XSS

9960 CVEs technique

Monthly

CVE-2025-6397 HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ankara Hosting Website Design Website Software allows Reflected XSS. This issue affects Website Software: through 03022026. [CVSS 8.6 HIGH]

XSS
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-67855 MEDIUM PATCH This Month

A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. [CVSS 5.4 MEDIUM]

XSS Information Disclosure Moodle
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-67850 HIGH PATCH This Week

A flaw was found in Moodle. This vulnerability, known as Cross-Site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor's arithmetic expression fields. [CVSS 7.3 HIGH]

Moodle XSS
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-67849 HIGH PATCH This Week

A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. [CVSS 7.3 HIGH]

Moodle XSS AI / ML
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-59902 This Week

HTML injection vulnerability in NICE Chat. This vulnerability allows an attacker to inject and render arbitrary HTML content in email transcripts by modifying the 'firstName' and 'lastName' parameters during a chat session.

XSS
NVD
EPSS
0.0%
CVE-2025-41065 This Week

Stored Cross-Site Scripting (XSS) vulnerability in LUNA software v7.5.5.6. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting a malicious payload through the 'Edit Batch Name' function.

XSS
NVD
EPSS
0.1%
CVE-2025-8461 HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Seres Software syWEB allows Reflected XSS. This issue affects syWEB: through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. [CVSS 7.6 HIGH]

XSS
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-8456 HIGH This Week

Kod8 Software Technologies Trade Ltd. Co. Kod8 Individual and SME Website is affected by cross-site scripting (xss) (CVSS 7.6).

XSS
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-1592 MEDIUM This Month

Stored cross-site scripting in Foxit PDF Editor Cloud's Create New Layer feature allows authenticated attackers to execute arbitrary JavaScript by injecting malicious code that persists when layers are accessed by other users. The vulnerability affects pdfonline.foxit.com versions prior to 2026-02-03 and requires user interaction to trigger. No patch is currently available.

XSS Pdf Editor Cloud
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-1591 MEDIUM This Month

Foxit PDF Editor Cloud contains a stored XSS vulnerability in its file upload functionality where malicious usernames are not properly sanitized before being displayed in the upload file list, enabling authenticated attackers to execute arbitrary JavaScript in other users' browsers. The vulnerability affects pdfonline.foxit.com versions prior to 2026-02-03 and currently has no available patch. An attacker with valid credentials could craft a malicious username to compromise account security or steal sensitive document data from other users viewing the file list.

XSS Pdf Editor Cloud
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-8589 HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Reflected XSS. This issue affects SKSPro: through 07012026. [CVSS 7.6 HIGH]

XSS
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-1447 MEDIUM This Month

Unauthenticated attackers can forge requests to create or modify contact notes in WordPress Mail Mint plugin versions up to 1.19.2 by exploiting missing CSRF protections, requiring only that a site administrator clicks a malicious link. The lack of input validation on these operations enables stored XSS attacks that could compromise administrator accounts and site integrity. No patch is currently available.

WordPress XSS CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1210 MEDIUM This Month

Authenticated contributors and above can inject malicious scripts into WordPress pages through the Happy Addons for Elementor plugin (versions up to 3.20.7) via improper sanitization of the '_elementor_data' meta field, resulting in stored XSS that executes for all users viewing affected pages. An attacker with contributor-level permissions can leverage this to steal credentials, perform actions on behalf of administrators, or deface website content. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1065 HIGH This Week

Unauthenticated attackers can upload malicious SVG files through the Form Maker by 10Web WordPress plugin (versions up to 1.15.35) due to insufficient file type validation, enabling stored cross-site scripting attacks against administrators and site visitors. The plugin's default allowlist includes SVG files and relies on weak substring-based extension checking, allowing JavaScript execution when the uploaded files are viewed. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-1058 HIGH This Week

Stored XSS in WordPress Form Maker plugin (versions up to 1.15.35) allows unauthenticated attackers to inject malicious scripts through hidden form field values that execute when administrators view the submissions list. The vulnerability stems from improper output escaping after HTML entity decoding of user-supplied input. Website administrators using this plugin are at risk of account compromise and unauthorized actions performed within their WordPress dashboard.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-0617 HIGH This Week

Stored XSS in LatePoint WordPress plugin versions up to 5.2.5 allows unauthenticated attackers to inject malicious scripts into customer profile fields that execute when administrators review activity history. The vulnerability stems from inadequate input sanitization and output escaping, potentially enabling credential theft or administrative account compromise. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-14274 MEDIUM This Month

Unlimited Elements for Elementor (WordPress plugin) versions up to 2.0.1 are affected by cross-site scripting (xss) (CVSS 5.4).

WordPress XSS PHP
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-67483 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Page.Preview.Js.

XSS
NVD
EPSS
0.0%
CVE-2025-67481 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js.

XSS
NVD
EPSS
0.0%
CVE-2025-67477 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js.

XSS
NVD
EPSS
0.0%
CVE-2025-67475 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php.

PHP XSS
NVD
EPSS
0.0%
CVE-2025-61657 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/stickyHeader.Js.

XSS
NVD
EPSS
0.0%
CVE-2025-61656 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files src/ce/ve.Ce.ClipboardHandler.Js.

XSS
NVD
EPSS
0.1%
CVE-2025-61655 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor.

PHP XSS
NVD
EPSS
0.0%
CVE-2025-61651 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser/checkuser/checkUserHelper/buildUserElement.Js.

XSS
NVD
EPSS
0.1%
CVE-2025-61650 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php.

PHP XSS
NVD
EPSS
0.1%
CVE-2025-61648 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser.

XSS
NVD
EPSS
0.1%
CVE-2025-61645 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. [CVSS 6.1 MEDIUM]

Mediawiki PHP XSS Redhat
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-11261 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Language/mediawiki.Language.Js.

XSS
NVD VulDB
EPSS
0.0%
CVE-2025-61644 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/WatchlistTopSectionWidget.Js.

Mediawiki XSS
NVD
EPSS
0.1%
CVE-2025-61642 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php.

PHP XSS
NVD VulDB
EPSS
0.0%
CVE-2025-61640 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/RclToOrFromWidget.Js.

Mediawiki XSS
NVD VulDB
EPSS
0.0%
CVE-2025-61638 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php.

Mediawiki PHP XSS
NVD VulDB
EPSS
0.0%
CVE-2025-61637 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Action/mediawiki.Action.Edit.Preview.Js, resources/src/mediawiki.Page.Preview.Js.

Mediawiki XSS
NVD VulDB
EPSS
0.0%
CVE-2025-61636 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLButtonField.Php.

Mediawiki PHP XSS
NVD VulDB
EPSS
0.0%
CVE-2026-25144 MEDIUM This Month

Talishar is a fan-made Flesh and Blood project. A Stored XSS exists in the in-game chat system. [CVSS 5.3 MEDIUM]

PHP XSS
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24737 HIGH POC PATCH This Week

PDF generation in jsPDF prior to version 4.1.0 allows injection of arbitrary PDF objects through unsanitized input passed to AcroForm module methods, enabling attackers to embed malicious JavaScript actions executed when victims open the generated documents. Public exploit code exists for this vulnerability affecting applications using vulnerable versions of the library. Upgrade to jsPDF 4.1.0 or later to remediate the issue.

XSS Jspdf Redhat
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-23997 HIGH POC This Week

FacturaScripts versions 2025.71 and earlier contain a stored XSS vulnerability in the Observations field that executes arbitrary JavaScript when administrators view historical data. An authenticated attacker can inject malicious scripts that persist in the database and compromise admin sessions, with public exploit code already available. The vulnerability remains unpatched and requires administrator interaction to trigger.

XSS Facturascripts
NVD GitHub
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-23476 MEDIUM POC PATCH This Month

Reflected cross-site scripting in FacturaScripts prior to version 2025.8 allows authenticated attackers to inject malicious scripts through crafted input that triggers database errors, which are then rendered without HTML sanitization due to unsafe Twig template filters. Public exploit code exists for this vulnerability. The issue affects error message handling and requires user interaction to exploit, with impacts limited to session hijacking or credential theft within the affected user's browser context.

XSS Facturascripts
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-70960 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in the Forums module of Tendenci CMS v15.3.7 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. [CVSS 5.4 MEDIUM]

XSS Tendenci
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-70959 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in the Jobs module of Tendenci CMS v15.3.7 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. [CVSS 5.4 MEDIUM]

XSS Tendenci
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-70958 MEDIUM POC This Month

Multiple reflected cross-site scripting (XSS) vulnerabilities in the installation module of Subrion CMS v4.2.1 allow attackers to execute arbitrary JavaScript in the context of the user's browser via injecting a crafted payload into the dbuser, dbpwd, and dbname parameters. [CVSS 6.1 MEDIUM]

XSS Subrion Cms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-6596 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/portlets.Js, resources/skins.Vector.Legacy.Js/portlets.Js.

XSS
NVD
EPSS
0.0%
CVE-2025-6595 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MultimediaViewer. This issue affects MultimediaViewer: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0. [CVSS 4.7 MEDIUM]

XSS
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-6594 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandbox.Js. [CVSS 4.7 MEDIUM]

Mediawiki XSS Redhat
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-36436 MEDIUM This Month

Cloud Pak For Business Automation versions up to 24.0.0 are affected by cross-site scripting (xss) (CVSS 6.4).

IBM XSS Cloud Pak For Business Automation
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-22881 MEDIUM This Month

Cybozu Garoon 5.15.0 through 6.0.3 contains a cross-site scripting vulnerability in the Message function that allows authenticated attackers to reset arbitrary user passwords through malicious scripts. The vulnerability requires user interaction and affects the confidentiality and integrity of user accounts. No patch is currently available.

XSS Garoon
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-20711 MEDIUM This Month

Cybozu Garoon versions 5.0.0 through 6.0.3 contain a cross-site scripting vulnerability in the email function that enables attackers to reset arbitrary user passwords by crafting malicious email content. The attack requires user interaction to trigger and can affect confidentiality and integrity across security boundaries. No patch is currently available for this vulnerability.

XSS Garoon
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-15396 HIGH This Week

The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD WPScan
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-25200 CRITICAL Act Now

Unauthenticated file upload leading to stored XSS and potential RCE in Samsung MagicInfo9 Server. HTML files uploaded without authentication.

File Upload XSS Magicinfo 9 Server
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-1744 LOW POC Monitor

Dsl-6641K Firmware versions up to n8.tr069.20131126 are affected by cross-site scripting (xss) (CVSS 2.4).

D-Link XSS
NVD VulDB
CVSS 3.1
2.4
EPSS
0.0%
CVE-2023-54343 MEDIUM This Month

QWE DL 2.0.1 mobile web application contains a persistent input validation vulnerability allowing remote attackers to inject malicious script code through path parameter manipulation. [CVSS 6.4 MEDIUM]

XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2022-50952 MEDIUM This Month

TextBox Name Profile input. Attackers can inject malicious script code through a POST request is affected by cross-site scripting (xss) (CVSS 6.4).

XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2022-50951 MEDIUM This Month

WiFi File Transfer 1.0.8 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through file and folder names. [CVSS 6.4 MEDIUM]

XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2022-50942 MEDIUM This Month

Icinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. [CVSS 5.4 MEDIUM]

XSS
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2022-50941 MEDIUM This Month

BootCommerce 3.2.1 contains persistent input validation vulnerabilities that allow remote attackers to inject malicious script code through guest order checkout input fields. [CVSS 6.4 MEDIUM]

RCE XSS
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2022-50940 MEDIUM This Month

Knap Advanced PHP Login 3.1.3 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script code in the name parameter. [CVSS 6.4 MEDIUM]

PHP XSS
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2022-50797 MEDIUM This Month

Stripe Green Downloads Wordpress Plugin 2.03 contains a persistent cross-site scripting vulnerability allowing remote attackers to inject malicious scripts in button label fields. [CVSS 6.4 MEDIUM]

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2021-47920 MEDIUM This Month

WebMO Job Manager 20.0 contains a cross-site scripting vulnerability in search parameters that allows remote attackers to inject malicious script code. [CVSS 5.4 MEDIUM]

XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2021-47919 MEDIUM POC This Month

Simple CMS 2.1 contains a non-persistent cross-site scripting vulnerability in the preview.php file's id parameter. Attackers can inject malicious script code through a GET request to execute arbitrary scripts and potentially hijack user sessions or perform phishing attacks. [CVSS 6.4 MEDIUM]

PHP XSS Simple Cms Php
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2021-47917 MEDIUM POC This Month

Simple CMS 2.1 contains a persistent cross-site scripting vulnerability in user input parameters that allows remote attackers to inject malicious script code. [CVSS 6.4 MEDIUM]

XSS Simple Cms Php
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2021-47914 MEDIUM POC This Month

PHP Melody version 3.0 contains a persistent cross-site scripting vulnerability in the edit-video.php submitted parameter that allows remote attackers to inject malicious script code. [CVSS 6.4 MEDIUM]

PHP XSS Php Melody
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2021-47913 MEDIUM POC This Month

PHP Melody 3.0 contains a persistent cross-site scripting vulnerability in the video editor that allows privileged users to inject malicious scripts. Attackers can exploit the WYSIWYG editor to execute persistent scripts, potentially leading to session hijacking and application manipulation. [CVSS 6.4 MEDIUM]

XSS Php Melody
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2021-47912 MEDIUM POC This Month

PHP Melody version 3.0 contains multiple non-persistent cross-site scripting vulnerabilities in categories, import, and user import files. Attackers can inject malicious scripts through unvalidated parameters to execute client-side attacks and potentially hijack user sessions. [CVSS 6.4 MEDIUM]

XSS Php Melody
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2021-47911 MEDIUM This Month

Affiliate Pro 1.7 contains multiple reflected cross-site scripting vulnerabilities in the index module's input fields. Attackers can inject malicious scripts through fullname, username, and email parameters to execute client-side attacks and manipulate browser requests. [CVSS 5.4 MEDIUM]

XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2021-47908 MEDIUM This Month

Ultimate POS 4.4 contains a persistent cross-site scripting vulnerability in the product name parameter that allows remote attackers to inject malicious scripts. [CVSS 6.4 MEDIUM]

XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2021-47885 MEDIUM This Month

Multiple payment terminal versions contain non-persistent cross-site scripting vulnerabilities in billing and payment information input fields. [CVSS 6.4 MEDIUM]

XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2021-47856 MEDIUM This Month

Easy Cart Shopping Cart 2021 contains a non-persistent cross-site scripting vulnerability in the search module's keyword parameter. Remote attackers can inject malicious script code through the search input to compromise user sessions and manipulate application content. [CVSS 6.4 MEDIUM]

XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14554 HIGH This Week

Sell BTC - Cryptocurrency Selling Calculator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-25156 HIGH PATCH This Week

HotCRP conference review software versions from October 2025 through January 2026 improperly render uploaded documents inline in the browser instead of forcing download, allowing malicious HTML or SVG files to execute JavaScript with access to user credentials and HotCRP API permissions. Attackers can exploit this stored XSS vulnerability by uploading crafted documents to submission fields, which then compromise any user who clicks the document link. A patch is available to restrict inline rendering to safe document types.

XSS Hotcrp
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2020-37044 MEDIUM POC This Month

OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. [CVSS 5.4 MEDIUM]

Linux Windows XSS Opencti
NVD GitHub Exploit-DB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25154 MEDIUM POC PATCH This Month

Cross-site scripting (XSS) in LocalSend up to version 1.17.0 allows unauthenticated attackers to inject malicious scripts through the "Share via Link" web interface, which fails to properly sanitize file names in the file list display. An attacker can craft a malicious file name that executes arbitrary JavaScript in the context of a victim's browser when they access the shared link, potentially leading to session hijacking or credential theft. Public exploit code exists for this vulnerability, though a patch is available in commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c.

XSS Localsend
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1705 LOW Monitor

A vulnerability was detected in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function ad_virtual_server_vdsl of the component Web Interface. [CVSS 2.4 LOW]

D-Link XSS
NVD VulDB
CVSS 3.1
2.4
EPSS
0.0%
CVE-2026-1700 LOW POC Monitor

House Rental And Property Listing Project versions up to 1.0 are affected by cross-site scripting (xss) (CVSS 3.5).

PHP XSS
NVD GitHub VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2020-37022 MEDIUM POC This Month

OpenZ ERP 3.6.60 contains a persistent cross-site scripting vulnerability in the Employee module's name and description parameters. Attackers can inject malicious scripts through POST requests to , enabling session hijacking and manipulation of application modules. [CVSS 6.4 MEDIUM]

XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2020-37019 MEDIUM POC This Month

Orchard Core RC1 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts through blog post creation. [CVSS 6.4 MEDIUM]

XSS
NVD GitHub Exploit-DB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2020-37014 MEDIUM POC This Month

Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. [CVSS 6.4 MEDIUM]

XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2020-37003 MEDIUM POC This Month

Sellacious eCommerce 4.6 contains a persistent cross-site scripting vulnerability in the Manage Your Addresses module that allows attackers to inject malicious scripts. [CVSS 6.4 MEDIUM]

XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2020-36998 MEDIUM POC This Month

Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. [CVSS 6.4 MEDIUM]

XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2020-36996 MEDIUM POC This Month

PHPFusion 9.03.50 contains a persistent cross-site scripting vulnerability in the print.php page that fails to properly sanitize user-submitted message content. [CVSS 6.4 MEDIUM]

PHP XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2020-36966 MEDIUM POC This Month

Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. [CVSS 6.4 MEDIUM]

PHP Ldap XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-24855 MEDIUM POC PATCH This Month

ChurchCRM versions before 6.7.2 contain a stored XSS vulnerability in the event creation feature that allows low-privileged users to inject malicious scripts into event descriptions. These payloads persist in the database and execute when administrators or other users view the affected events, potentially enabling account takeover. Public exploit code exists for this vulnerability, though a patch is available in version 6.7.2.

XSS Churchcrm
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-9226 MEDIUM This Month

Zohocorp ManageEngine OpManager, NetFlow Analyzer, and OpUtils versions prior to 128582 are affected by a stored cross-site scripting vulnerability in the Subnet Details. [CVSS 4.6 MEDIUM]

XSS
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-15549 MEDIUM POC This Month

FluentCMS 2026 contains a stored cross-site scripting vulnerability that allows authenticated administrators to upload SVG files with embedded JavaScript via the File Management module. [CVSS 4.8 MEDIUM]

XSS Fluentcms
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-69749 MEDIUM POC This Month

Cross Site Scripting vulnerability in tale v.2.0.5 allows an attacker to execute arbitrary code. [CVSS 6.1 MEDIUM]

XSS Tale
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1598 LOW POC Monitor

A vulnerability was found in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. Impacted is an unknown function of the file /dashboard/home/profile of the component User Information Module. [CVSS 3.5 LOW]

XSS
NVD GitHub VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2025-45160 MEDIUM This Month

An HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. [CVSS 5.4 MEDIUM]

File Upload XSS Suse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-7713 HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows XSS through HTTP headers. This issue affects Content Management System (CMS): through 21072025. [CVSS 7.5 HIGH]

XSS Content Management System
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2020-37018 MEDIUM POC This Month

GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through message subjects. [CVSS 6.4 MEDIUM]

XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1469 MEDIUM This Month

Stored XSS in RLE NOVA PlanManager allows authenticated users to inject malicious scripts via the comment and brand parameters, which are executed in other users' browsers without sanitization. An attacker can leverage this to hijack sessions, steal credentials, or perform unauthorized actions on behalf of victims. Exploitation requires user interaction and network access, with no patch currently available.

PHP XSS Planmanager
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-6397
EPSS 0% CVSS 8.6
HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ankara Hosting Website Design Website Software allows Reflected XSS.This issue affects Website Software: through 03022026. [CVSS 8.6 HIGH]

XSS
NVD
CVE-2025-67855
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

A flaw was found in mooodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. [CVSS 5.4 MEDIUM]

XSS Information Disclosure Moodle
NVD
CVE-2025-67850
EPSS 0% CVSS 7.3
HIGH PATCH This Week

A flaw was found in moodle. This vulnerability, known as Cross-Site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor's arithmetic expression fields. [CVSS 7.3 HIGH]

Moodle XSS
NVD
CVE-2025-67849
EPSS 0% CVSS 7.3
HIGH PATCH This Week

A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. [CVSS 7.3 HIGH]

Moodle XSS AI / ML
NVD
CVE-2025-59902
EPSS 0%
This Week

HTML injection vulnerability in NICE Chat. This vulnerability allows an attacker to inject and render arbitrary HTML content in email transcripts by modifying the 'firstName' and 'lastName' parameters during a chat session.

XSS
NVD
CVE-2025-41065
EPSS 0%
This Week

Stored Cross-Site Scripting (XSS) vulnerability type in LUNA software v7.5.5.6. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by inyecting a malicious payload through the 'Edit Batch Name' function.

XSS
NVD
CVE-2025-8461
EPSS 0% CVSS 7.6
HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Seres Software syWEB allows Reflected XSS.This issue affects syWEB: through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. [CVSS 7.6 HIGH]

XSS
NVD
CVE-2025-8456
EPSS 0% CVSS 7.6
HIGH This Week

Kod8 Software Technologies Trade Ltd. Co. Kod8 Individual and SME Website is affected by cross-site scripting (xss) (CVSS 7.6).

XSS
NVD
CVE-2026-1592
EPSS 0% CVSS 6.3
MEDIUM This Month

Stored cross-site scripting in Foxit PDF Editor Cloud's Create New Layer feature allows authenticated attackers to execute arbitrary JavaScript by injecting malicious code that persists when layers are accessed by other users. The vulnerability affects pdfonline.foxit.com versions prior to 2026-02-03 and requires user interaction to trigger. No patch is currently available.

XSS Pdf Editor Cloud
NVD
CVE-2026-1591
EPSS 0% CVSS 6.3
MEDIUM This Month

Foxit PDF Editor Cloud contains a stored XSS vulnerability in its file upload functionality where malicious usernames are not properly sanitized before being displayed in the upload file list, enabling authenticated attackers to execute arbitrary JavaScript in other users' browsers. The vulnerability affects pdfonline.foxit.com versions prior to 2026-02-03 and currently has no available patch. An attacker with valid credentials could craft a malicious username to compromise account security or steal sensitive document data from other users viewing the file list.

XSS Pdf Editor Cloud
NVD
CVE-2025-8589
EPSS 0% CVSS 7.6
HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Reflected XSS. This issue affects SKSPro: through 07012026. [CVSS 7.6 HIGH]

XSS
NVD
CVE-2026-1447
EPSS 0% CVSS 5.4
MEDIUM This Month

Unauthenticated attackers can forge requests to create or modify contact notes in WordPress Mail Mint plugin versions up to 1.19.2 by exploiting missing CSRF protections, requiring only that a site administrator clicks a malicious link. The lack of input validation on these operations enables stored XSS attacks that could compromise administrator accounts and site integrity. No patch is currently available.

WordPress XSS CSRF
NVD
CVE-2026-1210
EPSS 0% CVSS 6.4
MEDIUM This Month

Authenticated contributors and above can inject malicious scripts into WordPress pages through the Happy Addons for Elementor plugin (versions up to 3.20.7) via improper sanitization of the '_elementor_data' meta field, resulting in stored XSS that executes for all users viewing affected pages. An attacker with contributor-level permissions can leverage this to steal credentials, perform actions on behalf of administrators, or deface website content. No patch is currently available.

WordPress XSS
NVD
CVE-2026-1065
EPSS 0% CVSS 7.2
HIGH This Week

Unauthenticated attackers can upload malicious SVG files through the Form Maker by 10Web WordPress plugin (versions up to 1.15.35) due to insufficient file type validation, enabling stored cross-site scripting attacks against administrators and site visitors. The plugin's default allowlist includes SVG files and relies on weak substring-based extension checking, allowing JavaScript execution when the uploaded files are viewed. No patch is currently available.

WordPress XSS
NVD
CVE-2026-1058
EPSS 0% CVSS 7.1
HIGH This Week

Stored XSS in WordPress Form Maker plugin (versions up to 1.15.35) allows unauthenticated attackers to inject malicious scripts through hidden form field values that execute when administrators view the submissions list. The vulnerability stems from improper output escaping after HTML entity decoding of user-supplied input. Website administrators using this plugin are at risk of account compromise and unauthorized actions performed within their WordPress dashboard.

WordPress XSS
NVD
CVE-2026-0617
EPSS 0% CVSS 7.2
HIGH This Week

Stored XSS in LatePoint WordPress plugin versions up to 5.2.5 allows unauthenticated attackers to inject malicious scripts into customer profile fields that execute when administrators review activity history. The vulnerability stems from inadequate input sanitization and output escaping, potentially enabling credential theft or administrative account compromise. No patch is currently available.

WordPress XSS
NVD
CVE-2025-14274
EPSS 0% CVSS 5.4
MEDIUM This Month

Unlimited Elements for Elementor (WordPress plugin) versions up to 2.0.1 are affected by cross-site scripting (xss) (CVSS 5.4).

WordPress XSS PHP
NVD
CVE-2025-67483
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Page.Preview.Js.

XSS
NVD
CVE-2025-67481
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js.

XSS
NVD
CVE-2025-67477
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js.

XSS
NVD
CVE-2025-67475
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php.

PHP XSS
NVD
CVE-2025-61657
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/stickyHeader.Js.

XSS
NVD
CVE-2025-61656
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files src/ce/ve.Ce.ClipboardHandler.Js.

XSS
NVD
CVE-2025-61655
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor.

PHP XSS
NVD
CVE-2025-61651
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser/checkuser/checkUserHelper/buildUserElement.Js.

XSS
NVD
CVE-2025-61650
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php.

PHP XSS
NVD
CVE-2025-61648
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser.

XSS
NVD
CVE-2025-61645
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. [CVSS 6.1 MEDIUM]

Mediawiki PHP XSS +1
NVD
CVE-2025-11261
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Language/mediawiki.Language.Js.

XSS
NVD VulDB
CVE-2025-61644
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/WatchlistTopSectionWidget.Js.

Mediawiki XSS
NVD
CVE-2025-61642
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php.

PHP XSS
NVD VulDB
CVE-2025-61640
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/RclToOrFromWidget.Js.

Mediawiki XSS
NVD VulDB
CVE-2025-61638
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php.

Mediawiki PHP XSS
NVD VulDB
CVE-2025-61637
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Action/mediawiki.Action.Edit.Preview.Js, resources/src/mediawiki.Page.Preview.Js.

Mediawiki XSS
NVD VulDB
CVE-2025-61636
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLButtonField.Php.

Mediawiki PHP XSS
NVD VulDB
CVE-2026-25144
EPSS 0% CVSS 5.3
MEDIUM This Month

Talishar is a fan-made Flesh and Blood project. A Stored XSS exists in the chat in-game system. [CVSS 5.3 MEDIUM]

PHP XSS
NVD GitHub
CVE-2026-24737
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

PDF generation in jsPDF prior to version 4.1.0 allows injection of arbitrary PDF objects through unsanitized input passed to AcroForm module methods, enabling attackers to embed malicious JavaScript actions executed when victims open the generated documents. Public exploit code exists for this vulnerability affecting applications using vulnerable versions of the library. Upgrade to jsPDF 4.1.0 or later to remediate the issue.

XSS Jspdf Redhat
NVD GitHub
CVE-2026-23997
EPSS 0% CVSS 8.0
HIGH POC This Week

FacturaScripts versions 2025.71 and earlier contain a stored XSS vulnerability in the Observations field that executes arbitrary JavaScript when administrators view historical data. An authenticated attacker can inject malicious scripts that persist in the database and compromise admin sessions, with public exploit code already available. The vulnerability remains unpatched and requires administrator interaction to trigger.

XSS Facturascripts
NVD GitHub
CVE-2026-23476
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Reflected cross-site scripting in FacturaScripts prior to version 2025.8 allows authenticated attackers to inject malicious scripts through crafted input that triggers database errors, which are then rendered without HTML sanitization due to unsafe Twig template filters. Public exploit code exists for this vulnerability. The issue affects error message handling and requires user interaction to exploit, with impacts limited to session hijacking or credential theft within the affected user's browser context.

XSS Facturascripts
NVD GitHub
CVE-2025-70960
EPSS 0% CVSS 5.4
MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in the Forums module of Tendenci CMS v15.3.7 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. [CVSS 5.4 MEDIUM]

XSS Tendenci
NVD GitHub
CVE-2025-70959
EPSS 0% CVSS 5.4
MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in the Jobs module of Tendenci CMS v15.3.7 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. [CVSS 5.4 MEDIUM]

XSS Tendenci
NVD GitHub
CVE-2025-70958
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Multiple reflected cross-site scripting (XSS) vulnerabilities in the installation module of Subrion CMS v4.2.1 allow attackers to execute arbitrary JavaScript in the context of the user's browser via injecting a crafted payload into the dbuser, dbpwd, and dbname parameters. [CVSS 6.1 MEDIUM]

XSS Subrion Cms
NVD GitHub
CVE-2025-6596
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/portlets.Js, resources/skins.Vector.Legacy.Js/portlets.Js.

XSS
NVD
CVE-2025-6595
EPSS 0% CVSS 4.7
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MultimediaViewer. This issue affects MultimediaViewer: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0. [CVSS 4.7 MEDIUM]

XSS
NVD
CVE-2025-6594
EPSS 0% CVSS 4.7
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandbox.Js. [CVSS 4.7 MEDIUM]

Mediawiki XSS Redhat
NVD
CVE-2025-36436
EPSS 0% CVSS 6.4
MEDIUM This Month

Cloud Pak For Business Automation versions up to 24.0.0 are affected by cross-site scripting (xss) (CVSS 6.4).

IBM XSS Cloud Pak For Business Automation
NVD
CVE-2026-22881
EPSS 0% CVSS 5.4
MEDIUM This Month

Cybozu Garoon 5.15.0 through 6.0.3 contains a cross-site scripting vulnerability in the Message function that allows authenticated attackers to reset arbitrary user passwords through malicious scripts. The vulnerability requires user interaction and affects the confidentiality and integrity of user accounts. No patch is currently available.

XSS Garoon
NVD
CVE-2026-20711
EPSS 0% CVSS 6.1
MEDIUM This Month

Cybozu Garoon versions 5.0.0 through 6.0.3 contain a cross-site scripting vulnerability in the email function that enables attackers to reset arbitrary user passwords by crafting malicious email content. The attack requires user interaction to trigger and can affect confidentiality and integrity across security boundaries. No patch is currently available for this vulnerability.

XSS Garoon
NVD
CVE-2025-15396
EPSS 0% CVSS 7.1
HIGH This Week

The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD WPScan
CVE-2026-25200
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated file upload leading to stored XSS and potential RCE in Samsung MagicInfo9 Server. HTML files uploaded without authentication.

File Upload XSS Magicinfo 9 Server
NVD
CVE-2026-1744
EPSS 0% CVSS 2.4
LOW POC Monitor

Dsl-6641K Firmware versions up to n8.tr069.20131126 are affected by cross-site scripting (xss) (CVSS 2.4).

D-Link XSS
NVD VulDB
CVE-2023-54343
EPSS 0% CVSS 6.4
MEDIUM This Month

QWE DL 2.0.1 mobile web application contains a persistent input validation vulnerability allowing remote attackers to inject malicious script code through path parameter manipulation. [CVSS 6.4 MEDIUM]

XSS
NVD
CVE-2022-50952
EPSS 0% CVSS 6.4
MEDIUM This Month

TextBox Name Profile input. Attackers can inject malicious script code through a POST request is affected by cross-site scripting (xss) (CVSS 6.4).

XSS
NVD
CVE-2022-50951
EPSS 0% CVSS 6.4
MEDIUM This Month

WiFi File Transfer 1.0.8 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through file and folder names. [CVSS 6.4 MEDIUM]

XSS
NVD
CVE-2022-50942
EPSS 0% CVSS 5.4
MEDIUM This Month

Icinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. [CVSS 5.4 MEDIUM]

XSS
NVD GitHub
CVE-2022-50941
EPSS 0% CVSS 6.4
MEDIUM This Month

BootCommerce 3.2.1 contains persistent input validation vulnerabilities that allow remote attackers to inject malicious script code through guest order checkout input fields. [CVSS 6.4 MEDIUM]

RCE XSS
NVD
CVE-2022-50940
EPSS 0% CVSS 6.4
MEDIUM This Month

Knap Advanced PHP Login 3.1.3 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script code in the name parameter. [CVSS 6.4 MEDIUM]

PHP XSS
NVD
CVE-2022-50797
EPSS 0% CVSS 6.4
MEDIUM This Month

Stripe Green Downloads Wordpress Plugin 2.03 contains a persistent cross-site scripting vulnerability allowing remote attackers to inject malicious scripts in button label fields. [CVSS 6.4 MEDIUM]

WordPress XSS
NVD
CVE-2021-47920
EPSS 0% CVSS 5.4
MEDIUM This Month

WebMO Job Manager 20.0 contains a cross-site scripting vulnerability in search parameters that allows remote attackers to inject malicious script code. [CVSS 5.4 MEDIUM]

XSS
NVD
CVE-2021-47919
EPSS 0% CVSS 6.4
MEDIUM POC This Month

Simple CMS 2.1 contains a non-persistent cross-site scripting vulnerability in the preview.php file's id parameter. Attackers can inject malicious script code through a GET request to execute arbitrary scripts and potentially hijack user sessions or perform phishing attacks. [CVSS 6.4 MEDIUM]

PHP XSS Simple Cms Php
NVD
CVE-2021-47917
EPSS 0% CVSS 6.4
MEDIUM POC This Month

Simple CMS 2.1 contains a persistent cross-site scripting vulnerability in user input parameters that allows remote attackers to inject malicious script code. [CVSS 6.4 MEDIUM]

XSS Simple Cms Php
NVD
CVE-2021-47914
EPSS 0% CVSS 6.4
MEDIUM POC This Month

PHP Melody version 3.0 contains a persistent cross-site scripting vulnerability in the edit-video.php submitted parameter that allows remote attackers to inject malicious script code. [CVSS 6.4 MEDIUM]

PHP XSS Php Melody
NVD
CVE-2021-47913
EPSS 0% CVSS 6.4
MEDIUM POC This Month

PHP Melody 3.0 contains a persistent cross-site scripting vulnerability in the video editor that allows privileged users to inject malicious scripts. Attackers can exploit the WYSIWYG editor to execute persistent scripts, potentially leading to session hijacking and application manipulation. [CVSS 6.4 MEDIUM]

XSS Php Melody
NVD
CVE-2021-47912
EPSS 0% CVSS 6.4
MEDIUM POC This Month

PHP Melody version 3.0 contains multiple non-persistent cross-site scripting vulnerabilities in categories, import, and user import files. Attackers can inject malicious scripts through unvalidated parameters to execute client-side attacks and potentially hijack user sessions. [CVSS 6.4 MEDIUM]

XSS Php Melody
NVD
CVE-2021-47911
EPSS 0% CVSS 5.4
MEDIUM This Month

Affiliate Pro 1.7 contains multiple reflected cross-site scripting vulnerabilities in the index module's input fields. Attackers can inject malicious scripts through fullname, username, and email parameters to execute client-side attacks and manipulate browser requests. [CVSS 5.4 MEDIUM]

XSS
NVD
CVE-2021-47908
EPSS 0% CVSS 6.4
MEDIUM This Month

Ultimate POS 4.4 contains a persistent cross-site scripting vulnerability in the product name parameter that allows remote attackers to inject malicious scripts. [CVSS 6.4 MEDIUM]

XSS
NVD
CVE-2021-47885
EPSS 0% CVSS 6.4
MEDIUM This Month

Multiple payment terminal versions contain non-persistent cross-site scripting vulnerabilities in billing and payment information input fields. [CVSS 6.4 MEDIUM]

XSS
NVD
CVE-2021-47856
EPSS 0% CVSS 6.4
MEDIUM This Month

Easy Cart Shopping Cart 2021 contains a non-persistent cross-site scripting vulnerability in the search module's keyword parameter. Remote attackers can inject malicious script code through the search input to compromise user sessions and manipulate application content. [CVSS 6.4 MEDIUM]

XSS
NVD
CVE-2025-14554
EPSS 0% CVSS 7.2
HIGH This Week

Sell BTC - Cryptocurrency Selling Calculator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress XSS PHP
NVD
CVE-2026-25156
EPSS 0% CVSS 7.3
HIGH PATCH This Week

HotCRP conference review software versions from October 2025 through January 2026 improperly render uploaded documents inline in the browser instead of forcing download, allowing malicious HTML or SVG files to execute JavaScript with access to user credentials and HotCRP API permissions. Attackers can exploit this stored XSS vulnerability by uploading crafted documents to submission fields, which then compromise any user who clicks the document link. A patch is available to restrict inline rendering to safe document types.

XSS Hotcrp
NVD GitHub
CVE-2020-37044
EPSS 0% CVSS 5.4
MEDIUM POC This Month

OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. [CVSS 5.4 MEDIUM]

Linux Windows XSS +1
NVD GitHub Exploit-DB
CVE-2026-25154
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Cross-site scripting (XSS) in LocalSend up to version 1.17.0 allows unauthenticated attackers to inject malicious scripts through the "Share via Link" web interface, which fails to properly sanitize file names in the file list display. An attacker can craft a malicious file name that executes arbitrary JavaScript in the context of a victim's browser when they access the shared link, potentially leading to session hijacking or credential theft. Public exploit code exists for this vulnerability, though a patch is available in commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c.

XSS Localsend
NVD GitHub
CVE-2026-1705
EPSS 0% CVSS 2.4
LOW Monitor

A vulnerability was detected in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function ad_virtual_server_vdsl of the component Web Interface. [CVSS 2.4 LOW]

D-Link XSS
NVD VulDB
CVE-2026-1700
EPSS 0% CVSS 3.5
LOW POC Monitor

House Rental And Property Listing Project versions up to 1.0 are affected by cross-site scripting (xss) (CVSS 3.5).

PHP XSS
NVD GitHub VulDB
CVE-2020-37022
EPSS 0% CVSS 6.4
MEDIUM POC This Month

OpenZ ERP 3.6.60 contains a persistent cross-site scripting vulnerability in the Employee module's name and description parameters. Attackers can inject malicious scripts through POST requests to , enabling session hijacking and manipulation of application modules. [CVSS 6.4 MEDIUM]

XSS
NVD Exploit-DB
CVE-2020-37019
EPSS 0% CVSS 6.4
MEDIUM POC This Month

Orchard Core RC1 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts through blog post creation. [CVSS 6.4 MEDIUM]

XSS
NVD GitHub Exploit-DB
CVE-2020-37014
EPSS 0% CVSS 6.4
MEDIUM POC This Month

Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. [CVSS 6.4 MEDIUM]

XSS
NVD Exploit-DB
CVE-2020-37003
EPSS 0% CVSS 6.4
MEDIUM POC This Month

Sellacious eCommerce 4.6 contains a persistent cross-site scripting vulnerability in the Manage Your Addresses module that allows attackers to inject malicious scripts. [CVSS 6.4 MEDIUM]

XSS
NVD Exploit-DB
CVE-2020-36998
EPSS 0% CVSS 6.4
MEDIUM POC This Month

Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. [CVSS 6.4 MEDIUM]

XSS
NVD Exploit-DB
CVE-2020-36996
EPSS 0% CVSS 6.4
MEDIUM POC This Month

PHPFusion 9.03.50 contains a persistent cross-site scripting vulnerability in the print.php page that fails to properly sanitize user-submitted message content. [CVSS 6.4 MEDIUM]

PHP XSS
NVD Exploit-DB
CVE-2020-36966
EPSS 0% CVSS 6.4
MEDIUM POC This Month

Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. [CVSS 6.4 MEDIUM]

PHP Ldap XSS
NVD Exploit-DB
CVE-2026-24855
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

ChurchCRM versions before 6.7.2 contain a stored XSS vulnerability in the event creation feature that allows low-privileged users to inject malicious scripts into event descriptions. These payloads persist in the database and execute when administrators or other users view the affected events, potentially enabling account takeover. Public exploit code exists for this vulnerability, though a patch is available in version 6.7.2.

XSS Churchcrm
NVD GitHub
CVE-2025-9226
EPSS 0% CVSS 4.6
MEDIUM This Month

Zohocorp ManageEngine OpManager, NetFlow Analyzer, and OpUtils versions prior to 128582 are affected by a stored cross-site scripting vulnerability in the Subnet Details. [CVSS 4.6 MEDIUM]

XSS
NVD
CVE-2025-15549
EPSS 0% CVSS 4.8
MEDIUM POC This Month

FluentCMS 2026 contains a stored cross-site scripting vulnerability that allows authenticated administrators to upload SVG files with embedded JavaScript via the File Management module. [CVSS 4.8 MEDIUM]

XSS Fluentcms
NVD GitHub
CVE-2025-69749
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Cross Site Scripting vulnerability in tale v.2.0.5 allows an attacker to execute arbitrary code. [CVSS 6.1 MEDIUM]

XSS Tale
NVD GitHub
CVE-2026-1598
EPSS 0% CVSS 3.5
LOW POC Monitor

A vulnerability was found in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. Impacted is an unknown function of the file /dashboard/home/profile of the component User Information Module. [CVSS 3.5 LOW]

XSS
NVD GitHub VulDB
CVE-2025-45160
EPSS 0% CVSS 5.4
MEDIUM This Month

A HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. [CVSS 5.4 MEDIUM]

File Upload XSS Suse
NVD GitHub
CVE-2025-7713
EPSS 0% CVSS 7.5
HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows XSS Through HTTP Headers. This issue affects Content Management System (CMS): through 21072025. [CVSS 7.5 HIGH]

XSS Content Management System
NVD
CVE-2020-37018
EPSS 0% CVSS 6.4
MEDIUM POC This Month

GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through message subjects. [CVSS 6.4 MEDIUM]

XSS
NVD Exploit-DB
CVE-2026-1469
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in RLE NOVA PlanManager allows authenticated users to inject malicious scripts via the comment and brand parameters, which are executed in other users' browsers without sanitization. An attacker can leverage this to hijack sessions, steal credentials, or perform unauthorized actions on behalf of victims. Exploitation requires user interaction and network access, with no patch currently available.

PHP XSS Planmanager
NVD