Skip to main content

XSS

38829 CVEs technique

Monthly

CVE-2026-6397 MEDIUM This Month

Stored Cross-Site Scripting in the CVMH Sticky plugin for WordPress (versions ≤2.5.6) enables authenticated contributors to inject persistent JavaScript via the `readmoretext` attribute of the `[cvmh-sticky]` shortcode. The payload executes in the browsers of any visitor loading a page containing the injected shortcode, enabling session hijacking, credential theft, or privilege escalation by targeting administrators. No public exploit is identified at time of analysis and this vulnerability is not listed in CISA KEV, but Wordfence has confirmed the flaw with direct code-level references.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8624 MEDIUM This Month

Reflected XSS in the LJ Comments Import: Reloaded WordPress plugin (all versions ≤ 0.97.1) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in victim browsers by exploiting two distinct unsanitized echo points for the PHP_SELF variable in lj_comments_import.php (lines L129 and L161). The attack requires tricking an authenticated WordPress user into clicking a crafted link, making session hijacking and unauthorized administrative actions the primary post-exploitation risk. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity (AC:L, PR:N) and Changed scope make this a realistic threat to sites where the plugin is active.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-30691 npm MEDIUM This Month

Stored/reflected Cross-Site Scripting in @cyntler/react-doc-viewer v1.17.1 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted .txt file for rendering. The TXTRenderer component unsafely casts raw file content directly as a ReactNode without sanitization, bypassing React's default escaping and enabling HTML/script injection. A publicly available proof-of-concept exists; no confirmed active exploitation in CISA KEV at time of analysis.

XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-44924 MEDIUM This Month

Cross-site scripting in Veritas InfoScale VIOM 9.1.3 allows a low-privileged authenticated attacker to inject malicious scripts into the web application, which execute in the browser context of other users - including potentially administrators. The CVSS 3.1 score of 5.4 with Changed scope (S:C) indicates the injected payload can cross security boundaries and impact principals beyond the originating session. No public exploit code has been identified at time of analysis, and CISA SSVC assessment confirms no active exploitation.

XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-8493 PHP MEDIUM PATCH This Month

Cross-site scripting in the Drupal Colorbox Inline contributed module (versions 0.0.0 through before 2.1.1) allows an authenticated low-privileged attacker to inject malicious script into web page output, which executes in a victim's browser when they interact with the affected content. The changed-scope CVSS vector (S:C) confirms the classic XSS pattern where attacker-controlled content runs in a different security context than the origin. No public exploit code exists and no active exploitation has been identified; EPSS at 0.03% (8th percentile) confirms this is not a currently targeted vulnerability.

XSS Colorbox Inline
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-6871 PHP MEDIUM PATCH This Month

Cross-site scripting in the Drupal Obfuscate contributed module (versions 0.0.0 through before 2.0.2) allows remote unauthenticated attackers to inject malicious scripts into pages rendered for other users, with impact scoped across security boundaries (S:C). The vulnerability stems from improper neutralization of input during web page generation, enabling session hijacking or UI redress attacks against users who view attacker-controlled content processed by the module. No public exploit has been identified at time of analysis, and EPSS at 0.03% (8th percentile) reflects low current exploitation probability.

XSS Obfuscate
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-6367 PHP MEDIUM PATCH This Month

Cross-site scripting in Drupal core 11.3.0 through 11.3.6 enables unauthenticated remote attackers to inject malicious scripts into web pages rendered by the application, which execute in victims' browsers upon user interaction. The CVSS Changed scope (S:C) indicator confirms the exploit crosses trust boundaries - attacker-controlled input rendered in the victim's browser context can compromise session tokens or trigger unauthorized actions. With EPSS at 0.03% (8th percentile) and no CISA KEV listing, widespread exploitation is not currently observed; a vendor patch is available in 11.3.7.

XSS Drupal Core
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-6365 PHP MEDIUM PATCH This Month

Cross-site scripting in Drupal Core exposes a broad range of Drupal installations - spanning major versions 8 through 11 - to client-side script injection exploitable by unauthenticated remote attackers who can induce user interaction. The Changed scope (S:C) in the CVSS vector confirms the injected script executes in the context of a victim's browser session, enabling session hijacking, credential theft, or malicious redirects against authenticated users including administrators. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (8th percentile) signals low near-term exploitation probability, though the breadth of affected versions across three major release lines increases the aggregate attack surface.

XSS Drupal Core
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-6095 PHP MEDIUM PATCH This Month

Reflected or stored cross-site scripting in Drupal's Orejime cookie consent module (versions 0.0.0 through 2.0.15) allows unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser upon page load or link interaction. The changed scope (S:C) in the CVSS vector indicates the injected script executes in a security context beyond the originating page - consistent with a consent banner or cookie-preference widget that renders across site sections. No public exploit code has been identified at time of analysis, and EPSS is 0.03% (8th percentile), placing this in the low-exploitation-probability tier despite being network-accessible with no authentication required.

XSS Orejime
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-5090 MEDIUM This Month

Cross-site scripting in Template::Plugin::HTML versions through 3.102 for Perl allows remote unauthenticated attackers to inject JavaScript event handlers into rendered HTML pages when victim users view pages containing attacker-controlled template variables. The html_filter function and HTML.escape method omitted escaping of single-quote characters, meaning variables filtered with `| html` inside single-quoted HTML attributes (e.g., `title='[% var | html %]'`) remained injectable. No public exploit has been identified at time of analysis and EPSS is 0.01% (1st percentile), indicating no observed widespread exploitation, though the attack primitive is straightforward for any attacker aware of the single-quote gap.

XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-34246 MEDIUM PATCH This Month

Stored XSS in CtrlPanel's admin role management interface (versions 1.1.1 and prior) allows a privileged admin to inject persistent malicious HTML into role name or color fields, which executes in the browser of every admin who subsequently loads the /admin/roles page. The attack enables session hijacking, credential harvesting via fake login prompts or keyloggers, and lateral privilege escalation by performing admin actions on behalf of victim admins - with the payload re-executing on every page load until the offending role record is manually deleted. No active exploitation is confirmed (not in CISA KEV), but a proof-of-concept payload is documented in the vendor advisory. Fixed in version 1.2.0.

PHP XSS Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-34241 HIGH PATCH This Week

Stored cross-site scripting in CtrlPanel (versions ≤1.1.1) allows a low-privileged ticket participant to inject arbitrary JavaScript into reply notifications that execute in the recipient's browser when rendered via Blade's unescaped `{!! !!}` directive. Because notifications flow bidirectionally between users and admins, a regular user can hijack an admin session - yielding privilege escalation across a scope-changed (S:C) trust boundary - and a malicious admin can pivot back to target users. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the attack path is straightforward given an authenticated low-privileged account and an admin reading the ticket queue.

XSS Panel
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-46342 npm LOW PATCH GHSA Monitor

Cache poisoning via the `/__nuxt_island/*` endpoint in Nuxt allows an attacker to prime a shared CDN or reverse-proxy cache with attacker-controlled rendered HTML, causing subsequent users requesting the same island path to receive the poisoned response. Affected are `nuxt` 3.1.0-3.21.5 and 4.0.0-alpha.1-4.4.5, as well as `@nuxt/nitro-server` 3.20.0-3.21.5 and 4.2.0-4.4.5. When any island component passes a prop into an unsafe HTML sink (`v-html`, `innerHTML`), the cache poisoning escalates to stored XSS persisting in the application's origin until cache expiry, exposing non-HttpOnly cookies, in-origin requests, and DOM state. No public exploit identified at time of analysis.

Information Disclosure XSS
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-33741 MEDIUM POC PATCH This Month

Stored cross-site scripting in EspoCRM 9.3.3 and below enables an authenticated attacker to execute arbitrary JavaScript in the browser session of any user who opens a crafted SVG attachment. The attack exploits EspoCRM's inline SVG serving behavior combined with a CSP misconfiguration that blocks inline scripts but permits same-origin external scripts - allowing a separately uploaded attacker-controlled JavaScript file (also hosted on the same EspoCRM origin) to be loaded and executed. A public exploit exists per the vendor's own GitHub security advisory; no CISA KEV listing has been identified at time of analysis.

XSS Espocrm
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-46426 npm HIGH PATCH GHSA This Week

Stored cross-site scripting in Budibase self-hosted deployments (versions before 3.38.2) allows any authenticated user with Builder role - or any BASIC/POWER user with table WRITE permission - to upload SVG, HTML, or JavaScript files containing active content via the /api/attachments/process and /api/attachments/:tableId/upload endpoints. The files are stored in the configured object store (MinIO/S3) with their executable MIME types and served via signed URLs, so any end user viewing an attachment triggers script execution in their browser session. Publicly available exploit code exists (detailed PoC in the GHSA advisory); no public exploit identified in active campaigns at time of analysis.

Docker Redis CSRF File Upload XSS
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-45738 Go HIGH PATCH GHSA This Week

Stored XSS in Argo CD allows developer-role users to inject javascript: URIs via link.argocd.argoproj.io/* annotations, which render unvalidated in the Application Summary tab's URLs section. When an admin clicks the disguised link, arbitrary JavaScript executes in the ArgoCD same-origin context with the victim's session, enabling API exfiltration and developer-to-admin privilege escalation. No public exploit identified at time of analysis beyond the detailed vendor PoC, and the issue is not currently listed in CISA KEV.

Kubernetes XSS Privilege Escalation
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-45669 npm MEDIUM PATCH GHSA This Month

Reflected XSS in Nuxt's `navigateTo()` function allows remote attackers to inject and execute arbitrary JavaScript in the application's origin during server-side rendering. Applications passing user-controlled input to `navigateTo(url, { external: true })` - the common post-login `?next=` or `?redirect=` redirect pattern - are affected across nuxt versions 3.4.3-3.21.5 and 4.0.0-alpha.1-4.4.5. A full proof-of-concept is published in the GitHub Security Advisory GHSA-fx6j-w5w5-h468; no public exploit identified at time of analysis beyond that PoC, and this CVE does not appear in CISA KEV.

