CVSS 4.0 score of 9.3 reflects subsequent-system impact.
Stored cross-site scripting in CP Plus 1xxx series Network Video Recorder (NVR) devices, specifically the CP-UNR-108F1 hardware/web/system components, allows authenticated high-privileged attackers to inject persistent JavaScript payloads into backend storage that execute in administrators' browsers on page load. With CVSS 8.4 and a Scope:Changed vector, successful exploitation enables session hijacking, unauthorized administrative actions against the video surveillance device, and theft of footage or credentials. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Stored or reflected Cross-Site Scripting in SourceCodester Doctor Appointment System 1.0 allows unauthenticated remote attackers to inject malicious JavaScript through the user registration form in register.php. When a privileged user such as an administrator views the submitted registration data, the script executes in their browser context, enabling session hijacking, credential theft, or unauthorized actions on their behalf. A public disclosure write-up is available on GitHub; no vendor patch has been identified at this time.
Cross-site scripting in QuickCMS allows a network-adjacent unauthenticated attacker to inject and execute arbitrary JavaScript in a victim user's browser by intercepting the CMS's unencrypted HTTP request to the opensolution.org plugin list endpoint. Any QuickCMS deployment running an unpatched version of 6.8 that fetches plugin listings over plain HTTP is affected. No public exploit code or CISA KEV listing exists at time of analysis, and the low CVSS 4.0 score of 2.3 reflects the adjacent-network and MITM prerequisites that significantly constrain realistic attacker reach.
Wikidforum 2.20 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted HTML in the reply_text parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Stored cross-site scripting in WWBN AVideo 29.0 and earlier allows an authenticated low-privilege user with category creation or editing rights to persist malicious JavaScript in category descriptions, which executes in any victim's browser upon viewing the Gallery or affected category page. The scope-changed CVSS vector (S:C) reflects that the injected payload crosses from the attacker's session into other users' browser contexts, enabling session hijacking or unauthorized actions on victims' behalf. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low-complexity, network-accessible attack path warrants prompt access control review on affected deployments.
Stored XSS privilege escalation in Group-Office (enterprise CRM/groupware by Intermesh) allows any low-privileged authenticated user to execute arbitrary JavaScript in an administrator's browser by chaining two distinct flaws. The attack exploits a missing ownership check on the legacy settings API (index.php?r=core/saveSetting) - permitting writes to any user's settings regardless of identity - combined with an unsafe JavaScript sink in the email module that injects the email_font_size setting directly into rendered script without sanitization. No confirmed active exploitation exists (not in CISA KEV), but SSVC confirms a proof-of-concept exists, making this a credible privilege-escalation path for any attacker with a low-privileged account.
Stored cross-site scripting in HAX CMS (haxcms-nodejs and haxcms-php) through version 26.0.0 allows authenticated page editors to bypass the HTML sanitizer via the /system/api/saveNode endpoint by omitting whitespace before an event handler attribute name. Successful exploitation executes attacker-controlled JavaScript in the browsers of other users viewing the affected microsite, with scope change enabling impact beyond the attacker's own privilege level. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Stored XSS in Mautic 7's project selector component allows an authenticated low-privileged user to inject malicious script payloads via unsanitized project names rendered through AJAX into DOM option fields. When an administrative user subsequently opens an entity editor containing the affected project selector, the payload executes in the admin's browser session with a changed scope (S:C per CVSS), enabling session hijacking, unauthorized state manipulation, or organizational data exfiltration within the dashboard. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present, though the stored, persistent nature of the payload and low attack complexity make this a credible privilege-escalation pivot for internal threat actors.
Stored cross-site scripting in Mautic 7's Projects component allows authenticated low-privilege users with project create/edit permissions to inject script payloads into project names that execute when administrators hover over project tags or popovers on campaign, email, or form detail views. Exploitation yields script execution in an administrator's authenticated session, enabling configuration tampering, privilege escalation through administrative actions, and exfiltration of sensitive data. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Stored Cross-Site Scripting in ITP Technology's ITS Intelligent SCADA System enables authenticated, high-privileged remote attackers to inject persistent JavaScript payloads that execute in the browsers of other users upon page load. The changed scope (S:C in CVSS) indicates the injected script breaks out of the attacker's session context and affects victim users browsing the same application, potentially enabling session hijacking, credential theft, or lateral movement within the SCADA management interface. No public exploit code has been identified at time of analysis, and no confirmed active exploitation is on record.
Stored Cross-Site Scripting in ITP Technology's ITS Intelligent SCADA System enables privileged remote attackers to inject persistent JavaScript payloads into the application that execute automatically in other users' browsers upon page load. Affected are all versions per CPE data (cpe:2.3:a:itp_technology:its_intelligent_scada_system:*:*:*:*:*:*:*:*), meaning the entire product line carries this exposure. This vulnerability is not confirmed actively exploited (CISA KEV), no public exploit code has been identified, and EPSS data was not provided in available intelligence.
Stored cross-site scripting in the Link Whisper Free WordPress plugin (versions through 0.9.0) allows unauthenticated remote attackers to inject persistent JavaScript via the user_id parameter, which executes in the browser of any user who visits an affected page. The flaw stems from insufficient input sanitization and output escaping in the plugin's settings handler, and no public exploit identified at time of analysis. With a CVSS 7.2 score reflecting Scope:Changed impact, the bug is notable because exploitation requires no authentication despite affecting an administrative-adjacent plugin component.
Stored Cross-Site Scripting in The Plus Addons for Elementor WordPress plugin (versions up to and including 6.4.15) allows authenticated contributor-level attackers to persistently inject malicious scripts via the carousel_direction parameter of the Carousel Anything widget. The root cause is an unquoted HTML attribute context in the render() function where esc_attr() is applied but insufficient - attribute injection is still possible by appending space-separated event handlers to the bare dir= attribute. Injected payloads persist in the database and execute in any visiting user's browser, including administrators, enabling session hijacking or privilege escalation; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Stored Cross-Site Scripting in the Simple Divi Shortcode WordPress plugin (versions up to and including 1.2) allows authenticated attackers with contributor-level access to permanently embed arbitrary JavaScript into WordPress pages via the unsanitized 'id' parameter of the [showmodule] shortcode. The injected payload executes in the browser of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or malicious redirects within the victim's authenticated session context. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Stored Cross-Site Scripting in the Automotive Car Dealership Business WordPress Theme (all versions through 13.4.1) enables authenticated contributors to permanently embed arbitrary JavaScript via the 'project_details' custom field in Portfolio Items. Because the CVSS scope is Changed (S:C), injected scripts execute in the victim's browser context - not just the WordPress admin panel - enabling session hijacking, credential harvesting, or drive-by malware delivery against site visitors. No public exploit code has been identified at time of analysis, though contributor-level access is routinely available in multi-author dealership or agency WordPress deployments, making the authentication barrier practically low.
Stored cross-site scripting in the StatCounter - Free Real Time Visitor Stats WordPress plugin (versions up to and including 2.1.1) allows authenticated users with Author-level access or higher to inject arbitrary JavaScript into post pages by setting a crafted WordPress profile nickname. The unescaped nickname is embedded directly into a JavaScript string context within a <script> block rendered on every post page via the wp_head hook, causing the payload to execute in the browser of any visitor - including unauthenticated users - who loads a post authored by the attacker. No public exploit has been identified at time of analysis, but the low attack complexity (AC:L) and broad exposure surface (every post page on affected sites) make this a practical risk wherever sites permit untrusted Author-level accounts.
Stored Cross-Site Scripting in the Post Snippets WordPress plugin (≤4.0.19) allows authenticated administrators on multisite installations to inject persistent JavaScript into the post editor via a crafted import file, exploiting a commented-out quote-escaping routine in WPEditor.php. The injected payload executes silently in the browser of any administrator who subsequently opens any post editor page, enabling session hijacking or further lateral movement within the multisite network. No public exploit identified at time of analysis; real-world impact is bounded by the Administrator-level access prerequisite and the explicit exclusion of single-site WordPress installations.
Universal Cross-Site Scripting (UXSS) in Google Chrome on iOS prior to 148.0.7778.216 enables a remote unauthenticated attacker to inject arbitrary scripts or HTML into the browser context by convincing a target user to perform specific UI gestures on a crafted HTML page. The vulnerability stems from an inappropriate implementation in Chrome's iOS-specific code layer (CWE-79), and while UXSS attacks typically carry cross-origin escalation potential, the CVSS S:U (Unchanged scope) rating suggests cross-origin impact is not confirmed by the scoring authority. No public exploit or active exploitation has been identified at time of analysis; EPSS at 0.06% places this in the 17th percentile of exploitation likelihood.
Stored cross-site scripting in LinkAce prior to 2.5.6 allows a low-privilege OAuth-authenticated user to plant a persistent JavaScript payload in the administrator-facing audit log via their OAuth display name and a subsequent API token creation. When an admin visits /system/audit, the payload executes in their browser, enabling session cookie theft, CSRF token exfiltration from the la-app-data meta tag, and full impersonation of admin privileges. No public exploit identified at time of analysis, but a vendor patch (2.5.6) and GitHub Security Advisory GHSA-jx4g-ph82-x9mm are available.
