XSS
Monthly
Stored Cross-Site Scripting in the CVMH Sticky plugin for WordPress (versions ≤2.5.6) enables authenticated contributors to inject persistent JavaScript via the `readmoretext` attribute of the `[cvmh-sticky]` shortcode. The payload executes in the browsers of any visitor loading a page containing the injected shortcode, enabling session hijacking, credential theft, or privilege escalation by targeting administrators. No public exploit is identified at time of analysis and this vulnerability is not listed in CISA KEV, but Wordfence has confirmed the flaw with direct code-level references.
Reflected XSS in the LJ Comments Import: Reloaded WordPress plugin (all versions ≤ 0.97.1) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in victim browsers by exploiting two distinct unsanitized echo points for the PHP_SELF variable in lj_comments_import.php (lines L129 and L161). The attack requires tricking an authenticated WordPress user into clicking a crafted link, making session hijacking and unauthorized administrative actions the primary post-exploitation risk. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity (AC:L, PR:N) and Changed scope make this a realistic threat to sites where the plugin is active.
Stored/reflected Cross-Site Scripting in @cyntler/react-doc-viewer v1.17.1 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted .txt file for rendering. The TXTRenderer component unsafely casts raw file content directly as a ReactNode without sanitization, bypassing React's default escaping and enabling HTML/script injection. A publicly available proof-of-concept exists; no confirmed active exploitation in CISA KEV at time of analysis.
Cross-site scripting in Veritas InfoScale VIOM 9.1.3 allows a low-privileged authenticated attacker to inject malicious scripts into the web application, which execute in the browser context of other users - including potentially administrators. The CVSS 3.1 score of 5.4 with Changed scope (S:C) indicates the injected payload can cross security boundaries and impact principals beyond the originating session. No public exploit code has been identified at time of analysis, and CISA SSVC assessment confirms no active exploitation.
Cross-site scripting in the Drupal Colorbox Inline contributed module (versions 0.0.0 through before 2.1.1) allows an authenticated low-privileged attacker to inject malicious script into web page output, which executes in a victim's browser when they interact with the affected content. The changed-scope CVSS vector (S:C) confirms the classic XSS pattern where attacker-controlled content runs in a different security context than the origin. No public exploit code exists and no active exploitation has been identified; EPSS at 0.03% (8th percentile) confirms this is not a currently targeted vulnerability.
Cross-site scripting in the Drupal Obfuscate contributed module (versions 0.0.0 through before 2.0.2) allows remote unauthenticated attackers to inject malicious scripts into pages rendered for other users, with impact scoped across security boundaries (S:C). The vulnerability stems from improper neutralization of input during web page generation, enabling session hijacking or UI redress attacks against users who view attacker-controlled content processed by the module. No public exploit has been identified at time of analysis, and EPSS at 0.03% (8th percentile) reflects low current exploitation probability.
Cross-site scripting in Drupal core 11.3.0 through 11.3.6 enables unauthenticated remote attackers to inject malicious scripts into web pages rendered by the application, which execute in victims' browsers upon user interaction. The CVSS Changed scope (S:C) indicator confirms the exploit crosses trust boundaries - attacker-controlled input rendered in the victim's browser context can compromise session tokens or trigger unauthorized actions. With EPSS at 0.03% (8th percentile) and no CISA KEV listing, widespread exploitation is not currently observed; a vendor patch is available in 11.3.7.
Cross-site scripting in Drupal Core exposes a broad range of Drupal installations - spanning major versions 8 through 11 - to client-side script injection exploitable by unauthenticated remote attackers who can induce user interaction. The Changed scope (S:C) in the CVSS vector confirms the injected script executes in the context of a victim's browser session, enabling session hijacking, credential theft, or malicious redirects against authenticated users including administrators. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (8th percentile) signals low near-term exploitation probability, though the breadth of affected versions across three major release lines increases the aggregate attack surface.
Reflected or stored cross-site scripting in Drupal's Orejime cookie consent module (versions 0.0.0 through 2.0.15) allows unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser upon page load or link interaction. The changed scope (S:C) in the CVSS vector indicates the injected script executes in a security context beyond the originating page - consistent with a consent banner or cookie-preference widget that renders across site sections. No public exploit code has been identified at time of analysis, and EPSS is 0.03% (8th percentile), placing this in the low-exploitation-probability tier despite being network-accessible with no authentication required.
Cross-site scripting in Template::Plugin::HTML versions through 3.102 for Perl allows remote unauthenticated attackers to inject JavaScript event handlers into rendered HTML pages when victim users view pages containing attacker-controlled template variables. The html_filter function and HTML.escape method omitted escaping of single-quote characters, meaning variables filtered with `| html` inside single-quoted HTML attributes (e.g., `title='[% var | html %]'`) remained injectable. No public exploit has been identified at time of analysis and EPSS is 0.01% (1st percentile), indicating no observed widespread exploitation, though the attack primitive is straightforward for any attacker aware of the single-quote gap.
Stored XSS in CtrlPanel's admin role management interface (versions 1.1.1 and prior) allows a privileged admin to inject persistent malicious HTML into role name or color fields, which executes in the browser of every admin who subsequently loads the /admin/roles page. The attack enables session hijacking, credential harvesting via fake login prompts or keyloggers, and lateral privilege escalation by performing admin actions on behalf of victim admins - with the payload re-executing on every page load until the offending role record is manually deleted. No active exploitation is confirmed (not in CISA KEV), but a proof-of-concept payload is documented in the vendor advisory. Fixed in version 1.2.0.
Stored cross-site scripting in CtrlPanel (versions ≤1.1.1) allows a low-privileged ticket participant to inject arbitrary JavaScript into reply notifications that execute in the recipient's browser when rendered via Blade's unescaped `{!! !!}` directive. Because notifications flow bidirectionally between users and admins, a regular user can hijack an admin session - yielding privilege escalation across a scope-changed (S:C) trust boundary - and a malicious admin can pivot back to target users. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the attack path is straightforward given an authenticated low-privileged account and an admin reading the ticket queue.
Cache poisoning via the `/__nuxt_island/*` endpoint in Nuxt allows an attacker to prime a shared CDN or reverse-proxy cache with attacker-controlled rendered HTML, causing subsequent users requesting the same island path to receive the poisoned response. Affected are `nuxt` 3.1.0-3.21.5 and 4.0.0-alpha.1-4.4.5, as well as `@nuxt/nitro-server` 3.20.0-3.21.5 and 4.2.0-4.4.5. When any island component passes a prop into an unsafe HTML sink (`v-html`, `innerHTML`), the cache poisoning escalates to stored XSS persisting in the application's origin until cache expiry, exposing non-HttpOnly cookies, in-origin requests, and DOM state. No public exploit identified at time of analysis.
Stored cross-site scripting in EspoCRM 9.3.3 and below enables an authenticated attacker to execute arbitrary JavaScript in the browser session of any user who opens a crafted SVG attachment. The attack exploits EspoCRM's inline SVG serving behavior combined with a CSP misconfiguration that blocks inline scripts but permits same-origin external scripts - allowing a separately uploaded attacker-controlled JavaScript file (also hosted on the same EspoCRM origin) to be loaded and executed. A public exploit exists per the vendor's own GitHub security advisory; no CISA KEV listing has been identified at time of analysis.
Stored cross-site scripting in Budibase self-hosted deployments (versions before 3.38.2) allows any authenticated user with Builder role - or any BASIC/POWER user with table WRITE permission - to upload SVG, HTML, or JavaScript files containing active content via the /api/attachments/process and /api/attachments/:tableId/upload endpoints. The files are stored in the configured object store (MinIO/S3) with their executable MIME types and served via signed URLs, so any end user viewing an attachment triggers script execution in their browser session. Publicly available exploit code exists (detailed PoC in the GHSA advisory); no public exploit identified in active campaigns at time of analysis.
Stored XSS in Argo CD allows developer-role users to inject javascript: URIs via link.argocd.argoproj.io/* annotations, which render unvalidated in the Application Summary tab's URLs section. When an admin clicks the disguised link, arbitrary JavaScript executes in the ArgoCD same-origin context with the victim's session, enabling API exfiltration and developer-to-admin privilege escalation. No public exploit identified at time of analysis beyond the detailed vendor PoC, and the issue is not currently listed in CISA KEV.
Reflected XSS in Nuxt's `navigateTo()` function allows remote attackers to inject and execute arbitrary JavaScript in the application's origin during server-side rendering. Applications passing user-controlled input to `navigateTo(url, { external: true })` - the common post-login `?next=` or `?redirect=` redirect pattern - are affected across nuxt versions 3.4.3-3.21.5 and 4.0.0-alpha.1-4.4.5. A full proof-of-concept is published in the GitHub Security Advisory GHSA-fx6j-w5w5-h468; no public exploit identified at time of analysis beyond that PoC, and this CVE does not appear in CISA KEV.
Cross-tenant account takeover in HAXcms (npm package @haxtheweb/haxcms-nodejs <= 25.0.0) allows an authenticated attacker with edit access to chain a stored XSS flaw with token leakage in the /system/api/connectionSettings endpoint to hijack other tenants' sessions. The endpoint exposes the victim's JWT, user_token, site_token, and appstore_token via the window.appSettings global, letting injected JavaScript silently exfiltrate them to an attacker-controlled webhook and fully impersonate the victim. A detailed reporter-supplied PoC exists in the GitHub Security Advisory, though there is no public exploit identified at time of analysis as a packaged weapon and no CISA KEV entry.
Stored cross-site scripting in HAX CMS (versions <= 25.0.0) allows authenticated users to inject malicious `<iframe>` elements with `javascript:` URIs or `srcdoc` payloads that execute in viewers' browsers, enabling theft of JWTs exposed via window.appSettings and full account takeover. A working proof-of-concept is published in the GHSA advisory demonstrating JWT exfiltration, and a vendor patch is available in 26.0.0. No public exploit identified at time of analysis beyond the published PoC, and the issue is not listed in CISA KEV.
Stored cross-site scripting in HAX CMS (npm packages @haxtheweb/haxcms-nodejs and @haxtheweb/video-player versions <= 25.0.0) allows any authenticated user to inject a `<video-player>` element whose `source` or `source-data` attribute carries a `javascript:` URI that executes when other users render the page. A public PoC in the vendor's GHSA advisory demonstrates JWT theft from localStorage, enabling session hijacking and full account takeover - especially severe when an administrator views the malicious page. No public exploit identified at time of analysis beyond the advisory PoC, and the issue is not listed in CISA KEV.
Stored HTML injection in Nozomi Networks Guardian and CMC Smart Polling functionality allows authenticated users with limited privileges to embed malicious HTML into remote strategies via the sync mechanism. When a victim views the affected remote strategy in the Smart Polling UI, the injected HTML renders in their browser, enabling phishing campaigns and open redirect attacks. No public exploit has been identified at time of analysis; full JavaScript XSS is explicitly mitigated by the product's existing Content Security Policy, bounding the practical impact to social engineering vectors rather than direct session compromise.
Stored HTML injection in Nozomi Networks Guardian and CMC's Schedule Restore Archive feature permits authenticated administrators to embed arbitrary HTML tags within restore schedule configurations. When any user views the poisoned schedule entry, the injected markup renders in their browser, enabling phishing lures and potential open redirect attacks against operators. Full JavaScript execution is blocked by the platform's existing Content Security Policy and server-side validation, and no public exploit has been identified at time of analysis; however, in OT/ICS environments where operator trust is high, even HTML-level injection can support targeted social engineering.
Stored HTML injection in Nozomi Networks Guardian and CMC (versions prior to 26.1.0) allows an authenticated administrator to create a user account whose username contains raw HTML tags that are rendered unescaped in a victim's browser. The injection triggers specifically during group deletion workflows - when any user attempts to delete a group containing the malicious account, the stored payload renders. Full XSS exploitation is blocked by the platform's Content Security Policy, but the attack surface remains viable for phishing and open redirect abuse. No public exploit code exists and this CVE is not listed in CISA KEV; the CVSS 4.0 score of 4.8 reflects the high privilege prerequisite and required user interaction, which substantially constrain real-world risk.
Stored HTML injection in Nozomi Networks Guardian and CMC (Central Management Console) Credentials Manager allows authenticated administrators to plant malicious HTML inside identity definitions. When a separate user attempts to delete the poisoned identity, the injected HTML renders in their browser, enabling phishing lures and open redirect attacks against that user. Full script execution (XSS) and direct information disclosure are constrained by existing input validation and Content Security Policy headers, limiting the achievable impact to social engineering vectors. No public exploit code exists and this vulnerability is not listed in CISA KEV at time of analysis.
Angular template injection in the Reports functionality of Nozomi Networks Guardian and CMC (versions prior to 26.1.0) allows an authenticated user with report privileges to execute arbitrary Angular template expressions in a victim's browser context. Exploitation requires either the attacker to possess report creation privileges directly, or to socially engineer a victim into importing a crafted malicious report template. Successful exploitation enables modification of application data or disruption of application availability; however, full XSS exploitation and direct information disclosure are explicitly constrained by the product's existing input validation and Content Security Policy configuration. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Stored XSS in BigBlueButton's bbb-playback recording component (versions prior to 3.0.19) allowed authenticated meeting participants to inject malicious scripts via public chat that execute silently against any user who later views the session recording in presentation format. The React component rendered chat messages via dangerouslySetInnerHTML without sanitization, meaning UI:N - no victim interaction beyond loading the recording URL was required to trigger execution. No public exploit identified at time of analysis; not listed in CISA KEV.
Stored cross-site scripting in DumbAssets through version 1.0.11 allows script injection via asset fields - name, description, modelNumber, serialNumber, and tags - which are persisted without server-side sanitization and rendered into the DOM via innerHTML without escaping. When a victim navigates to the asset list dashboard, injected JavaScript executes in their browser; the CVE explicitly notes that with Content-Security-Policy absent or disabled, those scripts can make unrestricted connections to internal network services, escalating the impact beyond typical XSS. No public exploit identified at time of analysis, and no KEV listing exists, but the CVSS 4.0 score of 5.3 with a network attack vector and no required privileges represents a meaningful exposure for any internet-accessible or intranet-facing deployment.
Cross-site scripting (XSS)-based spoofing in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 allows remote unauthenticated attackers to inject and execute scripts within the browser context, manipulating rendered content or UI trust indicators to deceive users. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms low-complexity, network-reachable exploitation requiring only that a victim visit a malicious page. Impact is constrained to limited confidentiality and integrity loss (C:L/I:L/A:N), consistent with spoofing and credential-phishing scenarios rather than full system compromise. No public exploit identified at time of analysis and no CISA KEV listing.
Stored cross-site scripting in the CI4MS (CodeIgniter 4 CMS/ERP) Pages module versions <= 0.31.8.0 allows authenticated content authors holding the pages.create or pages.update permission to persist arbitrary JavaScript that executes in every visitor's browser when the public Pages renderer outputs the field unescaped. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-gqr2-7hcg-rchf), and because vulnerable pages can be promoted to the site home page, a single injection escalates from a low-privileged author to full administrator session takeover when an admin browses the front-end.
Stored XSS in CI4MS (composer package ci4-cms-erp/ci4ms, versions up to 0.31.8.0) allows authenticated content editors holding the `blogs.create` or `blogs.update` role to persist arbitrary JavaScript that executes in every visitor's browser, including superadmins who review or preview posts. The root cause is a PHP by-reference mutation in the `html_purify` custom validation rule that CodeIgniter 4's validator silently discards - raw POST data bypasses sanitization entirely and is written unescaped to the database and rendered directly in the public template. A detailed public proof-of-concept exploit exists; vendor-released patch 0.31.9.0 was published on 2026-05-08 and is confirmed to address the issue.
Unauthenticated reflected XSS in Arcane Backend's logo endpoint enables full admin account takeover. The vulnerability allows attackers to inject JavaScript into an SVG image response by manipulating the color parameter, which executes in the application's origin when visited by authenticated users. Fixed in version 1.19.0.
Stored cross-site scripting (XSS) in DernekWeb through version 30122025 enables attackers to inject persistent malicious scripts that execute when victims view affected pages. The vulnerability requires no authentication to exploit but does require user interaction (viewing the compromised page). With a high CVSS score of 8.8 reflecting potential for high impact across confidentiality, integrity and availability, this represents a serious risk for organizations using this Turkish association management software.
Cross-site scripting (XSS) in Mattermost Server 10.11.0-10.11.13 and 11.5.0-11.5.1 enables authenticated administrators to inject JavaScript code through unescaped variables in error page templates. Exploitation requires high-privilege (PR:H) administrative access to site configuration settings, limiting real-world risk despite network-based attack vector (AV:N). No active exploitation confirmed (not in CISA KEV). EPSS data not available for recent CVE. This is a stored XSS vulnerability affecting administrative workflows rather than end users.
The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format.
HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output encoding, allowing a remote attacker to execute arbitrary JavaScript code in the context of a victim's browser.
HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax.
Zenar Content Management System contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating form parameters in POST requests. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WP Learn Manager 1.1.2 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the fieldtitle parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Cookie Law Bar 1.2.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unsanitized input to the Bar Message field. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
CouchCMS 2.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG files through the file upload. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Supsystic Digital Publications 1.6.9 contains a path traversal vulnerability in the Folder input field that allows attackers to access files outside the web root by injecting directory traversal. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Supsystic Pricing Table 1.8.7 contains an SQL injection vulnerability in the 'sidx' GET parameter that allows unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Composr CMS 10.0.34 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the banner management interface. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
NewsLister contains an authenticated persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the title parameter in the news. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site scripting (XSS) in jsondiffpatch library versions before 0.7.6 allows remote attackers to inject malicious HTML/JavaScript through crafted JSON property names or values when the annotated formatter output is rendered in a browser. The vulnerability enables attackers to execute arbitrary client-side code in victim browsers when applications compare untrusted JSON data and display formatted diffs to users. Publicly available exploit code exists (EPSS not provided in data, no CISA KEV listing), with fix version 0.7.6 confirmed via vendor advisory and GitHub commit 232338b34.
Unauthenticated reflected cross-site scripting (XSS) in Vvveb CMS versions prior to 1.0.8.3 enables attackers to execute arbitrary JavaScript in victim browsers via the public product return form. The customer_order_id parameter is reflected without sanitization in error messages when order lookups fail, allowing HTML injection. No public exploit identified at time of analysis. While CVSS 5.3 indicates moderate severity, the unauthenticated attack vector (PR:N) and low complexity (AC:L) make this readily exploitable against any site visitor, though user interaction (UI:P) is required to submit the malicious form.
Cross-site scripting (XSS) in Vvveb CMS versions prior to 1.0.8.3 allows authenticated users to inject malicious scripts that execute in victim browsers with user interaction. The CVSS 4.0 vector indicates network-based attack requiring low-privilege authentication and user interaction, with low confidentiality and integrity impact to the subsequent system. GitHub security advisory confirms the vulnerability, with patch version 1.0.8.3 available. No public exploit code identified at time of analysis, and EPSS data not available for this recently assigned CVE.
Stored cross-site scripting in phpMyFAQ 4.1.1 lets any authenticated user with a registered account persist JavaScript inside FAQ or News comments by submitting a URL containing an unescaped double quote, which Utils::parseUrl() injects unescaped into an href attribute. Payloads execute for every visitor - including admins viewing the comments panel - enabling session cookie theft and full application takeover. Publicly available exploit code exists in the GHSA advisory, though EPSS is only 0.01% and SSVC categorizes exploitation as POC rather than active.
Stored cross-site scripting in phpMyFAQ versions prior to 4.1.2 allows authenticated users with FAQ_ADD permission to inject malicious JavaScript into FAQ questions and answers that execute in all visitors' browsers. The vulnerability exploits an encode-decode cycle where FILTER_SANITIZE_SPECIAL_CHARS encoding is immediately reversed by html_entity_decode(), bypassing Filter::removeAttributes() which only strips HTML attributes but not tags like <script>. Twig templates render this content with the |raw filter, executing stored payloads. CVSS 5.4 indicates network-accessible attack requiring low-privilege authentication and user interaction, with changed scope enabling cross-user impact. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.
Stored cross-site scripting in phpMyFAQ before 4.1.2 lets FAQ editors persist HTML-entity-encoded JavaScript that survives sanitization and executes in every visitor's browser, including administrators. The flaw stems from Twig's `| raw` filter being applied to `result.question` and `result.answerPreview` in `search.twig`, combined with a `html_entity_decode(strip_tags())` round-trip in SearchController.php that resurrects encoded tags. Publicly available exploit code exists (POC per SSVC), though EPSS is 0.01% and the issue is not on the CISA KEV list.
Authenticated users with FAQ_EDIT permission in phpMyFAQ can bypass SVG sanitization and execute arbitrary JavaScript in victims' browsers by exploiting recursive entity decoding limits. By nesting ampersand encoding five levels deep around numeric HTML entities in SVG href attributes (e.g., &amp;amp;amp;amp;#106; for 'j'), attackers reconstruct javascript: URLs that the decodeAllEntities() method fails to detect but browsers fully decode. The malicious SVG uploads persist on the server and execute JavaScript when other users click the embedded links. Fixed in version 4.1.2. EPSS and KEV data not available; VulnCheck reported this issue with vendor-confirmed details and proof-of-concept in GitHub security advisory GHSA-whqh-9pq5-c7r3.
Podcast Generator 3.1 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unfiltered JavaScript code in the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to execute arbitrary code by injecting malicious payloads into markdown files stored within the application. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site request forgery in AVideo's LoginControl plugin allows remote attackers to disable two-factor authentication for authenticated victims through a single malicious HTTP request. The vulnerability exists in plugin/LoginControl/set.json.php which accepts POST requests to toggle 2FA without CSRF token validation, origin verification, or re-authentication. Attackers deliver a weaponized webpage containing a hidden form that auto-submits to the vulnerable endpoint; when a logged-in AVideo administrator visits this page, their 2FA protection is silently stripped, enabling subsequent credential-based account takeover. The flaw is confirmed through GitHub security advisory GHSA-3mv2-vmwh-rwfx with source code evidence showing the endpoint performs only session authentication (User::isLogged()) while omitting the forbidIfIsUntrustedRequest() protection used throughout the rest of the codebase. No public exploit code identified at time of analysis, though the attack is trivial to weaponize given the detailed advisory.
Stored cross-site scripting in AVideo's Live plugin allows authenticated streamers to inject malicious JavaScript into live stream pages, executing in any visitor's browser context. The vulnerability exists in modeYoutubeLive.php where stream keys are rendered unescaped into HTML class attributes. Attackers with canStream privileges can persist event handlers via crafted stream keys that trigger when victims view the live page, enabling session hijacking, CSRF token theft, and potential admin account compromise. CVSS 5.4 reflects network-accessible exploitation requiring only low-privilege authentication and user interaction, with scope change indicating cross-user impact. No patch is currently available per GitHub advisory GHSA-m5j4-7r85-2cj2.
Stored Cross-Site Scripting in Vvveb CMS comment submission allows unauthenticated attackers to inject malicious JavaScript through the author field on public post pages. The payload persists in the database and executes in two distinct contexts when administrators or other users view the comments, enabling session hijacking, credential theft, or administrative action manipulation. No public exploit code has been identified at time of analysis, though exploitation requires only user interaction (victim viewing the malicious comment). EPSS data not available; CVSS 6.1 reflects moderate severity with cross-site scope change.
Stored cross-site scripting (XSS) in Weblate allows authenticated contributors to inject HTML and CSS into the live search preview feature, which executes in the browsers of all authenticated users who perform matching searches. The vulnerability stems from improper output escaping of unit source and context fields in the search preview interface. Vendor-released patch available in version 2026.5, confirmed via GitHub advisory GHSA-6wxc-8mgq-w26m and commit 8b0adf1d0b43. CVSS score of 4.6 (Medium) reflects the requirement for low-privilege authentication and user interaction, limiting exploitation scope compared to unauthenticated XSS.
Stored Cross-Site Scripting (XSS) in NukeViet CMS versions up to 4.5.07 allows unauthenticated attackers to inject malicious HTML/JavaScript through any module using the Request class for HTML input. The vulnerability stems from insufficient server-side sanitization that relies on client-side filtering, which attackers can bypass using proxy tools like Burp Suite. While not currently listed in CISA KEV and lacking public exploit code, the issue poses significant risk as it requires no authentication and affects administrative users viewing user-submitted content.
Stored cross-site scripting in Cockpit CMS 2.14.0 and earlier allows authenticated users with content/:models/manage permission to inject arbitrary JavaScript through the Set field type's Display template option. The vulnerability exploits unsafe template rendering via `new Function()` and Vue's v-html directive without sanitization, executing injected code in the browsers of all users viewing the collection items list. Vendor-released patch available via commit 72a83fc replaces Function-based evaluation with sandboxed JSLite execution.
Stored Cross-Site Scripting in Advanced Custom Fields: Font Awesome plugin for WordPress up to version 5.0.2 allows authenticated attackers with Subscriber-level access to inject arbitrary JavaScript via insufficiently validated JSON field values in the update_preview() function, resulting in script execution whenever any user visits an affected page. The vulnerability requires user interaction only in the sense that a victim must visit a page containing injected content; the attacker needs only Subscriber-level authentication to craft the malicious payload.
Stored Cross-Site Scripting (XSS) in The7 WordPress theme versions up to 14.3.2 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'title' parameter of the 'dt_default_button' shortcode. The injected scripts execute in the context of any user who views the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code has been identified at time of analysis.
Stored cross-site scripting (XSS) in Fujitsu's Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 allows authenticated users to execute arbitrary scripts in administrators' browsers by uploading files with malicious content. When administrators view file information on the administration page, the injected script executes with user-level privileges. No public exploit code or active exploitation has been identified at the time of analysis.
Cross-site scripting (XSS) via DOM clobbering in Svelte versions 5.55.6 and earlier allows attackers to inject malicious code when attribute spreading is used simultaneously on both form elements and their child input/button elements with user-controllable name attributes. The vulnerability requires specific markup patterns where both the form and nested input/button use spread syntax with attacker-controlled values, enabling manipulation of Svelte's internal framework state. Vendor-released patch: version 5.55.7.
Stored XSS in Open WebUI Banner component enables privilege escalation from compromised admin to Super Admin. A malicious administrator can inject markdown-based JavaScript payloads (e.g., `[text](javascript:...)`) that bypass DOMPurify sanitization due to incorrect sanitizer-parser execution order in Banner.svelte:103. When the Super Admin views the global banner and clicks the crafted link, their session token is exfiltrated to the attacker. Vendor-released patch available in v0.8.0 (2026-02-12) reversing sanitization order to `DOMPurify.sanitize(marked.parse(...))`. CVSS 8.1 (High) with Network vector, Low complexity, but requires High privileges (admin) and User interaction (click). No KEV listing or EPSS data available; publicly disclosed POC with detailed reproduction steps.
Stored cross-site scripting (XSS) in pyLoad's download management interface allows authenticated users with add-package permissions to inject JavaScript that executes in administrators' browsers when viewing the /collector or /queue pages. The vulnerability stems from unescaped template literal interpolation in packages.js that directly writes attacker-controlled link URLs to the DOM via jQuery .html(). Exploitation requires low-privilege authentication (Perms.ADD role) but enables full session hijacking against administrators, leading to plugin upload, configuration tampering, and potential remote code execution through reconnect-script features. A secondary unauthenticated attack vector exists when the ClickNLoad handler is enabled via POST /flash/add. No public exploit identified at time of analysis, though detailed proof-of-concept is published in the GitHub advisory.
Stored cross-site scripting (XSS) in Open WebUI's SVG renderer allows authenticated users to permanently inject malicious HTML and JavaScript code into conversation threads by editing SVG content, which executes in the browser context of any user viewing the shared thread. The vulnerability affects npm package open-webui versions prior to 0.6.31 and enables account takeover, data theft, and DOM manipulation. Publicly available proof-of-concept demonstrates code execution via img tag onerror handler embedded in SVG markup.
Cross-site scripting in Svelte versions up to 5.55.6 allows remote attackers to inject malicious event handlers via spread syntax when rendering untrusted data as element attributes. The vulnerability executes in victims' browsers only when JavaScript is enabled and Svelte's hydration mechanism does not process the vulnerable element before the injected event fires. Vendor-released patch: version 5.55.7.
Stored cross-site scripting (XSS) in Open WebUI versions up to 0.9.2 allows authenticated users to upload malicious Office files (Excel, DOCX, PPT) that execute arbitrary JavaScript in the browsers of any user previewing the file. The vulnerability stems from rendering user-supplied HTML from file-preview components using Svelte's `{@html}` directive without DOMPurify sanitization, despite DOMPurify being available and correctly applied in 39% of the codebase's other rendering locations. This is a regression of a previously patched vulnerability (GHSA-jwf8-pv5p-vhmc) that was fixed in v0.8.0 but reintroduced after that release.
Stored cross-site scripting in Open WebUI versions 0.9.2 and earlier allows authenticated low-privileged users to persist malicious SVG payloads through the channel webhook profile_image_url field, which the server later serves verbatim as image/svg+xml. Any verified user who loads the resulting profile image URL executes attacker-controlled JavaScript in the application origin, enabling session theft and account takeover. Publicly available exploit code exists in the form of a working Python PoC published in the GHSA advisory; no public exploit identified at time of analysis as actively used in the wild.
Stored cross-site scripting (XSS) in Open WebUI ≤0.9.2 allows authenticated users with default speech-to-text permissions to upload polyglot WAV+HTML files through the audio transcription endpoint, achieving code execution in victim browsers and enabling full account takeover including administrator sessions. The vulnerability chains insecure file extension handling with unrestricted Content-Type serving and non-HttpOnly JWT storage to weaponize a single-click attack. Publicly available exploit code exists with video demonstration; no active exploitation confirmed by CISA KEV at time of analysis. CVSS 8.7 (High) reflects changed scope (S:C) and user interaction requirement, but real-world risk is elevated because the vulnerable permission defaults to enabled and the attack yields immediate admin-level access in typical deployments.
Stored cross-site scripting (XSS) in Open WebUI versions before 0.6.5 allows authenticated users to exfiltrate session tokens via maliciously crafted chat content. The HTML rendering view uses an insufficiently restrictive iframe sandbox (`allow-scripts allow-forms allow-same-origin`), enabling injected JavaScript to access localStorage and transmit authentication tokens to attacker-controlled servers. While primarily self-XSS, exploitation extends to other users through shared chat cloning, file upload content rendering, or conversation import features. Publicly available exploit code exists (GitHub advisory includes working PoC). CVSS 7.7 reflects high complexity requiring user interaction, but successful exploitation grants full account compromise (C:H/I:H).
Stored cross-site scripting in Open WebUI versions before 0.8.0 allows authenticated users to inject malicious data URIs into the profile_image_url field, enabling JavaScript execution in the application origin. The most critical attack path involves uploading a base64-encoded SVG data URI that, when loaded via the /api/v1/users/{user_id}/profile/image endpoint, executes scripts with access to localStorage and enables full account takeover of any user viewing the malicious profile image, including administrators. Two independent reporters demonstrated distinct vectors: one via HTML data URIs in new tabs (limited scope), and one via SVG data URIs served by the application origin (account takeover). No public exploit code or active exploitation has been confirmed, but the vulnerability requires only authenticated access and user interaction (viewing a profile image).
DOM-based cross-site scripting in Fides consent banner (fides.js) allows remote unauthenticated attackers to execute arbitrary JavaScript in the embedding site's origin via crafted URL parameters, JavaScript globals, or cookies. The vulnerability affects Fides Enterprise deployments using the consent management platform with HTML-formatted banner descriptions enabled (FIDES_PRIVACY_CENTER__ALLOW_HTML_DESCRIPTION=true), though only when the non-default HTML description feature is active. Cookie-based payload delivery enables persistent XSS across all subdomains until cookies are cleared. Vendor-released patch available in ethyca-fides 2.84.5 (OSS) and fidesplus 2.84.6 (Enterprise). No public exploit identified at time of analysis beyond the vendor's proof-of-concept test snippet.
Stored cross-site scripting in ApostropheCMS 4.29.0 allows authenticated editors to inject arbitrary JavaScript via image widget URL fields, affecting administrators and public visitors. The vulnerability permits execution of malicious payloads when victims click crafted image links on published pages. No vendor-released patch identified at time of analysis, and CVSS 7.3 (High) reflects the authenticated nature and required user interaction, though impact on administrator sessions elevates real-world risk.
The sanitize-html npm package allows remote attackers to bypass HTML sanitization and inject executable JavaScript by wrapping malicious payloads inside disallowed <xmp> tags, achieving stored cross-site scripting (XSS) in applications using default configurations. This affects all versions through 2.17.3, with no vendor-released patch identified at time of analysis. A publicly available proof-of-concept demonstrates the bypass, which leverages the library's special handling of raw-text elements. With a 9.3 CVSS score and network-based attack vector requiring only user interaction, this represents a critical risk for Node.js applications that render sanitized user content in browsers.
Stored cross-site scripting in SiYuan's Bazaar marketplace (versions 2.1.12 through 3.6.x) enables arbitrary code execution on the host system. The vulnerability stems from unescaped package author metadata rendering, which when exploited through a malicious marketplace package, allows attackers to leverage SiYuan's insecure Electron configuration (nodeIntegration enabled, contextIsolation disabled) to execute Node.js APIs and OS-level commands. No public exploit or active exploitation confirmed at time of analysis. CVSS 8.3 with high attack complexity and required user interaction suggests real-world exploitation depends on convincing users to view crafted marketplace entries.
Cross-site scripting (XSS) in Microsoft Exchange Server enables remote attackers to spoof content and steal credentials without authentication. Affects Exchange Server 2016 CU23, 2019 CU14/CU15, and Subscription Edition. Functional exploit code exists (CVSS temporal E:F) though no active exploitation confirmed at analysis time. CVSS 8.1 (High) driven by network vector, no authentication requirement, and dual confidentiality/integrity impact. Microsoft released patches via MSRC security update guide. Medium-high priority for organizations running affected Exchange versions with webmail or OWA exposed.
CSS injection in mistune's Image directive plugin allows unauthenticated remote attackers to inject arbitrary CSS properties via the :width: or :height: options in fenced image directives, enabling full-page phishing overlays and UI redressing attacks. The vulnerability stems from a prefix-only regex validation (_num_re.match() with no end-of-string anchor) that accepts values like '100vw;position:fixed;background-color:#e11d48;...' and renders them unescaped into style= attributes. Confirmed fixed in v3.2.1; publicly available proof-of-concept demonstrates full-viewport colored overlay generation from a single malicious :width: directive.
Stored Cross-Site Scripting in the CVMH Sticky plugin for WordPress (versions ≤2.5.6) enables authenticated contributors to inject persistent JavaScript via the `readmoretext` attribute of the `[cvmh-sticky]` shortcode. The payload executes in the browsers of any visitor loading a page containing the injected shortcode, enabling session hijacking, credential theft, or privilege escalation by targeting administrators. No public exploit is identified at time of analysis and this vulnerability is not listed in CISA KEV, but Wordfence has confirmed the flaw with direct code-level references.
Reflected XSS in the LJ Comments Import: Reloaded WordPress plugin (all versions ≤ 0.97.1) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in victim browsers by exploiting two distinct unsanitized echo points for the PHP_SELF variable in lj_comments_import.php (lines L129 and L161). The attack requires tricking an authenticated WordPress user into clicking a crafted link, making session hijacking and unauthorized administrative actions the primary post-exploitation risk. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity (AC:L, PR:N) and Changed scope make this a realistic threat to sites where the plugin is active.
Stored/reflected Cross-Site Scripting in @cyntler/react-doc-viewer v1.17.1 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted .txt file for rendering. The TXTRenderer component unsafely casts raw file content directly as a ReactNode without sanitization, bypassing React's default escaping and enabling HTML/script injection. A publicly available proof-of-concept exists; no confirmed active exploitation in CISA KEV at time of analysis.
Cross-site scripting in Veritas InfoScale VIOM 9.1.3 allows a low-privileged authenticated attacker to inject malicious scripts into the web application, which execute in the browser context of other users - including potentially administrators. The CVSS 3.1 score of 5.4 with Changed scope (S:C) indicates the injected payload can cross security boundaries and impact principals beyond the originating session. No public exploit code has been identified at time of analysis, and CISA SSVC assessment confirms no active exploitation.
Cross-site scripting in the Drupal Colorbox Inline contributed module (versions 0.0.0 through before 2.1.1) allows an authenticated low-privileged attacker to inject malicious script into web page output, which executes in a victim's browser when they interact with the affected content. The changed-scope CVSS vector (S:C) confirms the classic XSS pattern where attacker-controlled content runs in a different security context than the origin. No public exploit code exists and no active exploitation has been identified; EPSS at 0.03% (8th percentile) confirms this is not a currently targeted vulnerability.
Cross-site scripting in the Drupal Obfuscate contributed module (versions 0.0.0 through before 2.0.2) allows remote unauthenticated attackers to inject malicious scripts into pages rendered for other users, with impact scoped across security boundaries (S:C). The vulnerability stems from improper neutralization of input during web page generation, enabling session hijacking or UI redress attacks against users who view attacker-controlled content processed by the module. No public exploit has been identified at time of analysis, and EPSS at 0.03% (8th percentile) reflects low current exploitation probability.
Cross-site scripting in Drupal core 11.3.0 through 11.3.6 enables unauthenticated remote attackers to inject malicious scripts into web pages rendered by the application, which execute in victims' browsers upon user interaction. The CVSS Changed scope (S:C) indicator confirms the exploit crosses trust boundaries - attacker-controlled input rendered in the victim's browser context can compromise session tokens or trigger unauthorized actions. With EPSS at 0.03% (8th percentile) and no CISA KEV listing, widespread exploitation is not currently observed; a vendor patch is available in 11.3.7.
Cross-site scripting in Drupal Core exposes a broad range of Drupal installations - spanning major versions 8 through 11 - to client-side script injection exploitable by unauthenticated remote attackers who can induce user interaction. The Changed scope (S:C) in the CVSS vector confirms the injected script executes in the context of a victim's browser session, enabling session hijacking, credential theft, or malicious redirects against authenticated users including administrators. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (8th percentile) signals low near-term exploitation probability, though the breadth of affected versions across three major release lines increases the aggregate attack surface.
Reflected or stored cross-site scripting in Drupal's Orejime cookie consent module (versions 0.0.0 through 2.0.15) allows unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser upon page load or link interaction. The changed scope (S:C) in the CVSS vector indicates the injected script executes in a security context beyond the originating page - consistent with a consent banner or cookie-preference widget that renders across site sections. No public exploit code has been identified at time of analysis, and EPSS is 0.03% (8th percentile), placing this in the low-exploitation-probability tier despite being network-accessible with no authentication required.
Cross-site scripting in Template::Plugin::HTML versions through 3.102 for Perl allows remote unauthenticated attackers to inject JavaScript event handlers into rendered HTML pages when victim users view pages containing attacker-controlled template variables. The html_filter function and HTML.escape method omitted escaping of single-quote characters, meaning variables filtered with `| html` inside single-quoted HTML attributes (e.g., `title='[% var | html %]'`) remained injectable. No public exploit has been identified at time of analysis and EPSS is 0.01% (1st percentile), indicating no observed widespread exploitation, though the attack primitive is straightforward for any attacker aware of the single-quote gap.
Stored XSS in CtrlPanel's admin role management interface (versions 1.1.1 and prior) allows a privileged admin to inject persistent malicious HTML into role name or color fields, which executes in the browser of every admin who subsequently loads the /admin/roles page. The attack enables session hijacking, credential harvesting via fake login prompts or keyloggers, and lateral privilege escalation by performing admin actions on behalf of victim admins - with the payload re-executing on every page load until the offending role record is manually deleted. No active exploitation is confirmed (not in CISA KEV), but a proof-of-concept payload is documented in the vendor advisory. Fixed in version 1.2.0.
Stored cross-site scripting in CtrlPanel (versions ≤1.1.1) allows a low-privileged ticket participant to inject arbitrary JavaScript into reply notifications that execute in the recipient's browser when rendered via Blade's unescaped `{!! !!}` directive. Because notifications flow bidirectionally between users and admins, a regular user can hijack an admin session - yielding privilege escalation across a scope-changed (S:C) trust boundary - and a malicious admin can pivot back to target users. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the attack path is straightforward given an authenticated low-privileged account and an admin reading the ticket queue.
Cache poisoning via the `/__nuxt_island/*` endpoint in Nuxt allows an attacker to prime a shared CDN or reverse-proxy cache with attacker-controlled rendered HTML, causing subsequent users requesting the same island path to receive the poisoned response. Affected are `nuxt` 3.1.0-3.21.5 and 4.0.0-alpha.1-4.4.5, as well as `@nuxt/nitro-server` 3.20.0-3.21.5 and 4.2.0-4.4.5. When any island component passes a prop into an unsafe HTML sink (`v-html`, `innerHTML`), the cache poisoning escalates to stored XSS persisting in the application's origin until cache expiry, exposing non-HttpOnly cookies, in-origin requests, and DOM state. No public exploit identified at time of analysis.
Stored cross-site scripting in EspoCRM 9.3.3 and below enables an authenticated attacker to execute arbitrary JavaScript in the browser session of any user who opens a crafted SVG attachment. The attack exploits EspoCRM's inline SVG serving behavior combined with a CSP misconfiguration that blocks inline scripts but permits same-origin external scripts - allowing a separately uploaded attacker-controlled JavaScript file (also hosted on the same EspoCRM origin) to be loaded and executed. A public exploit exists per the vendor's own GitHub security advisory; no CISA KEV listing has been identified at time of analysis.
Stored cross-site scripting in Budibase self-hosted deployments (versions before 3.38.2) allows any authenticated user with Builder role - or any BASIC/POWER user with table WRITE permission - to upload SVG, HTML, or JavaScript files containing active content via the /api/attachments/process and /api/attachments/:tableId/upload endpoints. The files are stored in the configured object store (MinIO/S3) with their executable MIME types and served via signed URLs, so any end user viewing an attachment triggers script execution in their browser session. Publicly available exploit code exists (detailed PoC in the GHSA advisory); no public exploit identified in active campaigns at time of analysis.
Stored XSS in Argo CD allows developer-role users to inject javascript: URIs via link.argocd.argoproj.io/* annotations, which render unvalidated in the Application Summary tab's URLs section. When an admin clicks the disguised link, arbitrary JavaScript executes in the ArgoCD same-origin context with the victim's session, enabling API exfiltration and developer-to-admin privilege escalation. No public exploit identified at time of analysis beyond the detailed vendor PoC, and the issue is not currently listed in CISA KEV.
Reflected XSS in Nuxt's `navigateTo()` function allows remote attackers to inject and execute arbitrary JavaScript in the application's origin during server-side rendering. Applications passing user-controlled input to `navigateTo(url, { external: true })` - the common post-login `?next=` or `?redirect=` redirect pattern - are affected across nuxt versions 3.4.3-3.21.5 and 4.0.0-alpha.1-4.4.5. A full proof-of-concept is published in the GitHub Security Advisory GHSA-fx6j-w5w5-h468; no public exploit identified at time of analysis beyond that PoC, and this CVE does not appear in CISA KEV.
Cross-tenant account takeover in HAXcms (npm package @haxtheweb/haxcms-nodejs <= 25.0.0) allows an authenticated attacker with edit access to chain a stored XSS flaw with token leakage in the /system/api/connectionSettings endpoint to hijack other tenants' sessions. The endpoint exposes the victim's JWT, user_token, site_token, and appstore_token via the window.appSettings global, letting injected JavaScript silently exfiltrate them to an attacker-controlled webhook and fully impersonate the victim. A detailed reporter-supplied PoC exists in the GitHub Security Advisory, though there is no public exploit identified at time of analysis as a packaged weapon and no CISA KEV entry.
Stored cross-site scripting in HAX CMS (versions <= 25.0.0) allows authenticated users to inject malicious `<iframe>` elements with `javascript:` URIs or `srcdoc` payloads that execute in viewers' browsers, enabling theft of JWTs exposed via window.appSettings and full account takeover. A working proof-of-concept is published in the GHSA advisory demonstrating JWT exfiltration, and a vendor patch is available in 26.0.0. No public exploit identified at time of analysis beyond the published PoC, and the issue is not listed in CISA KEV.
Stored cross-site scripting in HAX CMS (npm packages @haxtheweb/haxcms-nodejs and @haxtheweb/video-player versions <= 25.0.0) allows any authenticated user to inject a `<video-player>` element whose `source` or `source-data` attribute carries a `javascript:` URI that executes when other users render the page. A public PoC in the vendor's GHSA advisory demonstrates JWT theft from localStorage, enabling session hijacking and full account takeover - especially severe when an administrator views the malicious page. No public exploit identified at time of analysis beyond the advisory PoC, and the issue is not listed in CISA KEV.
Stored HTML injection in Nozomi Networks Guardian and CMC Smart Polling functionality allows authenticated users with limited privileges to embed malicious HTML into remote strategies via the sync mechanism. When a victim views the affected remote strategy in the Smart Polling UI, the injected HTML renders in their browser, enabling phishing campaigns and open redirect attacks. No public exploit has been identified at time of analysis; full JavaScript XSS is explicitly mitigated by the product's existing Content Security Policy, bounding the practical impact to social engineering vectors rather than direct session compromise.
Stored HTML injection in Nozomi Networks Guardian and CMC's Schedule Restore Archive feature permits authenticated administrators to embed arbitrary HTML tags within restore schedule configurations. When any user views the poisoned schedule entry, the injected markup renders in their browser, enabling phishing lures and potential open redirect attacks against operators. Full JavaScript execution is blocked by the platform's existing Content Security Policy and server-side validation, and no public exploit has been identified at time of analysis; however, in OT/ICS environments where operator trust is high, even HTML-level injection can support targeted social engineering.
Stored HTML injection in Nozomi Networks Guardian and CMC (versions prior to 26.1.0) allows an authenticated administrator to create a user account whose username contains raw HTML tags that are rendered unescaped in a victim's browser. The injection triggers specifically during group deletion workflows - when any user attempts to delete a group containing the malicious account, the stored payload renders. Full XSS exploitation is blocked by the platform's Content Security Policy, but the attack surface remains viable for phishing and open redirect abuse. No public exploit code exists and this CVE is not listed in CISA KEV; the CVSS 4.0 score of 4.8 reflects the high privilege prerequisite and required user interaction, which substantially constrain real-world risk.
Stored HTML injection in Nozomi Networks Guardian and CMC (Central Management Console) Credentials Manager allows authenticated administrators to plant malicious HTML inside identity definitions. When a separate user attempts to delete the poisoned identity, the injected HTML renders in their browser, enabling phishing lures and open redirect attacks against that user. Full script execution (XSS) and direct information disclosure are constrained by existing input validation and Content Security Policy headers, limiting the achievable impact to social engineering vectors. No public exploit code exists and this vulnerability is not listed in CISA KEV at time of analysis.
Angular template injection in the Reports functionality of Nozomi Networks Guardian and CMC (versions prior to 26.1.0) allows an authenticated user with report privileges to execute arbitrary Angular template expressions in a victim's browser context. Exploitation requires either the attacker to possess report creation privileges directly, or to socially engineer a victim into importing a crafted malicious report template. Successful exploitation enables modification of application data or disruption of application availability; however, full XSS exploitation and direct information disclosure are explicitly constrained by the product's existing input validation and Content Security Policy configuration. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Stored XSS in BigBlueButton's bbb-playback recording component (versions prior to 3.0.19) allowed authenticated meeting participants to inject malicious scripts via public chat that execute silently against any user who later views the session recording in presentation format. The React component rendered chat messages via dangerouslySetInnerHTML without sanitization, meaning UI:N - no victim interaction beyond loading the recording URL was required to trigger execution. No public exploit identified at time of analysis; not listed in CISA KEV.
Stored cross-site scripting in DumbAssets through version 1.0.11 allows script injection via asset fields - name, description, modelNumber, serialNumber, and tags - which are persisted without server-side sanitization and rendered into the DOM via innerHTML without escaping. When a victim navigates to the asset list dashboard, injected JavaScript executes in their browser; the CVE explicitly notes that with Content-Security-Policy absent or disabled, those scripts can make unrestricted connections to internal network services, escalating the impact beyond typical XSS. No public exploit identified at time of analysis, and no KEV listing exists, but the CVSS 4.0 score of 5.3 with a network attack vector and no required privileges represents a meaningful exposure for any internet-accessible or intranet-facing deployment.
Cross-site scripting (XSS)-based spoofing in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 allows remote unauthenticated attackers to inject and execute scripts within the browser context, manipulating rendered content or UI trust indicators to deceive users. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms low-complexity, network-reachable exploitation requiring only that a victim visit a malicious page. Impact is constrained to limited confidentiality and integrity loss (C:L/I:L/A:N), consistent with spoofing and credential-phishing scenarios rather than full system compromise. No public exploit identified at time of analysis and no CISA KEV listing.
Stored cross-site scripting in the CI4MS (CodeIgniter 4 CMS/ERP) Pages module versions <= 0.31.8.0 allows authenticated content authors holding the pages.create or pages.update permission to persist arbitrary JavaScript that executes in every visitor's browser when the public Pages renderer outputs the field unescaped. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-gqr2-7hcg-rchf), and because vulnerable pages can be promoted to the site home page, a single injection escalates from a low-privileged author to full administrator session takeover when an admin browses the front-end.
Stored XSS in CI4MS (composer package ci4-cms-erp/ci4ms, versions up to 0.31.8.0) allows authenticated content editors holding the `blogs.create` or `blogs.update` role to persist arbitrary JavaScript that executes in every visitor's browser, including superadmins who review or preview posts. The root cause is a PHP by-reference mutation in the `html_purify` custom validation rule that CodeIgniter 4's validator silently discards - raw POST data bypasses sanitization entirely and is written unescaped to the database and rendered directly in the public template. A detailed public proof-of-concept exploit exists; vendor-released patch 0.31.9.0 was published on 2026-05-08 and is confirmed to address the issue.
Unauthenticated reflected XSS in Arcane Backend's logo endpoint enables full admin account takeover. The vulnerability allows attackers to inject JavaScript into an SVG image response by manipulating the color parameter, which executes in the application's origin when visited by authenticated users. Fixed in version 1.19.0.
Stored cross-site scripting (XSS) in DernekWeb through version 30122025 enables attackers to inject persistent malicious scripts that execute when victims view affected pages. The vulnerability requires no authentication to exploit but does require user interaction (viewing the compromised page). With a high CVSS score of 8.8 reflecting potential for high impact across confidentiality, integrity and availability, this represents a serious risk for organizations using this Turkish association management software.
Cross-site scripting (XSS) in Mattermost Server 10.11.0-10.11.13 and 11.5.0-11.5.1 enables authenticated administrators to inject JavaScript code through unescaped variables in error page templates. Exploitation requires high-privilege (PR:H) administrative access to site configuration settings, limiting real-world risk despite network-based attack vector (AV:N). No active exploitation confirmed (not in CISA KEV). EPSS data not available for recent CVE. This is a stored XSS vulnerability affecting administrative workflows rather than end users.
The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format.
HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output encoding, allowing a remote attacker to execute arbitrary JavaScript code in the context of a victim's browser.
HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax.
Zenar Content Management System contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating form parameters in POST requests. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WP Learn Manager 1.1.2 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the fieldtitle parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Cookie Law Bar 1.2.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unsanitized input to the Bar Message field. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
CouchCMS 2.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG files through the file upload. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Supsystic Digital Publications 1.6.9 contains a path traversal vulnerability in the Folder input field that allows attackers to access files outside the web root by injecting directory traversal. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Supsystic Pricing Table 1.8.7 contains an SQL injection vulnerability in the 'sidx' GET parameter that allows unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Composr CMS 10.0.34 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the banner management interface. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
NewsLister contains an authenticated persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the title parameter in the news. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site scripting (XSS) in jsondiffpatch library versions before 0.7.6 allows remote attackers to inject malicious HTML/JavaScript through crafted JSON property names or values when the annotated formatter output is rendered in a browser. The vulnerability enables attackers to execute arbitrary client-side code in victim browsers when applications compare untrusted JSON data and display formatted diffs to users. Publicly available exploit code exists (EPSS not provided in data, no CISA KEV listing), with fix version 0.7.6 confirmed via vendor advisory and GitHub commit 232338b34.
Unauthenticated reflected cross-site scripting (XSS) in Vvveb CMS versions prior to 1.0.8.3 enables attackers to execute arbitrary JavaScript in victim browsers via the public product return form. The customer_order_id parameter is reflected without sanitization in error messages when order lookups fail, allowing HTML injection. No public exploit identified at time of analysis. While CVSS 5.3 indicates moderate severity, the unauthenticated attack vector (PR:N) and low complexity (AC:L) make this readily exploitable against any site visitor, though user interaction (UI:P) is required to submit the malicious form.
Cross-site scripting (XSS) in Vvveb CMS versions prior to 1.0.8.3 allows authenticated users to inject malicious scripts that execute in victim browsers with user interaction. The CVSS 4.0 vector indicates network-based attack requiring low-privilege authentication and user interaction, with low confidentiality and integrity impact to the subsequent system. GitHub security advisory confirms the vulnerability, with patch version 1.0.8.3 available. No public exploit code identified at time of analysis, and EPSS data not available for this recently assigned CVE.
Stored cross-site scripting in phpMyFAQ 4.1.1 lets any authenticated user with a registered account persist JavaScript inside FAQ or News comments by submitting a URL containing an unescaped double quote, which Utils::parseUrl() injects unescaped into an href attribute. Payloads execute for every visitor - including admins viewing the comments panel - enabling session cookie theft and full application takeover. Publicly available exploit code exists in the GHSA advisory, though EPSS is only 0.01% and SSVC categorizes exploitation as POC rather than active.
Stored cross-site scripting in phpMyFAQ versions prior to 4.1.2 allows authenticated users with FAQ_ADD permission to inject malicious JavaScript into FAQ questions and answers that execute in all visitors' browsers. The vulnerability exploits an encode-decode cycle where FILTER_SANITIZE_SPECIAL_CHARS encoding is immediately reversed by html_entity_decode(), bypassing Filter::removeAttributes() which only strips HTML attributes but not tags like <script>. Twig templates render this content with the |raw filter, executing stored payloads. CVSS 5.4 indicates network-accessible attack requiring low-privilege authentication and user interaction, with changed scope enabling cross-user impact. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.
Stored cross-site scripting in phpMyFAQ before 4.1.2 lets FAQ editors persist HTML-entity-encoded JavaScript that survives sanitization and executes in every visitor's browser, including administrators. The flaw stems from Twig's `| raw` filter being applied to `result.question` and `result.answerPreview` in `search.twig`, combined with a `html_entity_decode(strip_tags())` round-trip in SearchController.php that resurrects encoded tags. Publicly available exploit code exists (POC per SSVC), though EPSS is 0.01% and the issue is not on the CISA KEV list.
Authenticated users with FAQ_EDIT permission in phpMyFAQ can bypass SVG sanitization and execute arbitrary JavaScript in victims' browsers by exploiting recursive entity decoding limits. By nesting ampersand encoding five levels deep around numeric HTML entities in SVG href attributes (e.g., &amp;amp;amp;amp;#106; for 'j'), attackers reconstruct javascript: URLs that the decodeAllEntities() method fails to detect but browsers fully decode. The malicious SVG uploads persist on the server and execute JavaScript when other users click the embedded links. Fixed in version 4.1.2. EPSS and KEV data not available; VulnCheck reported this issue with vendor-confirmed details and proof-of-concept in GitHub security advisory GHSA-whqh-9pq5-c7r3.
Podcast Generator 3.1 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unfiltered JavaScript code in the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to execute arbitrary code by injecting malicious payloads into markdown files stored within the application. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site request forgery in AVideo's LoginControl plugin allows remote attackers to disable two-factor authentication for authenticated victims through a single malicious HTTP request. The vulnerability exists in plugin/LoginControl/set.json.php which accepts POST requests to toggle 2FA without CSRF token validation, origin verification, or re-authentication. Attackers deliver a weaponized webpage containing a hidden form that auto-submits to the vulnerable endpoint; when a logged-in AVideo administrator visits this page, their 2FA protection is silently stripped, enabling subsequent credential-based account takeover. The flaw is confirmed through GitHub security advisory GHSA-3mv2-vmwh-rwfx with source code evidence showing the endpoint performs only session authentication (User::isLogged()) while omitting the forbidIfIsUntrustedRequest() protection used throughout the rest of the codebase. No public exploit code identified at time of analysis, though the attack is trivial to weaponize given the detailed advisory.
Stored cross-site scripting in AVideo's Live plugin allows authenticated streamers to inject malicious JavaScript into live stream pages, executing in any visitor's browser context. The vulnerability exists in modeYoutubeLive.php where stream keys are rendered unescaped into HTML class attributes. Attackers with canStream privileges can persist event handlers via crafted stream keys that trigger when victims view the live page, enabling session hijacking, CSRF token theft, and potential admin account compromise. CVSS 5.4 reflects network-accessible exploitation requiring only low-privilege authentication and user interaction, with scope change indicating cross-user impact. No patch is currently available per GitHub advisory GHSA-m5j4-7r85-2cj2.
Stored Cross-Site Scripting in Vvveb CMS comment submission allows unauthenticated attackers to inject malicious JavaScript through the author field on public post pages. The payload persists in the database and executes in two distinct contexts when administrators or other users view the comments, enabling session hijacking, credential theft, or administrative action manipulation. No public exploit code has been identified at time of analysis, though exploitation requires only user interaction (victim viewing the malicious comment). EPSS data not available; CVSS 6.1 reflects moderate severity with cross-site scope change.
Stored cross-site scripting (XSS) in Weblate allows authenticated contributors to inject HTML and CSS into the live search preview feature, which executes in the browsers of all authenticated users who perform matching searches. The vulnerability stems from improper output escaping of unit source and context fields in the search preview interface. Vendor-released patch available in version 2026.5, confirmed via GitHub advisory GHSA-6wxc-8mgq-w26m and commit 8b0adf1d0b43. CVSS score of 4.6 (Medium) reflects the requirement for low-privilege authentication and user interaction, limiting exploitation scope compared to unauthenticated XSS.
Stored Cross-Site Scripting (XSS) in NukeViet CMS versions up to 4.5.07 allows unauthenticated attackers to inject malicious HTML/JavaScript through any module using the Request class for HTML input. The vulnerability stems from insufficient server-side sanitization that relies on client-side filtering, which attackers can bypass using proxy tools like Burp Suite. While not currently listed in CISA KEV and lacking public exploit code, the issue poses significant risk as it requires no authentication and affects administrative users viewing user-submitted content.
Stored cross-site scripting in Cockpit CMS 2.14.0 and earlier allows authenticated users with content/:models/manage permission to inject arbitrary JavaScript through the Set field type's Display template option. The vulnerability exploits unsafe template rendering via `new Function()` and Vue's v-html directive without sanitization, executing injected code in the browsers of all users viewing the collection items list. Vendor-released patch available via commit 72a83fc replaces Function-based evaluation with sandboxed JSLite execution.
Stored Cross-Site Scripting in Advanced Custom Fields: Font Awesome plugin for WordPress up to version 5.0.2 allows authenticated attackers with Subscriber-level access to inject arbitrary JavaScript via insufficiently validated JSON field values in the update_preview() function, resulting in script execution whenever any user visits an affected page. The vulnerability requires user interaction only in the sense that a victim must visit a page containing injected content; the attacker needs only Subscriber-level authentication to craft the malicious payload.
Stored Cross-Site Scripting (XSS) in The7 WordPress theme versions up to 14.3.2 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'title' parameter of the 'dt_default_button' shortcode. The injected scripts execute in the context of any user who views the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code has been identified at time of analysis.
Stored cross-site scripting (XSS) in Fujitsu's Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 allows authenticated users to execute arbitrary scripts in administrators' browsers by uploading files with malicious content. When administrators view file information on the administration page, the injected script executes with user-level privileges. No public exploit code or active exploitation has been identified at the time of analysis.
Cross-site scripting (XSS) via DOM clobbering in Svelte versions 5.55.6 and earlier allows attackers to inject malicious code when attribute spreading is used simultaneously on both form elements and their child input/button elements with user-controllable name attributes. The vulnerability requires specific markup patterns where both the form and nested input/button use spread syntax with attacker-controlled values, enabling manipulation of Svelte's internal framework state. Vendor-released patch: version 5.55.7.
Stored XSS in Open WebUI Banner component enables privilege escalation from compromised admin to Super Admin. A malicious administrator can inject markdown-based JavaScript payloads (e.g., `[text](javascript:...)`) that bypass DOMPurify sanitization due to incorrect sanitizer-parser execution order in Banner.svelte:103. When the Super Admin views the global banner and clicks the crafted link, their session token is exfiltrated to the attacker. Vendor-released patch available in v0.8.0 (2026-02-12) reversing sanitization order to `DOMPurify.sanitize(marked.parse(...))`. CVSS 8.1 (High) with Network vector, Low complexity, but requires High privileges (admin) and User interaction (click). No KEV listing or EPSS data available; publicly disclosed POC with detailed reproduction steps.
Stored cross-site scripting (XSS) in pyLoad's download management interface allows authenticated users with add-package permissions to inject JavaScript that executes in administrators' browsers when viewing the /collector or /queue pages. The vulnerability stems from unescaped template literal interpolation in packages.js that directly writes attacker-controlled link URLs to the DOM via jQuery .html(). Exploitation requires low-privilege authentication (Perms.ADD role) but enables full session hijacking against administrators, leading to plugin upload, configuration tampering, and potential remote code execution through reconnect-script features. A secondary unauthenticated attack vector exists when the ClickNLoad handler is enabled via POST /flash/add. No public exploit identified at time of analysis, though detailed proof-of-concept is published in the GitHub advisory.
Stored cross-site scripting (XSS) in Open WebUI's SVG renderer allows authenticated users to permanently inject malicious HTML and JavaScript code into conversation threads by editing SVG content, which executes in the browser context of any user viewing the shared thread. The vulnerability affects npm package open-webui versions prior to 0.6.31 and enables account takeover, data theft, and DOM manipulation. Publicly available proof-of-concept demonstrates code execution via img tag onerror handler embedded in SVG markup.
Cross-site scripting in Svelte versions up to 5.55.6 allows remote attackers to inject malicious event handlers via spread syntax when rendering untrusted data as element attributes. The vulnerability executes in victims' browsers only when JavaScript is enabled and Svelte's hydration mechanism does not process the vulnerable element before the injected event fires. Vendor-released patch: version 5.55.7.
Stored cross-site scripting (XSS) in Open WebUI versions up to 0.9.2 allows authenticated users to upload malicious Office files (Excel, DOCX, PPT) that execute arbitrary JavaScript in the browsers of any user previewing the file. The vulnerability stems from rendering user-supplied HTML from file-preview components using Svelte's `{@html}` directive without DOMPurify sanitization, despite DOMPurify being available and correctly applied in 39% of the codebase's other rendering locations. This is a regression of a previously patched vulnerability (GHSA-jwf8-pv5p-vhmc) that was fixed in v0.8.0 but reintroduced after that release.
Stored cross-site scripting in Open WebUI versions 0.9.2 and earlier allows authenticated low-privileged users to persist malicious SVG payloads through the channel webhook profile_image_url field, which the server later serves verbatim as image/svg+xml. Any verified user who loads the resulting profile image URL executes attacker-controlled JavaScript in the application origin, enabling session theft and account takeover. Publicly available exploit code exists in the form of a working Python PoC published in the GHSA advisory; no public exploit identified at time of analysis as actively used in the wild.
Stored cross-site scripting (XSS) in Open WebUI ≤0.9.2 allows authenticated users with default speech-to-text permissions to upload polyglot WAV+HTML files through the audio transcription endpoint, achieving code execution in victim browsers and enabling full account takeover including administrator sessions. The vulnerability chains insecure file extension handling with unrestricted Content-Type serving and non-HttpOnly JWT storage to weaponize a single-click attack. Publicly available exploit code exists with video demonstration; no active exploitation confirmed by CISA KEV at time of analysis. CVSS 8.7 (High) reflects changed scope (S:C) and user interaction requirement, but real-world risk is elevated because the vulnerable permission defaults to enabled and the attack yields immediate admin-level access in typical deployments.
Stored cross-site scripting (XSS) in Open WebUI versions before 0.6.5 allows authenticated users to exfiltrate session tokens via maliciously crafted chat content. The HTML rendering view uses an insufficiently restrictive iframe sandbox (`allow-scripts allow-forms allow-same-origin`), enabling injected JavaScript to access localStorage and transmit authentication tokens to attacker-controlled servers. While primarily self-XSS, exploitation extends to other users through shared chat cloning, file upload content rendering, or conversation import features. Publicly available exploit code exists (GitHub advisory includes working PoC). CVSS 7.7 reflects high complexity requiring user interaction, but successful exploitation grants full account compromise (C:H/I:H).
Stored cross-site scripting in Open WebUI versions before 0.8.0 allows authenticated users to inject malicious data URIs into the profile_image_url field, enabling JavaScript execution in the application origin. The most critical attack path involves uploading a base64-encoded SVG data URI that, when loaded via the /api/v1/users/{user_id}/profile/image endpoint, executes scripts with access to localStorage and enables full account takeover of any user viewing the malicious profile image, including administrators. Two independent reporters demonstrated distinct vectors: one via HTML data URIs in new tabs (limited scope), and one via SVG data URIs served by the application origin (account takeover). No public exploit code or active exploitation has been confirmed, but the vulnerability requires only authenticated access and user interaction (viewing a profile image).
DOM-based cross-site scripting in Fides consent banner (fides.js) allows remote unauthenticated attackers to execute arbitrary JavaScript in the embedding site's origin via crafted URL parameters, JavaScript globals, or cookies. The vulnerability affects Fides Enterprise deployments using the consent management platform with HTML-formatted banner descriptions enabled (FIDES_PRIVACY_CENTER__ALLOW_HTML_DESCRIPTION=true), though only when the non-default HTML description feature is active. Cookie-based payload delivery enables persistent XSS across all subdomains until cookies are cleared. Vendor-released patch available in ethyca-fides 2.84.5 (OSS) and fidesplus 2.84.6 (Enterprise). No public exploit identified at time of analysis beyond the vendor's proof-of-concept test snippet.
Stored cross-site scripting in ApostropheCMS 4.29.0 allows authenticated editors to inject arbitrary JavaScript via image widget URL fields, affecting administrators and public visitors. The vulnerability permits execution of malicious payloads when victims click crafted image links on published pages. No vendor-released patch identified at time of analysis, and CVSS 7.3 (High) reflects the authenticated nature and required user interaction, though impact on administrator sessions elevates real-world risk.
The sanitize-html npm package allows remote attackers to bypass HTML sanitization and inject executable JavaScript by wrapping malicious payloads inside disallowed <xmp> tags, achieving stored cross-site scripting (XSS) in applications using default configurations. This affects all versions through 2.17.3, with no vendor-released patch identified at time of analysis. A publicly available proof-of-concept demonstrates the bypass, which leverages the library's special handling of raw-text elements. With a 9.3 CVSS score and network-based attack vector requiring only user interaction, this represents a critical risk for Node.js applications that render sanitized user content in browsers.
Stored cross-site scripting in SiYuan's Bazaar marketplace (versions 2.1.12 through 3.6.x) enables arbitrary code execution on the host system. The vulnerability stems from unescaped package author metadata rendering, which when exploited through a malicious marketplace package, allows attackers to leverage SiYuan's insecure Electron configuration (nodeIntegration enabled, contextIsolation disabled) to execute Node.js APIs and OS-level commands. No public exploit or active exploitation confirmed at time of analysis. CVSS 8.3 with high attack complexity and required user interaction suggests real-world exploitation depends on convincing users to view crafted marketplace entries.
Cross-site scripting (XSS) in Microsoft Exchange Server enables remote attackers to spoof content and steal credentials without authentication. Affects Exchange Server 2016 CU23, 2019 CU14/CU15, and Subscription Edition. Functional exploit code exists (CVSS temporal E:F) though no active exploitation confirmed at analysis time. CVSS 8.1 (High) driven by network vector, no authentication requirement, and dual confidentiality/integrity impact. Microsoft released patches via MSRC security update guide. Medium-high priority for organizations running affected Exchange versions with webmail or OWA exposed.
CSS injection in mistune's Image directive plugin allows unauthenticated remote attackers to inject arbitrary CSS properties via the :width: or :height: options in fenced image directives, enabling full-page phishing overlays and UI redressing attacks. The vulnerability stems from a prefix-only regex validation (_num_re.match() with no end-of-string anchor) that accepts values like '100vw;position:fixed;background-color:#e11d48;...' and renders them unescaped into style= attributes. Confirmed fixed in v3.2.1; publicly available proof-of-concept demonstrates full-viewport colored overlay generation from a single malicious :width: directive.