XSS
Monthly
Stored Cross-Site Scripting (XSS) in WP Shortcodes Plugin - Shortcodes Ultimate through version 7.4.9 allows authenticated contributors and above to inject arbitrary JavaScript into WordPress pages via the 'su_box' shortcode due to insufficient input sanitization and output escaping. The injected scripts execute in the context of all users who access the affected pages, potentially compromising site visitors' sessions and data. No public exploit code has been identified at the time of analysis, though the vulnerability is straightforward to reproduce and weaponize.
Stored cross-site scripting (XSS) in wger fitness application allows authenticated users to inject malicious JavaScript via unescaped license attribution fields in ingredient and image models, which executes when any visitor views the affected page. The vulnerability persists in the database and can be exploited to steal session cookies, perform unauthorized actions as other users, or conduct phishing attacks. Affected versions allow low-privilege authenticated users (any non-temporary account) to create ingredients with JavaScript payloads in the `license_author` field, which bypasses all input sanitization and is rendered with Django's `|safe` filter, disabling auto-escaping.
Stored Cross-Site Scripting in WP YouTube Lyte plugin for WordPress versions up to 1.7.29 allows authenticated contributors and above to inject arbitrary JavaScript via the 'lyte' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users viewing affected pages. No public exploit code or active exploitation has been confirmed at time of analysis; patch is available in version 1.7.30 and later.
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.
Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into HTML contexts including <title> tags, <meta> attributes, and JSON-LD structured data. An attacker can inject a payload such as "></title><script>alert(1)</script> to break out of the intended HTML context and execute arbitrary JavaScript in the browser of any authenticated user who views the affected page. This can be leveraged to perform authenticated API requests, access sensitive data such as usernames, email addresses, and roles via internal APIs, and exfiltrate it to an attacker-controlled server. This issue has been fixed in version 4.29.0.
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the launder.string() call performs only type coercion without stripping HTML metacharacters. These unsanitized values are then concatenated directly into <style> tags both in per-widget style elements rendered for all visitors and in the global stylesheet rendered for editors, with the output marked as safe HTML. An editor can inject a value which closes the style tag and executes arbitrary JavaScript in the browser of every visitor to any page containing the affected widget. This enables mass session hijacking, cookie theft, and privilege escalation to administrative control if an admin views draft content. This issue has been fixed in version 4.29.0.
Cross-site scripting (XSS) in ApostropheCMS 4.28.0 and sanitize-html 2.17.1 allows remote attackers to bypass HTML tag filtering and inject arbitrary tags through entity-encoded payloads in textarea and option elements. A regression in the sanitize-html parser incorrectly assumes htmlparser2 does not decode entities within non-text elements, causing encoded HTML to be decoded and written directly to output without sanitization. Exploitation requires non-default configurations where textarea or option tags are in the allowedTags list, commonly found in form builders, and user interaction to submit form content. No active exploitation has been identified at time of analysis, but the vulnerability is trivial to exploit once configuration conditions are met.
### Summary The client-side `escapeForHtml()` function in `KimaiEscape.js`, introduced in commit `89bfa82c` (#2959) to fix a JavaScript XSS vulnerability, only escapes `<`, `>`, and `&` but does not escape `"` (double quote) or `'` (single quote). When user-controlled data (profile alias) is placed in an HTML attribute context (`title="__DISPLAY__"`) via the team member form prototype and rendered through `innerHTML`, the missing quote escaping allows HTML attribute injection, resulting in Stored XSS. ### Details Incomplete security patch. The `escapeForHtml()` function was meant to prevent XSS but missed quote characters, which are critical for HTML attribute context escaping. **Vulnerable code** - `assets/js/plugins/KimaiEscape.js:29-33`: ```javascript const tagsToReplace = { '&': '&', '<': '<', '>': '>', // MISSING: '"': '"' // MISSING: "'": ''' }; ``` **Affected code files**: - `assets/js/plugins/KimaiEscape.js:24-38` - incomplete escape function - `assets/js/forms/KimaiTeamForm.js:77,86` - replacement + innerHTML - `templates/macros/widgets.html.twig:126` - `title="{{ tooltip }}"` in avatar macro - `templates/form/blocks.html.twig:104` - `{{ widgets.avatar('__INITIALS__', '__COLOR__', '__DISPLAY__') }}` ### PoC [poc.zip](https://github.com/user-attachments/files/26537515/poc.zip) Please extract the uploaded compressed file before proceeding 1. ./setup.sh 2. ./poc_xss.sh <img width="751" height="155" alt="스크린샷 2026-04-07 오후 9 06 27" src="https://github.com/user-attachments/assets/c09a23fb-f60b-49dd-9018-8c723e35b4c4" /> ### Impact - Stored XSS: payload persists in the database (user alias field) - Privilege escalation: ROLE_USER injects XSS that executes in ROLE_ADMIN/ROLE_SUPER_ADMIN browser session
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
A vulnerability in the Desktop Agent functionality of Cisco Webex Contact Center could have allowed an unauthenticated, remote attacker to conduct cross-site scripting attacks. Cisco has addressed this vulnerability in the Cisco Webex Contact Center service, and no customer action is needed. This vulnerability existed because HTML and script content was not properly handled. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by persuading a user to follow a malicious link. A successful exploit could have allowed the attacker to steal sensitive information from the browser, including authentication and session information.
Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with administrative write privileges to conduct a stored cross-site scripting (XSS) attack or a reflected XSS attack against a user of the web-based management interface of an affected device. These vulnerabilities are due to insufficient sanitization of user-supplied data that is stored in the web page. An attacker could exploit these vulnerabilities by convincing a user of the interface to click a specific link or view an affected web page. The injected script code may be executed in the context of the web-based management interface or allow the attacker to access sensitive browser-based information.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HashThemes Mini Ajax Cart for WooCommerce allows Stored XSS.This issue affects Mini Ajax Cart for WooCommerce: from n/a through 1.3.4.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emarket-design YouTube Showcase allows Stored XSS.This issue affects YouTube Showcase: from n/a through 3.5.1.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zahlan Categories Images categories-images allows DOM-Based XSS.This issue affects Categories Images: from n/a through <= 3.3.1.
Stored XSS in Accessibly WordPress plugin (≤3.0.3) allows unauthenticated attackers to inject malicious JavaScript executed by all site visitors via unprotected REST API endpoints. Two endpoints (/otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config) lack authentication checks (permission_callback set to __return_true), enabling attackers to modify the widgetSrc option with a URL pointing to attacker-controlled scripts. The malicious URL is stored unsanitized in WordPress options and
Stored cross-site scripting in Power Charts Lite WordPress plugin versions up to 0.1.0 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'id' parameter of the [pc] shortcode. The vulnerability exists because the plugin extracts user-supplied shortcode attributes, directly concatenates them into HTML class attributes without sanitization, and then decodes HTML entities, creating a persistent XSS payload that executes for all users viewing the affected page. No active exploitation has been confirmed, but the attack requires only standard WordPress contributor permissions and no additional complexity.
Stored cross-site scripting in WM JqMath WordPress plugin up to version 1.3 allows authenticated contributors and above to inject arbitrary JavaScript via the 'style' shortcode attribute, which executes in the browsers of all users viewing affected pages. The vulnerability stems from direct concatenation of unsanitized user input into HTML without proper escaping (missing esc_attr() calls). CVSS 6.4 reflects moderate risk with scope change; no public exploit code or active KEV status identified at time of analysis.
Stored cross-site scripting in Coachific Shortcode plugin for WordPress versions up to 1.0 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into pages via the 'userhash' shortcode attribute. The plugin sanitizes input with sanitize_text_field() but fails to apply JavaScript-specific escaping before interpolating the value into a script tag, enabling persistent XSS attacks visible to all page visitors. EPSS score of 6.4 reflects moderate real-world risk constrained by the requirement for authenticated contributor access and user interaction.
Stored Cross-Site Scripting in WP Circliful plugin for WordPress up to version 1.2 allows authenticated attackers with Contributor-level access to inject arbitrary HTML and JavaScript via insufficiently sanitized shortcode attributes in [circliful] and [circliful_direct] shortcodes. The vulnerability exists in the circliful_shortcode() and circliful_direct_shortcode() functions, which concatenate user input directly into HTML attributes without escaping. When a user visits a page containing the injected shortcode, the malicious script executes in their browser. No public exploit code or active exploitation in the wild has been confirmed at time of analysis.
Stored Cross-Site Scripting (XSS) in Nozomi Networks Guardian and CMC allows authenticated attackers with custom field privileges to inject malicious JavaScript payloads through the Assets and Nodes custom field functionality. When victims view affected pages, the XSS executes with high integrity and availability impact due to changed scope (CVSS S:C), enabling unauthorized actions including data modification and service disruption. No public exploit identified at time of analysis, though the attack complexity is low (AC:L) once custom field access is obtained.
Stored Cross-Site Scripting in Quick Interest Slider plugin for WordPress (versions ≤3.1.5) allows unauthenticated remote attackers to inject malicious scripts via unsanitized 'loan-amount' and 'loan-period' parameters. Injected scripts execute in victim browsers when accessing compromised pages, enabling session hijacking, credential theft, or malicious redirects. CVSS 7.2 with network-accessible, low-complexity attack vector (AV:N/AC:L/PR:N) and scope change (S:C) indicates significant cross-tenant impact. No public exploit identified at time of analysis, though exploitation requires minimal technical sophistication due to unauthenticated attack surface.
Stored Cross-Site Scripting in VI: Include Post By WordPress plugin up to version 0.4.200706 allows authenticated contributors and above to inject arbitrary JavaScript via the 'class_container' shortcode attribute, which executes in the browsers of any user viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied shortcode parameters. No public exploit code or active exploitation has been reported; however, the low attack complexity and broad scope of impact (affecting all site visitors) make this a moderate-priority issue for WordPress installations using this plugin.
Cross-site request forgery leading to stored cross-site scripting in Inquiry Form to Posts or Pages plugin version 1.0 for WordPress allows unauthenticated attackers to inject arbitrary scripts into administrator settings. The vulnerability stems from missing nonce validation on the settings update handler combined with insufficient input sanitization and output escaping, enabling an attacker to craft a malicious request that, when visited by a logged-in administrator, stores persistent XSS payloads. With a CVSS score of 4.3 and no evidence of public exploitation, this represents a moderate-severity threat requiring administrator interaction.
Cross-site scripting (XSS) in goldmark HTML renderer before version 1.7.17 allows unauthenticated remote attackers to execute arbitrary JavaScript by encoding dangerous URL schemes (such as javascript:) using HTML5 named character references, bypassing the renderer's prefix-based protocol validation due to improper ordering of entity resolution. Applications using affected versions can be exploited via crafted markdown containing malicious links that render unsafe protocols in user contexts, with a CVSS score of 6.1 indicating moderate real-world impact driven by the requirement for user interaction (UI:R) and change of scope across trust boundaries.
Stored cross-site scripting in GROWI v7.4.6 and earlier allows authenticated users to inject malicious scripts that execute in other users' browsers, compromising confidentiality and integrity of user sessions. The vulnerability requires user interaction (clicking a link or viewing affected content) and authenticated access, resulting in a CVSS score of 5.4 (medium severity). No public exploit code or active KEV confirmation is indicated in available data.
The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Stored Cross-Site Scripting in Token of Trust WordPress plugin versions ≤3.32.3 allows unauthenticated remote attackers to inject malicious scripts via the unsanitized 'description' parameter, achieving persistent code execution in victim browsers with changed security context (CVSS scope changed). CVSS 7.2 with network attack vector and no authentication required. No public exploit identified at time of analysis, but EPSS data not provided to assess exploitation probability.
Open redirect vulnerability in Immich prior to version 2.7.3 allows authenticated attackers to craft malicious shared album names that inject unsanitized HTML into Open Graph meta tags, redirecting victims' browsers to attacker-controlled sites when they open the share link. This enables phishing attacks where victims can be directed to credential-harvesting sites that impersonate the Immich login interface, exploiting user trust in the shared album feature.
Reflected cross-site scripting (XSS) in XWiki's compare view allows unauthenticated attackers to execute arbitrary JavaScript in a user's browser by injecting malicious code through unescaped URL parameters in the page revision comparison feature. When the victim is an administrator, successful exploitation compromises the confidentiality, integrity, and availability of the entire XWiki instance. Vendor-released patch is available; no public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting (XSS) in Docmost prior to version 0.71.0 allows authenticated users to inject malicious `javascript:` URLs into attachment nodes, executing arbitrary JavaScript in the browser context of other users who activate those attachments. Attack requires low privileges and user interaction (clicking the attachment), affecting all users viewing compromised pages. The vulnerability has been patched in version 0.71.0.
Stored cross-site scripting (XSS) in Docmost prior to version 0.70.0 allows authenticated attackers to inject malicious scripts through MIME type spoofing, potentially compromising user sessions and data integrity. The vulnerability requires user interaction (clicking a link or viewing injected content) and affects only the confidentiality and integrity of affected users' data, not availability. Vendor-released patch: version 0.70.0.
Stored cross-site scripting (XSS) in Chamilo LMS versions prior to 2.0.0-RC.3 allows authenticated users to upload malicious HTML files containing JavaScript via the social post attachment API endpoint. The uploaded files are served without sanitization, content-type restrictions, or proper content-disposition headers, causing embedded JavaScript to execute in the browser within the application's trusted origin. This enables session hijacking, account takeover, and privilege escalation attacks, particularly when an administrator views a malicious link. The vulnerability is confirmed fixed in version 2.0.0-RC.3.
Stored XSS in October CMS versions before 3.7.14 and 4.1.10 allows authenticated users with media upload permissions to bypass SVG sanitization regex patterns and inject malicious JavaScript through crafted SVG files. When a superuser or other high-privileged user views or embeds the malicious SVG, the payload executes in their browser context, enabling privilege escalation. The vulnerability requires both authenticated backend access and user interaction (viewing/embedding the SVG), resulting in a CVSS 4.8 (Medium) rating; no public exploit code has been identified at time of analysis.
DOM-based cross-site scripting in Adobe Experience Manager 6.5.24 and earlier allows authenticated attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious webpage that manipulates the DOM environment. The vulnerability requires user interaction and results in limited confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed at time of analysis.
DOM-based Cross-Site Scripting in Adobe Experience Manager 6.5.24 and FP11.7 and earlier allows authenticated attackers to execute arbitrary JavaScript in victims' browsers by crafting malicious web pages that manipulate the DOM environment, requiring user interaction to trigger the attack. CVSS 5.4 reflects moderate severity with network-accessible attack surface but limited scope impact. No public exploit code or active exploitation has been confirmed at time of analysis.
DOM-based cross-site scripting in Adobe Experience Manager 6.5.24 and FP11.7 earlier allows authenticated users to execute arbitrary JavaScript in victims' browsers by crafting malicious webpages that manipulate the DOM environment. The vulnerability requires user interaction (victim must visit a crafted page) and affects the confidentiality and integrity of user sessions within the AEM application context. CVSS 5.4 reflects the moderate severity; no public exploit code or active exploitation has been confirmed at time of analysis.
Reflected Cross-Site Scripting (XSS) Vulnerability in Radware Alteon 34.5.4.0 vADC load-balancer allows an attacker to inject malicious scripts into the website, potentially leading to unauthorized actions, data theft, or other malicious activities.
Stored Cross-Site Scripting in Adobe Experience Manager versions FP11.7 and earlier allows authenticated attackers to inject malicious JavaScript into form fields, which executes in victims' browsers with limited impact (confidentiality and integrity). The vulnerability requires user interaction (victim must view the affected page) and authenticated access, resulting in a CVSS 5.4 (medium) score. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting (XSS) in October CMS versions prior to 3.7.14 and 4.1.10 allows authenticated users with Event Log viewing permissions to execute arbitrary JavaScript in other users' browsers via malicious HTML content in the mail preview iframe. The vulnerability stems from improper iframe sandboxing when rendering logged email messages, affecting confidentiality and integrity with a CVSS score of 5.1. No public exploit code has been identified at the time of analysis.
Cross-site scripting (XSS) in Adobe Connect versions 12.10 and earlier, including the 2025.3 release line, enables privilege escalation when low-privileged authenticated users trick victims into visiting malicious URLs. The changed scope (CVSS S:C) indicates the vulnerability can affect resources beyond the vulnerable application's security context. EPSS data not available; no evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis. Requires user interaction (UI:R) but has low attack complexity (AC:L) and network-based attack vector (AV:N), making social engineering campaigns feasible.
Reflected cross-site scripting (XSS) in Adobe Connect 2025.3, 12.10, and earlier allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a crafted URL, potentially compromising user session data and performing actions on behalf of the victim. The vulnerability affects multiple versions across a wide product scope and requires user interaction (clicking a malicious link) to trigger. No public exploit code or active exploitation has been confirmed at the time of analysis.
DOM-based XSS in Adobe Connect 12.10 and earlier (including 2025.3) enables malicious JavaScript execution in victim browsers when users visit attacker-crafted webpages. The changed scope in CVSS vector (S:C) indicates the vulnerability can affect resources beyond the vulnerable component's security authority, potentially allowing lateral access to other Connect features or sessions. Adobe has released a patch in APSB26-37. EPSS exploitation probability is low (0.10%, 27th percentile) with no confirmed active exploitation (not in CISA KEV), suggesting this is currently a theoretical risk rather than an imminent mass-exploitation threat.
Reflected Cross-Site Scripting in Adobe Connect versions 12.10 and earlier allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by distributing a malicious URL. The vulnerability requires user interaction (clicking a link) and can affect the confidentiality and integrity of user sessions across different origins due to changed scope. No public exploit code or active exploitation has been confirmed at this time.
Reflected XSS in Adobe Connect 12.10 and earlier enables attackers to execute malicious JavaScript in victim browsers through crafted URLs. The changed scope (S:C) indicates potential escape from Adobe Connect's application context to access other origins, elevating impact beyond typical reflected XSS. CVSS 9.3 reflects high confidentiality/integrity impact with scope change, though real-world exploitation requires social engineering (UI:R). EPSS score of 0.10% (27th percentile) and SSVC classification of non-automatable with no observed exploitation suggest this is lower priority than CVSS alone indicates, despite the high numerical score.
Reflected XSS in Adobe Connect versions 12.10 and earlier enables attackers to execute malicious JavaScript in victim browsers through crafted URLs. The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component, elevating the severity to 9.3 despite being 'just' XSS. Requires user interaction (clicking malicious link) but no authentication. EPSS score of 0.10% (27th percentile) suggests low probability of mass exploitation. CISA SSVC framework rates this as non-automatable with total technical impact but no observed exploitation, indicating priority for patch deployment in internet-facing Adobe Connect deployments but not emergency response level.
Stored Cross-Site Scripting (XSS) in October CMS versions prior to 3.7.14 and 4.1.10 allows authenticated backend users with editor settings permissions to inject malicious JavaScript into Markup Classes fields, which executes unsanitized in the Froala editor dropdown menus when any user-including superusers-opens a RichEditor. This enables privilege escalation when a superuser performs routine content editing tasks. CVSS 5.1 indicates moderate risk; exploitation requires authenticated backend access and user interaction (opening an editor), but the stored nature of the payload and privilege escalation potential elevate real-world concern. No public exploit code or active CISA KEV status reported.
Stored cross-site scripting (XSS) in Windows Admin Center before version 2.6.5.16 allows unauthenticated remote attackers to inject malicious scripts that execute in the browsers of other users, enabling account spoofing and data theft. The vulnerability requires user interaction (clicking a malicious link) but has network-wide scope, affecting all users of the Admin Center instance. Microsoft has released a patched version; exploitation is currently limited to scenarios where attackers can socially engineer clicks on crafted URLs.
Stored cross-site scripting (XSS) in Microsoft SharePoint Server allows authenticated users to inject malicious scripts that execute in the browsers of other authorized users viewing affected web pages, enabling account spoofing and credential theft within enterprise collaboration environments. The vulnerability affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition across all versions prior to specific patch releases. CVSS score of 4.6 reflects low severity due to authentication requirement and user interaction needed, but real-world risk is elevated in multi-user SharePoint deployments where XSS can be weaponized for privilege escalation or lateral movement.
Reflected cross-site scripting (XSS) in Fortinet FortiSandbox and FortiSandbox PaaS versions 5.0.0 through 5.0.4 allows unauthenticated remote attackers to inject malicious scripts via crafted HTTP requests. Exploitation requires user interaction (clicking a malicious link), resulting in session hijacking, credential theft, or malware distribution to administrators accessing the FortiSandbox web interface. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting (XSS) in Fortinet FortiSandbox and FortiSandbox PaaS versions 4.2 through 5.0.5 allows authenticated administrators with high privileges to inject malicious scripts into web pages, leading to unauthorized code execution when other users interact with compromised content. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity but not availability. With a CVSS score of 4.8 and high privilege requirement (PR:H), this represents a moderate risk primarily to multi-user deployments where administrative accounts may be compromised or untrusted.
Stored cross-site scripting (XSS) in Fortinet FortiSOAR allows authenticated remote attackers to inject malicious scripts via crafted HTTP requests, affecting both PaaS and on-premise deployments across versions 7.3 through 7.6.3. The vulnerability requires user interaction to trigger the payload and results in limited confidentiality and integrity impact, with a CVSS score of 4.6 reflecting the authentication requirement and user-interaction dependency. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stored XSS in Keycloak's organization selection login page allows authenticated administrators with manage-realm or manage-organizations privileges to inject malicious JavaScript via the organization.alias field, enabling arbitrary script execution in users' browsers when they access the login page. Exploitation requires high-privilege administrative access and user interaction (viewing the login page), with potential impact including session theft and unauthorized account actions. No public exploit code or active exploitation confirmed at time of analysis.
Leaflet through version 1.9.4 allows stored or reflected cross-site scripting (XSS) via the bindPopup() method, which renders user-supplied HTML without sanitization. Network-based attackers can inject malicious JavaScript through event handler attributes in popup content, executing arbitrary code in victims' browser sessions when they interact with affected map popups. No public exploit code or active exploitation has been confirmed at this time, though the vulnerability carries a CVSS 6.1 base score reflecting moderate risk with network-accessible attack surface and user interaction requirement.
Stored cross-site scripting (XSS) in Ivanti Neurons for ITSM (on-premise and cloud) before version 2025.4 allows authenticated remote attackers to inject malicious scripts that execute in other users' sessions, enabling limited information disclosure. User interaction is required to trigger the vulnerability. No public exploit code or active exploitation has been identified.
Stored XSS in Autodesk Fusion desktop application allows local attackers to execute arbitrary code or read local files through malicious component names displayed in delete confirmation dialogs. When a user clicks the crafted payload, the vulnerability escalates from XSS to potential local code execution within the application context. Vendor-released patches available for Windows and macOS. No public exploit identified at time of analysis, though the attack vector is local (CVSS:3.1/AV:L) requiring user interaction but no authentication (PR:N), with CVSS 7.1 reflecting high confidentiality and integrity impact.
Stored cross-site scripting (XSS) in Autodesk Fusion desktop application allows local attackers to execute arbitrary code or read local files by crafting malicious HTML payloads in design names that trigger when exported to CSV format. The vulnerability requires no authentication but depends on user interaction (opening the exported CSV). Vendor patch available via updated client installers for Windows and macOS. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code identified at time of analysis.
Stored cross-site scripting in Autodesk Fusion desktop application enables arbitrary code execution when malicious assembly variant names render in delete confirmation dialogs. Attackers can craft HTML payloads that execute in the application context, enabling local file access and code execution with user privileges (CVSS 7.1, local attack vector requiring user interaction). Vendor-released patch available via official Fusion client installers for Windows and macOS. No public exploit identified at time of analysis.
Stored Cross-Site Scripting in ShopLentor WordPress plugin (versions up to 3.3.5) via the woolentor_quickview_button shortcode's button_text attribute allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript that executes for all site visitors. The vulnerability stems from insufficient input sanitization and missing output escaping on user-supplied shortcode attributes. With a CVSS score of 6.4 and confirmed patch availability in version 3.3.6, this poses a moderate risk to WordPress installations using the plugin, particularly those with multiple contributor-level users.
Stored Cross-Site Scripting in WholeSale Products Dynamic Pricing Management WooCommerce plugin allows authenticated administrators to inject arbitrary web scripts via admin settings that execute for all users on affected pages. The vulnerability affects all versions up to and including 1.2 on multi-site WordPress installations or single-site installations with unfiltered_html disabled. While the CVSS score of 4.4 is moderate, exploitation requires high-privilege administrator credentials and the attack is limited by high attack complexity; however, the persistent nature of stored XSS means injected payloads affect all subsequent site visitors.
Stored cross-site scripting in the Surbma | Booking.com Shortcode WordPress plugin (all versions up to 2.1) allows authenticated contributors and above to inject malicious scripts into pages via insufficient input sanitization on the `surbma-bookingcom` shortcode attributes, causing arbitrary JavaScript execution for all site visitors accessing the compromised page. The vulnerability has a CVSS score of 6.4 with network-based attack vector and low complexity, requiring only contributor-level privileges to exploit. No public exploit code or active exploitation has been independently confirmed at the time of analysis.
Stored Cross-Site Scripting in Form Maker by 10Web WordPress plugin (versions ≤1.15.40) allows unauthenticated attackers to inject malicious JavaScript through Matrix field submissions that executes when administrators view submission details. The vulnerability stems from inadequate sanitization (sanitize_text_field removes tags but preserves quotes) and missing output escaping in the admin Submissions view. With CVSS 7.2 (High) and network-based attack vector requiring no privileges or user int
Stored Cross-Site Scripting in MaxKB's MdRenderer component allows authenticated users to inject malicious scripts via custom <iframe_render> tags in LLM responses or Application Prologue configurations, leading to JavaScript execution in the parent window context with access to session tokens and sensitive data. MaxKB versions 2.7.1 and earlier are affected; the vulnerability is fixed in version 2.8.0. The attack requires user interaction (UI:P) but impacts all visitors to an affected application's chat interface, making it a high-impact stored XSS despite the moderate CVSS 5.1 score.
Stored Cross-Site Scripting in MaxKB 2.7.1 and below allows authenticated users to inject arbitrary JavaScript into the Application prologue field via <html_rander> tags, which the backend stores unsanitized and the frontend renders with innerHTML-equivalent mechanisms. Exploitation enables session hijacking, unauthorized workspace/application deletion, and sensitive data exposure against any visitor accessing the affected chatbot. Fixed in version 2.8.0.
Stored Cross-Site Scripting (XSS) via Eval Injection in MaxKB's Markdown rendering engine allows authenticated users to execute arbitrary JavaScript in other users' browsers, including administrators. MaxKB versions 2.7.1 and below are affected. The vulnerability requires user interaction (UI:P) and low privileges (PR:L) to exploit, but delivers high integrity impact (VI:H) to victim sessions. A vendor-released patch is available in version 2.8.0.
Stored Cross-Site Scripting (XSS) in MaxKB 2.7.1 and below allows authenticated users to inject malicious JavaScript through application name or icon fields, which is then executed in victims' browsers when accessing the public chat interface. The vulnerability stems from unsanitized data insertion into HTML responses by ChatHeadersMiddleware, enabling arbitrary code execution with user interaction. MaxKB 2.8.0 has released a patch to fix this issue.
Reflected cross-site scripting (XSS) in SAP BusinessObjects Business Intelligence allows authenticated attackers to inject malicious JavaScript via crafted URLs that execute in victim browsers, potentially exposing restricted information. The vulnerability requires user interaction (clicking a malicious link) and affects only confidentiality with a CVSS score of 4.1 (low severity). No public exploit code or active exploitation has been identified.
Reflected Cross-Site Scripting (XSS) in SAP Supplier Relationship Management (SRM) SICF Handler allows unauthenticated remote attackers to craft malicious URLs that, when accessed by victims, execute arbitrary JavaScript within their browsers. Successful exploitation enables attackers to steal session credentials, modify procurement data, or perform actions on behalf of authenticated users, affecting confidentiality and integrity of SRM operations. The vulnerability carries a CVSS score of 6.1 with moderate real-world risk due to required user interaction and cross-origin constraints, though no public exploit code or active exploitation has been confirmed at the time of analysis.
Reflected cross-site scripting (XSS) in manikandan580 School-management-system 1.0 allows unauthenticated remote attackers to inject malicious scripts via the pagedes POST parameter in /studentms/admin/contact-us.php, affecting users with browser cookies or session tokens. Publicly available exploit code exists, and the vulnerability impacts confidentiality and integrity with moderate scope. CVSS score of 6.1 reflects the requirement for user interaction to trigger the malicious payload.
Stored or reflected cross-site scripting (XSS) in alandsilva26 hotel-management-php 1.0 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in the context of authenticated administrators via a malicious room_id GET parameter in /public/admin/edit_room.php. Public exploit code exists (SSVC confirms poc status). The vulnerability requires user interaction (UI:R) to trigger, affecting confidentiality and integrity of admin sessions with partial technical impact.
Reflected cross-site scripting (XSS) in School Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the email POST parameter in the contact-us.php admin interface. A victim must click a crafted link, enabling attackers to steal session cookies, perform administrative actions, or redirect users to malicious sites. Public proof-of-concept code exists; however, real-world exploitation probability remains low (EPSS 0.02%) due to reliance on user interaction and limited automaton.
A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting. The attack may be performed from remote. The vendor was contacted early about this disclosure.
A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 7.1.5 mitigates this issue. It is advisable to upgrade the affected component.
EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email notifications by crafting malicious content in the post field of stream activity notes. The vulnerability exists because server-side Handlebars templates render the post field using unescaped triple-brace syntax, the Markdown processor preserves inline HTML by default, and the rendering pipeline explicitly skips sanitization for fields present in additionalData, creating a path where attacker-controlled HTML is accepted, stored, and rendered directly into emails without any escaping. Since the emails are sent using the system's configured SMTP identity (such as an administrative sender address), the injected content appears fully trusted to recipients, enabling phishing attacks, user tracking via embedded resources like image beacons, and UI manipulation within email content. The @mention feature further increases the impact by allowing targeted delivery of malicious emails to specific users. This issue has been fixed in version 9.3.4.
Stored cross-site scripting in Note Mark note-taking application allows authenticated users to execute arbitrary JavaScript in victims' browsers by uploading HTML/SVG files as note assets. The vulnerability affects the Go backend's asset delivery mechanism (github.com/enchant97/note-mark), which serves uploaded files inline without setting Content-Type headers or X-Content-Type-Options: nosniff, enabling browser MIME-sniffing attacks. Attackers with low-privilege accounts can create malicious asset URLs that, when opened by victims, execute scripts with full access to authenticated API endpoints, private notes, and user data. CVSS 8.7 (High) reflects the changed scope impact where one user's malicious upload affects other users' security context. Vendor-released patch available in v0.19.2.
Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, comment_body, article_content, description, and message parameters across multiple controllers, which are stored in the database and executed in users' browser sessions due to improper sanitization via Request::getRawParameter() or Request::getParameter() calls.
Stored cross-site scripting (XSS) in Prometheus web UI allows remote code execution in user browsers when viewing metrics with injected HTML/JavaScript in metric names or label values. Attackers who can inject metrics via compromised scrape targets, remote write, or OTLP receivers can execute arbitrary JavaScript to exfiltrate configuration, delete time-series data, or shut down Prometheus if admin APIs are enabled. Prometheus 3.5.2 LTS and 3.11.2 patch this by escaping all user-controlled value
Stored code execution in Decidim's user name field allows authenticated attackers with low privileges to inject malicious code that executes in victims' browsers when they view comment pages, enabling account takeover and data theft across trust boundaries. The vulnerability affects the decidim-core RubyGem component. Patches are available in versions 0.30.5 and 0.31.1. No public exploit identified at time of analysis, though the attack vector is relatively straightforward for authenticated users.
Stored Cross-Site Scripting (XSS) in Pandora FMS versions 777 through 800 allows authenticated users with low privileges to inject malicious scripts via event comments, which execute in the browsers of other users viewing those comments. The vulnerability has a CVSS score of 2.1 with low confidentiality and integrity impact, requiring user interaction and attack preparation time to exploit. No public exploit code or active exploitation has been identified.
Stored cross-site scripting (XSS) in code-projects Simple Content Management System 1.0 allows authenticated high-privilege attackers to inject malicious scripts via the News Title parameter in /web/admin/welcome.php, affecting all versions of the product. The vulnerability requires user interaction (UI:R) to execute but has publicly available exploit code and a low CVSS score (2.4) due to high privilege requirements and limited impact scope.
Cross-site Scripting (XSS) in LibreNMS versions before 26.3.0 allows authenticated administrators to inject malicious scripts on the showconfig page, enabling attacks against other authorized users. The vulnerability requires high administrative privileges and user interaction (clicking a malicious link) to execute, resulting in integrity impact to other users' sessions. Publicly available exploit code exists, though CISA KEV status is not confirmed.
Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.4.2 allows authenticated remote attackers to inject malicious scripts via the MdPreview component in ui/src/chat.ts, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability. The vendor released patched version 2.5.0 addressing the flaw with commit 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8.
Stored cross-site scripting in Apache Storm UI before 2.8.6 allows authenticated users with topology submission rights to inject malicious HTML/JavaScript via unsanitized component identifiers, stream names, and grouping values in the visualization component. The payload persists in Nimbus and executes in the browser of any administrator viewing the topology visualization, enabling privilege escalation in multi-tenant deployments. EPSS score of 0.04% and SSVC assessment of partial technical impact with no automated exploitation indicate relatively low real-world risk despite the concerning privilege-escalation scenario.
Reflected cross-site scripting (XSS) in PHPGurukul Company Visitor Management System 2.0 allows authenticated remote attackers to inject malicious scripts via the fromdate parameter in /bwdates-reports-details.php. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), but publicly available exploit code exists, elevating practical risk despite the moderate CVSS score of 5.1.
Cross-site scripting (XSS) in Simple ChatBox up to version 1.0 allows remote attackers to inject malicious scripts via the msg parameter in the /chatbox/insert.php endpoint, with user interaction required. The vulnerability has publicly available exploit code and affects the PHP-based chat application component. Impact is limited to integrity of user sessions, but the attack vector is remote and requires no authentication.
Stored cross-site scripting (XSS) in NightWolf Penetration Testing Platform 2.1.5 allows authenticated users to inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims. The vulnerability requires user interaction is absent from the CVSS vector (UI:N), meaning the injected payload executes automatically when a victim views affected content. No public exploit code or active exploitation has been confirmed at the time of analysis.
Cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows remote attackers to inject arbitrary scripts via the serviceId parameter in /checkupdatestatus.php. The vulnerability requires user interaction (UI:R) and results in low integrity impact, but is publicly available with exploit code and has been disclosed. CVSS base score is 4.3 with relatively low real-world risk due to UI requirement and limited impact scope, though the presence of public POC increases adoption likelihood among less-skilled attackers.
Stored cross-site scripting in Snipe-IT asset management system v8.3.0-8.3.1 allows authenticated users with basic login privileges to inject malicious JavaScript via Name and Surname fields, which executes when other users view Activity Reports or modified profiles. This vulnerability requires the victim's Display Name to be unset and affects all users with sufficient permissions to access those views. Patch available in v8.3.2; EPSS score is minimal (0.01%), indicating low empirical exploitation likelihood despite network-accessible attack vector.
Reflected cross-site scripting (XSS) in Vtiger CRM 8.4.0 MailManager module allows authenticated attackers to execute arbitrary JavaScript in a user's browser session via a specially crafted double URL-encoded payload in the _folder parameter. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity within the scope of the authenticated session. With an EPSS score of 0.02% (5th percentile), real-world exploitation risk is minimal despite public disclosure.
HTML Injection in Totara LMS through version 19.1.5 allows authenticated users with low privileges to inject malicious HTML/JavaScript into messages sent to all application users, enabling session hijacking and arbitrary command execution in victims' browsers. A publicly available exploit exists (GitHub POC referenced), though no confirmed active exploitation (not in CISA KEV). EPSS score of 0.02% indicates very low observed exploitation probability despite the CVSS 8.0 rating, suggesting limited attacker interest or opportunity in real-world environments.
Stored Cross-Site Scripting (XSS) in WP Shortcodes Plugin - Shortcodes Ultimate through version 7.4.9 allows authenticated contributors and above to inject arbitrary JavaScript into WordPress pages via the 'su_box' shortcode due to insufficient input sanitization and output escaping. The injected scripts execute in the context of all users who access the affected pages, potentially compromising site visitors' sessions and data. No public exploit code has been identified at the time of analysis, though the vulnerability is straightforward to reproduce and weaponize.
Stored cross-site scripting (XSS) in wger fitness application allows authenticated users to inject malicious JavaScript via unescaped license attribution fields in ingredient and image models, which executes when any visitor views the affected page. The vulnerability persists in the database and can be exploited to steal session cookies, perform unauthorized actions as other users, or conduct phishing attacks. Affected versions allow low-privilege authenticated users (any non-temporary account) to create ingredients with JavaScript payloads in the `license_author` field, which bypasses all input sanitization and is rendered with Django's `|safe` filter, disabling auto-escaping.
Stored Cross-Site Scripting in WP YouTube Lyte plugin for WordPress versions up to 1.7.29 allows authenticated contributors and above to inject arbitrary JavaScript via the 'lyte' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users viewing affected pages. No public exploit code or active exploitation has been confirmed at time of analysis; patch is available in version 1.7.30 and later.
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.
Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into HTML contexts including <title> tags, <meta> attributes, and JSON-LD structured data. An attacker can inject a payload such as "></title><script>alert(1)</script> to break out of the intended HTML context and execute arbitrary JavaScript in the browser of any authenticated user who views the affected page. This can be leveraged to perform authenticated API requests, access sensitive data such as usernames, email addresses, and roles via internal APIs, and exfiltrate it to an attacker-controlled server. This issue has been fixed in version 4.29.0.
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the launder.string() call performs only type coercion without stripping HTML metacharacters. These unsanitized values are then concatenated directly into <style> tags both in per-widget style elements rendered for all visitors and in the global stylesheet rendered for editors, with the output marked as safe HTML. An editor can inject a value which closes the style tag and executes arbitrary JavaScript in the browser of every visitor to any page containing the affected widget. This enables mass session hijacking, cookie theft, and privilege escalation to administrative control if an admin views draft content. This issue has been fixed in version 4.29.0.
Cross-site scripting (XSS) in ApostropheCMS 4.28.0 and sanitize-html 2.17.1 allows remote attackers to bypass HTML tag filtering and inject arbitrary tags through entity-encoded payloads in textarea and option elements. A regression in the sanitize-html parser incorrectly assumes htmlparser2 does not decode entities within non-text elements, causing encoded HTML to be decoded and written directly to output without sanitization. Exploitation requires non-default configurations where textarea or option tags are in the allowedTags list, commonly found in form builders, and user interaction to submit form content. No active exploitation has been identified at time of analysis, but the vulnerability is trivial to exploit once configuration conditions are met.
### Summary The client-side `escapeForHtml()` function in `KimaiEscape.js`, introduced in commit `89bfa82c` (#2959) to fix a JavaScript XSS vulnerability, only escapes `<`, `>`, and `&` but does not escape `"` (double quote) or `'` (single quote). When user-controlled data (profile alias) is placed in an HTML attribute context (`title="__DISPLAY__"`) via the team member form prototype and rendered through `innerHTML`, the missing quote escaping allows HTML attribute injection, resulting in Stored XSS. ### Details Incomplete security patch. The `escapeForHtml()` function was meant to prevent XSS but missed quote characters, which are critical for HTML attribute context escaping. **Vulnerable code** - `assets/js/plugins/KimaiEscape.js:29-33`: ```javascript const tagsToReplace = { '&': '&', '<': '<', '>': '>', // MISSING: '"': '"' // MISSING: "'": ''' }; ``` **Affected code files**: - `assets/js/plugins/KimaiEscape.js:24-38` - incomplete escape function - `assets/js/forms/KimaiTeamForm.js:77,86` - replacement + innerHTML - `templates/macros/widgets.html.twig:126` - `title="{{ tooltip }}"` in avatar macro - `templates/form/blocks.html.twig:104` - `{{ widgets.avatar('__INITIALS__', '__COLOR__', '__DISPLAY__') }}` ### PoC [poc.zip](https://github.com/user-attachments/files/26537515/poc.zip) Please extract the uploaded compressed file before proceeding 1. ./setup.sh 2. ./poc_xss.sh <img width="751" height="155" alt="스크린샷 2026-04-07 오후 9 06 27" src="https://github.com/user-attachments/assets/c09a23fb-f60b-49dd-9018-8c723e35b4c4" /> ### Impact - Stored XSS: payload persists in the database (user alias field) - Privilege escalation: ROLE_USER injects XSS that executes in ROLE_ADMIN/ROLE_SUPER_ADMIN browser session
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
A vulnerability in the Desktop Agent functionality of Cisco Webex Contact Center could have allowed an unauthenticated, remote attacker to conduct cross-site scripting attacks. Cisco has addressed this vulnerability in the Cisco Webex Contact Center service, and no customer action is needed. This vulnerability existed because HTML and script content was not properly handled. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by persuading a user to follow a malicious link. A successful exploit could have allowed the attacker to steal sensitive information from the browser, including authentication and session information.
Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with administrative write privileges to conduct a stored cross-site scripting (XSS) attack or a reflected XSS attack against a user of the web-based management interface of an affected device. These vulnerabilities are due to insufficient sanitization of user-supplied data that is stored in the web page. An attacker could exploit these vulnerabilities by convincing a user of the interface to click a specific link or view an affected web page. The injected script code may be executed in the context of the web-based management interface or allow the attacker to access sensitive browser-based information.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HashThemes Mini Ajax Cart for WooCommerce allows Stored XSS.This issue affects Mini Ajax Cart for WooCommerce: from n/a through 1.3.4.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emarket-design YouTube Showcase allows Stored XSS.This issue affects YouTube Showcase: from n/a through 3.5.1.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zahlan Categories Images categories-images allows DOM-Based XSS.This issue affects Categories Images: from n/a through <= 3.3.1.
Stored XSS in Accessibly WordPress plugin (≤3.0.3) allows unauthenticated attackers to inject malicious JavaScript executed by all site visitors via unprotected REST API endpoints. Two endpoints (/otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config) lack authentication checks (permission_callback set to __return_true), enabling attackers to modify the widgetSrc option with a URL pointing to attacker-controlled scripts. The malicious URL is stored unsanitized in WordPress options and
Stored cross-site scripting in Power Charts Lite WordPress plugin versions up to 0.1.0 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'id' parameter of the [pc] shortcode. The vulnerability exists because the plugin extracts user-supplied shortcode attributes, directly concatenates them into HTML class attributes without sanitization, and then decodes HTML entities, creating a persistent XSS payload that executes for all users viewing the affected page. No active exploitation has been confirmed, but the attack requires only standard WordPress contributor permissions and no additional complexity.
Stored cross-site scripting in WM JqMath WordPress plugin up to version 1.3 allows authenticated contributors and above to inject arbitrary JavaScript via the 'style' shortcode attribute, which executes in the browsers of all users viewing affected pages. The vulnerability stems from direct concatenation of unsanitized user input into HTML without proper escaping (missing esc_attr() calls). CVSS 6.4 reflects moderate risk with scope change; no public exploit code or active KEV status identified at time of analysis.
Stored cross-site scripting in Coachific Shortcode plugin for WordPress versions up to 1.0 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into pages via the 'userhash' shortcode attribute. The plugin sanitizes input with sanitize_text_field() but fails to apply JavaScript-specific escaping before interpolating the value into a script tag, enabling persistent XSS attacks visible to all page visitors. EPSS score of 6.4 reflects moderate real-world risk constrained by the requirement for authenticated contributor access and user interaction.
Stored Cross-Site Scripting in WP Circliful plugin for WordPress up to version 1.2 allows authenticated attackers with Contributor-level access to inject arbitrary HTML and JavaScript via insufficiently sanitized shortcode attributes in [circliful] and [circliful_direct] shortcodes. The vulnerability exists in the circliful_shortcode() and circliful_direct_shortcode() functions, which concatenate user input directly into HTML attributes without escaping. When a user visits a page containing the injected shortcode, the malicious script executes in their browser. No public exploit code or active exploitation in the wild has been confirmed at time of analysis.
Stored Cross-Site Scripting (XSS) in Nozomi Networks Guardian and CMC allows authenticated attackers with custom field privileges to inject malicious JavaScript payloads through the Assets and Nodes custom field functionality. When victims view affected pages, the XSS executes with high integrity and availability impact due to changed scope (CVSS S:C), enabling unauthorized actions including data modification and service disruption. No public exploit identified at time of analysis, though the attack complexity is low (AC:L) once custom field access is obtained.
Stored Cross-Site Scripting in Quick Interest Slider plugin for WordPress (versions ≤3.1.5) allows unauthenticated remote attackers to inject malicious scripts via unsanitized 'loan-amount' and 'loan-period' parameters. Injected scripts execute in victim browsers when accessing compromised pages, enabling session hijacking, credential theft, or malicious redirects. CVSS 7.2 with network-accessible, low-complexity attack vector (AV:N/AC:L/PR:N) and scope change (S:C) indicates significant cross-tenant impact. No public exploit identified at time of analysis, though exploitation requires minimal technical sophistication due to unauthenticated attack surface.
Stored Cross-Site Scripting in VI: Include Post By WordPress plugin up to version 0.4.200706 allows authenticated contributors and above to inject arbitrary JavaScript via the 'class_container' shortcode attribute, which executes in the browsers of any user viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied shortcode parameters. No public exploit code or active exploitation has been reported; however, the low attack complexity and broad scope of impact (affecting all site visitors) make this a moderate-priority issue for WordPress installations using this plugin.
Cross-site request forgery leading to stored cross-site scripting in Inquiry Form to Posts or Pages plugin version 1.0 for WordPress allows unauthenticated attackers to inject arbitrary scripts into administrator settings. The vulnerability stems from missing nonce validation on the settings update handler combined with insufficient input sanitization and output escaping, enabling an attacker to craft a malicious request that, when visited by a logged-in administrator, stores persistent XSS payloads. With a CVSS score of 4.3 and no evidence of public exploitation, this represents a moderate-severity threat requiring administrator interaction.
Cross-site scripting (XSS) in goldmark HTML renderer before version 1.7.17 allows unauthenticated remote attackers to execute arbitrary JavaScript by encoding dangerous URL schemes (such as javascript:) using HTML5 named character references, bypassing the renderer's prefix-based protocol validation due to improper ordering of entity resolution. Applications using affected versions can be exploited via crafted markdown containing malicious links that render unsafe protocols in user contexts, with a CVSS score of 6.1 indicating moderate real-world impact driven by the requirement for user interaction (UI:R) and change of scope across trust boundaries.
Stored cross-site scripting in GROWI v7.4.6 and earlier allows authenticated users to inject malicious scripts that execute in other users' browsers, compromising confidentiality and integrity of user sessions. The vulnerability requires user interaction (clicking a link or viewing affected content) and authenticated access, resulting in a CVSS score of 5.4 (medium severity). No public exploit code or active KEV confirmation is indicated in available data.
The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Stored Cross-Site Scripting in Token of Trust WordPress plugin versions ≤3.32.3 allows unauthenticated remote attackers to inject malicious scripts via the unsanitized 'description' parameter, achieving persistent code execution in victim browsers with changed security context (CVSS scope changed). CVSS 7.2 with network attack vector and no authentication required. No public exploit identified at time of analysis, but EPSS data not provided to assess exploitation probability.
Open redirect vulnerability in Immich prior to version 2.7.3 allows authenticated attackers to craft malicious shared album names that inject unsanitized HTML into Open Graph meta tags, redirecting victims' browsers to attacker-controlled sites when they open the share link. This enables phishing attacks where victims can be directed to credential-harvesting sites that impersonate the Immich login interface, exploiting user trust in the shared album feature.
Reflected cross-site scripting (XSS) in XWiki's compare view allows unauthenticated attackers to execute arbitrary JavaScript in a user's browser by injecting malicious code through unescaped URL parameters in the page revision comparison feature. When the victim is an administrator, successful exploitation compromises the confidentiality, integrity, and availability of the entire XWiki instance. Vendor-released patch is available; no public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting (XSS) in Docmost prior to version 0.71.0 allows authenticated users to inject malicious `javascript:` URLs into attachment nodes, executing arbitrary JavaScript in the browser context of other users who activate those attachments. Attack requires low privileges and user interaction (clicking the attachment), affecting all users viewing compromised pages. The vulnerability has been patched in version 0.71.0.
Stored cross-site scripting (XSS) in Docmost prior to version 0.70.0 allows authenticated attackers to inject malicious scripts through MIME type spoofing, potentially compromising user sessions and data integrity. The vulnerability requires user interaction (clicking a link or viewing injected content) and affects only the confidentiality and integrity of affected users' data, not availability. Vendor-released patch: version 0.70.0.
Stored cross-site scripting (XSS) in Chamilo LMS versions prior to 2.0.0-RC.3 allows authenticated users to upload malicious HTML files containing JavaScript via the social post attachment API endpoint. The uploaded files are served without sanitization, content-type restrictions, or proper content-disposition headers, causing embedded JavaScript to execute in the browser within the application's trusted origin. This enables session hijacking, account takeover, and privilege escalation attacks, particularly when an administrator views a malicious link. The vulnerability is confirmed fixed in version 2.0.0-RC.3.
Stored XSS in October CMS versions before 3.7.14 and 4.1.10 allows authenticated users with media upload permissions to bypass SVG sanitization regex patterns and inject malicious JavaScript through crafted SVG files. When a superuser or other high-privileged user views or embeds the malicious SVG, the payload executes in their browser context, enabling privilege escalation. The vulnerability requires both authenticated backend access and user interaction (viewing/embedding the SVG), resulting in a CVSS 4.8 (Medium) rating; no public exploit code has been identified at time of analysis.
DOM-based cross-site scripting in Adobe Experience Manager 6.5.24 and earlier allows authenticated attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious webpage that manipulates the DOM environment. The vulnerability requires user interaction and results in limited confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed at time of analysis.
DOM-based Cross-Site Scripting in Adobe Experience Manager 6.5.24 and FP11.7 and earlier allows authenticated attackers to execute arbitrary JavaScript in victims' browsers by crafting malicious web pages that manipulate the DOM environment, requiring user interaction to trigger the attack. CVSS 5.4 reflects moderate severity with network-accessible attack surface but limited scope impact. No public exploit code or active exploitation has been confirmed at time of analysis.
DOM-based cross-site scripting in Adobe Experience Manager 6.5.24 and FP11.7 earlier allows authenticated users to execute arbitrary JavaScript in victims' browsers by crafting malicious webpages that manipulate the DOM environment. The vulnerability requires user interaction (victim must visit a crafted page) and affects the confidentiality and integrity of user sessions within the AEM application context. CVSS 5.4 reflects the moderate severity; no public exploit code or active exploitation has been confirmed at time of analysis.
Reflected Cross-Site Scripting (XSS) Vulnerability in Radware Alteon 34.5.4.0 vADC load-balancer allows an attacker to inject malicious scripts into the website, potentially leading to unauthorized actions, data theft, or other malicious activities.
Stored Cross-Site Scripting in Adobe Experience Manager versions FP11.7 and earlier allows authenticated attackers to inject malicious JavaScript into form fields, which executes in victims' browsers with limited impact (confidentiality and integrity). The vulnerability requires user interaction (victim must view the affected page) and authenticated access, resulting in a CVSS 5.4 (medium) score. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting (XSS) in October CMS versions prior to 3.7.14 and 4.1.10 allows authenticated users with Event Log viewing permissions to execute arbitrary JavaScript in other users' browsers via malicious HTML content in the mail preview iframe. The vulnerability stems from improper iframe sandboxing when rendering logged email messages, affecting confidentiality and integrity with a CVSS score of 5.1. No public exploit code has been identified at the time of analysis.
Cross-site scripting (XSS) in Adobe Connect versions 12.10 and earlier, including the 2025.3 release line, enables privilege escalation when low-privileged authenticated users trick victims into visiting malicious URLs. The changed scope (CVSS S:C) indicates the vulnerability can affect resources beyond the vulnerable application's security context. EPSS data not available; no evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis. Requires user interaction (UI:R) but has low attack complexity (AC:L) and network-based attack vector (AV:N), making social engineering campaigns feasible.
Reflected cross-site scripting (XSS) in Adobe Connect 2025.3, 12.10, and earlier allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a crafted URL, potentially compromising user session data and performing actions on behalf of the victim. The vulnerability affects multiple versions across a wide product scope and requires user interaction (clicking a malicious link) to trigger. No public exploit code or active exploitation has been confirmed at the time of analysis.
DOM-based XSS in Adobe Connect 12.10 and earlier (including 2025.3) enables malicious JavaScript execution in victim browsers when users visit attacker-crafted webpages. The changed scope in CVSS vector (S:C) indicates the vulnerability can affect resources beyond the vulnerable component's security authority, potentially allowing lateral access to other Connect features or sessions. Adobe has released a patch in APSB26-37. EPSS exploitation probability is low (0.10%, 27th percentile) with no confirmed active exploitation (not in CISA KEV), suggesting this is currently a theoretical risk rather than an imminent mass-exploitation threat.
Reflected Cross-Site Scripting in Adobe Connect versions 12.10 and earlier allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by distributing a malicious URL. The vulnerability requires user interaction (clicking a link) and can affect the confidentiality and integrity of user sessions across different origins due to changed scope. No public exploit code or active exploitation has been confirmed at this time.
Reflected XSS in Adobe Connect 12.10 and earlier enables attackers to execute malicious JavaScript in victim browsers through crafted URLs. The changed scope (S:C) indicates potential escape from Adobe Connect's application context to access other origins, elevating impact beyond typical reflected XSS. CVSS 9.3 reflects high confidentiality/integrity impact with scope change, though real-world exploitation requires social engineering (UI:R). EPSS score of 0.10% (27th percentile) and SSVC classification of non-automatable with no observed exploitation suggest this is lower priority than CVSS alone indicates, despite the high numerical score.
Reflected XSS in Adobe Connect versions 12.10 and earlier enables attackers to execute malicious JavaScript in victim browsers through crafted URLs. The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component, elevating the severity to 9.3 despite being 'just' XSS. Requires user interaction (clicking malicious link) but no authentication. EPSS score of 0.10% (27th percentile) suggests low probability of mass exploitation. CISA SSVC framework rates this as non-automatable with total technical impact but no observed exploitation, indicating priority for patch deployment in internet-facing Adobe Connect deployments but not emergency response level.
Stored Cross-Site Scripting (XSS) in October CMS versions prior to 3.7.14 and 4.1.10 allows authenticated backend users with editor settings permissions to inject malicious JavaScript into Markup Classes fields, which executes unsanitized in the Froala editor dropdown menus when any user-including superusers-opens a RichEditor. This enables privilege escalation when a superuser performs routine content editing tasks. CVSS 5.1 indicates moderate risk; exploitation requires authenticated backend access and user interaction (opening an editor), but the stored nature of the payload and privilege escalation potential elevate real-world concern. No public exploit code or active CISA KEV status reported.
Stored cross-site scripting (XSS) in Windows Admin Center before version 2.6.5.16 allows unauthenticated remote attackers to inject malicious scripts that execute in the browsers of other users, enabling account spoofing and data theft. The vulnerability requires user interaction (clicking a malicious link) but has network-wide scope, affecting all users of the Admin Center instance. Microsoft has released a patched version; exploitation is currently limited to scenarios where attackers can socially engineer clicks on crafted URLs.
Stored cross-site scripting (XSS) in Microsoft SharePoint Server allows authenticated users to inject malicious scripts that execute in the browsers of other authorized users viewing affected web pages, enabling account spoofing and credential theft within enterprise collaboration environments. The vulnerability affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition across all versions prior to specific patch releases. CVSS score of 4.6 reflects low severity due to authentication requirement and user interaction needed, but real-world risk is elevated in multi-user SharePoint deployments where XSS can be weaponized for privilege escalation or lateral movement.
Reflected cross-site scripting (XSS) in Fortinet FortiSandbox and FortiSandbox PaaS versions 5.0.0 through 5.0.4 allows unauthenticated remote attackers to inject malicious scripts via crafted HTTP requests. Exploitation requires user interaction (clicking a malicious link), resulting in session hijacking, credential theft, or malware distribution to administrators accessing the FortiSandbox web interface. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting (XSS) in Fortinet FortiSandbox and FortiSandbox PaaS versions 4.2 through 5.0.5 allows authenticated administrators with high privileges to inject malicious scripts into web pages, leading to unauthorized code execution when other users interact with compromised content. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity but not availability. With a CVSS score of 4.8 and high privilege requirement (PR:H), this represents a moderate risk primarily to multi-user deployments where administrative accounts may be compromised or untrusted.
Stored cross-site scripting (XSS) in Fortinet FortiSOAR allows authenticated remote attackers to inject malicious scripts via crafted HTTP requests, affecting both PaaS and on-premise deployments across versions 7.3 through 7.6.3. The vulnerability requires user interaction to trigger the payload and results in limited confidentiality and integrity impact, with a CVSS score of 4.6 reflecting the authentication requirement and user-interaction dependency. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stored XSS in Keycloak's organization selection login page allows authenticated administrators with manage-realm or manage-organizations privileges to inject malicious JavaScript via the organization.alias field, enabling arbitrary script execution in users' browsers when they access the login page. Exploitation requires high-privilege administrative access and user interaction (viewing the login page), with potential impact including session theft and unauthorized account actions. No public exploit code or active exploitation confirmed at time of analysis.
Leaflet through version 1.9.4 allows stored or reflected cross-site scripting (XSS) via the bindPopup() method, which renders user-supplied HTML without sanitization. Network-based attackers can inject malicious JavaScript through event handler attributes in popup content, executing arbitrary code in victims' browser sessions when they interact with affected map popups. No public exploit code or active exploitation has been confirmed at this time, though the vulnerability carries a CVSS 6.1 base score reflecting moderate risk with network-accessible attack surface and user interaction requirement.
Stored cross-site scripting (XSS) in Ivanti Neurons for ITSM (on-premise and cloud) before version 2025.4 allows authenticated remote attackers to inject malicious scripts that execute in other users' sessions, enabling limited information disclosure. User interaction is required to trigger the vulnerability. No public exploit code or active exploitation has been identified.
Stored XSS in Autodesk Fusion desktop application allows local attackers to execute arbitrary code or read local files through malicious component names displayed in delete confirmation dialogs. When a user clicks the crafted payload, the vulnerability escalates from XSS to potential local code execution within the application context. Vendor-released patches available for Windows and macOS. No public exploit identified at time of analysis, though the attack vector is local (CVSS:3.1/AV:L) requiring user interaction but no authentication (PR:N), with CVSS 7.1 reflecting high confidentiality and integrity impact.
Stored cross-site scripting (XSS) in Autodesk Fusion desktop application allows local attackers to execute arbitrary code or read local files by crafting malicious HTML payloads in design names that trigger when exported to CSV format. The vulnerability requires no authentication but depends on user interaction (opening the exported CSV). Vendor patch available via updated client installers for Windows and macOS. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code identified at time of analysis.
Stored cross-site scripting in Autodesk Fusion desktop application enables arbitrary code execution when malicious assembly variant names render in delete confirmation dialogs. Attackers can craft HTML payloads that execute in the application context, enabling local file access and code execution with user privileges (CVSS 7.1, local attack vector requiring user interaction). Vendor-released patch available via official Fusion client installers for Windows and macOS. No public exploit identified at time of analysis.
Stored Cross-Site Scripting in ShopLentor WordPress plugin (versions up to 3.3.5) via the woolentor_quickview_button shortcode's button_text attribute allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript that executes for all site visitors. The vulnerability stems from insufficient input sanitization and missing output escaping on user-supplied shortcode attributes. With a CVSS score of 6.4 and confirmed patch availability in version 3.3.6, this poses a moderate risk to WordPress installations using the plugin, particularly those with multiple contributor-level users.
Stored Cross-Site Scripting in WholeSale Products Dynamic Pricing Management WooCommerce plugin allows authenticated administrators to inject arbitrary web scripts via admin settings that execute for all users on affected pages. The vulnerability affects all versions up to and including 1.2 on multi-site WordPress installations or single-site installations with unfiltered_html disabled. While the CVSS score of 4.4 is moderate, exploitation requires high-privilege administrator credentials and the attack is limited by high attack complexity; however, the persistent nature of stored XSS means injected payloads affect all subsequent site visitors.
Stored cross-site scripting in the Surbma | Booking.com Shortcode WordPress plugin (all versions up to 2.1) allows authenticated contributors and above to inject malicious scripts into pages via insufficient input sanitization on the `surbma-bookingcom` shortcode attributes, causing arbitrary JavaScript execution for all site visitors accessing the compromised page. The vulnerability has a CVSS score of 6.4 with network-based attack vector and low complexity, requiring only contributor-level privileges to exploit. No public exploit code or active exploitation has been independently confirmed at the time of analysis.
Stored Cross-Site Scripting in Form Maker by 10Web WordPress plugin (versions ≤1.15.40) allows unauthenticated attackers to inject malicious JavaScript through Matrix field submissions that executes when administrators view submission details. The vulnerability stems from inadequate sanitization (sanitize_text_field removes tags but preserves quotes) and missing output escaping in the admin Submissions view. With CVSS 7.2 (High) and network-based attack vector requiring no privileges or user int
Stored Cross-Site Scripting in MaxKB's MdRenderer component allows authenticated users to inject malicious scripts via custom <iframe_render> tags in LLM responses or Application Prologue configurations, leading to JavaScript execution in the parent window context with access to session tokens and sensitive data. MaxKB versions 2.7.1 and earlier are affected; the vulnerability is fixed in version 2.8.0. The attack requires user interaction (UI:P) but impacts all visitors to an affected application's chat interface, making it a high-impact stored XSS despite the moderate CVSS 5.1 score.
Stored Cross-Site Scripting in MaxKB 2.7.1 and below allows authenticated users to inject arbitrary JavaScript into the Application prologue field via <html_rander> tags, which the backend stores unsanitized and the frontend renders with innerHTML-equivalent mechanisms. Exploitation enables session hijacking, unauthorized workspace/application deletion, and sensitive data exposure against any visitor accessing the affected chatbot. Fixed in version 2.8.0.
Stored Cross-Site Scripting (XSS) via Eval Injection in MaxKB's Markdown rendering engine allows authenticated users to execute arbitrary JavaScript in other users' browsers, including administrators. MaxKB versions 2.7.1 and below are affected. The vulnerability requires user interaction (UI:P) and low privileges (PR:L) to exploit, but delivers high integrity impact (VI:H) to victim sessions. A vendor-released patch is available in version 2.8.0.
Stored Cross-Site Scripting (XSS) in MaxKB 2.7.1 and below allows authenticated users to inject malicious JavaScript through application name or icon fields, which is then executed in victims' browsers when accessing the public chat interface. The vulnerability stems from unsanitized data insertion into HTML responses by ChatHeadersMiddleware, enabling arbitrary code execution with user interaction. MaxKB 2.8.0 has released a patch to fix this issue.
Reflected cross-site scripting (XSS) in SAP BusinessObjects Business Intelligence allows authenticated attackers to inject malicious JavaScript via crafted URLs that execute in victim browsers, potentially exposing restricted information. The vulnerability requires user interaction (clicking a malicious link) and affects only confidentiality with a CVSS score of 4.1 (low severity). No public exploit code or active exploitation has been identified.
Reflected Cross-Site Scripting (XSS) in SAP Supplier Relationship Management (SRM) SICF Handler allows unauthenticated remote attackers to craft malicious URLs that, when accessed by victims, execute arbitrary JavaScript within their browsers. Successful exploitation enables attackers to steal session credentials, modify procurement data, or perform actions on behalf of authenticated users, affecting confidentiality and integrity of SRM operations. The vulnerability carries a CVSS score of 6.1 with moderate real-world risk due to required user interaction and cross-origin constraints, though no public exploit code or active exploitation has been confirmed at the time of analysis.
Reflected cross-site scripting (XSS) in manikandan580 School-management-system 1.0 allows unauthenticated remote attackers to inject malicious scripts via the pagedes POST parameter in /studentms/admin/contact-us.php, affecting users with browser cookies or session tokens. Publicly available exploit code exists, and the vulnerability impacts confidentiality and integrity with moderate scope. CVSS score of 6.1 reflects the requirement for user interaction to trigger the malicious payload.
Stored or reflected cross-site scripting (XSS) in alandsilva26 hotel-management-php 1.0 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in the context of authenticated administrators via a malicious room_id GET parameter in /public/admin/edit_room.php. Public exploit code exists (SSVC confirms poc status). The vulnerability requires user interaction (UI:R) to trigger, affecting confidentiality and integrity of admin sessions with partial technical impact.
Reflected cross-site scripting (XSS) in School Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the email POST parameter in the contact-us.php admin interface. A victim must click a crafted link, enabling attackers to steal session cookies, perform administrative actions, or redirect users to malicious sites. Public proof-of-concept code exists; however, real-world exploitation probability remains low (EPSS 0.02%) due to reliance on user interaction and limited automaton.
A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting. The attack may be performed from remote. The vendor was contacted early about this disclosure.
A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 7.1.5 mitigates this issue. It is advisable to upgrade the affected component.
EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email notifications by crafting malicious content in the post field of stream activity notes. The vulnerability exists because server-side Handlebars templates render the post field using unescaped triple-brace syntax, the Markdown processor preserves inline HTML by default, and the rendering pipeline explicitly skips sanitization for fields present in additionalData, creating a path where attacker-controlled HTML is accepted, stored, and rendered directly into emails without any escaping. Since the emails are sent using the system's configured SMTP identity (such as an administrative sender address), the injected content appears fully trusted to recipients, enabling phishing attacks, user tracking via embedded resources like image beacons, and UI manipulation within email content. The @mention feature further increases the impact by allowing targeted delivery of malicious emails to specific users. This issue has been fixed in version 9.3.4.
Stored cross-site scripting in Note Mark note-taking application allows authenticated users to execute arbitrary JavaScript in victims' browsers by uploading HTML/SVG files as note assets. The vulnerability affects the Go backend's asset delivery mechanism (github.com/enchant97/note-mark), which serves uploaded files inline without setting Content-Type headers or X-Content-Type-Options: nosniff, enabling browser MIME-sniffing attacks. Attackers with low-privilege accounts can create malicious asset URLs that, when opened by victims, execute scripts with full access to authenticated API endpoints, private notes, and user data. CVSS 8.7 (High) reflects the changed scope impact where one user's malicious upload affects other users' security context. Vendor-released patch available in v0.19.2.
Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, comment_body, article_content, description, and message parameters across multiple controllers, which are stored in the database and executed in users' browser sessions due to improper sanitization via Request::getRawParameter() or Request::getParameter() calls.
Stored cross-site scripting (XSS) in Prometheus web UI allows remote code execution in user browsers when viewing metrics with injected HTML/JavaScript in metric names or label values. Attackers who can inject metrics via compromised scrape targets, remote write, or OTLP receivers can execute arbitrary JavaScript to exfiltrate configuration, delete time-series data, or shut down Prometheus if admin APIs are enabled. Prometheus 3.5.2 LTS and 3.11.2 patch this by escaping all user-controlled value
Stored code execution in Decidim's user name field allows authenticated attackers with low privileges to inject malicious code that executes in victims' browsers when they view comment pages, enabling account takeover and data theft across trust boundaries. The vulnerability affects the decidim-core RubyGem component. Patches are available in versions 0.30.5 and 0.31.1. No public exploit identified at time of analysis, though the attack vector is relatively straightforward for authenticated users.
Stored Cross-Site Scripting (XSS) in Pandora FMS versions 777 through 800 allows authenticated users with low privileges to inject malicious scripts via event comments, which execute in the browsers of other users viewing those comments. The vulnerability has a CVSS score of 2.1 with low confidentiality and integrity impact, requiring user interaction and attack preparation time to exploit. No public exploit code or active exploitation has been identified.
Stored cross-site scripting (XSS) in code-projects Simple Content Management System 1.0 allows authenticated high-privilege attackers to inject malicious scripts via the News Title parameter in /web/admin/welcome.php, affecting all versions of the product. The vulnerability requires user interaction (UI:R) to execute but has publicly available exploit code and a low CVSS score (2.4) due to high privilege requirements and limited impact scope.
Cross-site Scripting (XSS) in LibreNMS versions before 26.3.0 allows authenticated administrators to inject malicious scripts on the showconfig page, enabling attacks against other authorized users. The vulnerability requires high administrative privileges and user interaction (clicking a malicious link) to execute, resulting in integrity impact to other users' sessions. Publicly available exploit code exists, though CISA KEV status is not confirmed.
Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.4.2 allows authenticated remote attackers to inject malicious scripts via the MdPreview component in ui/src/chat.ts, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability. The vendor released patched version 2.5.0 addressing the flaw with commit 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8.
Stored cross-site scripting in Apache Storm UI before 2.8.6 allows authenticated users with topology submission rights to inject malicious HTML/JavaScript via unsanitized component identifiers, stream names, and grouping values in the visualization component. The payload persists in Nimbus and executes in the browser of any administrator viewing the topology visualization, enabling privilege escalation in multi-tenant deployments. EPSS score of 0.04% and SSVC assessment of partial technical impact with no automated exploitation indicate relatively low real-world risk despite the concerning privilege-escalation scenario.
Reflected cross-site scripting (XSS) in PHPGurukul Company Visitor Management System 2.0 allows authenticated remote attackers to inject malicious scripts via the fromdate parameter in /bwdates-reports-details.php. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), but publicly available exploit code exists, elevating practical risk despite the moderate CVSS score of 5.1.
Cross-site scripting (XSS) in Simple ChatBox up to version 1.0 allows remote attackers to inject malicious scripts via the msg parameter in the /chatbox/insert.php endpoint, with user interaction required. The vulnerability has publicly available exploit code and affects the PHP-based chat application component. Impact is limited to integrity of user sessions, but the attack vector is remote and requires no authentication.
Stored cross-site scripting (XSS) in NightWolf Penetration Testing Platform 2.1.5 allows authenticated users to inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims. The vulnerability requires user interaction is absent from the CVSS vector (UI:N), meaning the injected payload executes automatically when a victim views affected content. No public exploit code or active exploitation has been confirmed at the time of analysis.
Cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows remote attackers to inject arbitrary scripts via the serviceId parameter in /checkupdatestatus.php. The vulnerability requires user interaction (UI:R) and results in low integrity impact, but is publicly available with exploit code and has been disclosed. CVSS base score is 4.3 with relatively low real-world risk due to UI requirement and limited impact scope, though the presence of public POC increases adoption likelihood among less-skilled attackers.
Stored cross-site scripting in Snipe-IT asset management system v8.3.0-8.3.1 allows authenticated users with basic login privileges to inject malicious JavaScript via Name and Surname fields, which executes when other users view Activity Reports or modified profiles. This vulnerability requires the victim's Display Name to be unset and affects all users with sufficient permissions to access those views. Patch available in v8.3.2; EPSS score is minimal (0.01%), indicating low empirical exploitation likelihood despite network-accessible attack vector.
Reflected cross-site scripting (XSS) in Vtiger CRM 8.4.0 MailManager module allows authenticated attackers to execute arbitrary JavaScript in a user's browser session via a specially crafted double URL-encoded payload in the _folder parameter. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity within the scope of the authenticated session. With an EPSS score of 0.02% (5th percentile), real-world exploitation risk is minimal despite public disclosure.
HTML Injection in Totara LMS through version 19.1.5 allows authenticated users with low privileges to inject malicious HTML/JavaScript into messages sent to all application users, enabling session hijacking and arbitrary command execution in victims' browsers. A publicly available exploit exists (GitHub POC referenced), though no confirmed active exploitation (not in CISA KEV). EPSS score of 0.02% indicates very low observed exploitation probability despite the CVSS 8.0 rating, suggesting limited attacker interest or opportunity in real-world environments.