Reflected cross-site scripting in ScadaBR's URL handling allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser session when the victim clicks a crafted link targeting the ScadaBR web interface. The vulnerability carries a CVSS 6.1 score with Scope:Changed, meaning injected scripts execute in a security context that can affect resources beyond the originating ScadaBR page - particularly significant given ScadaBR's role as a web-based SCADA platform managing industrial control systems. No public exploit code has been identified and it is not listed in the CISA KEV catalog at time of analysis, but the ICS/OT deployment context amplifies the potential operational impact of credential theft or session hijacking.
Stored HTML injection in Kibana allows a low-privileged authenticated user with write access to an Elasticsearch index to persist crafted markup that is insufficiently sanitized when rendered in an affected Kibana view. When a second user opens the compromised view, their browser processes the unsanitized content, enabling unauthorized manipulation of the Kibana UI and issuing outbound network requests from the victim's browser session. No public exploit identified at time of analysis, no CISA KEV listing, and EPSS data was not provided in source intelligence.
Stored cross-site scripting in MeshCore Card (Lovelace card for Home Assistant) prior to 0.3.3 allows any MeshCore radio node within direct or repeated mesh range to inject JavaScript into the Home Assistant frontend by setting a malicious node name. Exploitation requires a victim to view the card, and no public exploit has been identified at time of analysis, though the GHSA-5vrg-xpcj-xppc advisory confirms the issue and the 0.3.3 fix.
Stored XSS via bypass in Symfony's HtmlSanitizer component allows `javascript:` URIs to survive sanitization when applications use permissive configurations that admit `action`, `formaction`, `poster`, or `cite` attributes. The root cause is an incomplete attribute list in `UrlAttributeSanitizer::getSupportedAttributes()`, which caused `DomVisitor` to skip URI scheme validation entirely for those four attribute types. No public exploit identified at time of analysis and no CVSS score has been assigned, but successful exploitation enables JavaScript execution in victims' browsers - with the attack gated behind non-default sanitizer configuration choices made by the integrating application.
Stored cross-site scripting in TinyMCE rich text editor allows authenticated attackers to inject persistent JavaScript by forging mce:protected comments that bypass the editor's sanitization layer. Affected deployments are those using the protect configuration option in versions prior to 5.11.1, 7.9.3, and 8.5.1, where malicious scripts execute when previously stored content is restored into the editor context. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 8.7 (scope-changed) rating reflects high confidentiality and integrity impact against the user's browser session.
Stored cross-site scripting in TinyMCE's media plugin allows authenticated attackers to inject malicious JavaScript via crafted data-mce-* attributes that execute in victim browsers when the rendered content is viewed. Affects TinyMCE versions prior to 5.11.1, 7.9.3, and 8.5.1 where the media plugin is enabled, with no public exploit identified at time of analysis despite a high CVSS score of 8.7 driven by scope change and confidentiality/integrity impact.
Stored cross-site scripting in TinyMCE rich text editor versions prior to 5.11.1, 7.9.3, and 8.5.1 allows authenticated attackers to inject malicious payloads via unsanitized data-mce-href, data-mce-src, and data-mce-style attributes that override safe attributes during serialization. The scope-changing CVSS 8.7 score reflects that successful exploitation impacts other users viewing the rendered content, and no public exploit identified at time of analysis though the upstream GitHub advisory provides technical detail useful to researchers.
Stored/reflected cross-site scripting in TinyMCE rich text editor versions 6.8.0 through 7.0.x allows authenticated users to inject and execute arbitrary JavaScript in the context of any application embedding the editor. The flaw stems from improper SVG namespace scope handling in the built-in sanitizer, letting nested-element payloads bypass attribute sanitization. No public exploit identified at time of analysis, but the issue is disclosed via a GitHub security advisory with a CVSS of 8.7 reflecting scope change to the embedding application.
Stored Cross-Site Scripting in the Shariff Wrapper WordPress plugin (all versions ≤ 4.6.20) allows authenticated Contributors to inject persistent JavaScript payloads via the 'headline' parameter of the [shariff] shortcode, which then execute in any visitor's browser upon page load. The Changed scope (S:C in CVSS) means the injected payload escapes the plugin's context and runs inside victim browsers across the full WordPress front-end, enabling session theft, credential harvesting, or drive-by redirection. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the low attack complexity and persistent nature of stored XSS make it a meaningful risk on multi-author or open-registration WordPress installations.
Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the site parameter of handleloginform.do. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the showSupportExpiredMessage parameter of. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Stored cross-site scripting in the HT Contact Form - Drag & Drop Form Builder for WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote attackers to inject persistent JavaScript via the 'file_upload' parameter, which gets rendered via dangerouslySetInnerHTML in the admin entry viewer. The injected payload executes in the browser context of any administrator who opens the affected submission, enabling session theft, privilege abuse, or arbitrary admin actions. No public exploit identified at time of analysis, and the issue requires the plugin's 'Store Submissions' setting to be enabled for the unsanitized values to persist.
Reflected Cross-Site Scripting in the Easy Updates Manager WordPress plugin (versions ≤ 9.0.20) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'paged' parameter in the pagination() function of MPSUM_List_Table.php. Successful exploitation requires social engineering a logged-in WordPress administrator into clicking a crafted URL, after which the injected script executes in the admin's browser under the site's origin - enabling session hijacking, unauthorized admin actions, or credential theft. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Stored cross-site scripting in the a3 Lazy Load WordPress plugin (all versions through 2.7.6) allows authenticated Contributor-level users to inject persistent JavaScript into posts via a deliberately crafted <video> tag. Two compounding flaws drive the vulnerability: a regex bug in the _filter_videos() method that mishandles HTML attribute quoting, and unescaped output in the admin/views/form-data.php template. When any user - including a site administrator - views an affected post, the injected event-handler attributes (autofocus, onfocus) execute in the viewer's browser, enabling session hijacking or unauthorized privileged actions. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Stored cross-site scripting in the SlimStat Analytics WordPress plugin (versions through 5.4.11) allows unauthenticated attackers to inject arbitrary JavaScript via the User-Agent request header, which is persisted unsanitized and later rendered inside the admin Browsers report tooltip. Exploitation requires the non-default 'show_complete_user_agent_tooltip' setting to be enabled by an administrator, after which any admin viewing the affected report executes the attacker's script. No public exploit identified at time of analysis and no EPSS or CISA KEV signal is provided in the supplied data.
Stored XSS in MISP CTI Transmute's notification bell dropdown allows an attacker who can control convert names to inject arbitrary JavaScript that executes in authenticated users' browsers upon opening the notification panel. The vulnerability, tracked as EUVD-2026-32728 and reported by CIRCL, stems from innerHTML-based rendering of user-controlled notification content in base.html and affects all versions prior to upstream commit cf42409 - critically, only on the development branch, not production releases. No public exploit has been identified at time of analysis; the CVSS 4.0 score of 6.3 with AT:P reflects that exploitation requires the attacker to first influence a convert name surfaced in a notification.
Stored Cross-Site Scripting in the LiveSmart Video Chat WordPress plugin (all versions through 1.2) allows authenticated contributors to inject persistent malicious scripts via the 'livesmart_widget' shortcode attribute, which execute in any visitor's browser upon page load. The CVSS Scope:Changed rating confirms cross-user impact - a contributor's injected payload can hijack administrator sessions, exfiltrate cookies, or perform unauthorized actions on behalf of higher-privileged victims. No public exploit code and no CISA KEV confirmation exist at time of analysis, but the low privilege bar (contributor-level) meaningfully widens the realistic attacker pool on multi-author WordPress deployments.
Stored cross-site scripting in the Login No Captcha reCAPTCHA WordPress plugin (versions up to and including 1.8.0) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in an administrator's browser session. The flaw, reported by Wordfence, stems from unsanitized handling of the PHP_SELF superglobal during failed logins via non-standard endpoints such as xmlrpc.php, with no public exploit identified at time of analysis and no CISA KEV listing.
HCL BigFix Remote Control Server WebUI versions 10.1.0.0442 and earlier expose a misconfigured Content Security Policy that omits fallback directives, permitting browsers to bypass intended origin restrictions and load unauthorized external resources. The Changed Scope (S:C) in the CVSS vector confirms that exploitation can affect resources or contexts beyond the vulnerable WebUI component itself - consistent with the XSS tag indicating potential cross-origin script injection. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, though the high-privilege and user-interaction prerequisites substantially constrain the realistic attack surface.
Stored XSS in Symfony's WebProfiler `CodeExtension::fileExcerpt()` allows JavaScript execution in a developer's browser when the profiler renders non-PHP files containing attacker-controlled content. Affected are symfony/symfony 6.4.24-6.4.39, 7.2.9-7.4.11, and 8.0.0-8.0.11, along with symfony/twig-bridge 6.4.24-6.4.39. The attack requires a separate write primitive to any file under the project root - log poisoning via `var/log/dev.log` is the canonical vector - after which exploitation is reliable and requires only developer interaction with the profiler. No public exploit has been identified at time of analysis, and the vulnerability is scoped to development environments only.
Stored cross-site scripting in the RELATE web courseware lets any enrolled student inject JavaScript that executes in an administrator's authenticated browser session, enabling full admin account takeover. The payload is planted via the freely editable first_name/last_name fields on the /profile/ page and fires when an admin opens the Participation list in the Django admin panel. No public exploit has been identified, but the root cause is confirmed in source and fixed upstream; with a CVSS of 8.7 and a scope-changing impact, this is a high-severity privilege-escalation issue.
Stored cross-site scripting in Budibase before 3.39.0 lets any low-privileged BASIC app user with WRITE access to a table inject persistent JavaScript that executes in the browser of anyone who later views the data. The flaw lives in the Text component's Markdown rendering, where untrusted column values are converted to HTML and written directly to the DOM without sanitization. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the issue is fixed in 3.39.0.
Stored cross-site scripting in Kirby CMS (versions before 4.9.1 and 5.4.1) lets a low-privileged, authenticated Panel user inject dangerous-scheme links (javascript:, vbscript:, data:, livescript:, mocha:, jar:) through the (link:) and (image: link:) KirbyTags, the image block link field, or the blocks HTML importer. When a visitor or admin clicks the injected link on the site frontend, script runs in the site origin — typically the same origin as the Panel — enabling session hijack and escalation to admin. No public exploit is identified at time of analysis and EPSS is very low (0.06%), but exploitation is straightforward on any affected site that accepts content from partially-trusted authors.
Stored cross-site scripting in creatorsofcode's simplephp admin panel allows authenticated low-privileged users to inject persistent malicious scripts via the /admin/config-module.php configuration endpoint. When an administrator or privileged user subsequently views the affected page, the stored payload executes in their browser context, enabling session hijacking, credential theft, or unauthorized administrative actions. A proof-of-concept exists per SSVC intelligence; this CVE is not currently listed in CISA KEV.
Stored cross-site scripting in Webmin's mailboxes component (detach.cgi) allows a remote unauthenticated attacker to execute arbitrary JavaScript in the browser session of an authenticated Webmin user by sending an email containing a crafted SVG attachment. Because detach.cgi served SVG files with the image/svg+xml content type instead of a safe type, browsers treated the SVG as an active document on the Webmin origin, enabling script execution with full same-origin access to the Webmin interface. No public exploit has been identified and CISA has not listed this in KEV, but the attack surface is straightforward given the ubiquity of email as a delivery channel and Webmin's privileged system-administration context.
Stored Cross-Site Scripting in the Advanced Custom Fields: Font Awesome Field WordPress plugin (versions through 5.0.2) allows authenticated low-privileged users to inject persistent malicious scripts into web pages viewed by other users. The changed scope (S:C in CVSS) confirms that injected payloads execute in victims' browsers, potentially enabling session hijacking, credential theft, or unauthorized admin-level actions on the WordPress site. No public exploit code has been identified at time of analysis, and SSVC classifies exploitation as none with partial technical impact.
Stored cross-site scripting in Jenkins buildgraph-view Plugin 1.8 and earlier allows authenticated attackers with job or view configuration privileges to inject persistent malicious scripts via an unescaped build URL. Any Jenkins user who subsequently views the affected build graph page triggers execution of the attacker-controlled script in their browser context. No active exploitation is confirmed (not in CISA KEV) and no public exploit code is known; SSVC rates exploitation status as none with partial technical impact.
Stored cross-site scripting in Agent Zero before version 1.15 enables arbitrary JavaScript execution in the application origin by exploiting the image_get API endpoint's failure to set Content-Security-Policy, X-Content-Type-Options, or Content-Disposition headers when serving SVG files. An unauthenticated attacker (CVSS PR:N) who can write a crafted SVG to any filesystem path readable by the agent-zero process can then socially engineer an authenticated user into visiting the endpoint, causing the browser to execute embedded scripts, exfiltrate the csrf_token cookie, and issue unauthorized API calls on the victim's behalf. No public exploit has been identified at time of analysis, and SSVC classifies exploitation as none with automatable set to no, reflecting the mandatory user-interaction prerequisite.
Stored cross-site scripting (XSS) in the RabbitMQ Management Plugin web UI allows a high-privileged authenticated attacker to inject malicious script content that executes in the browser of another administrative user viewing the affected page. Affected deployments span RabbitMQ Server 3.7.0 through 4.0.12 and 4.1.0-alpha through 4.1.1. No public exploit code or active exploitation has been identified at time of analysis; however, successful exploitation can result in high confidentiality impact, consistent with session token theft or credential harvesting within the management console.
Cross-site scripting in IBM Cognos Analytics and IBM Cognos Transformer allows a remote authenticated attacker to inject arbitrary JavaScript into the web user interface, executing in the browser context of other users within a trusted session. Affected versions span IBM Cognos Analytics 11.2.0 through 12.1.0 and IBM Cognos Transformer 11.2.4 through 12.1.0. The primary risk is credential disclosure - an attacker who can plant a payload could harvest session tokens or credentials from other authenticated users. No public exploit code exists and CISA SSVC rates exploitation as none at time of analysis.
DOM-based cross-site scripting in the VikBooking Hotel Booking Engine & PMS WordPress plugin (all versions up to and including 1.8.9) lets a remote, unauthenticated attacker run arbitrary JavaScript in a victim's browser when the victim is lured into interacting with a crafted link or page. Because the script executes client-side with changed scope (S:C), it can affect resources beyond the vulnerable component, such as the WordPress admin or booking sessions. EPSS is very low (0.03%, 10th percentile) and there is no public exploit identified at time of analysis, so this is a real but lower-urgency client-side issue rather than a mass-exploitation threat.
Stored cross-site scripting in the Affiliate Super Assistent WordPress plugin (slug: amazonsimpleadmin, by Timo) affects all versions from initial release through 1.10.1, letting attackers persist malicious JavaScript that runs in the browser of any user who later loads the affected page. With a scope-changed CVSS of 7.1 (AV:N/AC:L/PR:N/UI:R), the payload can be planted without authentication but only fires when a victim views the rendered content. EPSS is very low (0.03%, 10th percentile) and there is no public exploit identified at time of analysis, consistent with CISA's SSVC rating of no observed exploitation.
Reflected cross-site scripting in the Favicon plugin by RealFaviconGenerator (phbernard) for WordPress affects all releases up to and including version 1.3.46, allowing unauthenticated attackers to deliver a crafted link that, when opened by a victim, executes attacker-controlled JavaScript in that user's browser session. The CVSS 3.1 base score is 7.1, driven largely by a scope change (S:C) that lets the injected script reach resources beyond the plugin itself, though exploitation requires user interaction. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; EPSS is very low at 0.03% (10th percentile), indicating little observed exploitation interest so far.
Stored XSS in the Booking Manager WordPress plugin (wpdevelop) versions through 2.1.18 allows authenticated low-privileged users to inject persistent malicious scripts that execute in other users' browsers. The CVSS scope change (S:C) indicates injected scripts can affect resources beyond the plugin itself - most critically, administrator sessions viewing booking data. No public exploit code has been identified at time of analysis, and EPSS at 0.03% (10th percentile) signals minimal observed exploitation interest currently.
Stored Cross-Site Scripting in the WPComplete WordPress plugin (all versions through 2.9.5.4) allows authenticated low-privileged users to inject persistent malicious scripts that execute in other users' browsers upon viewing affected content. The CVSS changed scope (S:C) is the critical risk factor: a contributor- or author-level account can craft payloads that execute in the session of higher-privileged users, including administrators, enabling session hijacking or unauthorized admin actions. No public exploit identified at time of analysis, and an EPSS score of 0.03% (10th percentile) reflects low broad exploitation probability, though the admin-targeting potential elevates real-world concern for multi-user WordPress deployments.
DOM-based cross-site scripting in the Advanced IP Blocker WordPress plugin (IniLerm) affects all versions from initial release through 8.10.7, letting an unauthenticated remote attacker execute arbitrary JavaScript in a victim's browser when that victim is lured into triggering crafted input. Because the CVSS scope is marked changed (S:C), the injected script can affect resources beyond the vulnerable component, though confidentiality, integrity, and availability impacts are each rated low. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible at 0.03% (10th percentile).
Stored cross-site scripting in the Smart Online Order for Clover WordPress plugin by ZAYTECH (versions up to and including 1.6.0) lets attackers inject persistent JavaScript that executes when a victim - typically a store administrator - loads the affected page. Because the CVSS vector marks privileges as none (PR:N) but user interaction as required (UI:R), the malicious input can be planted without authentication and is triggered later when a privileged user views it. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.03%, 10th percentile), indicating exploitation is not currently widespread.
Reflected cross-site scripting in the Geo Mashup WordPress plugin (Dylan Kuhn) affects all versions up to and including 1.13.19, letting an unauthenticated attacker inject script that executes in a victim's browser when they click a crafted link. The CVSS 3.1 base score is 7.1 with a changed scope, reflecting that injected script can affect resources beyond the vulnerable component, though confidentiality, integrity, and availability impacts are each rated low. EPSS is very low (0.03%, 10th percentile) and there is no public exploit identified at time of analysis.
DOM-Based cross-site scripting in RealMag777's WPCS (Currency Switcher) WordPress plugin affects all versions through 1.3.1 (EUVD-2026-32184), allowing remote unauthenticated attackers to inject script that executes in a victim's browser when the victim is lured into a crafted interaction. The CVSS:3.1 vector (AV:N/PR:N/UI:R/S:C) reflects network-reachable, no-privilege exploitation that requires user interaction but crosses a security scope boundary. No public exploit identified at time of analysis, and EPSS is very low (0.03%, 10th percentile), indicating little observed real-world targeting.
DOM-based cross-site scripting in the PropertyHive WordPress real-estate plugin (all versions up to and including 2.2.2) lets a remote, unauthenticated attacker inject script that executes in a victim's browser when they interact with a crafted link or page element. Reported through Patchstack's audit program and tracked as EUVD-2026-32180, the flaw carries a CVSS 7.1 rating driven largely by its changed scope, but EPSS rates exploitation probability at just 0.03% (10th percentile). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored cross-site scripting in the HT Contact Form 7 (ht-contactform) WordPress plugin by HT Plugins, affecting all versions up to and including 2.8.2, lets a remote unauthenticated attacker persist malicious script that later executes in the browser of a privileged user who views the stored data. The CVSS 3.1 base score is 7.1, elevated by a changed scope (S:C), but EPSS is only 0.03% (10th percentile) and there is no public exploit identified at time of analysis. Disclosed via Patchstack (audit@patchstack.com) and tracked as ENISA EUVD-2026-32186.
Reflected Cross-Site Scripting in the MinhNhut Link Gateway WordPress plugin (all versions ≤ 3.6.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'url' parameter on the plugin's redirect page. Successful exploitation requires tricking a WordPress user into clicking a specially crafted link, after which the malicious script executes in the victim's browser within the scope of the WordPress site - enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit has been identified at time of analysis; EPSS stands at 0.06% (19th percentile) and CISA SSVC rates exploitation status as none, indicating minimal real-world exploitation activity at this time.
DOM-based cross-site scripting in the GiveWP WordPress donation plugin (versions up to and including 4.14.5) allows remote attackers to execute arbitrary JavaScript in a victim's browser session after the victim interacts with an attacker-supplied link or page element. The flaw carries a CVSS 7.1 score driven by changed scope (S:C), meaning impact extends beyond the vulnerable component into the surrounding WordPress site context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Reflected cross-site scripting in Vitest browser mode (@vitest/browser) allows attackers to execute arbitrary JavaScript in the Vitest server origin by luring a developer to a crafted /__vitest_test__/ URL with a malicious otelCarrier query parameter. Because the same page embeds VITEST_API_TOKEN used to authenticate the Vitest WebSocket API, the XSS chains into full Node-side remote code execution by writing to vite.config.ts and triggering a config reload. Publicly available exploit code exists in the vendor's GHSA-2h32-95rg-cppp advisory, though no public exploit identified at time of analysis in CISA KEV.
Cross-site scripting via sanitizer bypass affects DOMPurify 3.4.4, the widely used npm HTML sanitization library maintained by cure53. The flaw stems from `<selectedcontent>` being permitted by default, allowing attackers to leverage browser re-cloning behavior so that an XSS payload is reinjected into a subtree DOMPurify has already walked. No public exploit identified at time of analysis in the form of in-the-wild attacks, but a fully working PoC is published in the GHSA advisory and active exploitation status is not listed in CISA KEV.
Cross-site scripting in Firefox for iOS Reader View allows unauthenticated remote attackers to inject arbitrary markup via maliciously crafted JSON-LD metadata on attacker-controlled pages. When a victim activates Reader View on such a page, injected HTML executes in the context of an internal Firefox origin, leaking sensitive URL parameters that can be leveraged to access internal pages and achieve arbitrary JavaScript execution with elevated browser-origin trust. Mozilla patched this in Firefox for iOS 151.2 per MFSA2026-53; no public exploit code and no CISA KEV listing have been identified at time of analysis.
Reader View in Firefox for iOS executes arbitrary JavaScript due to an incorrect template substitution order, enabling cross-site scripting via JSON-LD data injection. The flaw affects all Firefox for iOS versions prior to 151.2 running on Apple iOS devices; unauthenticated remote attackers can exploit this by luring users to a malicious page and having them activate Reader View, after which attacker-controlled placeholder strings embedded in the page's structured data are processed as executable script. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and no-auth-required access vector (per CVSS PR:N) make it feasible for opportunistic campaigns targeting iOS Firefox users.
Stored or reflected cross-site scripting in SourceCodester Pharmacy Sales and Inventory System 1.0 allows authenticated remote attackers to inject malicious scripts via the generic_name parameter of the create_generic_name function at /ShowForm/create_generic_name/main. Exploitation requires victim user interaction (UI:R) to trigger script execution, limiting impact to low integrity loss with no confidentiality or availability impact (CVSS 3.5). Publicly available exploit code exists per the GitHub issue tracker reference, though this CVE is not listed in the CISA KEV catalog and EPSS data was not provided in source intelligence.
Stored or reflected cross-site scripting in SourceCodester Pharmacy Sales and Inventory System 1.0 allows a low-privileged authenticated remote attacker to inject malicious JavaScript via the `medicine_presentation` argument in the `create_medicine_presentation` function at `/ShowForm/create_medicine_presentation/main`. Exploitation requires a victim user to interact with the affected page, limiting blast radius but still enabling session hijacking, credential theft, or UI redirection against authenticated users. Publicly available exploit code exists per a GitHub issue disclosure; no CISA KEV listing is present.
Stored or reflected cross-site scripting (XSS) in SourceCodester Pharmacy Sales and Inventory System 1.0 allows a remote, low-privileged attacker to inject arbitrary JavaScript via the company_name argument in the create_supplier function at /ShowForm/create_supplier/main. Successful exploitation requires a victim user to interact with the malicious content, limiting blast radius, but the CVSS temporal metric confirms a proof-of-concept exploit is publicly available via GitHub. No active exploitation has been identified in CISA KEV, though the low attack complexity and public POC make this a credible risk for unpatched deployments handling sensitive pharmaceutical inventory data.
Stored XSS in the Orca user portal is enabled by a multi-layer architectural failure in older Orca heat pump devices: device-to-server communications occur over unencrypted, unauthenticated HTTP on a non-secure port, and the server performs no input validation on the data it aggregates. An unauthenticated network attacker can impersonate a legitimate heat pump device, inject malicious JavaScript payloads into the data stream, which are then stored and rendered in the Orca user portal. When a portal user loads the affected page, the stored script executes, enabling session cookie theft and unauthorized actions within the portal. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Stored cross-site scripting in Dassault Systèmes DELMIA Service Process Engineer (Process Experience Studio component) across releases 3DEXPERIENCE R2024x through R2026x allows an authenticated low-privilege attacker to inject persistent script payloads that execute in another user's browser session. With a CVSS 3.1 base of 8.7 driven by scope change and high confidentiality/integrity impact, successful exploitation can compromise the victim's 3DEXPERIENCE session data and authority across trust boundaries. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Reflected cross-site scripting in the Stormshield Network Security (SNS) appliance login API allows network-accessible attackers to inject and execute arbitrary scripts in a victim's browser session. Affected versions span three distinct release branches: 4.3.0-4.3.41, 4.8.0-4.8.15, and 5.0.0-5.0.5. Successful exploitation can result in session cookie theft, sensitive data exfiltration, or redirection to attacker-controlled sites. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
HTTP response header injection in Apache ActiveMQ's web console MessageServlet exposes users to security header override and cross-site scripting attacks. The servlet copies every JMS message property directly into HTTP response headers without sanitization, meaning an attacker who can publish crafted JMS messages to a broker queue can override headers such as Content-Security-Policy or X-Frame-Options when a web console user views those messages. No public exploit has been identified at time of analysis, and EPSS of 0.03% (9th percentile) reflects low observed exploitation probability, though the no-privilege-required CVSS vector and Scope:Changed score signal meaningful impact on browser security posture if exploited.
Reflected XSS in SOPlanning 1.55 and below allows unauthenticated attackers to execute arbitrary JavaScript in the browsers of authenticated SOPlanning users by delivering a crafted malicious URL containing a payload in the `taches` parameter. The vulnerability stems from insufficient output sanitization of user-supplied input before it is reflected in the HTTP response. No public exploit code or CISA KEV listing exists at time of analysis; this was reported by CERT Poland (CERT.PL) and carries a CVSS 4.0 score of 5.1 (Medium).
Stored XSS in SOPlanning 1.55 and earlier allows an authenticated low-privileged attacker to persist malicious JavaScript inside the application by uploading a crafted backup archive through the /process/upload_backup endpoint. The payload, embedded in a user.csv file within a ZIP, executes in a victim's browser when they click the Edit button on the affected backup entry - enabling session hijacking or UI manipulation against any user who interacts with the backup management interface. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 5.1 correctly reflects the constrained impact ceiling imposed by required authentication and passive user interaction.
Cross-site scripting in SourceCodester Pharmacy Sales and Inventory System 1.0 allows a low-privileged authenticated attacker to inject malicious JavaScript via the `medicine_name` parameter at the `/ShowForm/create_medicine_name/main` endpoint, executing arbitrary scripts in the browsers of other users who view the affected page. The CVSS 4.0 score of 2.0 reflects a narrow impact profile - no confidentiality loss and only low integrity impact - but a publicly available proof-of-concept exploit exists (E:P), lowering the barrier to abuse in multi-user deployments such as shared pharmacy management environments. No active exploitation has been confirmed via CISA KEV.
Stored or reflected cross-site scripting in sendportal's Campaign Handler allows an authenticated low-privilege remote attacker to inject malicious script via the 'content' argument at the /webview/ endpoint, affecting all versions up to and including 3.0.1. A victim user must interact with the crafted content for the payload to execute, resulting in low-integrity impact with no confidentiality or availability consequences. No public exploit identified at time of analysis is incorrect here - publicly available exploit code exists (E:P in CVSS temporal), and the vendor has not responded to the coordinated disclosure, leaving no patch available.
Reflected or stored cross-site scripting (XSS) in raisulislamg4's student_management_system_by_php allows authenticated remote attackers to inject malicious scripts via the Message argument in admission_form_check.php. The vulnerability requires a victim to interact with a crafted link or page, triggering script execution in the context of another user's browser session. A public exploit exists per the GitHub issue report; however, the vendor has not responded to disclosure and no patch has been released.
Reflected cross-site scripting in OTRS 7.0.x and ((OTRS)) Community Edition 6.x and earlier allows remote attackers to execute arbitrary JavaScript in an authenticated agent's browser session by tricking the agent into clicking a crafted ticket-action URL. The CVSS 7.1 (UI:R) rating reflects the need for victim interaction, and no public exploit identified at time of analysis, but the high integrity impact and the ubiquity of OTRS-derived help-desk forks make this a meaningful risk for ticketing environments.
Cross-site scripting in Orthanc Explorer 2 versions up to and including 1.12.0 enables remote attackers to inject arbitrary JavaScript into the browser sessions of users who load a crafted URL, via the unsanitized `remote-source` query parameter processed by the StudyList.vue URL Handler. The CVSS 4.3 rating (AV:N/AC:L/PR:N/UI:R/S:U) reflects that no authentication is required of the attacker but victim interaction with a malicious link is necessary - a classic reflected XSS profile. Publicly available exploit code exists per VulDB and a referenced GitHub issue, and an upstream patch commit has been issued, though no officially tagged patched release has been independently confirmed from the canonical repository.
Reflected cross-site scripting in westboy CicadasCMS allows remote unauthenticated attackers to inject arbitrary JavaScript into a victim's browser via the unvalidated 's' search parameter in the Search function. All code up to and including commit 2431154dac8d0735e04f1fd2a3c3556668fc8dab is affected, with no patch released as of analysis - the vendor has not responded to the responsible disclosure. A publicly available exploit exists (CVSS E:P confirmed), elevating the urgency despite the moderate CVSS base score of 4.3.
Cross-site scripting in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 allows a high-privileged authenticated attacker to inject malicious script into the Name argument on the Dashboard Page, which executes in the browser of any user who subsequently views the affected page. The vulnerability requires both elevated privileges and victim interaction, placing real-world impact firmly in the low-to-negligible range despite network reachability. No public exploit identified at time of analysis as actively weaponized (no CISA KEV listing), though publicly available exploit code exists via a GitHub issue disclosure.
Cross-folder file rename and description tampering in Admidio's document management module allows any authenticated uploader to modify files in folders they cannot write to. The vulnerability affects Admidio <= 5.0.9 (composer package admidio/admidio): a low-privilege user holding upload rights on a single folder can rename files and overwrite descriptions in any other folder they can view, breaking integrity for all readers of those folders. Publicly available exploit code exists per the GitHub Security Advisory; no KEV listing at time of analysis.
Stored XSS in the TP-Link TL-SG108PE v5 web management interface allows an authenticated administrator on an adjacent network to inject persistent malicious script via the SYSNAM configuration parameter during a config file import operation. The injected payload is stored on the device and executes in any administrator's browser upon viewing the affected management page, enabling session cookie theft, unauthorized configuration changes, or exposure of sensitive management-plane data. No public exploit code has been identified at time of analysis, and CISA SSVC assessment rates exploitation as none and not automatable, consistent with the high privilege and adjacency prerequisites.
Stored XSS in JetBrains PyCharm's Jupyter notebook Markdown cell renderer allows a remote, unauthenticated attacker to execute arbitrary JavaScript in the context of a victim's PyCharm session by delivering a crafted notebook file. All PyCharm versions prior to 2025.3.4 are affected. The vulnerability carries no KEV listing and no public exploit has been identified at time of analysis, though the low attack complexity and lack of required privileges make opportunistic abuse via shared or repository-hosted notebooks plausible.
Stored cross-site scripting in JetBrains TeamCity's SAML login page allows a high-privileged attacker to inject persistent malicious scripts that execute in victims' browsers upon visiting the login page. All TeamCity versions prior to 2026.1 are affected. The changed scope (S:C) in the CVSS vector indicates the injected payload can affect browser sessions beyond the immediate component, though confidentiality impact is rated low and no integrity or availability loss is assessed. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Reflected cross-site scripting on the TeamCity repository download page allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a crafted URL. The Changed scope (S:C) in the CVSS vector indicates the payload can escape the vulnerable component and affect the victim's broader browser session, enabling session token theft, credential harvesting, or malicious redirects against TeamCity users. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Reflected cross-site scripting in JetBrains TeamCity before version 2026.1.1 allows remote attackers to execute arbitrary JavaScript in a victim's browser session by tricking them into clicking a crafted URL targeting the keyword filter parameter. The flaw was reported by JetBrains and carries a CVSS 7.1 due to the high confidentiality impact possible against authenticated CI/CD users; no public exploit identified at time of analysis.
Stored cross-site scripting in JetBrains YouTrack versions prior to 2026.1.13162 allows an authenticated project-level user to inject persistent JavaScript into project notification templates, which executes in the browsers of other users who receive or view those notifications. The scope-changed CVSS 8.7 reflects that injected scripts can pivot beyond the vulnerable component to compromise the sessions and data of higher-privileged recipients. No public exploit identified at time of analysis and no KEV listing, but the issue was disclosed and patched directly by the vendor.
Remote code execution in TriliumNext Trilium Notes desktop client prior to 0.102.2 allows attackers to achieve arbitrary code execution by tricking a user into importing a malicious ZIP archive with safe import enabled. The flaw chains a #docName path traversal (CWE-22) with stored XSS, and the Electron renderer's nodeIntegration=true setting elevates the XSS into full host RCE. No public exploit identified at time of analysis, but the vendor advisory describes a complete working chain and the CVSS 4.0 score of 9.3 reflects subsequent-system impact.
Stored cross-site scripting in CP Plus 1xxx series Network Video Recorder (NVR) devices, specifically the CP-UNR-108F1 hardware/web/system components, allows authenticated high-privileged attackers to inject persistent JavaScript payloads into backend storage that execute in administrators' browsers on page load. With CVSS 8.4 and a Scope:Changed vector, successful exploitation enables session hijacking, unauthorized administrative actions against the video surveillance device, and theft of footage or credentials. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Stored or reflected Cross-Site Scripting in SourceCodester Doctor Appointment System 1.0 allows unauthenticated remote attackers to inject malicious JavaScript through the user registration form in register.php. When a privileged user such as an administrator views the submitted registration data, the script executes in their browser context, enabling session hijacking, credential theft, or unauthorized actions on their behalf. A public disclosure write-up is available on GitHub; no vendor patch has been identified at this time.
Cross-site scripting in QuickCMS allows a network-adjacent unauthenticated attacker to inject and execute arbitrary JavaScript in a victim user's browser by intercepting the CMS's unencrypted HTTP request to the opensolution.org plugin list endpoint. Any QuickCMS deployment running an unpatched version of 6.8 that fetches plugin listings over plain HTTP is affected. No public exploit code or CISA KEV listing exists at time of analysis, and the low CVSS 4.0 score of 2.3 reflects the adjacent-network and MITM prerequisites that significantly constrain realistic attacker reach.
Wikidforum 2.20 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted HTML in the reply_text parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Stored cross-site scripting in WWBN AVideo 29.0 and earlier allows an authenticated low-privilege user with category creation or editing rights to persist malicious JavaScript in category descriptions, which executes in any victim's browser upon viewing the Gallery or affected category page. The scope-changed CVSS vector (S:C) reflects that the injected payload crosses from the attacker's session into other users' browser contexts, enabling session hijacking or unauthorized actions on victims' behalf. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low-complexity, network-accessible attack path warrants prompt access control review on affected deployments.
Stored XSS privilege escalation in Group-Office (enterprise CRM/groupware by Intermesh) allows any low-privileged authenticated user to execute arbitrary JavaScript in an administrator's browser by chaining two distinct flaws. The attack exploits a missing ownership check on the legacy settings API (index.php?r=core/saveSetting) - permitting writes to any user's settings regardless of identity - combined with an unsafe JavaScript sink in the email module that injects the email_font_size setting directly into rendered script without sanitization. No confirmed active exploitation exists (not in CISA KEV), but SSVC confirms a proof-of-concept exists, making this a credible privilege-escalation path for any attacker with a low-privileged account.
Stored cross-site scripting in HAX CMS (haxcms-nodejs and haxcms-php) through version 26.0.0 allows authenticated page editors to bypass the HTML sanitizer via the /system/api/saveNode endpoint by omitting whitespace before an event handler attribute name. Successful exploitation executes attacker-controlled JavaScript in the browsers of other users viewing the affected microsite, with scope change enabling impact beyond the attacker's own privilege level. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Stored XSS in Mautic 7's project selector component allows an authenticated low-privileged user to inject malicious script payloads via unsanitized project names rendered through AJAX into DOM option fields. When an administrative user subsequently opens an entity editor containing the affected project selector, the payload executes in the admin's browser session with a changed scope (S:C per CVSS), enabling session hijacking, unauthorized state manipulation, or organizational data exfiltration within the dashboard. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present, though the stored, persistent nature of the payload and low attack complexity make this a credible privilege-escalation pivot for internal threat actors.
Stored cross-site scripting in Mautic 7's Projects component allows authenticated low-privilege users with project create/edit permissions to inject script payloads into project names that execute when administrators hover over project tags or popovers on campaign, email, or form detail views. Exploitation yields script execution in an administrator's authenticated session, enabling configuration tampering, privilege escalation through administrative actions, and exfiltration of sensitive data. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Stored Cross-Site Scripting in ITP Technology's ITS Intelligent SCADA System enables authenticated, high-privileged remote attackers to inject persistent JavaScript payloads that execute in the browsers of other users upon page load. The changed scope (S:C in CVSS) indicates the injected script breaks out of the attacker's session context and affects victim users browsing the same application, potentially enabling session hijacking, credential theft, or lateral movement within the SCADA management interface. No public exploit code has been identified at time of analysis, and no confirmed active exploitation is on record.
Stored Cross-Site Scripting in ITP Technology's ITS Intelligent SCADA System enables privileged remote attackers to inject persistent JavaScript payloads into the application that execute automatically in other users' browsers upon page load. Affected are all versions per CPE data (cpe:2.3:a:itp_technology:its_intelligent_scada_system:*:*:*:*:*:*:*:*), meaning the entire product line carries this exposure. This vulnerability is not confirmed actively exploited (CISA KEV), no public exploit code has been identified, and EPSS data was not provided in available intelligence.
Stored cross-site scripting in the Link Whisper Free WordPress plugin (versions through 0.9.0) allows unauthenticated remote attackers to inject persistent JavaScript via the user_id parameter, which executes in the browser of any user who visits an affected page. The flaw stems from insufficient input sanitization and output escaping in the plugin's settings handler, and no public exploit identified at time of analysis. With a CVSS 7.2 score reflecting Scope:Changed impact, the bug is notable because exploitation requires no authentication despite affecting an administrative-adjacent plugin component.
Stored Cross-Site Scripting in The Plus Addons for Elementor WordPress plugin (versions up to and including 6.4.15) allows authenticated contributor-level attackers to persistently inject malicious scripts via the carousel_direction parameter of the Carousel Anything widget. The root cause is an unquoted HTML attribute context in the render() function where esc_attr() is applied but insufficient - attribute injection is still possible by appending space-separated event handlers to the bare dir= attribute. Injected payloads persist in the database and execute in any visiting user's browser, including administrators, enabling session hijacking or privilege escalation; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Stored Cross-Site Scripting in the Simple Divi Shortcode WordPress plugin (versions up to and including 1.2) allows authenticated attackers with contributor-level access to permanently embed arbitrary JavaScript into WordPress pages via the unsanitized 'id' parameter of the [showmodule] shortcode. The injected payload executes in the browser of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or malicious redirects within the victim's authenticated session context. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Stored Cross-Site Scripting in the Automotive Car Dealership Business WordPress Theme (all versions through 13.4.1) enables authenticated contributors to permanently embed arbitrary JavaScript via the 'project_details' custom field in Portfolio Items. Because the CVSS scope is Changed (S:C), injected scripts execute in the victim's browser context - not just the WordPress admin panel - enabling session hijacking, credential harvesting, or drive-by malware delivery against site visitors. No public exploit code has been identified at time of analysis, though contributor-level access is routinely available in multi-author dealership or agency WordPress deployments, making the authentication barrier practically low.
Stored cross-site scripting in the StatCounter - Free Real Time Visitor Stats WordPress plugin (versions up to and including 2.1.1) allows authenticated users with Author-level access or higher to inject arbitrary JavaScript into post pages by setting a crafted WordPress profile nickname. The unescaped nickname is embedded directly into a JavaScript string context within a <script> block rendered on every post page via the wp_head hook, causing the payload to execute in the browser of any visitor - including unauthenticated users - who loads a post authored by the attacker. No public exploit has been identified at time of analysis, but the low attack complexity (AC:L) and broad exposure surface (every post page on affected sites) make this a practical risk wherever sites permit untrusted Author-level accounts.
Stored Cross-Site Scripting in the Post Snippets WordPress plugin (≤4.0.19) allows authenticated administrators on multisite installations to inject persistent JavaScript into the post editor via a crafted import file, exploiting a commented-out quote-escaping routine in WPEditor.php. The injected payload executes silently in the browser of any administrator who subsequently opens any post editor page, enabling session hijacking or further lateral movement within the multisite network. No public exploit identified at time of analysis; real-world impact is bounded by the Administrator-level access prerequisite and the explicit exclusion of single-site WordPress installations.
Universal Cross-Site Scripting (UXSS) in Google Chrome on iOS prior to 148.0.7778.216 enables a remote unauthenticated attacker to inject arbitrary scripts or HTML into the browser context by convincing a target user to perform specific UI gestures on a crafted HTML page. The vulnerability stems from an inappropriate implementation in Chrome's iOS-specific code layer (CWE-79), and while UXSS attacks typically carry cross-origin escalation potential, the CVSS S:U (Unchanged scope) rating suggests cross-origin impact is not confirmed by the scoring authority. No public exploit or active exploitation has been identified at time of analysis; EPSS at 0.06% places this in the 17th percentile of exploitation likelihood.
Stored cross-site scripting in LinkAce prior to 2.5.6 allows a low-privilege OAuth-authenticated user to plant a persistent JavaScript payload in the administrator-facing audit log via their OAuth display name and a subsequent API token creation. When an admin visits /system/audit, the payload executes in their browser, enabling session cookie theft, CSRF token exfiltration from the la-app-data meta tag, and full impersonation of admin privileges. No public exploit identified at time of analysis, but a vendor patch (2.5.6) and GitHub Security Advisory GHSA-jx4g-ph82-x9mm are available.
Reflected cross-site scripting in ScadaBR's URL handling allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser session when the victim clicks a crafted link targeting the ScadaBR web interface. The vulnerability carries a CVSS 6.1 score with Scope:Changed, meaning injected scripts execute in a security context that can affect resources beyond the originating ScadaBR page - particularly significant given ScadaBR's role as a web-based SCADA platform managing industrial control systems. No public exploit code has been identified and it is not listed in the CISA KEV catalog at time of analysis, but the ICS/OT deployment context amplifies the potential operational impact of credential theft or session hijacking.
Stored HTML injection in Kibana allows a low-privileged authenticated user with write access to an Elasticsearch index to persist crafted markup that is insufficiently sanitized when rendered in an affected Kibana view. When a second user opens the compromised view, their browser processes the unsanitized content, enabling unauthorized manipulation of the Kibana UI and issuing outbound network requests from the victim's browser session. No public exploit identified at time of analysis, no CISA KEV listing, and EPSS data was not provided in source intelligence.
Stored cross-site scripting in MeshCore Card (Lovelace card for Home Assistant) prior to 0.3.3 allows any MeshCore radio node within direct or repeated mesh range to inject JavaScript into the Home Assistant frontend by setting a malicious node name. Exploitation requires a victim to view the card, and no public exploit has been identified at time of analysis, though the GHSA-5vrg-xpcj-xppc advisory confirms the issue and the 0.3.3 fix.
Stored XSS via bypass in Symfony's HtmlSanitizer component allows `javascript:` URIs to survive sanitization when applications use permissive configurations that admit `action`, `formaction`, `poster`, or `cite` attributes. The root cause is an incomplete attribute list in `UrlAttributeSanitizer::getSupportedAttributes()`, which caused `DomVisitor` to skip URI scheme validation entirely for those four attribute types. No public exploit identified at time of analysis and no CVSS score has been assigned, but successful exploitation enables JavaScript execution in victims' browsers - with the attack gated behind non-default sanitizer configuration choices made by the integrating application.
Stored cross-site scripting in TinyMCE rich text editor allows authenticated attackers to inject persistent JavaScript by forging mce:protected comments that bypass the editor's sanitization layer. Affected deployments are those using the protect configuration option in versions prior to 5.11.1, 7.9.3, and 8.5.1, where malicious scripts execute when previously stored content is restored into the editor context. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 8.7 (scope-changed) rating reflects high confidentiality and integrity impact against the user's browser session.
Stored cross-site scripting in TinyMCE's media plugin allows authenticated attackers to inject malicious JavaScript via crafted data-mce-* attributes that execute in victim browsers when the rendered content is viewed. Affects TinyMCE versions prior to 5.11.1, 7.9.3, and 8.5.1 where the media plugin is enabled, with no public exploit identified at time of analysis despite a high CVSS score of 8.7 driven by scope change and confidentiality/integrity impact.
Stored cross-site scripting in TinyMCE rich text editor versions prior to 5.11.1, 7.9.3, and 8.5.1 allows authenticated attackers to inject malicious payloads via unsanitized data-mce-href, data-mce-src, and data-mce-style attributes that override safe attributes during serialization. The scope-changing CVSS 8.7 score reflects that successful exploitation impacts other users viewing the rendered content, and no public exploit identified at time of analysis though the upstream GitHub advisory provides technical detail useful to researchers.
Stored/reflected cross-site scripting in TinyMCE rich text editor versions 6.8.0 through 7.0.x allows authenticated users to inject and execute arbitrary JavaScript in the context of any application embedding the editor. The flaw stems from improper SVG namespace scope handling in the built-in sanitizer, letting nested-element payloads bypass attribute sanitization. No public exploit identified at time of analysis, but the issue is disclosed via a GitHub security advisory with a CVSS of 8.7 reflecting scope change to the embedding application.
Stored Cross-Site Scripting in the Shariff Wrapper WordPress plugin (all versions ≤ 4.6.20) allows authenticated Contributors to inject persistent JavaScript payloads via the 'headline' parameter of the [shariff] shortcode, which then execute in any visitor's browser upon page load. The Changed scope (S:C in CVSS) means the injected payload escapes the plugin's context and runs inside victim browsers across the full WordPress front-end, enabling session theft, credential harvesting, or drive-by redirection. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the low attack complexity and persistent nature of stored XSS make it a meaningful risk on multi-author or open-registration WordPress installations.
Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the site parameter of handleloginform.do. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the showSupportExpiredMessage parameter of. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Stored cross-site scripting in the HT Contact Form - Drag & Drop Form Builder for WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote attackers to inject persistent JavaScript via the 'file_upload' parameter, which gets rendered via dangerouslySetInnerHTML in the admin entry viewer. The injected payload executes in the browser context of any administrator who opens the affected submission, enabling session theft, privilege abuse, or arbitrary admin actions. No public exploit identified at time of analysis, and the issue requires the plugin's 'Store Submissions' setting to be enabled for the unsanitized values to persist.
Reflected Cross-Site Scripting in the Easy Updates Manager WordPress plugin (versions ≤ 9.0.20) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'paged' parameter in the pagination() function of MPSUM_List_Table.php. Successful exploitation requires social engineering a logged-in WordPress administrator into clicking a crafted URL, after which the injected script executes in the admin's browser under the site's origin - enabling session hijacking, unauthorized admin actions, or credential theft. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Stored cross-site scripting in the a3 Lazy Load WordPress plugin (all versions through 2.7.6) allows authenticated Contributor-level users to inject persistent JavaScript into posts via a deliberately crafted <video> tag. Two compounding flaws drive the vulnerability: a regex bug in the _filter_videos() method that mishandles HTML attribute quoting, and unescaped output in the admin/views/form-data.php template. When any user - including a site administrator - views an affected post, the injected event-handler attributes (autofocus, onfocus) execute in the viewer's browser, enabling session hijacking or unauthorized privileged actions. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Stored cross-site scripting in the SlimStat Analytics WordPress plugin (versions through 5.4.11) allows unauthenticated attackers to inject arbitrary JavaScript via the User-Agent request header, which is persisted unsanitized and later rendered inside the admin Browsers report tooltip. Exploitation requires the non-default 'show_complete_user_agent_tooltip' setting to be enabled by an administrator, after which any admin viewing the affected report executes the attacker's script. No public exploit identified at time of analysis and no EPSS or CISA KEV signal is provided in the supplied data.
Stored XSS in MISP CTI Transmute's notification bell dropdown allows an attacker who can control convert names to inject arbitrary JavaScript that executes in authenticated users' browsers upon opening the notification panel. The vulnerability, tracked as EUVD-2026-32728 and reported by CIRCL, stems from innerHTML-based rendering of user-controlled notification content in base.html and affects all versions prior to upstream commit cf42409 - critically, only on the development branch, not production releases. No public exploit has been identified at time of analysis; the CVSS 4.0 score of 6.3 with AT:P reflects that exploitation requires the attacker to first influence a convert name surfaced in a notification.
Stored Cross-Site Scripting in the LiveSmart Video Chat WordPress plugin (all versions through 1.2) allows authenticated contributors to inject persistent malicious scripts via the 'livesmart_widget' shortcode attribute, which execute in any visitor's browser upon page load. The CVSS Scope:Changed rating confirms cross-user impact - a contributor's injected payload can hijack administrator sessions, exfiltrate cookies, or perform unauthorized actions on behalf of higher-privileged victims. No public exploit code and no CISA KEV confirmation exist at time of analysis, but the low privilege bar (contributor-level) meaningfully widens the realistic attacker pool on multi-author WordPress deployments.
Stored cross-site scripting in the Login No Captcha reCAPTCHA WordPress plugin (versions up to and including 1.8.0) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in an administrator's browser session. The flaw, reported by Wordfence, stems from unsanitized handling of the PHP_SELF superglobal during failed logins via non-standard endpoints such as xmlrpc.php, with no public exploit identified at time of analysis and no CISA KEV listing.
HCL BigFix Remote Control Server WebUI versions 10.1.0.0442 and earlier expose a misconfigured Content Security Policy that omits fallback directives, permitting browsers to bypass intended origin restrictions and load unauthorized external resources. The Changed Scope (S:C) in the CVSS vector confirms that exploitation can affect resources or contexts beyond the vulnerable WebUI component itself - consistent with the XSS tag indicating potential cross-origin script injection. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, though the high-privilege and user-interaction prerequisites substantially constrain the realistic attack surface.
Stored XSS in Symfony's WebProfiler `CodeExtension::fileExcerpt()` allows JavaScript execution in a developer's browser when the profiler renders non-PHP files containing attacker-controlled content. Affected are symfony/symfony 6.4.24-6.4.39, 7.2.9-7.4.11, and 8.0.0-8.0.11, along with symfony/twig-bridge 6.4.24-6.4.39. The attack requires a separate write primitive to any file under the project root - log poisoning via `var/log/dev.log` is the canonical vector - after which exploitation is reliable and requires only developer interaction with the profiler. No public exploit has been identified at time of analysis, and the vulnerability is scoped to development environments only.
Stored cross-site scripting in the RELATE web courseware lets any enrolled student inject JavaScript that executes in an administrator's authenticated browser session, enabling full admin account takeover. The payload is planted via the freely editable first_name/last_name fields on the /profile/ page and fires when an admin opens the Participation list in the Django admin panel. No public exploit has been identified, but the root cause is confirmed in source and fixed upstream; with a CVSS of 8.7 and a scope-changing impact, this is a high-severity privilege-escalation issue.
Stored cross-site scripting in Budibase before 3.39.0 lets any low-privileged BASIC app user with WRITE access to a table inject persistent JavaScript that executes in the browser of anyone who later views the data. The flaw lives in the Text component's Markdown rendering, where untrusted column values are converted to HTML and written directly to the DOM without sanitization. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the issue is fixed in 3.39.0.
Stored cross-site scripting in Kirby CMS (versions before 4.9.1 and 5.4.1) lets a low-privileged, authenticated Panel user inject dangerous-scheme links (javascript:, vbscript:, data:, livescript:, mocha:, jar:) through the (link:) and (image: link:) KirbyTags, the image block link field, or the blocks HTML importer. When a visitor or admin clicks the injected link on the site frontend, script runs in the site origin — typically the same origin as the Panel — enabling session hijack and escalation to admin. No public exploit is identified at time of analysis and EPSS is very low (0.06%), but exploitation is straightforward on any affected site that accepts content from partially-trusted authors.
Stored cross-site scripting in creatorsofcode's simplephp admin panel allows authenticated low-privileged users to inject persistent malicious scripts via the /admin/config-module.php configuration endpoint. When an administrator or privileged user subsequently views the affected page, the stored payload executes in their browser context, enabling session hijacking, credential theft, or unauthorized administrative actions. A proof-of-concept exists per SSVC intelligence; this CVE is not currently listed in CISA KEV.
Stored cross-site scripting in Webmin's mailboxes component (detach.cgi) allows a remote unauthenticated attacker to execute arbitrary JavaScript in the browser session of an authenticated Webmin user by sending an email containing a crafted SVG attachment. Because detach.cgi served SVG files with the image/svg+xml content type instead of a safe type, browsers treated the SVG as an active document on the Webmin origin, enabling script execution with full same-origin access to the Webmin interface. No public exploit has been identified and CISA has not listed this in KEV, but the attack surface is straightforward given the ubiquity of email as a delivery channel and Webmin's privileged system-administration context.
Stored Cross-Site Scripting in the Advanced Custom Fields: Font Awesome Field WordPress plugin (versions through 5.0.2) allows authenticated low-privileged users to inject persistent malicious scripts into web pages viewed by other users. The changed scope (S:C in CVSS) confirms that injected payloads execute in victims' browsers, potentially enabling session hijacking, credential theft, or unauthorized admin-level actions on the WordPress site. No public exploit code has been identified at time of analysis, and SSVC classifies exploitation as none with partial technical impact.
Stored cross-site scripting in Jenkins buildgraph-view Plugin 1.8 and earlier allows authenticated attackers with job or view configuration privileges to inject persistent malicious scripts via an unescaped build URL. Any Jenkins user who subsequently views the affected build graph page triggers execution of the attacker-controlled script in their browser context. No active exploitation is confirmed (not in CISA KEV) and no public exploit code is known; SSVC rates exploitation status as none with partial technical impact.
Stored cross-site scripting in Agent Zero before version 1.15 enables arbitrary JavaScript execution in the application origin by exploiting the image_get API endpoint's failure to set Content-Security-Policy, X-Content-Type-Options, or Content-Disposition headers when serving SVG files. An unauthenticated attacker (CVSS PR:N) who can write a crafted SVG to any filesystem path readable by the agent-zero process can then socially engineer an authenticated user into visiting the endpoint, causing the browser to execute embedded scripts, exfiltrate the csrf_token cookie, and issue unauthorized API calls on the victim's behalf. No public exploit has been identified at time of analysis, and SSVC classifies exploitation as none with automatable set to no, reflecting the mandatory user-interaction prerequisite.
Stored cross-site scripting (XSS) in the RabbitMQ Management Plugin web UI allows a high-privileged authenticated attacker to inject malicious script content that executes in the browser of another administrative user viewing the affected page. Affected deployments span RabbitMQ Server 3.7.0 through 4.0.12 and 4.1.0-alpha through 4.1.1. No public exploit code or active exploitation has been identified at time of analysis; however, successful exploitation can result in high confidentiality impact, consistent with session token theft or credential harvesting within the management console.
Cross-site scripting in IBM Cognos Analytics and IBM Cognos Transformer allows a remote authenticated attacker to inject arbitrary JavaScript into the web user interface, executing in the browser context of other users within a trusted session. Affected versions span IBM Cognos Analytics 11.2.0 through 12.1.0 and IBM Cognos Transformer 11.2.4 through 12.1.0. The primary risk is credential disclosure - an attacker who can plant a payload could harvest session tokens or credentials from other authenticated users. No public exploit code exists and CISA SSVC rates exploitation as none at time of analysis.
DOM-based cross-site scripting in the VikBooking Hotel Booking Engine & PMS WordPress plugin (all versions up to and including 1.8.9) lets a remote, unauthenticated attacker run arbitrary JavaScript in a victim's browser when the victim is lured into interacting with a crafted link or page. Because the script executes client-side with changed scope (S:C), it can affect resources beyond the vulnerable component, such as the WordPress admin or booking sessions. EPSS is very low (0.03%, 10th percentile) and there is no public exploit identified at time of analysis, so this is a real but lower-urgency client-side issue rather than a mass-exploitation threat.
Stored cross-site scripting in the Affiliate Super Assistent WordPress plugin (slug: amazonsimpleadmin, by Timo) affects all versions from initial release through 1.10.1, letting attackers persist malicious JavaScript that runs in the browser of any user who later loads the affected page. With a scope-changed CVSS of 7.1 (AV:N/AC:L/PR:N/UI:R), the payload can be planted without authentication but only fires when a victim views the rendered content. EPSS is very low (0.03%, 10th percentile) and there is no public exploit identified at time of analysis, consistent with CISA's SSVC rating of no observed exploitation.
Reflected cross-site scripting in the Favicon plugin by RealFaviconGenerator (phbernard) for WordPress affects all releases up to and including version 1.3.46, allowing unauthenticated attackers to deliver a crafted link that, when opened by a victim, executes attacker-controlled JavaScript in that user's browser session. The CVSS 3.1 base score is 7.1, driven largely by a scope change (S:C) that lets the injected script reach resources beyond the plugin itself, though exploitation requires user interaction. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; EPSS is very low at 0.03% (10th percentile), indicating little observed exploitation interest so far.
Stored XSS in the Booking Manager WordPress plugin (wpdevelop) versions through 2.1.18 allows authenticated low-privileged users to inject persistent malicious scripts that execute in other users' browsers. The CVSS scope change (S:C) indicates injected scripts can affect resources beyond the plugin itself - most critically, administrator sessions viewing booking data. No public exploit code has been identified at time of analysis, and EPSS at 0.03% (10th percentile) signals minimal observed exploitation interest currently.
Stored Cross-Site Scripting in the WPComplete WordPress plugin (all versions through 2.9.5.4) allows authenticated low-privileged users to inject persistent malicious scripts that execute in other users' browsers upon viewing affected content. The CVSS changed scope (S:C) is the critical risk factor: a contributor- or author-level account can craft payloads that execute in the session of higher-privileged users, including administrators, enabling session hijacking or unauthorized admin actions. No public exploit identified at time of analysis, and an EPSS score of 0.03% (10th percentile) reflects low broad exploitation probability, though the admin-targeting potential elevates real-world concern for multi-user WordPress deployments.
DOM-based cross-site scripting in the Advanced IP Blocker WordPress plugin (IniLerm) affects all versions from initial release through 8.10.7, letting an unauthenticated remote attacker execute arbitrary JavaScript in a victim's browser when that victim is lured into triggering crafted input. Because the CVSS scope is marked changed (S:C), the injected script can affect resources beyond the vulnerable component, though confidentiality, integrity, and availability impacts are each rated low. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible at 0.03% (10th percentile).
Stored cross-site scripting in the Smart Online Order for Clover WordPress plugin by ZAYTECH (versions up to and including 1.6.0) lets attackers inject persistent JavaScript that executes when a victim - typically a store administrator - loads the affected page. Because the CVSS vector marks privileges as none (PR:N) but user interaction as required (UI:R), the malicious input can be planted without authentication and is triggered later when a privileged user views it. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.03%, 10th percentile), indicating exploitation is not currently widespread.
Reflected cross-site scripting in the Geo Mashup WordPress plugin (Dylan Kuhn) affects all versions up to and including 1.13.19, letting an unauthenticated attacker inject script that executes in a victim's browser when they click a crafted link. The CVSS 3.1 base score is 7.1 with a changed scope, reflecting that injected script can affect resources beyond the vulnerable component, though confidentiality, integrity, and availability impacts are each rated low. EPSS is very low (0.03%, 10th percentile) and there is no public exploit identified at time of analysis.
DOM-Based cross-site scripting in RealMag777's WPCS (Currency Switcher) WordPress plugin affects all versions through 1.3.1 (EUVD-2026-32184), allowing remote unauthenticated attackers to inject script that executes in a victim's browser when the victim is lured into a crafted interaction. The CVSS:3.1 vector (AV:N/PR:N/UI:R/S:C) reflects network-reachable, no-privilege exploitation that requires user interaction but crosses a security scope boundary. No public exploit identified at time of analysis, and EPSS is very low (0.03%, 10th percentile), indicating little observed real-world targeting.
DOM-based cross-site scripting in the PropertyHive WordPress real-estate plugin (all versions up to and including 2.2.2) lets a remote, unauthenticated attacker inject script that executes in a victim's browser when they interact with a crafted link or page element. Reported through Patchstack's audit program and tracked as EUVD-2026-32180, the flaw carries a CVSS 7.1 rating driven largely by its changed scope, but EPSS rates exploitation probability at just 0.03% (10th percentile). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored cross-site scripting in the HT Contact Form 7 (ht-contactform) WordPress plugin by HT Plugins, affecting all versions up to and including 2.8.2, lets a remote unauthenticated attacker persist malicious script that later executes in the browser of a privileged user who views the stored data. The CVSS 3.1 base score is 7.1, elevated by a changed scope (S:C), but EPSS is only 0.03% (10th percentile) and there is no public exploit identified at time of analysis. Disclosed via Patchstack (audit@patchstack.com) and tracked as ENISA EUVD-2026-32186.
Reflected Cross-Site Scripting in the MinhNhut Link Gateway WordPress plugin (all versions ≤ 3.6.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'url' parameter on the plugin's redirect page. Successful exploitation requires tricking a WordPress user into clicking a specially crafted link, after which the malicious script executes in the victim's browser within the scope of the WordPress site - enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit has been identified at time of analysis; EPSS stands at 0.06% (19th percentile) and CISA SSVC rates exploitation status as none, indicating minimal real-world exploitation activity at this time.