XSS
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-46511 npm HIGH PATCH GHSA This Week

Cross-tenant account takeover in HAXcms (npm package @haxtheweb/haxcms-nodejs <= 25.0.0) allows an authenticated attacker with edit access to chain a stored XSS flaw with token leakage in the /system/api/connectionSettings endpoint to hijack other tenants' sessions. The endpoint exposes the victim's JWT, user_token, site_token, and appstore_token via the window.appSettings global, letting injected JavaScript silently exfiltrate them to an attacker-controlled webhook and fully impersonate the victim. A detailed reporter-supplied PoC exists in the GitHub Security Advisory, though there is no public exploit identified at time of analysis as a packaged weapon and no CISA KEV entry.

PHP XSS
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-46396 npm CRITICAL PATCH GHSA Act Now

Stored cross-site scripting in HAX CMS (versions <= 25.0.0) allows authenticated users to inject malicious `<iframe>` elements with `javascript:` URIs or `srcdoc` payloads that execute in viewers' browsers, enabling theft of JWTs exposed via window.appSettings and full account takeover. A working proof-of-concept is published in the GHSA advisory demonstrating JWT exfiltration, and a vendor patch is available in 26.0.0. No public exploit identified at time of analysis beyond the published PoC, and the issue is not listed in CISA KEV.

Information Disclosure XSS
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-46496 npm CRITICAL PATCH GHSA Act Now

Stored cross-site scripting in HAX CMS (npm packages @haxtheweb/haxcms-nodejs and @haxtheweb/video-player versions <= 25.0.0) allows any authenticated user to inject a `<video-player>` element whose `source` or `source-data` attribute carries a `javascript:` URI that executes when other users render the page. A public PoC in the vendor's GHSA advisory demonstrates JWT theft from localStorage, enabling session hijacking and full account takeover - especially severe when an administrator views the malicious page. No public exploit identified at time of analysis beyond the advisory PoC, and the issue is not listed in CISA KEV.

Information Disclosure XSS
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2025-40904 MEDIUM PATCH This Month

Stored HTML injection in Nozomi Networks Guardian and CMC Smart Polling functionality allows authenticated users with limited privileges to embed malicious HTML into remote strategies via the sync mechanism. When a victim views the affected remote strategy in the Smart Polling UI, the injected HTML renders in their browser, enabling phishing campaigns and open redirect attacks. No public exploit has been identified at time of analysis; full JavaScript XSS is explicitly mitigated by the product's existing Content Security Policy, bounding the practical impact to social engineering vectors rather than direct session compromise.

Open Redirect Information Disclosure XSS
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-40903 MEDIUM PATCH This Month

Stored HTML injection in Nozomi Networks Guardian and CMC's Schedule Restore Archive feature permits authenticated administrators to embed arbitrary HTML tags within restore schedule configurations. When any user views the poisoned schedule entry, the injected markup renders in their browser, enabling phishing lures and potential open redirect attacks against operators. Full JavaScript execution is blocked by the platform's existing Content Security Policy and server-side validation, and no public exploit has been identified at time of analysis; however, in OT/ICS environments where operator trust is high, even HTML-level injection can support targeted social engineering.

Open Redirect Information Disclosure XSS
NVD
CVSS 4.0
4.8
EPSS
0.0%
CVE-2025-40902 MEDIUM PATCH This Month

Stored HTML injection in Nozomi Networks Guardian and CMC (versions prior to 26.1.0) allows an authenticated administrator to create a user account whose username contains raw HTML tags that are rendered unescaped in a victim's browser. The injection triggers specifically during group deletion workflows - when any user attempts to delete a group containing the malicious account, the stored payload renders. Full XSS exploitation is blocked by the platform's Content Security Policy, but the attack surface remains viable for phishing and open redirect abuse. No public exploit code exists and this CVE is not listed in CISA KEV; the CVSS 4.0 score of 4.8 reflects the high privilege prerequisite and required user interaction, which substantially constrain real-world risk.

Open Redirect Information Disclosure XSS
NVD
CVSS 4.0
4.8
EPSS
0.0%
CVE-2025-40901 MEDIUM PATCH This Month

Stored HTML injection in Nozomi Networks Guardian and CMC (Central Management Console) Credentials Manager allows authenticated administrators to plant malicious HTML inside identity definitions. When a separate user attempts to delete the poisoned identity, the injected HTML renders in their browser, enabling phishing lures and open redirect attacks against that user. Full script execution (XSS) and direct information disclosure are constrained by existing input validation and Content Security Policy headers, limiting the achievable impact to social engineering vectors. No public exploit code exists and this vulnerability is not listed in CISA KEV at time of analysis.

Open Redirect Information Disclosure XSS
NVD
CVSS 4.0
4.8
EPSS
0.0%
CVE-2025-40900 MEDIUM PATCH This Month

Angular template injection in the Reports functionality of Nozomi Networks Guardian and CMC (versions prior to 26.1.0) allows an authenticated user with report privileges to execute arbitrary Angular template expressions in a victim's browser context. Exploitation requires either the attacker to possess report creation privileges directly, or to socially engineer a victim into importing a crafted malicious report template. Successful exploitation enables modification of application data or disruption of application availability; however, full XSS exploitation and direct information disclosure are explicitly constrained by the product's existing input validation and Content Security Policy configuration. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Ssti Information Disclosure XSS
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-31906 MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Apache XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-31379 MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Path Traversal Apache XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-27737 MEDIUM PATCH This Month

Stored XSS in BigBlueButton's bbb-playback recording component (versions prior to 3.0.19) allowed authenticated meeting participants to inject malicious scripts via public chat that execute silently against any user who later views the session recording in presentation format. The React component rendered chat messages via dangerouslySetInnerHTML without sanitization, meaning UI:N - no victim interaction beyond loading the recording URL was required to trigger execution. No public exploit identified at time of analysis; not listed in CISA KEV.

XSS Bigbluebutton Scalite Bbb Playback
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-45231 MEDIUM PATCH This Month

Stored cross-site scripting in DumbAssets through version 1.0.11 allows script injection via asset fields - name, description, modelNumber, serialNumber, and tags - which are persisted without server-side sanitization and rendered into the DOM via innerHTML without escaping. When a victim navigates to the asset list dashboard, injected JavaScript executes in their browser; the CVE explicitly notes that with Content-Security-Policy absent or disabled, those scripts can make unrestricted connections to internal network services, escalating the impact beyond typical XSS. No public exploit identified at time of analysis, and no KEV listing exists, but the CVSS 4.0 score of 5.3 with a network attack vector and no required privileges represents a meaningful exposure for any internet-accessible or intranet-facing deployment.

XSS Dumbassets
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-45494 MEDIUM PATCH Exploit Likely This Month

Cross-site scripting (XSS)-based spoofing in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 allows remote unauthenticated attackers to inject and execute scripts within the browser context, manipulating rendered content or UI trust indicators to deceive users. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms low-complexity, network-reachable exploitation requiring only that a victim visit a malicious page. Impact is constrained to limited confidentiality and integrity loss (C:L/I:L/A:N), consistent with spoofing and credential-phishing scenarios rather than full system compromise. No public exploit identified at time of analysis and no CISA KEV listing.

Google Microsoft XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45270 PHP HIGH PATCH GHSA This Week

Stored cross-site scripting in the CI4MS (CodeIgniter 4 CMS/ERP) Pages module versions <= 0.31.8.0 allows authenticated content authors holding the pages.create or pages.update permission to persist arbitrary JavaScript that executes in every visitor's browser when the public Pages renderer outputs the field unescaped. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-gqr2-7hcg-rchf), and because vulnerable pages can be promoted to the site home page, a single injection escalates from a low-privileged author to full administrator session takeover when an admin browses the front-end.

Privilege Escalation PHP RCE CSRF XSS
NVD GitHub
CVSS 3.1
8.7
EPSS
0.1%
CVE-2026-45138 PHP MEDIUM PATCH GHSA This Month

Stored XSS in CI4MS (composer package ci4-cms-erp/ci4ms, versions up to 0.31.8.0) allows authenticated content editors holding the `blogs.create` or `blogs.update` role to persist arbitrary JavaScript that executes in every visitor's browser, including superadmins who review or preview posts. The root cause is a PHP by-reference mutation in the `html_purify` custom validation rule that CodeIgniter 4's validator silently discards - raw POST data bypasses sanitization entirely and is written unescaped to the database and rendered directly in the public template. A detailed public proof-of-concept exploit exists; vendor-released patch 0.31.9.0 was published on 2026-05-08 and is confirmed to address the issue.

PHP CSRF XSS
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45627 Go HIGH PATCH GHSA This Week

Unauthenticated reflected XSS in Arcane Backend's logo endpoint enables full admin account takeover. The vulnerability allows attackers to inject JavaScript into an SVG image response by manipulating the color parameter, which executes in the application's origin when visited by authenticated users. Fixed in version 1.19.0.

XSS Docker
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-7498 HIGH This Week

Stored cross-site scripting (XSS) in DernekWeb through version 30122025 enables attackers to inject persistent malicious scripts that execute when victims view affected pages. The vulnerability requires no authentication to exploit but does require user interaction (viewing the compromised page). With a high CVSS score of 8.8 reflecting potential for high impact across confidentiality, integrity and availability, this represents a serious risk for organizations using this Turkish association management software.

XSS Dernekweb
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-3495 Go LOW PATCH Monitor

Cross-site scripting (XSS) in Mattermost Server 10.11.0-10.11.13 and 11.5.0-11.5.1 enables authenticated administrators to inject JavaScript code through unescaped variables in error page templates. Exploitation requires high-privilege (PR:H) administrative access to site configuration settings, limiting real-world risk despite network-based attack vector (AV:N). No active exploitation confirmed (not in CISA KEV). EPSS data not available for recent CVE. This is a stored XSS vulnerability affecting administrative workflows rather than end users.

Mattermost XSS
NVD VulDB
CVSS 3.1
3.8
EPSS
0.0%
CVE-2026-6495 HIGH POC PATCH This Week

The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

WordPress XSS
NVD WPScan VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-3220 HIGH POC PATCH This Week

The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format.

WordPress XSS
NVD WPScan
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-29964 MEDIUM This Month

HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output encoding, allowing a remote attacker to execute arbitrary JavaScript code in the context of a victim's browser.

PHP XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-29965 MEDIUM This Month

HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax.

PHP XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2018-25331 MEDIUM POC This Month

Zenar Content Management System contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating form parameters in POST requests. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS
NVD Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2018-25330 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi XSS Joomla Extension Ekrishta
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2021-47981 MEDIUM POC This Month

Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP CSRF
NVD Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2021-47975 MEDIUM POC This Month

WP Learn Manager 1.1.2 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the fieldtitle parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Wp Learn Manager
NVD Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2021-47957 MEDIUM POC This Month

Cookie Law Bar 1.2.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unsanitized input to the Bar Message field. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Information Disclosure
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2021-47955 MEDIUM POC This Month

CouchCMS 2.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG files through the file upload. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload XSS PHP
NVD Exploit-DB GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2021-47934 MEDIUM POC This Month

MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP CSRF
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2020-37245 HIGH POC This Week

Supsystic Digital Publications 1.6.9 contains a path traversal vulnerability in the Folder input field that allows attackers to access files outside the web root by injecting directory traversal. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Path Traversal Digital Publications
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2020-37243 HIGH POC This Week

Supsystic Pricing Table 1.8.7 contains an SQL injection vulnerability in the 'sidx' GET parameter that allows unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi XSS Pricing Table
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2020-37240 MEDIUM POC This Month

Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Queue Management System
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37238 MEDIUM POC This Month

CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Cms Made Simple
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37237 MEDIUM POC This Month

Composr CMS 10.0.34 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the banner management interface. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Composr Cms
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37236 MEDIUM POC This Month

NewsLister contains an authenticated persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the title parameter in the news. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Newslister
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37235 MEDIUM POC This Month

WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37233 MEDIUM POC This Month

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-8656 LOW PATCH Monitor

Cross-site scripting (XSS) in jsondiffpatch library versions before 0.7.6 allows remote attackers to inject malicious HTML/JavaScript through crafted JSON property names or values when the annotated formatter output is rendered in a browser. The vulnerability enables attackers to execute arbitrary client-side code in victim browsers when applications compare untrusted JSON data and display formatted diffs to users. Publicly available exploit code exists (EPSS not provided in data, no CISA KEV listing), with fix version 0.7.6 confirmed via vendor advisory and GitHub commit 232338b34.

XSS Jsondiffpatch
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-45622 MEDIUM PATCH This Month

Unauthenticated reflected cross-site scripting (XSS) in Vvveb CMS versions prior to 1.0.8.3 enables attackers to execute arbitrary JavaScript in victim browsers via the public product return form. The customer_order_id parameter is reflected without sanitization in error messages when order lookups fail, allowing HTML injection. No public exploit identified at time of analysis. While CVSS 5.3 indicates moderate severity, the unauthenticated attack vector (PR:N) and low complexity (AC:L) make this readily exploitable against any site visitor, though user interaction (UI:P) is required to submit the malicious form.

XSS Vvveb
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-45616 MEDIUM PATCH This Month

Cross-site scripting (XSS) in Vvveb CMS versions prior to 1.0.8.3 allows authenticated users to inject malicious scripts that execute in victim browsers with user interaction. The CVSS 4.0 vector indicates network-based attack requiring low-privilege authentication and user interaction, with low confidentiality and integrity impact to the subsequent system. GitHub security advisory confirms the vulnerability, with patch version 1.0.8.3 available. No public exploit code identified at time of analysis, and EPSS data not available for this recently assigned CVE.

XSS Vvveb
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-46367 PHP HIGH PATCH GHSA This Week

Stored cross-site scripting in phpMyFAQ 4.1.1 lets any authenticated user with a registered account persist JavaScript inside FAQ or News comments by submitting a URL containing an unescaped double quote, which Utils::parseUrl() injects unescaped into an href attribute. Payloads execute for every visitor - including admins viewing the comments panel - enabling session cookie theft and full application takeover. Publicly available exploit code exists in the GHSA advisory, though EPSS is only 0.01% and SSVC categorizes exploitation as POC rather than active.

XSS Phpmyfaq
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-46363 PHP MEDIUM PATCH This Month

Stored cross-site scripting in phpMyFAQ versions prior to 4.1.2 allows authenticated users with FAQ_ADD permission to inject malicious JavaScript into FAQ questions and answers that execute in all visitors' browsers. The vulnerability exploits an encode-decode cycle where FILTER_SANITIZE_SPECIAL_CHARS encoding is immediately reversed by html_entity_decode(), bypassing Filter::removeAttributes() which only strips HTML attributes but not tags like <script>. Twig templates render this content with the |raw filter, executing stored payloads. CVSS 5.4 indicates network-accessible attack requiring low-privilege authentication and user interaction, with changed scope enabling cross-user impact. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

XSS Phpmyfaq
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-46361 PHP HIGH PATCH This Week

Stored cross-site scripting in phpMyFAQ before 4.1.2 lets FAQ editors persist HTML-entity-encoded JavaScript that survives sanitization and executes in every visitor's browser, including administrators. The flaw stems from Twig's `| raw` filter being applied to `result.question` and `result.answerPreview` in `search.twig`, combined with a `html_entity_decode(strip_tags())` round-trip in SearchController.php that resurrects encoded tags. Publicly available exploit code exists (POC per SSVC), though EPSS is 0.01% and the issue is not on the CISA KEV list.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-46360 PHP MEDIUM PATCH This Month

Authenticated users with FAQ_EDIT permission in phpMyFAQ can bypass SVG sanitization and execute arbitrary JavaScript in victims' browsers by exploiting recursive entity decoding limits. By nesting ampersand encoding five levels deep around numeric HTML entities in SVG href attributes (e.g., &amp;amp;amp;amp;amp;#106; for 'j'), attackers reconstruct javascript: URLs that the decodeAllEntities() method fails to detect but browsers fully decode. The malicious SVG uploads persist on the server and execute JavaScript when other users click the embedded links. Fixed in version 4.1.2. EPSS and KEV data not available; VulnCheck reported this issue with vendor-confirmed details and proof-of-concept in GitHub security advisory GHSA-whqh-9pq5-c7r3.

XSS Phpmyfaq
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2021-47968 MEDIUM POC PATCH This Month

Podcast Generator 3.1 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unfiltered JavaScript code in the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Podcast Generator
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2021-47967 MEDIUM POC This Month

PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2021-47963 MEDIUM POC This Month

Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to execute arbitrary code by injecting malicious payloads into markdown files stored within the application. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS RCE Anote
NVD Exploit-DB GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2021-47962 MEDIUM POC This Month

Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Savsoft Quiz
NVD Exploit-DB GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-45610 PHP MEDIUM GHSA This Month

Cross-site request forgery in AVideo's LoginControl plugin allows remote attackers to disable two-factor authentication for authenticated victims through a single malicious HTTP request. The vulnerability exists in plugin/LoginControl/set.json.php which accepts POST requests to toggle 2FA without CSRF token validation, origin verification, or re-authentication. Attackers deliver a weaponized webpage containing a hidden form that auto-submits to the vulnerable endpoint; when a logged-in AVideo administrator visits this page, their 2FA protection is silently stripped, enabling subsequent credential-based account takeover. The flaw is confirmed through GitHub security advisory GHSA-3mv2-vmwh-rwfx with source code evidence showing the endpoint performs only session authentication (User::isLogged()) while omitting the forbidIfIsUntrustedRequest() protection used throughout the rest of the codebase. No public exploit code identified at time of analysis, though the attack is trivial to weaponize given the detailed advisory.

Authentication Bypass Open Redirect CSRF XSS PHP
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-45580 PHP MEDIUM GHSA This Month

Stored cross-site scripting in AVideo's Live plugin allows authenticated streamers to inject malicious JavaScript into live stream pages, executing in any visitor's browser context. The vulnerability exists in modeYoutubeLive.php where stream keys are rendered unescaped into HTML class attributes. Attackers with canStream privileges can persist event handlers via crafted stream keys that trigger when victims view the live page, enabling session hijacking, CSRF token theft, and potential admin account compromise. CVSS 5.4 reflects network-accessible exploitation requiring only low-privilege authentication and user interaction, with scope change indicating cross-user impact. No patch is currently available per GitHub advisory GHSA-m5j4-7r85-2cj2.

Mozilla CSRF XSS PHP
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-44366 MEDIUM PATCH This Month

Stored Cross-Site Scripting in Vvveb CMS comment submission allows unauthenticated attackers to inject malicious JavaScript through the author field on public post pages. The payload persists in the database and executes in two distinct contexts when administrators or other users view the comments, enabling session hijacking, credential theft, or administrative action manipulation. No public exploit code has been identified at time of analysis, though exploitation requires only user interaction (victim viewing the malicious comment). EPSS data not available; CVSS 6.1 reflects moderate severity with cross-site scope change.

XSS Vvveb
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-45106 PyPI MEDIUM PATCH GHSA This Month

Stored cross-site scripting (XSS) in Weblate allows authenticated contributors to inject HTML and CSS into the live search preview feature, which executes in the browsers of all authenticated users who perform matching searches. The vulnerability stems from improper output escaping of unit source and context fields in the search preview interface. Vendor-released patch available in version 2026.5, confirmed via GitHub advisory GHSA-6wxc-8mgq-w26m and commit 8b0adf1d0b43. CVSS score of 4.6 (Medium) reflects the requirement for low-privilege authentication and user interaction, limiting exploitation scope compared to unauthenticated XSS.

XSS Suse
NVD GitHub VulDB
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-41147 PHP HIGH PATCH GHSA This Week

Stored Cross-Site Scripting (XSS) in NukeViet CMS versions up to 4.5.07 allows unauthenticated attackers to inject malicious HTML/JavaScript through any module using the Request class for HTML input. The vulnerability stems from insufficient server-side sanitization that relies on client-side filtering, which attackers can bypass using proxy tools like Burp Suite. While not currently listed in CISA KEV and lacking public exploit code, the issue poses significant risk as it requires no authentication and affects administrative users viewing user-submitted content.

XSS PHP
NVD GitHub
CVSS 3.1
8.7
EPSS
0.1%
CVE-2026-23695 PHP MEDIUM PATCH This Month

Stored cross-site scripting in Cockpit CMS 2.14.0 and earlier allows authenticated users with content/:models/manage permission to inject arbitrary JavaScript through the Set field type's Display template option. The vulnerability exploits unsafe template rendering via `new Function()` and Vue's v-html directive without sanitization, executing injected code in the browsers of all users viewing the collection items list. Vendor-released patch available via commit 72a83fc replaces Function-based evaluation with sandboxed JSLite execution.

XSS Cockpit
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-6415 MEDIUM This Month

Stored Cross-Site Scripting in Advanced Custom Fields: Font Awesome plugin for WordPress up to version 5.0.2 allows authenticated attackers with Subscriber-level access to inject arbitrary JavaScript via insufficiently validated JSON field values in the update_preview() function, resulting in script execution whenever any user visits an affected page. The vulnerability requires user interaction only in the sense that a victim must visit a page containing injected content; the attacker needs only Subscriber-level authentication to craft the malicious payload.

XSS WordPress Advanced Custom Fields
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6646 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in The7 WordPress theme versions up to 14.3.2 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'title' parameter of the 'dt_default_button' shortcode. The injected scripts execute in the context of any user who views the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code has been identified at time of analysis.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-24662 MEDIUM This Month

Stored cross-site scripting (XSS) in Fujitsu's Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 allows authenticated users to execute arbitrary scripts in administrators' browsers by uploading files with malicious content. When administrators view file information on the administration page, the injected script executes with user-level privileges. No public exploit code or active exploitation has been identified at the time of analysis.

XSS Information Disclosure Musetheque V4 Information Disclosure For Ipknowledge
NVD
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-42573 npm MEDIUM PATCH GHSA This Month

Cross-site scripting (XSS) via DOM clobbering in Svelte versions 5.55.6 and earlier allows attackers to inject malicious code when attribute spreading is used simultaneously on both form elements and their child input/button elements with user-controllable name attributes. The vulnerability requires specific markup patterns where both the form and nested input/button use spread syntax with attacker-controlled values, enabling manipulation of Svelte's internal framework state. Vendor-released patch: version 5.55.7.

XSS
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-45665 npm HIGH PATCH GHSA This Week

Stored XSS in Open WebUI Banner component enables privilege escalation from compromised admin to Super Admin. A malicious administrator can inject markdown-based JavaScript payloads (e.g., `[text](javascript:...)`) that bypass DOMPurify sanitization due to incorrect sanitizer-parser execution order in Banner.svelte:103. When the Super Admin views the global banner and clicks the crafted link, their session token is exfiltrated to the attacker. Vendor-released patch available in v0.8.0 (2026-02-12) reversing sanitization order to `DOMPurify.sanitize(marked.parse(...))`. CVSS 8.1 (High) with Network vector, Low complexity, but requires High privileges (admin) and User interaction (click). No KEV listing or EPSS data available; publicly disclosed POC with detailed reproduction steps.

XSS Privilege Escalation
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-45348 PyPI HIGH PATCH GHSA This Week

Stored cross-site scripting (XSS) in pyLoad's download management interface allows authenticated users with add-package permissions to inject JavaScript that executes in administrators' browsers when viewing the /collector or /queue pages. The vulnerability stems from unescaped template literal interpolation in packages.js that directly writes attacker-controlled link URLs to the DOM via jQuery .html(). Exploitation requires low-privilege authentication (Perms.ADD role) but enables full session hijacking against administrators, leading to plugin upload, configuration tampering, and potential remote code execution through reconnect-script features. A secondary unauthenticated attack vector exists when the ClickNLoad handler is enabled via POST /flash/add. No public exploit identified at time of analysis, though detailed proof-of-concept is published in the GitHub advisory.

XSS CSRF
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-45346 npm MEDIUM PATCH GHSA This Month

Stored cross-site scripting (XSS) in Open WebUI's SVG renderer allows authenticated users to permanently inject malicious HTML and JavaScript code into conversation threads by editing SVG content, which executes in the browser context of any user viewing the shared thread. The vulnerability affects npm package open-webui versions prior to 0.6.31 and enables account takeover, data theft, and DOM manipulation. Publicly available proof-of-concept demonstrates code execution via img tag onerror handler embedded in SVG markup.

XSS Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-42599 npm MEDIUM PATCH GHSA This Month

Cross-site scripting in Svelte versions up to 5.55.6 allows remote attackers to inject malicious event handlers via spread syntax when rendering untrusted data as element attributes. The vulnerability executes in victims' browsers only when JavaScript is enabled and Svelte's hydration mechanism does not process the vulnerable element before the injected event fires. Vendor-released patch: version 5.55.7.

XSS Red Hat
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-45318 PyPI MEDIUM PATCH GHSA This Month

Stored cross-site scripting (XSS) in Open WebUI versions up to 0.9.2 allows authenticated users to upload malicious Office files (Excel, DOCX, PPT) that execute arbitrary JavaScript in the browsers of any user previewing the file. The vulnerability stems from rendering user-supplied HTML from file-preview components using Svelte's `{@html}` directive without DOMPurify sanitization, despite DOMPurify being available and correctly applied in 39% of the codebase's other rendering locations. This is a regression of a previously patched vulnerability (GHSA-jwf8-pv5p-vhmc) that was fixed in v0.8.0 but reintroduced after that release.

XSS Microsoft File Upload
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45314 PyPI HIGH PATCH GHSA This Week

Stored cross-site scripting in Open WebUI versions 0.9.2 and earlier allows authenticated low-privileged users to persist malicious SVG payloads through the channel webhook profile_image_url field, which the server later serves verbatim as image/svg+xml. Any verified user who loads the resulting profile image URL executes attacker-controlled JavaScript in the application origin, enabling session theft and account takeover. Publicly available exploit code exists in the form of a working Python PoC published in the GHSA advisory; no public exploit identified at time of analysis as actively used in the wild.

XSS
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-45315 PyPI HIGH PATCH GHSA This Week

Stored cross-site scripting (XSS) in Open WebUI ≤0.9.2 allows authenticated users with default speech-to-text permissions to upload polyglot WAV+HTML files through the audio transcription endpoint, achieving code execution in victim browsers and enabling full account takeover including administrator sessions. The vulnerability chains insecure file extension handling with unrestricted Content-Type serving and non-HttpOnly JWT storage to weaponize a single-click attack. Publicly available exploit code exists with video demonstration; no active exploitation confirmed by CISA KEV at time of analysis. CVSS 8.7 (High) reflects changed scope (S:C) and user interaction requirement, but real-world risk is elevated because the vulnerable permission defaults to enabled and the attack yields immediate admin-level access in typical deployments.

XSS RCE Python
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-45303 PyPI HIGH PATCH GHSA This Week

Stored cross-site scripting (XSS) in Open WebUI versions before 0.6.5 allows authenticated users to exfiltrate session tokens via maliciously crafted chat content. The HTML rendering view uses an insufficiently restrictive iframe sandbox (`allow-scripts allow-forms allow-same-origin`), enabling injected JavaScript to access localStorage and transmit authentication tokens to attacker-controlled servers. While primarily self-XSS, exploitation extends to other users through shared chat cloning, file upload content rendering, or conversation import features. Publicly available exploit code exists (GitHub advisory includes working PoC). CVSS 7.7 reflects high complexity requiring user interaction, but successful exploitation grants full account compromise (C:H/I:H).

XSS
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-45299 PyPI MEDIUM PATCH GHSA This Month

Stored cross-site scripting in Open WebUI versions before 0.8.0 allows authenticated users to inject malicious data URIs into the profile_image_url field, enabling JavaScript execution in the application origin. The most critical attack path involves uploading a base64-encoded SVG data URI that, when loaded via the /api/v1/users/{user_id}/profile/image endpoint, executes scripts with access to localStorage and enables full account takeover of any user viewing the malicious profile image, including administrators. Two independent reporters demonstrated distinct vectors: one via HTML data URIs in new tabs (limited scope), and one via SVG data URIs served by the application origin (account takeover). No public exploit code or active exploitation has been confirmed, but the vulnerability requires only authenticated access and user interaction (viewing a profile image).

XSS Python
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-44541 PyPI HIGH PATCH GHSA This Week

DOM-based cross-site scripting in Fides consent banner (fides.js) allows remote unauthenticated attackers to execute arbitrary JavaScript in the embedding site's origin via crafted URL parameters, JavaScript globals, or cookies. The vulnerability affects Fides Enterprise deployments using the consent management platform with HTML-formatted banner descriptions enabled (FIDES_PRIVACY_CENTER__ALLOW_HTML_DESCRIPTION=true), though only when the non-default HTML description feature is active. Cookie-based payload delivery enables persistent XSS across all subdomains until cookies are cleared. Vendor-released patch available in ethyca-fides 2.84.5 (OSS) and fidesplus 2.84.6 (Enterprise). No public exploit identified at time of analysis beyond the vendor's proof-of-concept test snippet.

XSS
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-45011 npm HIGH GHSA This Week

Stored cross-site scripting in ApostropheCMS 4.29.0 allows authenticated editors to inject arbitrary JavaScript via image widget URL fields, affecting administrators and public visitors. The vulnerability permits execution of malicious payloads when victims click crafted image links on published pages. No vendor-released patch identified at time of analysis, and CVSS 7.3 (High) reflects the authenticated nature and required user interaction, though impact on administrator sessions elevates real-world risk.

XSS
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-44990 npm CRITICAL PATCH GHSA Act Now

The sanitize-html npm package allows remote attackers to bypass HTML sanitization and inject executable JavaScript by wrapping malicious payloads inside disallowed <xmp> tags, achieving stored cross-site scripting (XSS) in applications using default configurations. This affects all versions through 2.17.3, with no vendor-released patch identified at time of analysis. A publicly available proof-of-concept demonstrates the bypass, which leverages the library's special handling of raw-text elements. With a 9.3 CVSS score and network-based attack vector requiring only user interaction, this represents a critical risk for Node.js applications that render sanitized user content in browsers.

XSS Node.js
NVD GitHub
CVSS 3.1
9.3
EPSS
0.1%
CVE-2026-44586 HIGH PATCH This Week

Stored cross-site scripting in SiYuan's Bazaar marketplace (versions 2.1.12 through 3.6.x) enables arbitrary code execution on the host system. The vulnerability stems from unescaped package author metadata rendering, which when exploited through a malicious marketplace package, allows attackers to leverage SiYuan's insecure Electron configuration (nodeIntegration enabled, contextIsolation disabled) to execute Node.js APIs and OS-level commands. No public exploit or active exploitation confirmed at time of analysis. CVSS 8.3 with high attack complexity and required user interaction suggests real-world exploitation depends on convincing users to view crafted marketplace entries.

XSS Microsoft Node.js
NVD GitHub
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-42897 MEDIUM POC KEV PATCH THREAT Exploited Act Now

Cross-site scripting (XSS) in Microsoft Exchange Server enables remote attackers to spoof content and steal credentials without authentication. Affects Exchange Server 2016 CU23, 2019 CU14/CU15, and Subscription Edition. Functional exploit code exists (CVSS temporal E:F) though no active exploitation confirmed at analysis time. CVSS 8.1 (High) driven by network vector, no authentication requirement, and dual confidentiality/integrity impact. Microsoft released patches via MSRC security update guide. Medium-high priority for organizations running affected Exchange versions with webmail or OWA exposed.

XSS Microsoft Microsoft Exchange Server 2016 Cumulative Update 23 Microsoft Exchange Server 2019 Cumulative Update 14 Microsoft Exchange Server 2019 Cumulative Update 15 +1
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.2%
Threat
5.1
CVE-2026-44899 PyPI MEDIUM PATCH GHSA This Month

CSS injection in mistune's Image directive plugin allows unauthenticated remote attackers to inject arbitrary CSS properties via the :width: or :height: options in fenced image directives, enabling full-page phishing overlays and UI redressing attacks. The vulnerability stems from a prefix-only regex validation (_num_re.match() with no end-of-string anchor) that accepts values like '100vw;position:fixed;background-color:#e11d48;...' and renders them unescaped into style= attributes. Confirmed fixed in v3.2.1; publicly available proof-of-concept demonstrates full-viewport colored overlay generation from a single malicious :width: directive.

XSS Apple Python Red Hat
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.0%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the CVMH Sticky plugin for WordPress (versions ≤2.5.6) enables authenticated contributors to inject persistent JavaScript via the `readmoretext` attribute of the `[cvmh-sticky]` shortcode. The payload executes in the browsers of any visitor loading a page containing the injected shortcode, enabling session hijacking, credential theft, or privilege escalation by targeting administrators. No public exploit is identified at time of analysis and this vulnerability is not listed in CISA KEV, but Wordfence has confirmed the flaw with direct code-level references.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in the LJ Comments Import: Reloaded WordPress plugin (all versions ≤ 0.97.1) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in victim browsers by exploiting two distinct unsanitized echo points for the PHP_SELF variable in lj_comments_import.php (lines L129 and L161). The attack requires tricking an authenticated WordPress user into clicking a crafted link, making session hijacking and unauthorized administrative actions the primary post-exploitation risk. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity (AC:L, PR:N) and Changed scope make this a realistic threat to sites where the plugin is active.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Stored/reflected Cross-Site Scripting in @cyntler/react-doc-viewer v1.17.1 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted .txt file for rendering. The TXTRenderer component unsafely casts raw file content directly as a ReactNode without sanitization, bypassing React's default escaping and enabling HTML/script injection. A publicly available proof-of-concept exists; no confirmed active exploitation in CISA KEV at time of analysis.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-site scripting in Veritas InfoScale VIOM 9.1.3 allows a low-privileged authenticated attacker to inject malicious scripts into the web application, which execute in the browser context of other users - including potentially administrators. The CVSS 3.1 score of 5.4 with Changed scope (S:C) indicates the injected payload can cross security boundaries and impact principals beyond the originating session. No public exploit code has been identified at time of analysis, and CISA SSVC assessment confirms no active exploitation.

XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting in the Drupal Colorbox Inline contributed module (versions 0.0.0 through before 2.1.1) allows an authenticated low-privileged attacker to inject malicious script into web page output, which executes in a victim's browser when they interact with the affected content. The changed-scope CVSS vector (S:C) confirms the classic XSS pattern where attacker-controlled content runs in a different security context than the origin. No public exploit code exists and no active exploitation has been identified; EPSS at 0.03% (8th percentile) confirms this is not a currently targeted vulnerability.

XSS Colorbox Inline
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in the Drupal Obfuscate contributed module (versions 0.0.0 through before 2.0.2) allows remote unauthenticated attackers to inject malicious scripts into pages rendered for other users, with impact scoped across security boundaries (S:C). The vulnerability stems from improper neutralization of input during web page generation, enabling session hijacking or UI redress attacks against users who view attacker-controlled content processed by the module. No public exploit has been identified at time of analysis, and EPSS at 0.03% (8th percentile) reflects low current exploitation probability.

XSS Obfuscate
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Drupal core 11.3.0 through 11.3.6 enables unauthenticated remote attackers to inject malicious scripts into web pages rendered by the application, which execute in victims' browsers upon user interaction. The CVSS Changed scope (S:C) indicator confirms the exploit crosses trust boundaries - attacker-controlled input rendered in the victim's browser context can compromise session tokens or trigger unauthorized actions. With EPSS at 0.03% (8th percentile) and no CISA KEV listing, widespread exploitation is not currently observed; a vendor patch is available in 11.3.7.

XSS Drupal Core
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Drupal Core exposes a broad range of Drupal installations - spanning major versions 8 through 11 - to client-side script injection exploitable by unauthenticated remote attackers who can induce user interaction. The Changed scope (S:C) in the CVSS vector confirms the injected script executes in the context of a victim's browser session, enabling session hijacking, credential theft, or malicious redirects against authenticated users including administrators. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (8th percentile) signals low near-term exploitation probability, though the breadth of affected versions across three major release lines increases the aggregate attack surface.

XSS Drupal Core
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected or stored cross-site scripting in Drupal's Orejime cookie consent module (versions 0.0.0 through 2.0.15) allows unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser upon page load or link interaction. The changed scope (S:C) in the CVSS vector indicates the injected script executes in a security context beyond the originating page - consistent with a consent banner or cookie-preference widget that renders across site sections. No public exploit code has been identified at time of analysis, and EPSS is 0.03% (8th percentile), placing this in the low-exploitation-probability tier despite being network-accessible with no authentication required.

XSS Orejime
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-site scripting in Template::Plugin::HTML versions through 3.102 for Perl allows remote unauthenticated attackers to inject JavaScript event handlers into rendered HTML pages when victim users view pages containing attacker-controlled template variables. The html_filter function and HTML.escape method omitted escaping of single-quote characters, meaning variables filtered with `| html` inside single-quoted HTML attributes (e.g., `title='[% var | html %]'`) remained injectable. No public exploit has been identified at time of analysis and EPSS is 0.01% (1st percentile), indicating no observed widespread exploitation, though the attack primitive is straightforward for any attacker aware of the single-quote gap.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored XSS in CtrlPanel's admin role management interface (versions 1.1.1 and prior) allows a privileged admin to inject persistent malicious HTML into role name or color fields, which executes in the browser of every admin who subsequently loads the /admin/roles page. The attack enables session hijacking, credential harvesting via fake login prompts or keyloggers, and lateral privilege escalation by performing admin actions on behalf of victim admins - with the payload re-executing on every page load until the offending role record is manually deleted. No active exploitation is confirmed (not in CISA KEV), but a proof-of-concept payload is documented in the vendor advisory. Fixed in version 1.2.0.

PHP XSS Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in CtrlPanel (versions ≤1.1.1) allows a low-privileged ticket participant to inject arbitrary JavaScript into reply notifications that execute in the recipient's browser when rendered via Blade's unescaped `{!! !!}` directive. Because notifications flow bidirectionally between users and admins, a regular user can hijack an admin session - yielding privilege escalation across a scope-changed (S:C) trust boundary - and a malicious admin can pivot back to target users. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the attack path is straightforward given an authenticated low-privileged account and an admin reading the ticket queue.

XSS Panel
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Cache poisoning via the `/__nuxt_island/*` endpoint in Nuxt allows an attacker to prime a shared CDN or reverse-proxy cache with attacker-controlled rendered HTML, causing subsequent users requesting the same island path to receive the poisoned response. Affected are `nuxt` 3.1.0-3.21.5 and 4.0.0-alpha.1-4.4.5, as well as `@nuxt/nitro-server` 3.20.0-3.21.5 and 4.2.0-4.4.5. When any island component passes a prop into an unsafe HTML sink (`v-html`, `innerHTML`), the cache poisoning escalates to stored XSS persisting in the application's origin until cache expiry, exposing non-HttpOnly cookies, in-origin requests, and DOM state. No public exploit identified at time of analysis.

Information Disclosure XSS
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

Stored cross-site scripting in EspoCRM 9.3.3 and below enables an authenticated attacker to execute arbitrary JavaScript in the browser session of any user who opens a crafted SVG attachment. The attack exploits EspoCRM's inline SVG serving behavior combined with a CSP misconfiguration that blocks inline scripts but permits same-origin external scripts - allowing a separately uploaded attacker-controlled JavaScript file (also hosted on the same EspoCRM origin) to be loaded and executed. A public exploit exists per the vendor's own GitHub security advisory; no CISA KEV listing has been identified at time of analysis.

XSS Espocrm
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Stored cross-site scripting in Budibase self-hosted deployments (versions before 3.38.2) allows any authenticated user with Builder role - or any BASIC/POWER user with table WRITE permission - to upload SVG, HTML, or JavaScript files containing active content via the /api/attachments/process and /api/attachments/:tableId/upload endpoints. The files are stored in the configured object store (MinIO/S3) with their executable MIME types and served via signed URLs, so any end user viewing an attachment triggers script execution in their browser session. Publicly available exploit code exists (detailed PoC in the GHSA advisory); no public exploit identified in active campaigns at time of analysis.

Docker Redis CSRF +2
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Stored XSS in Argo CD allows developer-role users to inject javascript: URIs via link.argocd.argoproj.io/* annotations, which render unvalidated in the Application Summary tab's URLs section. When an admin clicks the disguised link, arbitrary JavaScript executes in the ArgoCD same-origin context with the victim's session, enabling API exfiltration and developer-to-admin privilege escalation. No public exploit identified at time of analysis beyond the detailed vendor PoC, and the issue is not currently listed in CISA KEV.

Kubernetes XSS Privilege Escalation
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Reflected XSS in Nuxt's `navigateTo()` function allows remote attackers to inject and execute arbitrary JavaScript in the application's origin during server-side rendering. Applications passing user-controlled input to `navigateTo(url, { external: true })` - the common post-login `?next=` or `?redirect=` redirect pattern - are affected across nuxt versions 3.4.3-3.21.5 and 4.0.0-alpha.1-4.4.5. A full proof-of-concept is published in the GitHub Security Advisory GHSA-fx6j-w5w5-h468; no public exploit identified at time of analysis beyond that PoC, and this CVE does not appear in CISA KEV.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Cross-tenant account takeover in HAXcms (npm package @haxtheweb/haxcms-nodejs <= 25.0.0) allows an authenticated attacker with edit access to chain a stored XSS flaw with token leakage in the /system/api/connectionSettings endpoint to hijack other tenants' sessions. The endpoint exposes the victim's JWT, user_token, site_token, and appstore_token via the window.appSettings global, letting injected JavaScript silently exfiltrate them to an attacker-controlled webhook and fully impersonate the victim. A detailed reporter-supplied PoC exists in the GitHub Security Advisory, though there is no public exploit identified at time of analysis as a packaged weapon and no CISA KEV entry.

PHP XSS
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Stored cross-site scripting in HAX CMS (versions <= 25.0.0) allows authenticated users to inject malicious `<iframe>` elements with `javascript:` URIs or `srcdoc` payloads that execute in viewers' browsers, enabling theft of JWTs exposed via window.appSettings and full account takeover. A working proof-of-concept is published in the GHSA advisory demonstrating JWT exfiltration, and a vendor patch is available in 26.0.0. No public exploit identified at time of analysis beyond the published PoC, and the issue is not listed in CISA KEV.

Information Disclosure XSS
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Stored cross-site scripting in HAX CMS (npm packages @haxtheweb/haxcms-nodejs and @haxtheweb/video-player versions <= 25.0.0) allows any authenticated user to inject a `<video-player>` element whose `source` or `source-data` attribute carries a `javascript:` URI that executes when other users render the page. A public PoC in the vendor's GHSA advisory demonstrates JWT theft from localStorage, enabling session hijacking and full account takeover - especially severe when an administrator views the malicious page. No public exploit identified at time of analysis beyond the advisory PoC, and the issue is not listed in CISA KEV.

Information Disclosure XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored HTML injection in Nozomi Networks Guardian and CMC Smart Polling functionality allows authenticated users with limited privileges to embed malicious HTML into remote strategies via the sync mechanism. When a victim views the affected remote strategy in the Smart Polling UI, the injected HTML renders in their browser, enabling phishing campaigns and open redirect attacks. No public exploit has been identified at time of analysis; full JavaScript XSS is explicitly mitigated by the product's existing Content Security Policy, bounding the practical impact to social engineering vectors rather than direct session compromise.

Open Redirect Information Disclosure XSS
NVD
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored HTML injection in Nozomi Networks Guardian and CMC's Schedule Restore Archive feature permits authenticated administrators to embed arbitrary HTML tags within restore schedule configurations. When any user views the poisoned schedule entry, the injected markup renders in their browser, enabling phishing lures and potential open redirect attacks against operators. Full JavaScript execution is blocked by the platform's existing Content Security Policy and server-side validation, and no public exploit has been identified at time of analysis; however, in OT/ICS environments where operator trust is high, even HTML-level injection can support targeted social engineering.

Open Redirect Information Disclosure XSS
NVD
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored HTML injection in Nozomi Networks Guardian and CMC (versions prior to 26.1.0) allows an authenticated administrator to create a user account whose username contains raw HTML tags that are rendered unescaped in a victim's browser. The injection triggers specifically during group deletion workflows - when any user attempts to delete a group containing the malicious account, the stored payload renders. Full XSS exploitation is blocked by the platform's Content Security Policy, but the attack surface remains viable for phishing and open redirect abuse. No public exploit code exists and this CVE is not listed in CISA KEV; the CVSS 4.0 score of 4.8 reflects the high privilege prerequisite and required user interaction, which substantially constrain real-world risk.

Open Redirect Information Disclosure XSS
NVD
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored HTML injection in Nozomi Networks Guardian and CMC (Central Management Console) Credentials Manager allows authenticated administrators to plant malicious HTML inside identity definitions. When a separate user attempts to delete the poisoned identity, the injected HTML renders in their browser, enabling phishing lures and open redirect attacks against that user. Full script execution (XSS) and direct information disclosure are constrained by existing input validation and Content Security Policy headers, limiting the achievable impact to social engineering vectors. No public exploit code exists and this vulnerability is not listed in CISA KEV at time of analysis.

Open Redirect Information Disclosure XSS
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Angular template injection in the Reports functionality of Nozomi Networks Guardian and CMC (versions prior to 26.1.0) allows an authenticated user with report privileges to execute arbitrary Angular template expressions in a victim's browser context. Exploitation requires either the attacker to possess report creation privileges directly, or to socially engineer a victim into importing a crafted malicious report template. Successful exploitation enables modification of application data or disruption of application availability; however, full XSS exploitation and direct information disclosure are explicitly constrained by the product's existing input validation and Content Security Policy configuration. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Ssti Information Disclosure XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Apache XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Path Traversal Apache XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Stored XSS in BigBlueButton's bbb-playback recording component (versions prior to 3.0.19) allowed authenticated meeting participants to inject malicious scripts via public chat that execute silently against any user who later views the session recording in presentation format. The React component rendered chat messages via dangerouslySetInnerHTML without sanitization, meaning UI:N - no victim interaction beyond loading the recording URL was required to trigger execution. No public exploit identified at time of analysis; not listed in CISA KEV.

XSS Bigbluebutton Scalite +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Stored cross-site scripting in DumbAssets through version 1.0.11 allows script injection via asset fields - name, description, modelNumber, serialNumber, and tags - which are persisted without server-side sanitization and rendered into the DOM via innerHTML without escaping. When a victim navigates to the asset list dashboard, injected JavaScript executes in their browser; the CVE explicitly notes that with Content-Security-Policy absent or disabled, those scripts can make unrestricted connections to internal network services, escalating the impact beyond typical XSS. No public exploit identified at time of analysis, and no KEV listing exists, but the CVSS 4.0 score of 5.3 with a network attack vector and no required privileges represents a meaningful exposure for any internet-accessible or intranet-facing deployment.

XSS Dumbassets
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH Exploit Likely This Month

Cross-site scripting (XSS)-based spoofing in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 allows remote unauthenticated attackers to inject and execute scripts within the browser context, manipulating rendered content or UI trust indicators to deceive users. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms low-complexity, network-reachable exploitation requiring only that a victim visit a malicious page. Impact is constrained to limited confidentiality and integrity loss (C:L/I:L/A:N), consistent with spoofing and credential-phishing scenarios rather than full system compromise. No public exploit identified at time of analysis and no CISA KEV listing.

Google Microsoft XSS
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in the CI4MS (CodeIgniter 4 CMS/ERP) Pages module versions <= 0.31.8.0 allows authenticated content authors holding the pages.create or pages.update permission to persist arbitrary JavaScript that executes in every visitor's browser when the public Pages renderer outputs the field unescaped. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-gqr2-7hcg-rchf), and because vulnerable pages can be promoted to the site home page, a single injection escalates from a low-privileged author to full administrator session takeover when an admin browses the front-end.

Privilege Escalation PHP RCE +2
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored XSS in CI4MS (composer package ci4-cms-erp/ci4ms, versions up to 0.31.8.0) allows authenticated content editors holding the `blogs.create` or `blogs.update` role to persist arbitrary JavaScript that executes in every visitor's browser, including superadmins who review or preview posts. The root cause is a PHP by-reference mutation in the `html_purify` custom validation rule that CodeIgniter 4's validator silently discards - raw POST data bypasses sanitization entirely and is written unescaped to the database and rendered directly in the public template. A detailed public proof-of-concept exploit exists; vendor-released patch 0.31.9.0 was published on 2026-05-08 and is confirmed to address the issue.

PHP CSRF XSS
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Unauthenticated reflected XSS in Arcane Backend's logo endpoint enables full admin account takeover. The vulnerability allows attackers to inject JavaScript into an SVG image response by manipulating the color parameter, which executes in the application's origin when visited by authenticated users. Fixed in version 1.19.0.

XSS Docker
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Stored cross-site scripting (XSS) in DernekWeb through version 30122025 enables attackers to inject persistent malicious scripts that execute when victims view affected pages. The vulnerability requires no authentication to exploit but does require user interaction (viewing the compromised page). With a high CVSS score of 8.8 reflecting potential for high impact across confidentiality, integrity and availability, this represents a serious risk for organizations using this Turkish association management software.

XSS Dernekweb
NVD VulDB
EPSS 0% CVSS 3.8
LOW PATCH Monitor

Cross-site scripting (XSS) in Mattermost Server 10.11.0-10.11.13 and 11.5.0-11.5.1 enables authenticated administrators to inject JavaScript code through unescaped variables in error page templates. Exploitation requires high-privilege (PR:H) administrative access to site configuration settings, limiting real-world risk despite network-based attack vector (AV:N). No active exploitation confirmed (not in CISA KEV). EPSS data not available for recent CVE. This is a stored XSS vulnerability affecting administrative workflows rather than end users.

Mattermost XSS
NVD VulDB
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

WordPress XSS
NVD WPScan VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format.

WordPress XSS
NVD WPScan
EPSS 0% CVSS 6.1
MEDIUM This Month

HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output encoding, allowing a remote attacker to execute arbitrary JavaScript code in the context of a victim's browser.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Zenar Content Management System contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating form parameters in POST requests. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi XSS Joomla Extension Ekrishta
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP CSRF
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WP Learn Manager 1.1.2 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the fieldtitle parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Wp Learn Manager
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Cookie Law Bar 1.2.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unsanitized input to the Bar Message field. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Information Disclosure
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

CouchCMS 2.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG files through the file upload. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload XSS PHP
NVD Exploit-DB GitHub
EPSS 0% CVSS 6.9
MEDIUM POC This Month

MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP CSRF
NVD Exploit-DB
EPSS 0% CVSS 8.7
HIGH POC This Week

Supsystic Digital Publications 1.6.9 contains a path traversal vulnerability in the Folder input field that allows attackers to access files outside the web root by injecting directory traversal. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Path Traversal Digital Publications
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Supsystic Pricing Table 1.8.7 contains an SQL injection vulnerability in the 'sidx' GET parameter that allows unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi XSS Pricing Table
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Queue Management System
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Cms Made Simple
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Composr CMS 10.0.34 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the banner management interface. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Composr Cms
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

NewsLister contains an authenticated persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the title parameter in the news. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Newslister
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS
NVD Exploit-DB
EPSS 0% CVSS 2.0
LOW PATCH Monitor

Cross-site scripting (XSS) in jsondiffpatch library versions before 0.7.6 allows remote attackers to inject malicious HTML/JavaScript through crafted JSON property names or values when the annotated formatter output is rendered in a browser. The vulnerability enables attackers to execute arbitrary client-side code in victim browsers when applications compare untrusted JSON data and display formatted diffs to users. Publicly available exploit code exists (EPSS not provided in data, no CISA KEV listing), with fix version 0.7.6 confirmed via vendor advisory and GitHub commit 232338b34.

XSS Jsondiffpatch
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated reflected cross-site scripting (XSS) in Vvveb CMS versions prior to 1.0.8.3 enables attackers to execute arbitrary JavaScript in victim browsers via the public product return form. The customer_order_id parameter is reflected without sanitization in error messages when order lookups fail, allowing HTML injection. No public exploit identified at time of analysis. While CVSS 5.3 indicates moderate severity, the unauthenticated attack vector (PR:N) and low complexity (AC:L) make this readily exploitable against any site visitor, though user interaction (UI:P) is required to submit the malicious form.

XSS Vvveb
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) in Vvveb CMS versions prior to 1.0.8.3 allows authenticated users to inject malicious scripts that execute in victim browsers with user interaction. The CVSS 4.0 vector indicates network-based attack requiring low-privilege authentication and user interaction, with low confidentiality and integrity impact to the subsequent system. GitHub security advisory confirms the vulnerability, with patch version 1.0.8.3 available. No public exploit code identified at time of analysis, and EPSS data not available for this recently assigned CVE.

XSS Vvveb
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Stored cross-site scripting in phpMyFAQ 4.1.1 lets any authenticated user with a registered account persist JavaScript inside FAQ or News comments by submitting a URL containing an unescaped double quote, which Utils::parseUrl() injects unescaped into an href attribute. Payloads execute for every visitor - including admins viewing the comments panel - enabling session cookie theft and full application takeover. Publicly available exploit code exists in the GHSA advisory, though EPSS is only 0.01% and SSVC categorizes exploitation as POC rather than active.

XSS Phpmyfaq
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting in phpMyFAQ versions prior to 4.1.2 allows authenticated users with FAQ_ADD permission to inject malicious JavaScript into FAQ questions and answers that execute in all visitors' browsers. The vulnerability exploits an encode-decode cycle where FILTER_SANITIZE_SPECIAL_CHARS encoding is immediately reversed by html_entity_decode(), bypassing Filter::removeAttributes() which only strips HTML attributes but not tags like <script>. Twig templates render this content with the |raw filter, executing stored payloads. CVSS 5.4 indicates network-accessible attack requiring low-privilege authentication and user interaction, with changed scope enabling cross-user impact. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

XSS Phpmyfaq
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Stored cross-site scripting in phpMyFAQ before 4.1.2 lets FAQ editors persist HTML-entity-encoded JavaScript that survives sanitization and executes in every visitor's browser, including administrators. The flaw stems from Twig's `| raw` filter being applied to `result.question` and `result.answerPreview` in `search.twig`, combined with a `html_entity_decode(strip_tags())` round-trip in SearchController.php that resurrects encoded tags. Publicly available exploit code exists (POC per SSVC), though EPSS is 0.01% and the issue is not on the CISA KEV list.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Authenticated users with FAQ_EDIT permission in phpMyFAQ can bypass SVG sanitization and execute arbitrary JavaScript in victims' browsers by exploiting recursive entity decoding limits. By nesting ampersand encoding five levels deep around numeric HTML entities in SVG href attributes (e.g., &amp;amp;amp;amp;amp;#106; for 'j'), attackers reconstruct javascript: URLs that the decodeAllEntities() method fails to detect but browsers fully decode. The malicious SVG uploads persist on the server and execute JavaScript when other users click the embedded links. Fixed in version 4.1.2. EPSS and KEV data not available; VulnCheck reported this issue with vendor-confirmed details and proof-of-concept in GitHub security advisory GHSA-whqh-9pq5-c7r3.

XSS Phpmyfaq
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM POC PATCH This Month

Podcast Generator 3.1 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unfiltered JavaScript code in the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Podcast Generator
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to execute arbitrary code by injecting malicious payloads into markdown files stored within the application. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS RCE Anote
NVD Exploit-DB GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Savsoft Quiz
NVD Exploit-DB GitHub
EPSS 0% CVSS 5.7
MEDIUM This Month

Cross-site request forgery in AVideo's LoginControl plugin allows remote attackers to disable two-factor authentication for authenticated victims through a single malicious HTTP request. The vulnerability exists in plugin/LoginControl/set.json.php which accepts POST requests to toggle 2FA without CSRF token validation, origin verification, or re-authentication. Attackers deliver a weaponized webpage containing a hidden form that auto-submits to the vulnerable endpoint; when a logged-in AVideo administrator visits this page, their 2FA protection is silently stripped, enabling subsequent credential-based account takeover. The flaw is confirmed through GitHub security advisory GHSA-3mv2-vmwh-rwfx with source code evidence showing the endpoint performs only session authentication (User::isLogged()) while omitting the forbidIfIsUntrustedRequest() protection used throughout the rest of the codebase. No public exploit code identified at time of analysis, though the attack is trivial to weaponize given the detailed advisory.

Authentication Bypass Open Redirect CSRF +2
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in AVideo's Live plugin allows authenticated streamers to inject malicious JavaScript into live stream pages, executing in any visitor's browser context. The vulnerability exists in modeYoutubeLive.php where stream keys are rendered unescaped into HTML class attributes. Attackers with canStream privileges can persist event handlers via crafted stream keys that trigger when victims view the live page, enabling session hijacking, CSRF token theft, and potential admin account compromise. CVSS 5.4 reflects network-accessible exploitation requiring only low-privilege authentication and user interaction, with scope change indicating cross-user impact. No patch is currently available per GitHub advisory GHSA-m5j4-7r85-2cj2.

Mozilla CSRF XSS +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored Cross-Site Scripting in Vvveb CMS comment submission allows unauthenticated attackers to inject malicious JavaScript through the author field on public post pages. The payload persists in the database and executes in two distinct contexts when administrators or other users view the comments, enabling session hijacking, credential theft, or administrative action manipulation. No public exploit code has been identified at time of analysis, though exploitation requires only user interaction (victim viewing the malicious comment). EPSS data not available; CVSS 6.1 reflects moderate severity with cross-site scope change.

XSS Vvveb
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Weblate allows authenticated contributors to inject HTML and CSS into the live search preview feature, which executes in the browsers of all authenticated users who perform matching searches. The vulnerability stems from improper output escaping of unit source and context fields in the search preview interface. Vendor-released patch available in version 2026.5, confirmed via GitHub advisory GHSA-6wxc-8mgq-w26m and commit 8b0adf1d0b43. CVSS score of 4.6 (Medium) reflects the requirement for low-privilege authentication and user interaction, limiting exploitation scope compared to unauthenticated XSS.

XSS Suse
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored Cross-Site Scripting (XSS) in NukeViet CMS versions up to 4.5.07 allows unauthenticated attackers to inject malicious HTML/JavaScript through any module using the Request class for HTML input. The vulnerability stems from insufficient server-side sanitization that relies on client-side filtering, which attackers can bypass using proxy tools like Burp Suite. While not currently listed in CISA KEV and lacking public exploit code, the issue poses significant risk as it requires no authentication and affects administrative users viewing user-submitted content.

XSS PHP
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting in Cockpit CMS 2.14.0 and earlier allows authenticated users with content/:models/manage permission to inject arbitrary JavaScript through the Set field type's Display template option. The vulnerability exploits unsafe template rendering via `new Function()` and Vue's v-html directive without sanitization, executing injected code in the browsers of all users viewing the collection items list. Vendor-released patch available via commit 72a83fc replaces Function-based evaluation with sandboxed JSLite execution.

XSS Cockpit
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Advanced Custom Fields: Font Awesome plugin for WordPress up to version 5.0.2 allows authenticated attackers with Subscriber-level access to inject arbitrary JavaScript via insufficiently validated JSON field values in the update_preview() function, resulting in script execution whenever any user visits an affected page. The vulnerability requires user interaction only in the sense that a victim must visit a page containing injected content; the attacker needs only Subscriber-level authentication to craft the malicious payload.

XSS WordPress Advanced Custom Fields
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting (XSS) in The7 WordPress theme versions up to 14.3.2 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'title' parameter of the 'dt_default_button' shortcode. The injected scripts execute in the context of any user who views the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code has been identified at time of analysis.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored cross-site scripting (XSS) in Fujitsu's Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 allows authenticated users to execute arbitrary scripts in administrators' browsers by uploading files with malicious content. When administrators view file information on the administration page, the injected script executes with user-level privileges. No public exploit code or active exploitation has been identified at the time of analysis.

XSS Information Disclosure Musetheque V4 Information Disclosure For Ipknowledge
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) via DOM clobbering in Svelte versions 5.55.6 and earlier allows attackers to inject malicious code when attribute spreading is used simultaneously on both form elements and their child input/button elements with user-controllable name attributes. The vulnerability requires specific markup patterns where both the form and nested input/button use spread syntax with attacker-controlled values, enabling manipulation of Svelte's internal framework state. Vendor-released patch: version 5.55.7.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Stored XSS in Open WebUI Banner component enables privilege escalation from compromised admin to Super Admin. A malicious administrator can inject markdown-based JavaScript payloads (e.g., `[text](javascript:...)`) that bypass DOMPurify sanitization due to incorrect sanitizer-parser execution order in Banner.svelte:103. When the Super Admin views the global banner and clicks the crafted link, their session token is exfiltrated to the attacker. Vendor-released patch available in v0.8.0 (2026-02-12) reversing sanitization order to `DOMPurify.sanitize(marked.parse(...))`. CVSS 8.1 (High) with Network vector, Low complexity, but requires High privileges (admin) and User interaction (click). No KEV listing or EPSS data available; publicly disclosed POC with detailed reproduction steps.

XSS Privilege Escalation
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting (XSS) in pyLoad's download management interface allows authenticated users with add-package permissions to inject JavaScript that executes in administrators' browsers when viewing the /collector or /queue pages. The vulnerability stems from unescaped template literal interpolation in packages.js that directly writes attacker-controlled link URLs to the DOM via jQuery .html(). Exploitation requires low-privilege authentication (Perms.ADD role) but enables full session hijacking against administrators, leading to plugin upload, configuration tampering, and potential remote code execution through reconnect-script features. A secondary unauthenticated attack vector exists when the ClickNLoad handler is enabled via POST /flash/add. No public exploit identified at time of analysis, though detailed proof-of-concept is published in the GitHub advisory.

XSS CSRF
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Open WebUI's SVG renderer allows authenticated users to permanently inject malicious HTML and JavaScript code into conversation threads by editing SVG content, which executes in the browser context of any user viewing the shared thread. The vulnerability affects npm package open-webui versions prior to 0.6.31 and enables account takeover, data theft, and DOM manipulation. Publicly available proof-of-concept demonstrates code execution via img tag onerror handler embedded in SVG markup.

XSS Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Cross-site scripting in Svelte versions up to 5.55.6 allows remote attackers to inject malicious event handlers via spread syntax when rendering untrusted data as element attributes. The vulnerability executes in victims' browsers only when JavaScript is enabled and Svelte's hydration mechanism does not process the vulnerable element before the injected event fires. Vendor-released patch: version 5.55.7.

XSS Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Open WebUI versions up to 0.9.2 allows authenticated users to upload malicious Office files (Excel, DOCX, PPT) that execute arbitrary JavaScript in the browsers of any user previewing the file. The vulnerability stems from rendering user-supplied HTML from file-preview components using Svelte's `{@html}` directive without DOMPurify sanitization, despite DOMPurify being available and correctly applied in 39% of the codebase's other rendering locations. This is a regression of a previously patched vulnerability (GHSA-jwf8-pv5p-vhmc) that was fixed in v0.8.0 but reintroduced after that release.

XSS Microsoft File Upload
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Stored cross-site scripting in Open WebUI versions 0.9.2 and earlier allows authenticated low-privileged users to persist malicious SVG payloads through the channel webhook profile_image_url field, which the server later serves verbatim as image/svg+xml. Any verified user who loads the resulting profile image URL executes attacker-controlled JavaScript in the application origin, enabling session theft and account takeover. Publicly available exploit code exists in the form of a working Python PoC published in the GHSA advisory; no public exploit identified at time of analysis as actively used in the wild.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting (XSS) in Open WebUI ≤0.9.2 allows authenticated users with default speech-to-text permissions to upload polyglot WAV+HTML files through the audio transcription endpoint, achieving code execution in victim browsers and enabling full account takeover including administrator sessions. The vulnerability chains insecure file extension handling with unrestricted Content-Type serving and non-HttpOnly JWT storage to weaponize a single-click attack. Publicly available exploit code exists with video demonstration; no active exploitation confirmed by CISA KEV at time of analysis. CVSS 8.7 (High) reflects changed scope (S:C) and user interaction requirement, but real-world risk is elevated because the vulnerable permission defaults to enabled and the attack yields immediate admin-level access in typical deployments.

XSS RCE Python
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Stored cross-site scripting (XSS) in Open WebUI versions before 0.6.5 allows authenticated users to exfiltrate session tokens via maliciously crafted chat content. The HTML rendering view uses an insufficiently restrictive iframe sandbox (`allow-scripts allow-forms allow-same-origin`), enabling injected JavaScript to access localStorage and transmit authentication tokens to attacker-controlled servers. While primarily self-XSS, exploitation extends to other users through shared chat cloning, file upload content rendering, or conversation import features. Publicly available exploit code exists (GitHub advisory includes working PoC). CVSS 7.7 reflects high complexity requiring user interaction, but successful exploitation grants full account compromise (C:H/I:H).

XSS
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in Open WebUI versions before 0.8.0 allows authenticated users to inject malicious data URIs into the profile_image_url field, enabling JavaScript execution in the application origin. The most critical attack path involves uploading a base64-encoded SVG data URI that, when loaded via the /api/v1/users/{user_id}/profile/image endpoint, executes scripts with access to localStorage and enables full account takeover of any user viewing the malicious profile image, including administrators. Two independent reporters demonstrated distinct vectors: one via HTML data URIs in new tabs (limited scope), and one via SVG data URIs served by the application origin (account takeover). No public exploit code or active exploitation has been confirmed, but the vulnerability requires only authenticated access and user interaction (viewing a profile image).

XSS Python
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

DOM-based cross-site scripting in Fides consent banner (fides.js) allows remote unauthenticated attackers to execute arbitrary JavaScript in the embedding site's origin via crafted URL parameters, JavaScript globals, or cookies. The vulnerability affects Fides Enterprise deployments using the consent management platform with HTML-formatted banner descriptions enabled (FIDES_PRIVACY_CENTER__ALLOW_HTML_DESCRIPTION=true), though only when the non-default HTML description feature is active. Cookie-based payload delivery enables persistent XSS across all subdomains until cookies are cleared. Vendor-released patch available in ethyca-fides 2.84.5 (OSS) and fidesplus 2.84.6 (Enterprise). No public exploit identified at time of analysis beyond the vendor's proof-of-concept test snippet.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Stored cross-site scripting in ApostropheCMS 4.29.0 allows authenticated editors to inject arbitrary JavaScript via image widget URL fields, affecting administrators and public visitors. The vulnerability permits execution of malicious payloads when victims click crafted image links on published pages. No vendor-released patch identified at time of analysis, and CVSS 7.3 (High) reflects the authenticated nature and required user interaction, though impact on administrator sessions elevates real-world risk.

XSS
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

The sanitize-html npm package allows remote attackers to bypass HTML sanitization and inject executable JavaScript by wrapping malicious payloads inside disallowed <xmp> tags, achieving stored cross-site scripting (XSS) in applications using default configurations. This affects all versions through 2.17.3, with no vendor-released patch identified at time of analysis. A publicly available proof-of-concept demonstrates the bypass, which leverages the library's special handling of raw-text elements. With a 9.3 CVSS score and network-based attack vector requiring only user interaction, this represents a critical risk for Node.js applications that render sanitized user content in browsers.

XSS Node.js
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Stored cross-site scripting in SiYuan's Bazaar marketplace (versions 2.1.12 through 3.6.x) enables arbitrary code execution on the host system. The vulnerability stems from unescaped package author metadata rendering, which when exploited through a malicious marketplace package, allows attackers to leverage SiYuan's insecure Electron configuration (nodeIntegration enabled, contextIsolation disabled) to execute Node.js APIs and OS-level commands. No public exploit or active exploitation confirmed at time of analysis. CVSS 8.3 with high attack complexity and required user interaction suggests real-world exploitation depends on convincing users to view crafted marketplace entries.

XSS Microsoft Node.js
NVD GitHub
EPSS 0% 5.1 CVSS 6.1
MEDIUM POC KEV PATCH THREAT Exploited Act Now

Cross-site scripting (XSS) in Microsoft Exchange Server enables remote attackers to spoof content and steal credentials without authentication. Affects Exchange Server 2016 CU23, 2019 CU14/CU15, and Subscription Edition. Functional exploit code exists (CVSS temporal E:F) though no active exploitation confirmed at analysis time. CVSS 8.1 (High) driven by network vector, no authentication requirement, and dual confidentiality/integrity impact. Microsoft released patches via MSRC security update guide. Medium-high priority for organizations running affected Exchange versions with webmail or OWA exposed.

XSS Microsoft Microsoft Exchange Server 2016 Cumulative Update 23 +3
NVD GitHub VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

CSS injection in mistune's Image directive plugin allows unauthenticated remote attackers to inject arbitrary CSS properties via the :width: or :height: options in fenced image directives, enabling full-page phishing overlays and UI redressing attacks. The vulnerability stems from a prefix-only regex validation (_num_re.match() with no end-of-string anchor) that accepts values like '100vw;position:fixed;background-color:#e11d48;...' and renders them unescaped into style= attributes. Confirmed fixed in v3.2.1; publicly available proof-of-concept demonstrates full-viewport colored overlay generation from a single malicious :width: directive.

XSS Apple Python +1
NVD GitHub VulDB
Prev Page 17 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy