Skip to main content

XSS

38827 CVEs technique

Monthly

CVE-2026-3348 MEDIUM This Month

Stored Cross-Site Scripting in the MinhNhut Link Gateway WordPress plugin (all versions through 3.6.1) allows authenticated administrators to persist malicious JavaScript payloads via the plugin's settings fields - including Description and Title - which then execute in the browsers of any user who accesses the plugin's redirect pages. The attack is constrained to multi-site WordPress deployments or single-site installations where unfiltered_html has been explicitly disabled, and requires Administrator-level credentials, substantially narrowing real-world exposure. No public exploit code has been identified at time of analysis, and EPSS stands at a very low 0.03% (8th percentile), consistent with the narrow exploitation window.

XSS WordPress
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2288 MEDIUM This Month

Stored Cross-Site Scripting in the myLinksDump WordPress plugin (all versions ≤1.6) allows authenticated administrators to permanently inject arbitrary JavaScript into pages via the unsanitized 'link_title' parameter, executing in any victim's browser upon page access. Exploitation is constrained to WordPress multi-site environments or single-site installs with unfiltered_html disabled, and requires administrator-level credentials plus victim interaction. EPSS is 0.03% (9th percentile) and SSVC confirms no known exploitation, placing this firmly in a low-priority tier despite the stored XSS class.

XSS WordPress
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-2280 MEDIUM This Month

Stored Cross-Site Scripting in the rexCrawler WordPress plugin (versions ≤ 1.0.15) allows authenticated administrators to inject persistent malicious scripts into settings pages, which then execute in the browsers of any user who accesses those pages. The vulnerability originates in admin_main.php at two distinct injection points (lines 108 and 239) and is constrained to multi-site WordPress environments or single-site installs where the unfiltered_html capability has been explicitly disabled. With an EPSS of 0.02% (7th percentile), no CISA KEV listing, and SSVC exploitation status of 'none', this represents a low-urgency finding despite its network-accessible attack vector. No public exploit code has been identified at time of analysis.

XSS WordPress
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-48968 MEDIUM This Month

DOM-Based Cross-Site Scripting in the Averta Master Slider WordPress plugin (versions through 3.10.8) enables authenticated low-privilege users to inject persistent malicious scripts that execute in the browsers of other site visitors. The CVSS Scope:Changed flag (S:C) confirms the injected payload can escape the plugin's context and affect the broader browser environment, enabling session hijacking or admin action forgery against higher-privileged users. No public exploit code exists and EPSS at 0.03% (10th percentile) aligns with SSVC's 'Exploitation: none' classification - this is a real but moderate-priority finding gated behind authentication and victim interaction requirements.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-52747 HIGH This Week

Reflected cross-site scripting in Jthemes' Themebox - Digital Products Ecommerce WordPress theme (versions through 1.4.2) lets an unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link. With CVSS 7.1 (scope-changed, low impact across confidentiality, integrity and availability), successful exploitation can hijack session context or perform actions in the WordPress admin/store context, though it requires the victim to click an attacker-supplied URL. No public exploit identified at time of analysis, and EPSS is very low at 0.03% (10th percentile), indicating minimal observed exploitation interest.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-22741 HIGH This Week

Reflected cross-site scripting in the RiceTheme Felan Framework WordPress plugin (all versions through 1.1.3) lets a remote unauthenticated attacker inject script that executes in a victim's browser when the victim follows a crafted link. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a low-complexity, network-reachable flaw requiring user interaction with a changed scope, scored 7.1. There is no public exploit identified at time of analysis, and EPSS is very low at 0.03% (10th percentile), consistent with the CISA SSVC assessment of no observed exploitation.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-13167 MEDIUM PATCH This Month

Cross-site scripting in Synology Contacts before version 1.0.10-20659 allows authenticated remote users to read or write specific files containing non-sensitive information by injecting malicious input through the contact functionality. The CVSS scope change (S:C) confirms the injected script executes in a context beyond the originating application, affecting any victim who views the crafted contact entry. No public exploit identified at time of analysis, and CISA has not listed this in the Known Exploited Vulnerabilities catalog.

XSS Synology
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-10466 MEDIUM PATCH This Month

Stored XSS in Synology Safe Access before 1.3.1-0329 on SRM (Synology Router Manager) allows remote authenticated administrators to inject malicious scripts that execute in the SRM context, enabling limited reads or writes of non-sensitive files and constrained denial-of-service conditions. The CVSS Scope:Changed rating confirms cross-component impact - the vulnerability originates in the Safe Access module but affects the broader SRM platform. No public exploit code exists and no active exploitation has been identified; EPSS at 0.03% and SSVC exploitation status of 'none' collectively indicate negligible current threat in the wild.

XSS Synology
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-8143 HIGH This Week

Stored cross-site scripting in the HBook hotel booking plugin for WordPress (all versions through 2.1.6) lets unauthenticated attackers persist arbitrary JavaScript through the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' booking parameters. The payload is stored server-side and fires in the privileged context of the HBook Customers admin page, so a no-privilege injection escalates into the administrator's browser session (reflected in the Scope:Changed rating that drives the 7.2 score). There is no public exploit identified at time of analysis and the EPSS probability is very low (0.06%, 17th percentile).

XSS WordPress
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-8042 MEDIUM This Month

Stored Cross-Site Scripting in the Github Shortcode plugin for WordPress (all versions through 0.1) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts via the 'repo' attribute of the 'github' shortcode. Any user who subsequently visits the injected page triggers execution of the attacker-controlled script in their browser context. No public exploit has been identified at time of analysis and EPSS places exploitation probability at 0.03% (9th percentile), though the low barrier to exploitation for any site permitting contributor accounts warrants attention.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3897 MEDIUM This Month

Stored Cross-Site Scripting in the Livemesh Addons for Beaver Builder WordPress plugin (all versions ≤3.9.2) allows authenticated attackers with Subscriber-level access or above to inject persistent malicious scripts via the `labb_admin_ajax` AJAX endpoint. The root flaw is a missing capability check - the handler validates a WordPress nonce (confirming form origin) but never verifies whether the requesting user holds privileges to modify plugin settings, effectively granting any registered user write access to plugin configuration. Injected scripts execute in the browser of administrators who visit the settings page or against any frontend visitor, enabling session hijacking or privilege escalation against admins. No public exploit code or active exploitation has been identified at time of analysis; EPSS is very low at 0.03% (8th percentile).

XSS WordPress Authentication Bypass
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3896 MEDIUM This Month

Stored Cross-Site Scripting in the Livemesh SiteOrigin Widgets WordPress plugin (all versions through 3.9.2) allows any authenticated subscriber-level user to permanently inject malicious scripts into plugin settings via the unprotected `lsow_admin_ajax` AJAX endpoint. The injected payload executes against administrators when they access the plugin settings page, and against any site visitor on the frontend - enabling session hijacking, credential theft, or unauthorized admin actions. No public exploit has been identified at time of analysis and CISA has not added this to the KEV catalog, but the low privilege bar (subscriber) makes it an attractive target on sites with open registration.

XSS WordPress Authentication Bypass
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3895 MEDIUM This Month

Stored Cross-Site Scripting in the WPBakery Page Builder Addons by Livemesh WordPress plugin (all versions through 3.9.4) allows authenticated attackers with as little as Subscriber-level access to permanently inject malicious JavaScript into plugin settings via the unprotected lvca_admin_ajax AJAX endpoint. The injected payload executes both when administrators access the plugin settings page and when any frontend visitor loads affected pages, achieving Changed Scope impact beyond the attacker's own session. No public exploit code has been identified at time of analysis, and CISA KEV does not list this CVE, though the low authentication bar makes it a realistic risk on WordPress sites with open user registration.

XSS WordPress Authentication Bypass
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3375 HIGH This Week

Stored cross-site scripting in the LiteSpeed Cache plugin for WordPress (all versions through 7.7) lets attackers persist arbitrary JavaScript into a site's frontend by abusing the unauthenticated /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST endpoints, which store QUIC.cloud-supplied CSS to disk and later render it inline without escaping. Exploitation is conditional: the endpoints are protected by IP-based access control that only becomes bypassable in certain reverse-proxy, load-balancer, or CDN deployments. No public exploit identified at time of analysis, and EPSS is low (0.07%, 20th percentile), consistent with CISA SSVC marking exploitation status as 'none' despite 'automatable: yes'.

XSS WordPress
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-3001 MEDIUM This Month

Reflected Cross-Site Scripting in the Gutenverse plugin for WordPress (all versions through 3.4.6) allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by crafting a malicious search URL. The vulnerability arises from the plugin's search-result-title block outputting the raw search query string directly into page HTML without sanitization. Exploitation requires user interaction (victim must click a crafted link) and the gutenverse/search-result-title block must be present on the site's search results template. No public exploit code has been identified at time of analysis, and CISA KEV confirmation of active exploitation is absent.

XSS PHP WordPress
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-2030 MEDIUM This Month

Stored XSS in WPBakery Page Builder Addons by Livemesh (all versions through 3.9.4) allows authenticated WordPress contributors to inject persistent JavaScript into site pages via malformed shortcode attributes on the `[lvca_carousel]` and `[lvca_posts_carousel]` shortcodes. The flaw arises from using `wp_json_encode()` instead of `esc_attr()` when embedding shortcode attributes into single-quoted HTML `data-settings` attributes, enabling an attacker to inject a literal single quote and escape the attribute boundary. No public exploit identified at time of analysis; EPSS of 0.03% (9th percentile) reflects low current exploitation interest, and the practical attack surface is constrained to WordPress sites where untrusted users hold Contributor-level access.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8899 MEDIUM This Month

Stored Cross-Site Scripting in the Auto Thumbnail WordPress plugin (all versions up to and including 1.0) enables authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the 'width' and 'height' attributes of the 'thumbnails' shortcode. The injected payload executes in the browser of any subsequent visitor who loads the affected page, crossing trust boundaries from the WordPress server context into victims' sessions (CVSS S:C). No public exploit code has been identified and this CVE does not appear in the CISA KEV catalog; EPSS of 0.03% (9th percentile) reflects low predicted exploitation probability, though the stored nature of the flaw amplifies impact relative to reflected XSS.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8898 MEDIUM This Month

Stored Cross-Site Scripting in the Events In City WordPress plugin (versions ≤3.0) allows contributor-level authenticated users to inject persistent JavaScript payloads via unsanitized 'org-events' shortcode attributes handled by the org_event_scode() function. The CVSS scope is Changed (S:C), meaning injected scripts execute in victims' browsers outside the plugin's own context, enabling session hijacking, credential theft, or unauthorized actions against any user who views an affected page. No public exploit identified at time of analysis; EPSS score of 0.03% (9th percentile) reflects low current exploitation likelihood, though the contributor-level access requirement is a realistic attack surface on multi-author WordPress sites.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8897 MEDIUM This Month

Stored Cross-Site Scripting in the Shortcode Buddy WordPress plugin (all versions ≤ 0.1.9.5) allows authenticated attackers with contributor-level access to permanently embed arbitrary JavaScript into pages via unsanitized shortcode attributes, executing in any visitor's browser upon page load. The Changed scope (S:C) in the CVSS vector confirms the injected payload escapes the plugin's context and affects users browsing the site, including administrators whose sessions could be hijacked. No public exploit code has been identified at time of analysis, and EPSS sits at 0.03% (9th percentile), indicating low observed exploitation probability, though the contributor-level entry bar makes this a realistic risk on sites with multiple editors.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8894 MEDIUM This Month

Stored Cross-Site Scripting in the iWR Tooltip WordPress plugin (versions up to and including 1.0) permits authenticated attackers holding contributor-level accounts or higher to plant persistent malicious scripts via the plugin's `iwrtooltip` shortcode. The root cause is direct string concatenation of the user-supplied `title` attribute into an HTML attribute inside the `iwr_tooltip()` handler at lines 37 and 41 of iwr-tooltip.php, with no call to `esc_attr()` or equivalent escaping. Any site visitor who subsequently loads a page containing the poisoned shortcode will execute the injected script in their browser, with scope-changed impact that can target session tokens, credentials, or site administrative functions. EPSS is 0.03% (9th percentile), and no public exploit or CISA KEV listing exists at time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8891 MEDIUM This Month

Stored Cross-Site Scripting in the BitForm WordPress plugin (versions up to and including 1.1.0) allows authenticated attackers with contributor-level access or above to inject persistent malicious scripts via unsanitized 'width' and 'height' shortcode attributes in the Shortcode::shortcode() function, which are written directly into the style attribute of an iframe element without escaping. Any user who subsequently views a page containing the injected shortcode will trigger execution of the attacker's script in their browser session, enabling session hijacking, credential theft, or malicious redirects. No public exploit code has been identified at time of analysis, and EPSS places current exploitation probability at 0.03% (9th percentile), indicating this is currently a low-activity finding despite its network-accessible attack vector.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8887 MEDIUM This Month

Stored Cross-Site Scripting in the Listen Shortcode WordPress plugin (versions ≤ 1.0) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages via unsanitized shortcode attributes. The vulnerability exists in the listenEmbedJS() function, which echoes user-supplied src, start, and end attributes directly into a single-quoted HTML attribute context without escaping, enabling script injection that executes in the browsers of any user who later visits the affected page. EPSS is low (0.03%, 9th percentile) and no public exploit or CISA KEV listing has been identified at time of analysis, suggesting limited current exploitation activity.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8886 MEDIUM This Month

Stored Cross-Site Scripting in the hk_shortcode WordPress plugin (versions ≤1.0) enables authenticated contributors to inject persistent malicious scripts via the unsanitized 'title' attribute of the 'title-plane' shortcode. The vulnerability stems from direct HTML concatenation of unescaped user input inside the huankong_post_short_title_plane() function - once a crafted post is saved, the payload executes in the browsers of all users who visit the affected page, crossing into their sessions (CVSS S:C). No public exploit code has been identified at time of analysis, and with an EPSS of 0.03% (9th percentile), mass automated exploitation is unlikely; however, multi-author WordPress sites with open contributor registration carry meaningful exposure.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8884 MEDIUM This Month

Stored Cross-Site Scripting in the Instant-Quote.co Quotation Page WordPress plugin (all versions ≤1.3.4) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via unsanitized shortcode attributes. The changed-scope CVSS vector (S:C) reflects that injected scripts execute in victim browsers rather than the server, and the plugin's shortcode is exploitable through the WordPress post review workflow - a contributor can embed a malicious shortcode in a draft submitted for editor or administrator review, causing the payload to execute when a privileged user previews the post. No public exploit has been identified and EPSS is very low at 0.04% (12th percentile), indicating limited opportunistic exploitation risk, though the cross-privilege escalation path warrants attention on multi-author WordPress sites.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8877 MEDIUM This Month

Stored Cross-Site Scripting in the Responsive Video Embedder WordPress plugin (versions ≤ 0.1) allows authenticated attackers with contributor-level access or above to persistently inject arbitrary JavaScript into WordPress pages via unsanitized shortcode attributes. The root cause is direct, unescaped concatenation of user-supplied 'id' and 'list' attributes into an HTML iframe src attribute inside the video_shortcode() function. Because the CVSS scope is Changed (S:C), injected scripts execute in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or malicious redirects against site visitors. No active exploitation has been confirmed and EPSS is very low (0.03%, 9th percentile), but the contributor-level entry bar makes this relevant on multi-author WordPress sites.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8875 MEDIUM This Month

Stored Cross-Site Scripting in the Easy Prism Syntax Highlighter WordPress plugin (versions ≤1.0.2) enables authenticated attackers with Contributor-level access to inject persistent JavaScript into WordPress pages via the 'code' or 'c' shortcode. The flaw resides in the shortcode() function, which concatenates the first positional shortcode attribute directly into the class attribute of generated <pre> and <code> HTML elements without invoking esc_attr() or any equivalent escaping - enabling HTML attribute breakout and arbitrary script injection. No public exploit has been identified and EPSS is very low (0.03%, 9th percentile), but the Contributor-level authentication threshold makes this accessible on any multi-author WordPress site without additional barrier.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8873 MEDIUM This Month

Stored Cross-Site Scripting in the Content Slideshow WordPress plugin (all versions through 2.4.1) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via shortcode attributes. The vulnerability resides in slideshow-widget-shortcode.php at multiple points (lines 14 and 143) where shortcode attribute values are passed without adequate sanitization or output escaping. The CVSS scope is Changed (S:C), meaning injected scripts execute in the victim's browser context and can affect resources beyond the plugin itself, such as stealing session tokens or performing actions as the visiting user. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS sits at a very low 0.03%.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8872 MEDIUM This Month

Stored Cross-Site Scripting in the Animate Your Content WordPress plugin (versions ≤ 1.0.0) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages via the 'animation-set' shortcode. The injected payload executes in the browsers of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit code has been identified at time of analysis, and EPSS (0.03%, 9th percentile) together with SSVC exploitation status of 'none' indicate this is currently a low-priority, low-activity vulnerability.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8871 MEDIUM This Month

Stored Cross-Site Scripting in the Formidable Kinetic WordPress plugin (versions ≤1.1.01) allows authenticated attackers with contributor-level access to permanently inject malicious scripts into pages via the 'kinetic_link' shortcode. The FrmKinetic::link() function concatenates user-supplied shortcode attributes ('window', 'class', 'label') directly into anchor tag HTML attributes without sanitization or output escaping, meaning any visitor who loads an injected page triggers execution of the attacker's payload in their browser. No active exploitation is confirmed in CISA KEV, and the EPSS score of 0.03% (9th percentile) reflects low automated exploitation probability, but the Changed scope (S:C) in the CVSS vector indicates the impact crosses the plugin's security boundary into the broader WordPress page context.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8870 MEDIUM This Month

Stored Cross-Site Scripting in the Team Master WordPress plugin (all versions ≤ 1.1.2) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via shortcode attributes into WordPress pages, executing against any visitor who subsequently loads the affected page. The scope change (S:C in CVSS) reflects cross-session impact - a low-privileged contributor can compromise higher-privileged users including administrators. No public exploit identified at time of analysis, and EPSS of 0.03% (9th percentile) indicates low current exploitation probability.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8869 MEDIUM This Month

Stored Cross-Site Scripting in the Mutual Funds Data WordPress plugin (versions ≤ 1.2.1) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts into any page using the affected shortcode. The unsanitized 'title' attribute in the mfd_shortcode() function is written directly into a HTML caption element without escaping, meaning injected payloads execute in the browsers of any user who subsequently views the affected page. No public exploit code or active exploitation has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects a low current probability of widespread exploitation.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8868 MEDIUM This Month

Stored Cross-Site Scripting in the Single Mailchimp WordPress plugin (all versions through 1.4) allows authenticated attackers with contributor-level access to inject persistent JavaScript into WordPress pages via unsanitized shortcode attributes. The six affected attributes - autocomplete, label, placeholder, btn_text, success_msg, and error_msg - are concatenated directly into HTML output by the single_mailchimp() function in shortcodes.php without sanitization or output escaping. No public exploit code exists and EPSS places exploitation probability at 0.03% (9th percentile), indicating low real-world exploitation pressure at this time.

XSS WordPress PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8867 MEDIUM This Month

Stored Cross-Site Scripting in the Post Category Gallery WordPress plugin (versions ≤1.0.0) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via unsanitized shortcode attributes. The injected payload executes in the browsers of any user who visits the affected page, enabling session hijacking, credential theft, or privilege escalation against higher-privileged users such as administrators. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) indicates very low automated exploitation probability.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8866 MEDIUM This Month

Stored Cross-Site Scripting in the jQuery googleslides WordPress plugin (all versions through 1.3) allows authenticated attackers holding contributor-level access or higher to inject persistent malicious scripts via the 'googleslides' shortcode. The vulnerability is confirmed by Wordfence (ENISA EUVD-2026-32069) and traces to the `googleslides_handler()` function directly interpolating ten shortcode attribute values into HTML without the WordPress-standard `esc_attr()` sanitization. The CVSS Changed Scope (S:C) reflects that injected scripts execute in victims' browsers outside the plugin's own domain; EPSS at 0.03% (9th percentile) and absence from CISA KEV indicate no public exploit or confirmed active exploitation at time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8847 MEDIUM This Month

Stored Cross-Site Scripting in the Dideo plugin for WordPress version 1.0 allows authenticated contributors to inject persistent malicious scripts into any page using the 'dideo' shortcode. The 'id' shortcode attribute is interpolated directly into an HTML iframe 'src' attribute without sanitization or output escaping in the dideo() handler, meaning injected payloads execute automatically in the browser of any user who visits the affected page. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects low current exploitation interest, but the stored nature and scope-changed CVSS vector (S:C) elevate concern for multi-author WordPress deployments.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8846 MEDIUM This Month

Stored Cross-Site Scripting in the Tuxquote WordPress plugin (versions up to and including 1.3) enables authenticated attackers holding Contributor-level access or above to inject persistent malicious scripts into WordPress pages via unsanitized shortcode attributes. The `tuxquote_build_format()` function concatenates user-supplied `title`, `align`, and `width` attributes from the TUXQUOTE shortcode directly into rendered HTML without passing them through WordPress's built-in `esc_attr()` or `esc_html()` escaping functions, allowing the payload to persist and execute in any visitor's browser. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects minimal real-world exploitation activity to date.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8845 MEDIUM This Month

Stored Cross-Site Scripting in the Islamic Database WordPress plugin (versions ≤ 1.0) allows authenticated contributors to persistently inject arbitrary JavaScript into WordPress pages via the 'islamicDB-roqya' shortcode's 'width' and 'height' attributes. The flaw originates in the islamicDB_sc_quran_qari_roqya() function, which concatenates these shortcode attribute values directly into HTML iframe attribute values without sanitization or output escaping. No public exploit has been identified and EPSS sits at 0.03% (9th percentile), reflecting low current exploitation probability, though the contributor-level access requirement is a realistic barrier given how many WordPress sites grant that role to content editors.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8844 MEDIUM This Month

Stored Cross-Site Scripting in the Responsive Check WordPress plugin (versions ≤ 0.0.3) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via the 'url' and 'button' attributes of the [rspcheck] shortcode. The payload executes in the browser of any user who visits an affected page, with a CVSS scope-change designation (S:C) reflecting cross-user impact. No public exploit has been identified and the EPSS score of 0.03% (9th percentile) places real-world exploitation probability firmly at the low end, though sites with open contributor registration remain meaningfully exposed.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8842 MEDIUM This Month

Stored Cross-Site Scripting in the Google+ Link Name WordPress plugin (versions up to and including 1.0) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'gplusnamelink' shortcode's 'id' and 'name' attributes. The root cause is the absence of WordPress output-escaping functions (esc_attr() or esc_html()) in the gplusnamelink_generate() function, permitting raw attribute values to be concatenated directly into rendered HTML. Scope is Changed (S:C) per CVSS, meaning the injected script executes in victims' browser sessions outside the plugin's own security context. No public exploit or CISA KEV listing has been identified at time of analysis; EPSS score of 0.03% (9th percentile) reflects low observed exploitation probability.

XSS WordPress Google
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8837 MEDIUM This Month

Stored Cross-Site Scripting in the WP Iframe Geo Style for Amazon affiliates WordPress plugin (all versions ≤1.1) allows authenticated attackers holding contributor-level roles to persist malicious JavaScript in page content via the unsanitized 'adid' shortcode attribute. The injected script executes automatically in any visitor's browser upon page load, with changed scope (S:C) confirming the payload crosses the attacker's own security boundary to impact other users. No public exploit identified at time of analysis, and an EPSS score of 0.03% (9th percentile) reflects low current exploitation probability, though the contributor-level access requirement is achievable on many open-registration WordPress sites.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8707 MEDIUM This Month

Reflected Cross-Site Scripting in the NS Product icon badge WordPress plugin (all versions through 1.2.4) enables unauthenticated remote attackers to inject arbitrary JavaScript via the PHP_SELF superglobal, which is reflected into page output without sanitization or escaping across at least four code locations in ns_addNewOptionsPage.php. Exploitation requires convincing a victim (typically an authenticated WordPress admin) to click a crafted link, limiting mass exploitation but enabling targeted session hijacking or credential theft against site administrators. No active exploitation is confirmed (not in CISA KEV), and EPSS at 0.09% (26th percentile) indicates low current exploitation probability.

XSS WordPress
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-8703 MEDIUM This Month

Stored Cross-Site Scripting in the Endless Scroll WordPress plugin (all versions ≤1.0.0) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via shortcode attributes, which execute in any visitor's browser upon page load. The CVSS scope change (S:C) confirms the payload crosses security boundaries - executing outside the WordPress application context - enabling session theft, credential harvesting, or malicious redirects against site visitors. No public exploit has been identified at time of analysis, and EPSS at 0.03% (9th percentile) reflects very low current exploitation probability, though the low privilege bar (contributor role) elevates risk on sites with open or loosely managed user registration.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8702 MEDIUM This Month

Stored Cross-Site Scripting in the GBI To Print WordPress plugin version 1.0 allows authenticated attackers with contributor-level access to inject persistent malicious scripts into WordPress pages via the unsanitized 'div' attribute of the 'gbitoprint' shortcode. The root cause is a direct concatenation of raw shortcode attribute input into HTML output inside gbi_toprint_shortcode() at gbitoprint.php line 86, with no call to esc_attr() or equivalent WordPress sanitization. Any site visitor loading a page containing the injected shortcode will execute the attacker-controlled script in their browser, enabling session theft, credential harvesting, or malicious redirects. No public exploit code has been identified at time of analysis, and EPSS signals low near-term mass exploitation probability.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8701 MEDIUM This Month

Stored cross-site scripting in the GNTT Post Title Ticker WordPress plugin version 1.0 allows authenticated contributors to inject persistent malicious JavaScript via unsanitized shortcode attributes across three display functions. The vulnerability arises from direct HTML concatenation of user-controlled values - including border, width, height, header_background, header_text_color, and id - without any escaping in gntt_title_ticker_slide(), gntt_title_ticker_fade(), and gntt_title_ticker_typing(). No public exploit has been identified at time of analysis, and the EPSS exploitation probability stands at a low 0.03%, suggesting limited real-world interest despite an accessible contributor-level attack surface on multi-author WordPress sites.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8698 MEDIUM This Month

Stored Cross-Site Scripting in the Cryptocurrency Prijsvergelijking Widget WordPress plugin (version 1.0) allows authenticated attackers holding contributor-level access to inject persistent JavaScript into any page where the plugin shortcode is placed, executing silently in the browsers of all subsequent visitors including administrators. The root cause is the as_get_coin_shortcode() function writing user-controlled 'width' and 'height' shortcode attributes directly into an iframe's HTML style attribute without calling esc_attr(), enabling style-context breakout via crafted attribute-termination payloads. No public exploit has been independently listed at time of analysis and EPSS stands at 0.03% (9th percentile), indicating low observed exploitation probability, though the CVSS Changed Scope designation means a single injected payload can compromise sessions of any user - including site administrators - who loads the affected page.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8048 MEDIUM This Month

Stored Cross-Site Scripting in the My Email Shortcode WordPress plugin (versions up to and including 0.91) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts via the 'subject' attribute of the 'my-email' shortcode. The Changed scope in the CVSS vector (S:C) confirms that successful exploitation crosses security boundaries, affecting visiting users' browser sessions regardless of their own privilege level. No active exploitation has been identified (not in CISA KEV), and the EPSS score of 0.03% at the 9th percentile indicates low observed exploitation probability at time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8040 MEDIUM This Month

Stored Cross-Site Scripting in the faq shortcode WordPress plugin (all versions up to and including 1.0) permits authenticated contributors to persist arbitrary JavaScript into site pages via the unsanitized 'color' attribute of the [faq] shortcode, with the payload executing in any visitor's browser upon page load. The vulnerability stems from missing input sanitization and output escaping in faq.php at line 65, and the changed scope (S:C in CVSS) confirms cross-user impact beyond the attacker's own session. No public exploit has been identified and EPSS sits at 0.03% (9th percentile), reflecting low current exploitation activity.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6268 HIGH PATCH This Week

Reflected cross-site scripting in the EventPress WordPress theme (all versions before 22.2) lets unauthenticated attackers inject arbitrary JavaScript by abusing the unsanitized 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler, which echoes the value back into the response without escaping. An attacker who lures a logged-in user (typically an administrator working in the Customizer/admin context) to a crafted link executes script in that user's session, enabling actions such as session/cookie theft or admin-context operations. EPSS exploitation probability is very low (0.05%, 17th percentile), there is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS WordPress
NVD WPScan
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-6287 MEDIUM This Month

Stored Cross-Site Scripting in ShopLentor (WordPress plugin, versions ≤ 3.3.8) allows authenticated contributors to permanently embed malicious JavaScript into WordPress pages via the 'blockUniqId' attribute of Product Grid blocks. Any user who subsequently visits an injected page triggers script execution in their browser, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. EPSS is negligible at 0.03% (9th percentile), no CISA KEV listing exists, and no public exploit has been identified at time of analysis.

XSS WordPress
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-9022 MEDIUM This Month

Stored Cross-Site Scripting in the Splide Carousel Block WordPress plugin (all versions ≤ 1.7.1) allows authenticated attackers with contributor-level access to inject persistent JavaScript via the 'url' block attribute, executing against any visitor of the affected page. The attack requires the malicious post to be published by an editor or administrator before the payload fires, adding a social-engineering or workflow-abuse dependency. With an EPSS of 0.03% (9th percentile) and no current CISA KEV listing, real-world exploitation risk is low but non-negligible on sites permitting untrusted contributors to submit content.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-48999 MEDIUM This Month

Stored cross-site scripting in ZTE ZXUniPOS NDS-LTE enables an authenticated high-privilege attacker to persist malicious JavaScript within the system, which executes automatically in the browsers of other users who access the affected pages. Affected versions include V24.30.40CP02 and V24.40.40 and their respective earlier releases, confirmed via ENISA EUVD-2026-32041 and ZTE's own security bulletin. No public exploit identified at time of analysis, and an EPSS score of 0.03% (9th percentile) reflects a very low automated exploitation probability.

XSS Zte Zxunipos Nds Lte
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-9608 LOW Monitor

Cross-site scripting in QianFox FoxCMS versions 1.2.0 through 1.2.6 allows a high-privileged attacker to inject malicious JavaScript via the /Tag/edit endpoint in the Administrator Backend, executing in the context of another user's browser session upon interaction. A proof-of-concept exploit has been publicly disclosed via a GitHub issue report, though the vendor has not yet acknowledged or responded to the disclosure. The CVSS 4.0 score of 1.9 and EPSS of 0.03% (9th percentile) reflect the severe prerequisite constraints - administrator-level authentication and passive user interaction - which sharply limit real-world exploitability.

XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-6565 MEDIUM This Month

Stored Cross-Site Scripting in Style Kits for Elementor (analogwp-templates) WordPress plugin versions up to and including 2.5.0 allows authenticated attackers with contributor-level access to inject persistent JavaScript payloads via the kit title parameter at the /wp-json/agwp/v1/tokens/save REST API endpoint. The injected script executes in the browser of any user who subsequently visits an affected page, with a Changed scope (S:C) indicating cross-user impact that can reach administrators. No public exploit identified at time of analysis; EPSS of 0.03% (9th percentile) signals low observed exploitation probability, though the contributor-level barrier is low on multi-author WordPress sites.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-44644 npm MEDIUM GHSA This Month

XSS sanitizer bypass in LiquidJS's strip_html filter (all versions through 10.25.7) allows stored or reflected cross-site scripting via newline-embedded HTML tags. The filter's catch-all regex branch uses JavaScript's dot operator without the dotAll flag, causing tags containing literal newline or carriage-return characters (e.g., <img\nsrc=x\nonerror=alert(1)>) to pass through unmodified - while browsers parse such tags as fully valid HTML elements and execute embedded event handlers. Publicly available exploit code exists; no vendor-released patch has been identified at time of analysis.

Node.js CSRF XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-44587 Ruby MEDIUM PATCH GHSA This Month

CarrierWave's `content_type_denylist` silently fails to block MIME types containing regex metacharacters - most critically `image/svg+xml` - because string entries are interpolated directly into a regex without `Regexp.quote` or anchoring, causing the `+` character to be treated as a quantifier rather than a literal. Any Ruby application relying on this denylist to prevent SVG uploads for stored XSS protection is completely unprotected despite believing the control is active. A publicly available proof-of-concept exploit demonstrates successful SVG bypass; no public exploit identified at time of analysis for active KEV-level exploitation.

XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-44175 PHP HIGH PATCH GHSA This Week

Stored cross-site scripting in Kirby CMS (versions before 4.9.1 and 5.4.1) allows an authenticated Panel user with update permission to a list field or list block to inject unsanitized HTML directly via Kirby's API, which is later rendered and executed in the browsers of frontend visitors and logged-in users. Because the list field intentionally stores formatted HTML and was not sanitized on save, an attacker can plant auto-firing JavaScript that runs when affected pages load. No public exploit identified at time of analysis, and the EPSS score is very low (0.04%), consistent with a privilege-gated, non-KEV issue rather than mass exploitation.

XSS
NVD GitHub
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-44903 Go MEDIUM PATCH This Month

Stored cross-site scripting in Prometheus versions 2.49.0 through 3.5.2/3.11.2 allows a low-privileged attacker who can inject crafted histogram metrics to execute arbitrary JavaScript in the browser of any user who views the affected metric in the legacy heatmap chart UI. Exploitation requires the non-default `--enable-feature=old-ui` flag to be set and the victim to navigate to the specific heatmap view. No public exploit code has been identified at time of analysis, but the vulnerability is technically straightforward - a missing `escapeHTML()` call on `le` label values rendered as axis tick labels in Graph.tsx. This is the third stored DOM XSS in Prometheus's web UI in recent years, following CVE-2019-10215 and CVE-2026-40179.

XSS Prometheus
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-44669 HIGH PATCH This Week

Stored cross-site scripting in Faction (a penetration testing report generation and collaboration framework) versions prior to 1.8.3 allows authenticated low-privilege users to persist attacker-controlled JavaScript via attachment filenames that are later rendered without output encoding when other users preview assessment files. Because payloads execute in privileged victims' browsers under the application origin, an attacker can hijack manager or admin sessions; SSVC rates technical impact as total though EPSS sits at 0.03% (10th percentile) and no public exploit identified at time of analysis.

XSS Faction
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-44667 HIGH PATCH This Week

Stored cross-site scripting in Faction penetration testing platform versions prior to 1.8.3 allows authenticated users to inject JavaScript via crafted attachment filenames in remediation verification flows, which then executes in the browser of any user viewing the affected verification or remediation views. With CVSS scope-changed impact (S:C) and high confidentiality and integrity impact, exploitation can hijack privileged manager or assessor sessions; no public exploit identified at time of analysis and EPSS sits at 0.03% (10th percentile).

XSS Faction
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-9566 LOW POC PATCH Monitor

Cross-site scripting in Teable's authentication redirect flow (versions 1.0-1.9.x) allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by crafting a login URL with a malicious `redirect` parameter using javascript: or data: URI schemes. The vulnerable component is LoginPage.tsx in the Next.js frontend and the social auth controller adapter in the NestJS backend, neither of which validated the redirect destination before navigating. Publicly available exploit code exists (GitHub gist), but the vulnerability is not listed in CISA KEV and EPSS probability is very low at 0.04% (11th percentile), indicating no confirmed widespread exploitation.

XSS Teable
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-44729 HIGH This Week

Stored cross-site scripting in Twenty CRM versions 1.18.0 and earlier allows authenticated users to upload HTML/JavaScript files that the application then serves without security headers, enabling execution in the CRM's origin. Successful exploitation leads to session hijacking, account takeover, and theft of CRM data. No public exploit identified at time of analysis, and EPSS exploitation probability is 0.03% (10th percentile), though SSVC rates technical impact as total.

XSS Twenty
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-48903 MEDIUM This Month

Cross-site scripting in the Joomla! Framework Filter package exposes applications to script injection through inadequately sanitized HTML attribute values in the checkAttribute methods. Authenticated users holding high-level privileges can inject malicious content that executes in the browser of any user who subsequently views the affected page. No public exploit has been identified at time of analysis, and an EPSS score of 0.01% at the 0th percentile confirms minimal current exploitation interest across the security community.

XSS Joomla Framework Filter Package
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-48905 MEDIUM This Month

Inadequate HTML attribute sanitization in the cleanattributes() function of the Joomla! Framework Filter package exposes a cross-site scripting (XSS) vector across versions 1.0.0-3.0.5 and 4.0.0-4.0.1. An attacker holding high-privileged (administrative) access can inject malicious script content through unfiltered HTML attributes; when a victim user passively views that content, the payload executes in their browser, yielding high confidentiality impact (VC:H) consistent with session token or credential theft. No public exploit code exists and this vulnerability is not listed in CISA KEV, placing real-world risk well below what the CVSS 6.9 base score might initially suggest.

XSS Joomla Framework Filter Package
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-25901 MEDIUM This Month

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated high-privilege attacker to inject malicious scripts that execute in another user's browser session, yielding high confidentiality impact on the vulnerable system. Affected installations span Joomla! CMS 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0. SSVC assessment lists exploitation as none, EPSS is 0.04% (13th percentile), and no public exploit code or CISA KEV listing exists, indicating this is a low-urgency but genuine privilege-escalation-adjacent risk in multi-administrator Joomla environments.

XSS Joomla Cms
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-25900 MEDIUM This Month

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsanitized content that executes in the browser context of a victim user who passively views the affected feed output. Affecting the broad version spans of 3.0.0 through 5.4.5 and 6.0.0 through 6.1.0, the root cause is a failure to apply output escaping before rendering feed module data. No public exploit has been identified at time of analysis, and SSVC confirms no current active exploitation.

XSS Joomla Cms
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-30895 MEDIUM This Month

Reflected or stored cross-site scripting in Joomla! CMS com_content component allows a high-privileged attacker to inject unescaped output into readmore links, executing arbitrary JavaScript in a victim's browser upon interaction. Affected releases span Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0. No public exploit code has been identified and CISA KEV does not list this vulnerability, but a vendor security advisory has been published at the Joomla Security Centre.

XSS Joomla Cms
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-30894 MEDIUM This Month

Cross-site scripting in Joomla! CMS content history component (com_contenthistory) allows a high-privileged attacker to inject persistent malicious scripts due to missing output escaping, leading to confidentiality compromise of the vulnerable system when a victim views affected history entries. Confirmed affected versions span Joomla! CMS 3.0.0-5.4.5 and 6.0.0-6.1.0 across an exceptionally wide installed base. No public exploit code exists and the vulnerability is not in the CISA KEV catalog; EPSS of 0.04% (13th percentile) confirms no observed widespread exploitation at time of analysis.

XSS Joomla Cms
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-9564 LOW POC Monitor

Stored cross-site scripting in SourceCodester Hospitals Patient Records Management System 1.0 allows a remote, high-privileged attacker to inject malicious script via the Remarks argument on the /admin/?page=patients/view_patient endpoint, resulting in low-integrity impact when a victim administrator views the affected patient record. A public proof-of-concept exploit exists (GitHub issue), though the CVSS 4.0 base score of 1.9 and EPSS of 0.03% (8th percentile) indicate low real-world exploitation likelihood. This is not listed in the CISA KEV catalog and SSVC classifies it as non-automatable with partial technical impact.

XSS Hospitals Patient Records Management System
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-36126 MEDIUM PATCH This Month

Stored cross-site scripting in IBM Cognos Analytics and Cognos Transformer's Administration interface allows an authenticated low-privileged user to inject persistent JavaScript payloads into the Web UI, which then execute in the browser sessions of other users - including higher-privileged administrators - potentially leading to credential theft or session hijacking. Affected are Cognos Analytics versions 11.2.0, 12.0, and 12.1.0, and Cognos Transformer versions 11.2.4, 12.0, and 12.1.0. No public exploit identified at time of analysis, and the EPSS score of 0.03% (8th percentile) combined with SSVC exploitation status of 'none' indicates very low observed exploitation pressure.

XSS IBM Cognos Analytics Cognos Transformer
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-36148 MEDIUM PATCH This Month

Cross-site scripting in IBM Financial Transaction Manager for SWIFT Services for Multiplatforms versions 3.2.4.0 through 3.2.4.15 permits injection of arbitrary JavaScript into the Web UI, creating a pathway to credential disclosure within an authenticated operator's session. The Changed Scope (S:C) in the CVSS vector confirms the injected script executes in the victim's browser beyond the originating application boundary, elevating real-world impact in a SWIFT financial messaging context. No public exploit has been identified and EPSS stands at 0.05% (16th percentile), reflecting low immediate exploitation probability, though a discrepancy between the CVE description characterizing the attacker as unauthenticated and the CVSS PR:L vector warrants vendor clarification before finalizing risk posture.

XSS IBM Financial Transaction Manager For Swift Services For Multiplatforms
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27427 MEDIUM This Month

Stored XSS in the Geo Mashup WordPress plugin (versions through 1.13.18) allows authenticated low-privileged users to persistently inject malicious JavaScript into pages served by the affected site. When a higher-privileged user - such as an administrator - views the content containing the stored payload, the script executes in their browser under a changed scope, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit has been identified at time of analysis, and an EPSS of 0.03% (10th percentile) combined with SSVC exploitation status of 'none' confirms very low current real-world exploitation activity.

XSS Geo Mashup
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39642 MEDIUM This Month

Basic XSS via arbitrary shortcode execution in the Nyla WordPress theme (versions through 1.7) allows unauthenticated remote attackers to inject script-bearing HTML tags into rendered web pages, resulting in limited confidentiality impact against site visitors. The vulnerability is classified under CWE-80 and was disclosed by Patchstack, who titled the finding 'Arbitrary Shortcode Execution' - indicating that the XSS payload is delivered through unsanitized shortcode rendering rather than a conventional input field. No public exploit code exists and no active exploitation has been confirmed at time of analysis.

XSS Nyla
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-9527 LOW POC Monitor

Reflected cross-site scripting in itsourcecode Electronic Judging System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the `fname` parameter of `/admin/judges.php`, executing arbitrary JavaScript in the context of a victim's browser session. The CVSS 4.0 score of 2.1 reflects the low integrity impact and mandatory user interaction, consistent with a reflected XSS that requires a victim to follow a crafted URL. No public exploit identified at time of analysis as KEV-listed, but a publicly available proof-of-concept exists on GitHub, slightly elevating practical risk despite the EPSS score of 0.03% (10th percentile).

PHP XSS Electronic Judging System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9520 npm LOW POC Monitor

Cross-site scripting in blitz-js blitz (versions 3.0.0-3.0.2) allows remote attackers to inject malicious scripts via the 'Next' redirect parameter in the LoginForm component's Sign-in flow. The vulnerability requires passive user interaction (a victim must follow a crafted link) and is limited to low-integrity impact on the vulnerable system per CVSS 4.0 scoring. Publicly available exploit code exists (GitHub Gist), though EPSS stands at 0.03% (9th percentile) indicating low observed exploitation probability, and it is not listed in CISA KEV. The vendor did not respond to responsible disclosure, meaning no patch has been released.

XSS Blitz
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-71310 LOW PATCH Monitor

The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service" and a site must have added a YouTube service as configuration.

XSS Gdpr Cookies Module For Backdrop Cms
NVD VulDB
CVSS 4.0
1.8
EPSS
0.0%
CVE-2026-9519 LOW POC Monitor

Reflected cross-site scripting in pingvin-share's sign-in auto-redirect feature allows remote unauthenticated attackers to inject and execute arbitrary JavaScript in a victim's browser by manipulating the `redirect` query parameter. All releases from 1.0 through 1.13.0 (the full release history) are affected. A publicly available proof-of-concept exploit exists on GitHub, and the vendor has not responded to responsible disclosure — meaning no patch has been issued and no vendor advisory exists.

XSS Pingvin Share
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9518 LOW POC Monitor

Stored cross-site scripting in hemant6488's CodeIgniter-StudentManagementSystem allows remote unauthenticated attackers to inject arbitrary JavaScript via the Name argument of the addStudent function in view_students.php. When a victim user views the student listing, the injected script executes in their browser context, enabling session hijacking, credential theft, or defacement. A publicly available proof-of-concept exists via GitHub issue report; however, this vulnerability is not listed in CISA KEV, and EPSS scoring places exploitation probability at 0.03%, indicating low real-world exploitation activity despite POC availability.

PHP XSS Codeigniter Studentmanagementsystem
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-36239 MEDIUM This Month

Cross-site scripting (XSS) in PbootCMS v.3.2.11 allows a high-privileged authenticated attacker to inject malicious JavaScript into the site configuration functionality, which executes in the browser of any user who subsequently views the affected configuration page. Despite the description using the term 'code injection,' CWE-79 and the XSS tag confirm this is a stored or reflected XSS class vulnerability, not arbitrary server-side code execution. A GitHub-hosted proof-of-concept exists (TazmiDev/CVE-2026-36239), and no public patch has been identified at time of analysis; no active exploitation has been confirmed by CISA KEV.

XSS N A
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-68709 MEDIUM This Month

Arbitrary JavaScript execution in SailingLab AppLock 4.3.8 for Android is triggered by a malicious co-installed app sending a crafted VIEW intent with a javascript: URI to the exposed BrowserMainActivity component. Because AppLock operates with elevated permissions by design (it restricts access to other apps), this unsafe WebView navigation path creates a changed-scope impact: script execution occurs within AppLock's privilege context, enabling UI spoofing and potential privilege escalation beyond what a normal app could achieve. No public exploit identified at time of analysis beyond the publicly available proof-of-concept published by the reporter on GitHub.

XSS Google Privilege Escalation N A
NVD GitHub
CVSS 3.1
5.2
EPSS
0.0%
CVE-2026-45435 MEDIUM This Month

DOM-Based Cross-Site Scripting in Melapress WP Activity Log (all versions through 5.6.3) allows a low-privileged, authenticated attacker to inject malicious scripts into the browser DOM of a victim who interacts with crafted content, with scope impact extending beyond the plugin itself. The CVSS vector (PR:L/UI:R/S:C) indicates exploitation requires an existing WordPress account and victim interaction, but the changed scope means successful exploitation can compromise the victim's browser session across the broader WordPress environment. No public exploit code has been identified at time of analysis, and EPSS at 0.03% (10th percentile) signals low observed exploitation probability.

XSS Wp Activity Log
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62745 MEDIUM This Month

Stored cross-site scripting in the PickPlugins Team Showcase WordPress plugin (versions up to and including 1.22.28) enables authenticated low-privileged users to inject persistent malicious scripts that execute in the browsers of other site users who view the affected content. The CVSS Changed scope (S:C) reflects this cross-user impact boundary - typical of stored XSS in WordPress plugins where contributor-level accounts can craft content consumed by administrators or visitors. No public exploit code has been identified at time of analysis, and EPSS at 0.03% (10th percentile) combined with SSVC exploitation status of 'none' indicates negligible active threat currently.

XSS Team Showcase
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-48849 MEDIUM PATCH This Month

Stored XSS and HTML/CSS injection in Roundcube Webmail 1.6.x and 1.7.x allows an authenticated attacker to plant a malicious payload in a draft message's subject field, which then executes in the browsers of other users when they encounter the draft restore dialog on a shared mailbox. Fixed in versions 1.6.16 and 1.7.1 per vendor advisory published 2026-05-24. No public exploit identified at time of analysis, and EPSS sits at 0.03% (10th percentile), indicating minimal observed exploitation interest.

XSS Webmail
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-48848 HIGH PATCH This Week

CSS injection in Roundcube Webmail 1.6.x (before 1.6.16) and 1.7.x (before 1.7.1) allows remote attackers to bypass the HTML sanitizer by embedding an SVG document with an animate element whose attributeName references style, enabling cross-site scripting style attacks against mail recipients. The flaw carries a CVSS 7.2 (changed scope) with no privileges or user interaction required beyond viewing a crafted message, no public exploit identified at time of analysis, and an EPSS of 0.04% (14th percentile) indicating low predicted exploitation volume despite the trivially-triggerable attack vector.

XSS Webmail
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-9485 LOW POC Monitor

Cross-site scripting in SourceCodester Student Grades Management System 1.0 allows a low-privileged authenticated attacker to inject malicious JavaScript via the unvalidated 'Remarks' parameter in students.php, executing arbitrary scripts in the context of a victim's browser session upon passive viewing. A public proof-of-concept exists on GitHub; however, this CVE is not listed in the CISA KEV catalog and the EPSS score of 0.03% (9th percentile) reflects very low real-world exploitation probability. SSVC assessment corroborates this with 'Exploitation: none' and 'Automatable: no,' consistent with the required user-interaction constraint.

PHP XSS Student Grades Management System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-9471 LOW POC Monitor

Cross-site scripting in yashpokharna2555's StudentManagementSystem (PHP) allows authenticated remote attackers to inject malicious client-side scripts via the FIRST_NAME parameter in /student.php, executing in victim browsers upon record viewing. The CVSS 4.0 score of 2.0 (Low) reflects the requirement for prior authentication (PR:L) and user interaction (UI:P), significantly constraining real-world impact. Publicly available exploit code exists via a GitHub issue report; no vendor patch has been issued and the maintainer has not responded to the disclosure.

PHP XSS Studentmanagementsystem
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-9448 LOW POC Monitor

Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript into victim browsers via the unsanitized `id` parameter in `/applyleave.php`. The attack requires victim interaction (UI:P per CVSS 4.0), meaning a victim must visit or be socially engineered into clicking a crafted URL. Publicly available exploit code exists on GitHub (no public exploit identified at time of analysis for widespread KEV-confirmed exploitation), though EPSS at 0.03% (10th percentile) signals negligible observed exploitation activity at scale.

PHP XSS Employee Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-45249 npm MEDIUM PATCH This Month

Cross-site scripting in Apache ECharts before 6.1.0 allows remote unauthenticated attackers to inject and execute arbitrary HTML and JavaScript in a victim's browser via the Lines series tooltip rendering path. When an application uses the Lines series with tooltips enabled, omits a custom tooltip.formatter, and populates series.data[i].name with attacker-influenced data, ECharts passes the raw name string through an innerHTML sink rather than applying the HTML escaping that all other built-in tooltip formatters perform. No public exploit is identified at time of analysis and EPSS is 0.03% (10th percentile), but the GitHub PR fixing this issue includes a working test case demonstrating script execution via a crafted name payload.

XSS Apache Apache Echarts
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-9419 LOW POC Monitor

Reflected cross-site scripting in code-projects Employee Management System 1.0 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by manipulating the `ID` parameter of `/empproject.php`. A publicly available proof-of-concept exploit exists on GitHub, lowering the barrier to exploitation, though user interaction is required to trigger the payload. No active exploitation has been confirmed by CISA KEV, and the EPSS score of 0.03% places this in the bottom 10th percentile of exploitation likelihood, consistent with the low CVSS 4.0 score of 2.1.

PHP XSS Employee Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9418 LOW POC Monitor

Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject malicious scripts into victim browsers via the unsanitized 'ID' parameter in /changepassemp.php. Exploitation requires user interaction (UI:P per CVSS 4.0), limiting mass exploitation, but a publicly available proof-of-concept exploit exists on GitHub. No patch has been identified from the vendor; EPSS of 0.03% (10th percentile) indicates low observed exploitation probability, and this CVE is not listed in the CISA KEV catalog.

PHP XSS Employee Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6059 MEDIUM This Month

A cross-site scripting vulnerability exists in Aterm. Arbitrary scripts may be executed in the web browser of a user accessing the web management interface via adjacent network.

XSS Aterm Wx1800Hp Aterm Wx5400Hp Aterm Wx7800T8 Aterm Wx11000T12 +5
NVD
CVSS 4.0
4.8
EPSS
0.0%
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the MinhNhut Link Gateway WordPress plugin (all versions through 3.6.1) allows authenticated administrators to persist malicious JavaScript payloads via the plugin's settings fields - including Description and Title - which then execute in the browsers of any user who accesses the plugin's redirect pages. The attack is constrained to multi-site WordPress deployments or single-site installations where unfiltered_html has been explicitly disabled, and requires Administrator-level credentials, substantially narrowing real-world exposure. No public exploit code has been identified at time of analysis, and EPSS stands at a very low 0.03% (8th percentile), consistent with the narrow exploitation window.

XSS WordPress
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored Cross-Site Scripting in the myLinksDump WordPress plugin (all versions ≤1.6) allows authenticated administrators to permanently inject arbitrary JavaScript into pages via the unsanitized 'link_title' parameter, executing in any victim's browser upon page access. Exploitation is constrained to WordPress multi-site environments or single-site installs with unfiltered_html disabled, and requires administrator-level credentials plus victim interaction. EPSS is 0.03% (9th percentile) and SSVC confirms no known exploitation, placing this firmly in a low-priority tier despite the stored XSS class.

XSS WordPress
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored Cross-Site Scripting in the rexCrawler WordPress plugin (versions ≤ 1.0.15) allows authenticated administrators to inject persistent malicious scripts into settings pages, which then execute in the browsers of any user who accesses those pages. The vulnerability originates in admin_main.php at two distinct injection points (lines 108 and 239) and is constrained to multi-site WordPress environments or single-site installs where the unfiltered_html capability has been explicitly disabled. With an EPSS of 0.02% (7th percentile), no CISA KEV listing, and SSVC exploitation status of 'none', this represents a low-urgency finding despite its network-accessible attack vector. No public exploit code has been identified at time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-Based Cross-Site Scripting in the Averta Master Slider WordPress plugin (versions through 3.10.8) enables authenticated low-privilege users to inject persistent malicious scripts that execute in the browsers of other site visitors. The CVSS Scope:Changed flag (S:C) confirms the injected payload can escape the plugin's context and affect the broader browser environment, enabling session hijacking or admin action forgery against higher-privileged users. No public exploit code exists and EPSS at 0.03% (10th percentile) aligns with SSVC's 'Exploitation: none' classification - this is a real but moderate-priority finding gated behind authentication and victim interaction requirements.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in Jthemes' Themebox - Digital Products Ecommerce WordPress theme (versions through 1.4.2) lets an unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link. With CVSS 7.1 (scope-changed, low impact across confidentiality, integrity and availability), successful exploitation can hijack session context or perform actions in the WordPress admin/store context, though it requires the victim to click an attacker-supplied URL. No public exploit identified at time of analysis, and EPSS is very low at 0.03% (10th percentile), indicating minimal observed exploitation interest.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the RiceTheme Felan Framework WordPress plugin (all versions through 1.1.3) lets a remote unauthenticated attacker inject script that executes in a victim's browser when the victim follows a crafted link. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a low-complexity, network-reachable flaw requiring user interaction with a changed scope, scored 7.1. There is no public exploit identified at time of analysis, and EPSS is very low at 0.03% (10th percentile), consistent with the CISA SSVC assessment of no observed exploitation.

XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting in Synology Contacts before version 1.0.10-20659 allows authenticated remote users to read or write specific files containing non-sensitive information by injecting malicious input through the contact functionality. The CVSS scope change (S:C) confirms the injected script executes in a context beyond the originating application, affecting any victim who views the crafted contact entry. No public exploit identified at time of analysis, and CISA has not listed this in the Known Exploited Vulnerabilities catalog.

XSS Synology
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Stored XSS in Synology Safe Access before 1.3.1-0329 on SRM (Synology Router Manager) allows remote authenticated administrators to inject malicious scripts that execute in the SRM context, enabling limited reads or writes of non-sensitive files and constrained denial-of-service conditions. The CVSS Scope:Changed rating confirms cross-component impact - the vulnerability originates in the Safe Access module but affects the broader SRM platform. No public exploit code exists and no active exploitation has been identified; EPSS at 0.03% and SSVC exploitation status of 'none' collectively indicate negligible current threat in the wild.

XSS Synology
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the HBook hotel booking plugin for WordPress (all versions through 2.1.6) lets unauthenticated attackers persist arbitrary JavaScript through the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' booking parameters. The payload is stored server-side and fires in the privileged context of the HBook Customers admin page, so a no-privilege injection escalates into the administrator's browser session (reflected in the Scope:Changed rating that drives the 7.2 score). There is no public exploit identified at time of analysis and the EPSS probability is very low (0.06%, 17th percentile).

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Github Shortcode plugin for WordPress (all versions through 0.1) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts via the 'repo' attribute of the 'github' shortcode. Any user who subsequently visits the injected page triggers execution of the attacker-controlled script in their browser context. No public exploit has been identified at time of analysis and EPSS places exploitation probability at 0.03% (9th percentile), though the low barrier to exploitation for any site permitting contributor accounts warrants attention.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Livemesh Addons for Beaver Builder WordPress plugin (all versions ≤3.9.2) allows authenticated attackers with Subscriber-level access or above to inject persistent malicious scripts via the `labb_admin_ajax` AJAX endpoint. The root flaw is a missing capability check - the handler validates a WordPress nonce (confirming form origin) but never verifies whether the requesting user holds privileges to modify plugin settings, effectively granting any registered user write access to plugin configuration. Injected scripts execute in the browser of administrators who visit the settings page or against any frontend visitor, enabling session hijacking or privilege escalation against admins. No public exploit code or active exploitation has been identified at time of analysis; EPSS is very low at 0.03% (8th percentile).

XSS WordPress Authentication Bypass
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Livemesh SiteOrigin Widgets WordPress plugin (all versions through 3.9.2) allows any authenticated subscriber-level user to permanently inject malicious scripts into plugin settings via the unprotected `lsow_admin_ajax` AJAX endpoint. The injected payload executes against administrators when they access the plugin settings page, and against any site visitor on the frontend - enabling session hijacking, credential theft, or unauthorized admin actions. No public exploit has been identified at time of analysis and CISA has not added this to the KEV catalog, but the low privilege bar (subscriber) makes it an attractive target on sites with open registration.

XSS WordPress Authentication Bypass
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the WPBakery Page Builder Addons by Livemesh WordPress plugin (all versions through 3.9.4) allows authenticated attackers with as little as Subscriber-level access to permanently inject malicious JavaScript into plugin settings via the unprotected lvca_admin_ajax AJAX endpoint. The injected payload executes both when administrators access the plugin settings page and when any frontend visitor loads affected pages, achieving Changed Scope impact beyond the attacker's own session. No public exploit code has been identified at time of analysis, and CISA KEV does not list this CVE, though the low authentication bar makes it a realistic risk on WordPress sites with open user registration.

XSS WordPress Authentication Bypass
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the LiteSpeed Cache plugin for WordPress (all versions through 7.7) lets attackers persist arbitrary JavaScript into a site's frontend by abusing the unauthenticated /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST endpoints, which store QUIC.cloud-supplied CSS to disk and later render it inline without escaping. Exploitation is conditional: the endpoints are protected by IP-based access control that only becomes bypassable in certain reverse-proxy, load-balancer, or CDN deployments. No public exploit identified at time of analysis, and EPSS is low (0.07%, 20th percentile), consistent with CISA SSVC marking exploitation status as 'none' despite 'automatable: yes'.

XSS WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the Gutenverse plugin for WordPress (all versions through 3.4.6) allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by crafting a malicious search URL. The vulnerability arises from the plugin's search-result-title block outputting the raw search query string directly into page HTML without sanitization. Exploitation requires user interaction (victim must click a crafted link) and the gutenverse/search-result-title block must be present on the site's search results template. No public exploit code has been identified at time of analysis, and CISA KEV confirmation of active exploitation is absent.

XSS PHP WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WPBakery Page Builder Addons by Livemesh (all versions through 3.9.4) allows authenticated WordPress contributors to inject persistent JavaScript into site pages via malformed shortcode attributes on the `[lvca_carousel]` and `[lvca_posts_carousel]` shortcodes. The flaw arises from using `wp_json_encode()` instead of `esc_attr()` when embedding shortcode attributes into single-quoted HTML `data-settings` attributes, enabling an attacker to inject a literal single quote and escape the attribute boundary. No public exploit identified at time of analysis; EPSS of 0.03% (9th percentile) reflects low current exploitation interest, and the practical attack surface is constrained to WordPress sites where untrusted users hold Contributor-level access.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Auto Thumbnail WordPress plugin (all versions up to and including 1.0) enables authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the 'width' and 'height' attributes of the 'thumbnails' shortcode. The injected payload executes in the browser of any subsequent visitor who loads the affected page, crossing trust boundaries from the WordPress server context into victims' sessions (CVSS S:C). No public exploit code has been identified and this CVE does not appear in the CISA KEV catalog; EPSS of 0.03% (9th percentile) reflects low predicted exploitation probability, though the stored nature of the flaw amplifies impact relative to reflected XSS.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Events In City WordPress plugin (versions ≤3.0) allows contributor-level authenticated users to inject persistent JavaScript payloads via unsanitized 'org-events' shortcode attributes handled by the org_event_scode() function. The CVSS scope is Changed (S:C), meaning injected scripts execute in victims' browsers outside the plugin's own context, enabling session hijacking, credential theft, or unauthorized actions against any user who views an affected page. No public exploit identified at time of analysis; EPSS score of 0.03% (9th percentile) reflects low current exploitation likelihood, though the contributor-level access requirement is a realistic attack surface on multi-author WordPress sites.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Shortcode Buddy WordPress plugin (all versions ≤ 0.1.9.5) allows authenticated attackers with contributor-level access to permanently embed arbitrary JavaScript into pages via unsanitized shortcode attributes, executing in any visitor's browser upon page load. The Changed scope (S:C) in the CVSS vector confirms the injected payload escapes the plugin's context and affects users browsing the site, including administrators whose sessions could be hijacked. No public exploit code has been identified at time of analysis, and EPSS sits at 0.03% (9th percentile), indicating low observed exploitation probability, though the contributor-level entry bar makes this a realistic risk on sites with multiple editors.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the iWR Tooltip WordPress plugin (versions up to and including 1.0) permits authenticated attackers holding contributor-level accounts or higher to plant persistent malicious scripts via the plugin's `iwrtooltip` shortcode. The root cause is direct string concatenation of the user-supplied `title` attribute into an HTML attribute inside the `iwr_tooltip()` handler at lines 37 and 41 of iwr-tooltip.php, with no call to `esc_attr()` or equivalent escaping. Any site visitor who subsequently loads a page containing the poisoned shortcode will execute the injected script in their browser, with scope-changed impact that can target session tokens, credentials, or site administrative functions. EPSS is 0.03% (9th percentile), and no public exploit or CISA KEV listing exists at time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the BitForm WordPress plugin (versions up to and including 1.1.0) allows authenticated attackers with contributor-level access or above to inject persistent malicious scripts via unsanitized 'width' and 'height' shortcode attributes in the Shortcode::shortcode() function, which are written directly into the style attribute of an iframe element without escaping. Any user who subsequently views a page containing the injected shortcode will trigger execution of the attacker's script in their browser session, enabling session hijacking, credential theft, or malicious redirects. No public exploit code has been identified at time of analysis, and EPSS places current exploitation probability at 0.03% (9th percentile), indicating this is currently a low-activity finding despite its network-accessible attack vector.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Listen Shortcode WordPress plugin (versions ≤ 1.0) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages via unsanitized shortcode attributes. The vulnerability exists in the listenEmbedJS() function, which echoes user-supplied src, start, and end attributes directly into a single-quoted HTML attribute context without escaping, enabling script injection that executes in the browsers of any user who later visits the affected page. EPSS is low (0.03%, 9th percentile) and no public exploit or CISA KEV listing has been identified at time of analysis, suggesting limited current exploitation activity.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the hk_shortcode WordPress plugin (versions ≤1.0) enables authenticated contributors to inject persistent malicious scripts via the unsanitized 'title' attribute of the 'title-plane' shortcode. The vulnerability stems from direct HTML concatenation of unescaped user input inside the huankong_post_short_title_plane() function - once a crafted post is saved, the payload executes in the browsers of all users who visit the affected page, crossing into their sessions (CVSS S:C). No public exploit code has been identified at time of analysis, and with an EPSS of 0.03% (9th percentile), mass automated exploitation is unlikely; however, multi-author WordPress sites with open contributor registration carry meaningful exposure.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Instant-Quote.co Quotation Page WordPress plugin (all versions ≤1.3.4) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via unsanitized shortcode attributes. The changed-scope CVSS vector (S:C) reflects that injected scripts execute in victim browsers rather than the server, and the plugin's shortcode is exploitable through the WordPress post review workflow - a contributor can embed a malicious shortcode in a draft submitted for editor or administrator review, causing the payload to execute when a privileged user previews the post. No public exploit has been identified and EPSS is very low at 0.04% (12th percentile), indicating limited opportunistic exploitation risk, though the cross-privilege escalation path warrants attention on multi-author WordPress sites.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Responsive Video Embedder WordPress plugin (versions ≤ 0.1) allows authenticated attackers with contributor-level access or above to persistently inject arbitrary JavaScript into WordPress pages via unsanitized shortcode attributes. The root cause is direct, unescaped concatenation of user-supplied 'id' and 'list' attributes into an HTML iframe src attribute inside the video_shortcode() function. Because the CVSS scope is Changed (S:C), injected scripts execute in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or malicious redirects against site visitors. No active exploitation has been confirmed and EPSS is very low (0.03%, 9th percentile), but the contributor-level entry bar makes this relevant on multi-author WordPress sites.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Easy Prism Syntax Highlighter WordPress plugin (versions ≤1.0.2) enables authenticated attackers with Contributor-level access to inject persistent JavaScript into WordPress pages via the 'code' or 'c' shortcode. The flaw resides in the shortcode() function, which concatenates the first positional shortcode attribute directly into the class attribute of generated <pre> and <code> HTML elements without invoking esc_attr() or any equivalent escaping - enabling HTML attribute breakout and arbitrary script injection. No public exploit has been identified and EPSS is very low (0.03%, 9th percentile), but the Contributor-level authentication threshold makes this accessible on any multi-author WordPress site without additional barrier.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Content Slideshow WordPress plugin (all versions through 2.4.1) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via shortcode attributes. The vulnerability resides in slideshow-widget-shortcode.php at multiple points (lines 14 and 143) where shortcode attribute values are passed without adequate sanitization or output escaping. The CVSS scope is Changed (S:C), meaning injected scripts execute in the victim's browser context and can affect resources beyond the plugin itself, such as stealing session tokens or performing actions as the visiting user. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS sits at a very low 0.03%.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Animate Your Content WordPress plugin (versions ≤ 1.0.0) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages via the 'animation-set' shortcode. The injected payload executes in the browsers of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit code has been identified at time of analysis, and EPSS (0.03%, 9th percentile) together with SSVC exploitation status of 'none' indicate this is currently a low-priority, low-activity vulnerability.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Formidable Kinetic WordPress plugin (versions ≤1.1.01) allows authenticated attackers with contributor-level access to permanently inject malicious scripts into pages via the 'kinetic_link' shortcode. The FrmKinetic::link() function concatenates user-supplied shortcode attributes ('window', 'class', 'label') directly into anchor tag HTML attributes without sanitization or output escaping, meaning any visitor who loads an injected page triggers execution of the attacker's payload in their browser. No active exploitation is confirmed in CISA KEV, and the EPSS score of 0.03% (9th percentile) reflects low automated exploitation probability, but the Changed scope (S:C) in the CVSS vector indicates the impact crosses the plugin's security boundary into the broader WordPress page context.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Team Master WordPress plugin (all versions ≤ 1.1.2) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via shortcode attributes into WordPress pages, executing against any visitor who subsequently loads the affected page. The scope change (S:C in CVSS) reflects cross-session impact - a low-privileged contributor can compromise higher-privileged users including administrators. No public exploit identified at time of analysis, and EPSS of 0.03% (9th percentile) indicates low current exploitation probability.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Mutual Funds Data WordPress plugin (versions ≤ 1.2.1) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts into any page using the affected shortcode. The unsanitized 'title' attribute in the mfd_shortcode() function is written directly into a HTML caption element without escaping, meaning injected payloads execute in the browsers of any user who subsequently views the affected page. No public exploit code or active exploitation has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects a low current probability of widespread exploitation.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Single Mailchimp WordPress plugin (all versions through 1.4) allows authenticated attackers with contributor-level access to inject persistent JavaScript into WordPress pages via unsanitized shortcode attributes. The six affected attributes - autocomplete, label, placeholder, btn_text, success_msg, and error_msg - are concatenated directly into HTML output by the single_mailchimp() function in shortcodes.php without sanitization or output escaping. No public exploit code exists and EPSS places exploitation probability at 0.03% (9th percentile), indicating low real-world exploitation pressure at this time.

XSS WordPress PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Post Category Gallery WordPress plugin (versions ≤1.0.0) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via unsanitized shortcode attributes. The injected payload executes in the browsers of any user who visits the affected page, enabling session hijacking, credential theft, or privilege escalation against higher-privileged users such as administrators. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) indicates very low automated exploitation probability.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the jQuery googleslides WordPress plugin (all versions through 1.3) allows authenticated attackers holding contributor-level access or higher to inject persistent malicious scripts via the 'googleslides' shortcode. The vulnerability is confirmed by Wordfence (ENISA EUVD-2026-32069) and traces to the `googleslides_handler()` function directly interpolating ten shortcode attribute values into HTML without the WordPress-standard `esc_attr()` sanitization. The CVSS Changed Scope (S:C) reflects that injected scripts execute in victims' browsers outside the plugin's own domain; EPSS at 0.03% (9th percentile) and absence from CISA KEV indicate no public exploit or confirmed active exploitation at time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Dideo plugin for WordPress version 1.0 allows authenticated contributors to inject persistent malicious scripts into any page using the 'dideo' shortcode. The 'id' shortcode attribute is interpolated directly into an HTML iframe 'src' attribute without sanitization or output escaping in the dideo() handler, meaning injected payloads execute automatically in the browser of any user who visits the affected page. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects low current exploitation interest, but the stored nature and scope-changed CVSS vector (S:C) elevate concern for multi-author WordPress deployments.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Tuxquote WordPress plugin (versions up to and including 1.3) enables authenticated attackers holding Contributor-level access or above to inject persistent malicious scripts into WordPress pages via unsanitized shortcode attributes. The `tuxquote_build_format()` function concatenates user-supplied `title`, `align`, and `width` attributes from the TUXQUOTE shortcode directly into rendered HTML without passing them through WordPress's built-in `esc_attr()` or `esc_html()` escaping functions, allowing the payload to persist and execute in any visitor's browser. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects minimal real-world exploitation activity to date.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Islamic Database WordPress plugin (versions ≤ 1.0) allows authenticated contributors to persistently inject arbitrary JavaScript into WordPress pages via the 'islamicDB-roqya' shortcode's 'width' and 'height' attributes. The flaw originates in the islamicDB_sc_quran_qari_roqya() function, which concatenates these shortcode attribute values directly into HTML iframe attribute values without sanitization or output escaping. No public exploit has been identified and EPSS sits at 0.03% (9th percentile), reflecting low current exploitation probability, though the contributor-level access requirement is a realistic barrier given how many WordPress sites grant that role to content editors.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Responsive Check WordPress plugin (versions ≤ 0.0.3) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via the 'url' and 'button' attributes of the [rspcheck] shortcode. The payload executes in the browser of any user who visits an affected page, with a CVSS scope-change designation (S:C) reflecting cross-user impact. No public exploit has been identified and the EPSS score of 0.03% (9th percentile) places real-world exploitation probability firmly at the low end, though sites with open contributor registration remain meaningfully exposed.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Google+ Link Name WordPress plugin (versions up to and including 1.0) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'gplusnamelink' shortcode's 'id' and 'name' attributes. The root cause is the absence of WordPress output-escaping functions (esc_attr() or esc_html()) in the gplusnamelink_generate() function, permitting raw attribute values to be concatenated directly into rendered HTML. Scope is Changed (S:C) per CVSS, meaning the injected script executes in victims' browser sessions outside the plugin's own security context. No public exploit or CISA KEV listing has been identified at time of analysis; EPSS score of 0.03% (9th percentile) reflects low observed exploitation probability.

XSS WordPress Google
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the WP Iframe Geo Style for Amazon affiliates WordPress plugin (all versions ≤1.1) allows authenticated attackers holding contributor-level roles to persist malicious JavaScript in page content via the unsanitized 'adid' shortcode attribute. The injected script executes automatically in any visitor's browser upon page load, with changed scope (S:C) confirming the payload crosses the attacker's own security boundary to impact other users. No public exploit identified at time of analysis, and an EPSS score of 0.03% (9th percentile) reflects low current exploitation probability, though the contributor-level access requirement is achievable on many open-registration WordPress sites.

XSS WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the NS Product icon badge WordPress plugin (all versions through 1.2.4) enables unauthenticated remote attackers to inject arbitrary JavaScript via the PHP_SELF superglobal, which is reflected into page output without sanitization or escaping across at least four code locations in ns_addNewOptionsPage.php. Exploitation requires convincing a victim (typically an authenticated WordPress admin) to click a crafted link, limiting mass exploitation but enabling targeted session hijacking or credential theft against site administrators. No active exploitation is confirmed (not in CISA KEV), and EPSS at 0.09% (26th percentile) indicates low current exploitation probability.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Endless Scroll WordPress plugin (all versions ≤1.0.0) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via shortcode attributes, which execute in any visitor's browser upon page load. The CVSS scope change (S:C) confirms the payload crosses security boundaries - executing outside the WordPress application context - enabling session theft, credential harvesting, or malicious redirects against site visitors. No public exploit has been identified at time of analysis, and EPSS at 0.03% (9th percentile) reflects very low current exploitation probability, though the low privilege bar (contributor role) elevates risk on sites with open or loosely managed user registration.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the GBI To Print WordPress plugin version 1.0 allows authenticated attackers with contributor-level access to inject persistent malicious scripts into WordPress pages via the unsanitized 'div' attribute of the 'gbitoprint' shortcode. The root cause is a direct concatenation of raw shortcode attribute input into HTML output inside gbi_toprint_shortcode() at gbitoprint.php line 86, with no call to esc_attr() or equivalent WordPress sanitization. Any site visitor loading a page containing the injected shortcode will execute the attacker-controlled script in their browser, enabling session theft, credential harvesting, or malicious redirects. No public exploit code has been identified at time of analysis, and EPSS signals low near-term mass exploitation probability.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the GNTT Post Title Ticker WordPress plugin version 1.0 allows authenticated contributors to inject persistent malicious JavaScript via unsanitized shortcode attributes across three display functions. The vulnerability arises from direct HTML concatenation of user-controlled values - including border, width, height, header_background, header_text_color, and id - without any escaping in gntt_title_ticker_slide(), gntt_title_ticker_fade(), and gntt_title_ticker_typing(). No public exploit has been identified at time of analysis, and the EPSS exploitation probability stands at a low 0.03%, suggesting limited real-world interest despite an accessible contributor-level attack surface on multi-author WordPress sites.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Cryptocurrency Prijsvergelijking Widget WordPress plugin (version 1.0) allows authenticated attackers holding contributor-level access to inject persistent JavaScript into any page where the plugin shortcode is placed, executing silently in the browsers of all subsequent visitors including administrators. The root cause is the as_get_coin_shortcode() function writing user-controlled 'width' and 'height' shortcode attributes directly into an iframe's HTML style attribute without calling esc_attr(), enabling style-context breakout via crafted attribute-termination payloads. No public exploit has been independently listed at time of analysis and EPSS stands at 0.03% (9th percentile), indicating low observed exploitation probability, though the CVSS Changed Scope designation means a single injected payload can compromise sessions of any user - including site administrators - who loads the affected page.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the My Email Shortcode WordPress plugin (versions up to and including 0.91) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts via the 'subject' attribute of the 'my-email' shortcode. The Changed scope in the CVSS vector (S:C) confirms that successful exploitation crosses security boundaries, affecting visiting users' browser sessions regardless of their own privilege level. No active exploitation has been identified (not in CISA KEV), and the EPSS score of 0.03% at the 9th percentile indicates low observed exploitation probability at time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the faq shortcode WordPress plugin (all versions up to and including 1.0) permits authenticated contributors to persist arbitrary JavaScript into site pages via the unsanitized 'color' attribute of the [faq] shortcode, with the payload executing in any visitor's browser upon page load. The vulnerability stems from missing input sanitization and output escaping in faq.php at line 65, and the changed scope (S:C in CVSS) confirms cross-user impact beyond the attacker's own session. No public exploit has been identified and EPSS sits at 0.03% (9th percentile), reflecting low current exploitation activity.

XSS WordPress
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Reflected cross-site scripting in the EventPress WordPress theme (all versions before 22.2) lets unauthenticated attackers inject arbitrary JavaScript by abusing the unsanitized 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler, which echoes the value back into the response without escaping. An attacker who lures a logged-in user (typically an administrator working in the Customizer/admin context) to a crafted link executes script in that user's session, enabling actions such as session/cookie theft or admin-context operations. EPSS exploitation probability is very low (0.05%, 17th percentile), there is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS WordPress
NVD WPScan
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored Cross-Site Scripting in ShopLentor (WordPress plugin, versions ≤ 3.3.8) allows authenticated contributors to permanently embed malicious JavaScript into WordPress pages via the 'blockUniqId' attribute of Product Grid blocks. Any user who subsequently visits an injected page triggers script execution in their browser, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. EPSS is negligible at 0.03% (9th percentile), no CISA KEV listing exists, and no public exploit has been identified at time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Splide Carousel Block WordPress plugin (all versions ≤ 1.7.1) allows authenticated attackers with contributor-level access to inject persistent JavaScript via the 'url' block attribute, executing against any visitor of the affected page. The attack requires the malicious post to be published by an editor or administrator before the payload fires, adding a social-engineering or workflow-abuse dependency. With an EPSS of 0.03% (9th percentile) and no current CISA KEV listing, real-world exploitation risk is low but non-negligible on sites permitting untrusted contributors to submit content.

XSS WordPress
NVD
EPSS 0% CVSS 5.7
MEDIUM This Month

Stored cross-site scripting in ZTE ZXUniPOS NDS-LTE enables an authenticated high-privilege attacker to persist malicious JavaScript within the system, which executes automatically in the browsers of other users who access the affected pages. Affected versions include V24.30.40CP02 and V24.40.40 and their respective earlier releases, confirmed via ENISA EUVD-2026-32041 and ZTE's own security bulletin. No public exploit identified at time of analysis, and an EPSS score of 0.03% (9th percentile) reflects a very low automated exploitation probability.

XSS Zte Zxunipos Nds Lte
NVD
EPSS 0% CVSS 1.9
LOW Monitor

Cross-site scripting in QianFox FoxCMS versions 1.2.0 through 1.2.6 allows a high-privileged attacker to inject malicious JavaScript via the /Tag/edit endpoint in the Administrator Backend, executing in the context of another user's browser session upon interaction. A proof-of-concept exploit has been publicly disclosed via a GitHub issue report, though the vendor has not yet acknowledged or responded to the disclosure. The CVSS 4.0 score of 1.9 and EPSS of 0.03% (9th percentile) reflect the severe prerequisite constraints - administrator-level authentication and passive user interaction - which sharply limit real-world exploitability.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Style Kits for Elementor (analogwp-templates) WordPress plugin versions up to and including 2.5.0 allows authenticated attackers with contributor-level access to inject persistent JavaScript payloads via the kit title parameter at the /wp-json/agwp/v1/tokens/save REST API endpoint. The injected script executes in the browser of any user who subsequently visits an affected page, with a Changed scope (S:C) indicating cross-user impact that can reach administrators. No public exploit identified at time of analysis; EPSS of 0.03% (9th percentile) signals low observed exploitation probability, though the contributor-level barrier is low on multi-author WordPress sites.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

XSS sanitizer bypass in LiquidJS's strip_html filter (all versions through 10.25.7) allows stored or reflected cross-site scripting via newline-embedded HTML tags. The filter's catch-all regex branch uses JavaScript's dot operator without the dotAll flag, causing tags containing literal newline or carriage-return characters (e.g., <img\nsrc=x\nonerror=alert(1)>) to pass through unmodified - while browsers parse such tags as fully valid HTML elements and execute embedded event handlers. Publicly available exploit code exists; no vendor-released patch has been identified at time of analysis.

Node.js CSRF XSS
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

CarrierWave's `content_type_denylist` silently fails to block MIME types containing regex metacharacters - most critically `image/svg+xml` - because string entries are interpolated directly into a regex without `Regexp.quote` or anchoring, causing the `+` character to be treated as a quantifier rather than a literal. Any Ruby application relying on this denylist to prevent SVG uploads for stored XSS protection is completely unprotected despite believing the control is active. A publicly available proof-of-concept exploit demonstrates successful SVG bypass; no public exploit identified at time of analysis for active KEV-level exploitation.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Stored cross-site scripting in Kirby CMS (versions before 4.9.1 and 5.4.1) allows an authenticated Panel user with update permission to a list field or list block to inject unsanitized HTML directly via Kirby's API, which is later rendered and executed in the browsers of frontend visitors and logged-in users. Because the list field intentionally stores formatted HTML and was not sanitized on save, an attacker can plant auto-firing JavaScript that runs when affected pages load. No public exploit identified at time of analysis, and the EPSS score is very low (0.04%), consistent with a privilege-gated, non-KEV issue rather than mass exploitation.

XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting in Prometheus versions 2.49.0 through 3.5.2/3.11.2 allows a low-privileged attacker who can inject crafted histogram metrics to execute arbitrary JavaScript in the browser of any user who views the affected metric in the legacy heatmap chart UI. Exploitation requires the non-default `--enable-feature=old-ui` flag to be set and the victim to navigate to the specific heatmap view. No public exploit code has been identified at time of analysis, but the vulnerability is technically straightforward - a missing `escapeHTML()` call on `le` label values rendered as axis tick labels in Graph.tsx. This is the third stored DOM XSS in Prometheus's web UI in recent years, following CVE-2019-10215 and CVE-2026-40179.

XSS Prometheus
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in Faction (a penetration testing report generation and collaboration framework) versions prior to 1.8.3 allows authenticated low-privilege users to persist attacker-controlled JavaScript via attachment filenames that are later rendered without output encoding when other users preview assessment files. Because payloads execute in privileged victims' browsers under the application origin, an attacker can hijack manager or admin sessions; SSVC rates technical impact as total though EPSS sits at 0.03% (10th percentile) and no public exploit identified at time of analysis.

XSS Faction
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in Faction penetration testing platform versions prior to 1.8.3 allows authenticated users to inject JavaScript via crafted attachment filenames in remediation verification flows, which then executes in the browser of any user viewing the affected verification or remediation views. With CVSS scope-changed impact (S:C) and high confidentiality and integrity impact, exploitation can hijack privileged manager or assessor sessions; no public exploit identified at time of analysis and EPSS sits at 0.03% (10th percentile).

XSS Faction
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Cross-site scripting in Teable's authentication redirect flow (versions 1.0-1.9.x) allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by crafting a login URL with a malicious `redirect` parameter using javascript: or data: URI schemes. The vulnerable component is LoginPage.tsx in the Next.js frontend and the social auth controller adapter in the NestJS backend, neither of which validated the redirect destination before navigating. Publicly available exploit code exists (GitHub gist), but the vulnerability is not listed in CISA KEV and EPSS probability is very low at 0.04% (11th percentile), indicating no confirmed widespread exploitation.

XSS Teable
NVD VulDB GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Stored cross-site scripting in Twenty CRM versions 1.18.0 and earlier allows authenticated users to upload HTML/JavaScript files that the application then serves without security headers, enabling execution in the CRM's origin. Successful exploitation leads to session hijacking, account takeover, and theft of CRM data. No public exploit identified at time of analysis, and EPSS exploitation probability is 0.03% (10th percentile), though SSVC rates technical impact as total.

XSS Twenty
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Cross-site scripting in the Joomla! Framework Filter package exposes applications to script injection through inadequately sanitized HTML attribute values in the checkAttribute methods. Authenticated users holding high-level privileges can inject malicious content that executes in the browser of any user who subsequently views the affected page. No public exploit has been identified at time of analysis, and an EPSS score of 0.01% at the 0th percentile confirms minimal current exploitation interest across the security community.

XSS Joomla Framework Filter Package
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Inadequate HTML attribute sanitization in the cleanattributes() function of the Joomla! Framework Filter package exposes a cross-site scripting (XSS) vector across versions 1.0.0-3.0.5 and 4.0.0-4.0.1. An attacker holding high-privileged (administrative) access can inject malicious script content through unfiltered HTML attributes; when a victim user passively views that content, the payload executes in their browser, yielding high confidentiality impact (VC:H) consistent with session token or credential theft. No public exploit code exists and this vulnerability is not listed in CISA KEV, placing real-world risk well below what the CVSS 6.9 base score might initially suggest.

XSS Joomla Framework Filter Package
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated high-privilege attacker to inject malicious scripts that execute in another user's browser session, yielding high confidentiality impact on the vulnerable system. Affected installations span Joomla! CMS 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0. SSVC assessment lists exploitation as none, EPSS is 0.04% (13th percentile), and no public exploit code or CISA KEV listing exists, indicating this is a low-urgency but genuine privilege-escalation-adjacent risk in multi-administrator Joomla environments.

XSS Joomla Cms
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsanitized content that executes in the browser context of a victim user who passively views the affected feed output. Affecting the broad version spans of 3.0.0 through 5.4.5 and 6.0.0 through 6.1.0, the root cause is a failure to apply output escaping before rendering feed module data. No public exploit has been identified at time of analysis, and SSVC confirms no current active exploitation.

XSS Joomla Cms
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Reflected or stored cross-site scripting in Joomla! CMS com_content component allows a high-privileged attacker to inject unescaped output into readmore links, executing arbitrary JavaScript in a victim's browser upon interaction. Affected releases span Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0. No public exploit code has been identified and CISA KEV does not list this vulnerability, but a vendor security advisory has been published at the Joomla Security Centre.

XSS Joomla Cms
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Cross-site scripting in Joomla! CMS content history component (com_contenthistory) allows a high-privileged attacker to inject persistent malicious scripts due to missing output escaping, leading to confidentiality compromise of the vulnerable system when a victim views affected history entries. Confirmed affected versions span Joomla! CMS 3.0.0-5.4.5 and 6.0.0-6.1.0 across an exceptionally wide installed base. No public exploit code exists and the vulnerability is not in the CISA KEV catalog; EPSS of 0.04% (13th percentile) confirms no observed widespread exploitation at time of analysis.

XSS Joomla Cms
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

Stored cross-site scripting in SourceCodester Hospitals Patient Records Management System 1.0 allows a remote, high-privileged attacker to inject malicious script via the Remarks argument on the /admin/?page=patients/view_patient endpoint, resulting in low-integrity impact when a victim administrator views the affected patient record. A public proof-of-concept exploit exists (GitHub issue), though the CVSS 4.0 base score of 1.9 and EPSS of 0.03% (8th percentile) indicate low real-world exploitation likelihood. This is not listed in the CISA KEV catalog and SSVC classifies it as non-automatable with partial technical impact.

XSS Hospitals Patient Records Management System
NVD VulDB GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Stored cross-site scripting in IBM Cognos Analytics and Cognos Transformer's Administration interface allows an authenticated low-privileged user to inject persistent JavaScript payloads into the Web UI, which then execute in the browser sessions of other users - including higher-privileged administrators - potentially leading to credential theft or session hijacking. Affected are Cognos Analytics versions 11.2.0, 12.0, and 12.1.0, and Cognos Transformer versions 11.2.4, 12.0, and 12.1.0. No public exploit identified at time of analysis, and the EPSS score of 0.03% (8th percentile) combined with SSVC exploitation status of 'none' indicates very low observed exploitation pressure.

XSS IBM Cognos Analytics +1
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting in IBM Financial Transaction Manager for SWIFT Services for Multiplatforms versions 3.2.4.0 through 3.2.4.15 permits injection of arbitrary JavaScript into the Web UI, creating a pathway to credential disclosure within an authenticated operator's session. The Changed Scope (S:C) in the CVSS vector confirms the injected script executes in the victim's browser beyond the originating application boundary, elevating real-world impact in a SWIFT financial messaging context. No public exploit has been identified and EPSS stands at 0.05% (16th percentile), reflecting low immediate exploitation probability, though a discrepancy between the CVE description characterizing the attacker as unauthenticated and the CVSS PR:L vector warrants vendor clarification before finalizing risk posture.

XSS IBM Financial Transaction Manager For Swift Services For Multiplatforms
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored XSS in the Geo Mashup WordPress plugin (versions through 1.13.18) allows authenticated low-privileged users to persistently inject malicious JavaScript into pages served by the affected site. When a higher-privileged user - such as an administrator - views the content containing the stored payload, the script executes in their browser under a changed scope, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit has been identified at time of analysis, and an EPSS of 0.03% (10th percentile) combined with SSVC exploitation status of 'none' confirms very low current real-world exploitation activity.

XSS Geo Mashup
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Basic XSS via arbitrary shortcode execution in the Nyla WordPress theme (versions through 1.7) allows unauthenticated remote attackers to inject script-bearing HTML tags into rendered web pages, resulting in limited confidentiality impact against site visitors. The vulnerability is classified under CWE-80 and was disclosed by Patchstack, who titled the finding 'Arbitrary Shortcode Execution' - indicating that the XSS payload is delivered through unsanitized shortcode rendering rather than a conventional input field. No public exploit code exists and no active exploitation has been confirmed at time of analysis.

XSS Nyla
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting in itsourcecode Electronic Judging System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the `fname` parameter of `/admin/judges.php`, executing arbitrary JavaScript in the context of a victim's browser session. The CVSS 4.0 score of 2.1 reflects the low integrity impact and mandatory user interaction, consistent with a reflected XSS that requires a victim to follow a crafted URL. No public exploit identified at time of analysis as KEV-listed, but a publicly available proof-of-concept exists on GitHub, slightly elevating practical risk despite the EPSS score of 0.03% (10th percentile).

PHP XSS Electronic Judging System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting in blitz-js blitz (versions 3.0.0-3.0.2) allows remote attackers to inject malicious scripts via the 'Next' redirect parameter in the LoginForm component's Sign-in flow. The vulnerability requires passive user interaction (a victim must follow a crafted link) and is limited to low-integrity impact on the vulnerable system per CVSS 4.0 scoring. Publicly available exploit code exists (GitHub Gist), though EPSS stands at 0.03% (9th percentile) indicating low observed exploitation probability, and it is not listed in CISA KEV. The vendor did not respond to responsible disclosure, meaning no patch has been released.

XSS Blitz
NVD VulDB GitHub
EPSS 0% CVSS 1.8
LOW PATCH Monitor

The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service" and a site must have added a YouTube service as configuration.

XSS Gdpr Cookies Module For Backdrop Cms
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting in pingvin-share's sign-in auto-redirect feature allows remote unauthenticated attackers to inject and execute arbitrary JavaScript in a victim's browser by manipulating the `redirect` query parameter. All releases from 1.0 through 1.13.0 (the full release history) are affected. A publicly available proof-of-concept exploit exists on GitHub, and the vendor has not responded to responsible disclosure — meaning no patch has been issued and no vendor advisory exists.

XSS Pingvin Share
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Stored cross-site scripting in hemant6488's CodeIgniter-StudentManagementSystem allows remote unauthenticated attackers to inject arbitrary JavaScript via the Name argument of the addStudent function in view_students.php. When a victim user views the student listing, the injected script executes in their browser context, enabling session hijacking, credential theft, or defacement. A publicly available proof-of-concept exists via GitHub issue report; however, this vulnerability is not listed in CISA KEV, and EPSS scoring places exploitation probability at 0.03%, indicating low real-world exploitation activity despite POC availability.

PHP XSS Codeigniter Studentmanagementsystem
NVD VulDB GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site scripting (XSS) in PbootCMS v.3.2.11 allows a high-privileged authenticated attacker to inject malicious JavaScript into the site configuration functionality, which executes in the browser of any user who subsequently views the affected configuration page. Despite the description using the term 'code injection,' CWE-79 and the XSS tag confirm this is a stored or reflected XSS class vulnerability, not arbitrary server-side code execution. A GitHub-hosted proof-of-concept exists (TazmiDev/CVE-2026-36239), and no public patch has been identified at time of analysis; no active exploitation has been confirmed by CISA KEV.

XSS N A
NVD GitHub
EPSS 0% CVSS 5.2
MEDIUM This Month

Arbitrary JavaScript execution in SailingLab AppLock 4.3.8 for Android is triggered by a malicious co-installed app sending a crafted VIEW intent with a javascript: URI to the exposed BrowserMainActivity component. Because AppLock operates with elevated permissions by design (it restricts access to other apps), this unsafe WebView navigation path creates a changed-scope impact: script execution occurs within AppLock's privilege context, enabling UI spoofing and potential privilege escalation beyond what a normal app could achieve. No public exploit identified at time of analysis beyond the publicly available proof-of-concept published by the reporter on GitHub.

XSS Google Privilege Escalation +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-Based Cross-Site Scripting in Melapress WP Activity Log (all versions through 5.6.3) allows a low-privileged, authenticated attacker to inject malicious scripts into the browser DOM of a victim who interacts with crafted content, with scope impact extending beyond the plugin itself. The CVSS vector (PR:L/UI:R/S:C) indicates exploitation requires an existing WordPress account and victim interaction, but the changed scope means successful exploitation can compromise the victim's browser session across the broader WordPress environment. No public exploit code has been identified at time of analysis, and EPSS at 0.03% (10th percentile) signals low observed exploitation probability.

XSS Wp Activity Log
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting in the PickPlugins Team Showcase WordPress plugin (versions up to and including 1.22.28) enables authenticated low-privileged users to inject persistent malicious scripts that execute in the browsers of other site users who view the affected content. The CVSS Changed scope (S:C) reflects this cross-user impact boundary - typical of stored XSS in WordPress plugins where contributor-level accounts can craft content consumed by administrators or visitors. No public exploit code has been identified at time of analysis, and EPSS at 0.03% (10th percentile) combined with SSVC exploitation status of 'none' indicates negligible active threat currently.

XSS Team Showcase
NVD
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Stored XSS and HTML/CSS injection in Roundcube Webmail 1.6.x and 1.7.x allows an authenticated attacker to plant a malicious payload in a draft message's subject field, which then executes in the browsers of other users when they encounter the draft restore dialog on a shared mailbox. Fixed in versions 1.6.16 and 1.7.1 per vendor advisory published 2026-05-24. No public exploit identified at time of analysis, and EPSS sits at 0.03% (10th percentile), indicating minimal observed exploitation interest.

XSS Webmail
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

CSS injection in Roundcube Webmail 1.6.x (before 1.6.16) and 1.7.x (before 1.7.1) allows remote attackers to bypass the HTML sanitizer by embedding an SVG document with an animate element whose attributeName references style, enabling cross-site scripting style attacks against mail recipients. The flaw carries a CVSS 7.2 (changed scope) with no privileges or user interaction required beyond viewing a crafted message, no public exploit identified at time of analysis, and an EPSS of 0.04% (14th percentile) indicating low predicted exploitation volume despite the trivially-triggerable attack vector.

XSS Webmail
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Cross-site scripting in SourceCodester Student Grades Management System 1.0 allows a low-privileged authenticated attacker to inject malicious JavaScript via the unvalidated 'Remarks' parameter in students.php, executing arbitrary scripts in the context of a victim's browser session upon passive viewing. A public proof-of-concept exists on GitHub; however, this CVE is not listed in the CISA KEV catalog and the EPSS score of 0.03% (9th percentile) reflects very low real-world exploitation probability. SSVC assessment corroborates this with 'Exploitation: none' and 'Automatable: no,' consistent with the required user-interaction constraint.

PHP XSS Student Grades Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Cross-site scripting in yashpokharna2555's StudentManagementSystem (PHP) allows authenticated remote attackers to inject malicious client-side scripts via the FIRST_NAME parameter in /student.php, executing in victim browsers upon record viewing. The CVSS 4.0 score of 2.0 (Low) reflects the requirement for prior authentication (PR:L) and user interaction (UI:P), significantly constraining real-world impact. Publicly available exploit code exists via a GitHub issue report; no vendor patch has been issued and the maintainer has not responded to the disclosure.

PHP XSS Studentmanagementsystem
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript into victim browsers via the unsanitized `id` parameter in `/applyleave.php`. The attack requires victim interaction (UI:P per CVSS 4.0), meaning a victim must visit or be socially engineered into clicking a crafted URL. Publicly available exploit code exists on GitHub (no public exploit identified at time of analysis for widespread KEV-confirmed exploitation), though EPSS at 0.03% (10th percentile) signals negligible observed exploitation activity at scale.

PHP XSS Employee Management System
NVD VulDB GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Apache ECharts before 6.1.0 allows remote unauthenticated attackers to inject and execute arbitrary HTML and JavaScript in a victim's browser via the Lines series tooltip rendering path. When an application uses the Lines series with tooltips enabled, omits a custom tooltip.formatter, and populates series.data[i].name with attacker-influenced data, ECharts passes the raw name string through an innerHTML sink rather than applying the HTML escaping that all other built-in tooltip formatters perform. No public exploit is identified at time of analysis and EPSS is 0.03% (10th percentile), but the GitHub PR fixing this issue includes a working test case demonstrating script execution via a crafted name payload.

XSS Apache Apache Echarts
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting in code-projects Employee Management System 1.0 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by manipulating the `ID` parameter of `/empproject.php`. A publicly available proof-of-concept exploit exists on GitHub, lowering the barrier to exploitation, though user interaction is required to trigger the payload. No active exploitation has been confirmed by CISA KEV, and the EPSS score of 0.03% places this in the bottom 10th percentile of exploitation likelihood, consistent with the low CVSS 4.0 score of 2.1.

PHP XSS Employee Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject malicious scripts into victim browsers via the unsanitized 'ID' parameter in /changepassemp.php. Exploitation requires user interaction (UI:P per CVSS 4.0), limiting mass exploitation, but a publicly available proof-of-concept exploit exists on GitHub. No patch has been identified from the vendor; EPSS of 0.03% (10th percentile) indicates low observed exploitation probability, and this CVE is not listed in the CISA KEV catalog.

PHP XSS Employee Management System
NVD VulDB GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

A cross-site scripting vulnerability exists in Aterm. Arbitrary scripts may be executed in the web browser of a user accessing the web management interface via adjacent network.

XSS Aterm Wx1800Hp Aterm Wx5400Hp +7
NVD
Prev Page 15 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy