XSS

10064 CVEs technique

CVE-2025-44000 MEDIUM POC This Month

A reflected cross-site scripting (xss) vulnerability exists in the sendOruReport functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

XSS Pacs Server
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-36556 MEDIUM POC This Month

A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

Ldap XSS Pacs Server
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-15380 HIGH This Week

The NotificationX - FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-1183 This Week

HTML injection vulnerability in multiple Botble products such as TransP, Athena, Martfury, and Homzen, consisting of an HTML injection due to a lack of proper validation of user input by sending a request to '/search' using the 'q' parameter.

XSS
NVD
EPSS
0.1%
CVE-2025-41081 This Week

Reflected Cross-Site Scripting (XSS) vulnerability in IsMyGym by Zuinq Studio. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL with '/<PATH>.php/<XSS>'.

PHP XSS
NVD
EPSS
0.1%
CVE-2025-41025 MEDIUM This Month

Poultry Farm Management System versions up to 1.0 are affected by cross-site scripting (xss) (CVSS 5.4).

PHP XSS Poultry Farm Management System
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-41024 MEDIUM This Month

Poultry Farm Management System versions up to 1.0 are affected by cross-site scripting (xss) (CVSS 5.4).

PHP XSS Poultry Farm Management System
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-40679 This Week

HTML Injection vulnerability in Isshue by Bdtask, consisting of an HTML injection due to a lack of proper validation of user input by sending a POST request to '/category_product_search', affecting the 'product_name' parameter.

XSS
NVD
EPSS
0.1%
CVE-2025-40644 This Week

Reflected Cross-Site Scripting (XSS) vulnerability in Riftzilla's QRGen. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL using the 'id' parameter in '/article.php'.

PHP XSS
NVD
EPSS
0.1%
CVE-2025-41084 This Week

Stored Cross-Site Scripting (XSS) vulnerability in Sesame web application, due to the fact that uploaded SVG images are not properly sanitized.

XSS
NVD
EPSS
0.1%
CVE-2025-41768 MEDIUM This Month

A high-privileged remote attacker can inject arbitrary content into the custom CSS field on the affected devices due to improper neutralization of input during web page generation ('Cross-site Scripting'). [CVSS 5.5 MEDIUM]

XSS
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-66523 MEDIUM This Month

URL parameters are directly embedded into JavaScript code or HTML attributes without proper encoding or sanitization. This allows attackers to inject arbitrary scripts when an authenticated user visits a crafted link. [CVSS 6.1 MEDIUM]

XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1045 MEDIUM This Month

Stored XSS in the Viet contact WordPress plugin versions up to 1.3.2 allows authenticated administrators to inject malicious scripts into admin settings due to inadequate input sanitization and output escaping. The injected scripts execute when other users access affected pages, impacting multi-site WordPress installations and sites with unfiltered_html disabled. Exploitation requires administrator-level access and no patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1042 MEDIUM This Month

Stored XSS in WP Hello Bar plugin up to version 1.02 allows authenticated administrators to inject malicious scripts through the 'digit_one' and 'digit_two' parameters due to inadequate input validation. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-23880 HIGH This Week

OnboardLite's user migration feature in the admin dashboard is vulnerable to stored cross-site scripting, allowing authenticated attackers to inject malicious scripts that execute when administrators process Discord account migrations. This vulnerability affects versions prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f and could enable session hijacking or credential theft targeting privileged users. No patch is currently available.

XSS
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-23852 CRITICAL POC PATCH Act Now

SiYuan personal knowledge management system prior to 3.5.4 has a stored XSS vulnerability (CVSS 9.6) that allows code execution through crafted knowledge base entries.

RCE XSS Siyuan
NVD GitHub
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-23847 Go MEDIUM POC PATCH This Month

Reflected XSS in SiYuan's /api/icon/getDynamicIcon endpoint allows attackers to inject malicious JavaScript through unescaped SVG content in dynamically generated icon images. An unauthenticated attacker can craft a malicious link that, when clicked by a victim, executes arbitrary scripts in the context of the SiYuan application. Public exploit code exists for versions prior to 3.5.4, which contains the necessary patches.

XSS Siyuan Suse
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-23841 CRITICAL POC Act Now

Movary has a third input validation vulnerability that allows authenticated users to delete arbitrary files from the server, potentially causing data loss or service disruption.

XSS Movary
NVD GitHub
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-23840 CRITICAL POC Act Now

Movary has a second input validation vulnerability allowing authenticated users to write arbitrary files on the server, enabling code execution through web shell upload.

XSS Movary
NVD GitHub
CVSS 3.1
9.3
EPSS
0.1%
CVE-2026-23839 CRITICAL POC Act Now

Movary movie tracking application has an input validation flaw that allows authenticated users to read arbitrary files from the server, potentially exposing configuration files and secrets.

XSS Movary
NVD GitHub
CVSS 3.1
9.3
EPSS
0.1%
CVE-2026-23625 HIGH This Week

Stored XSS in OpenProject versions 16.3.0-16.6.4 allows authenticated users to inject arbitrary HTML/JavaScript through subproject names displayed in the Roadmap view, affecting all users who view the compromised roadmap. An attacker with project creation or modification privileges can craft a malicious project name that executes in victims' browsers when they access the Roadmap, potentially leading to session hijacking or credential theft. No patch is currently available; mitigation is only present in versions 16.6.5 and 17.0.0 through HTTP security headers.

XSS Openproject
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-1161 LOW Monitor

A vulnerability was detected in pbrong hrms 1.0.1. The affected element is the function UpdateRecruitmentById of the file /handler/recruitment.go. [CVSS 3.5 LOW]

XSS
NVD GitHub VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-21618 HIGH This Week

Improper input sanitization in hexpm's SharedAuthorizationView module allows unauthenticated attackers to inject malicious scripts into web pages through the render_grouped_scopes function, enabling cross-site scripting (XSS) attacks against hex.pm users. The vulnerability affects hexpm versions from October 2025 through January 19, 2026, and currently has no available patch. Attackers can exploit this via a simple network request requiring only user interaction, potentially compromising user sessions or stealing sensitive data.

XSS
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-1154 MEDIUM POC This Month

E-Learning System versions up to 1.0 contain a vulnerability that allows attackers to perform basic cross-site scripting (CVSS 4.3).

PHP XSS E Learning System
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1151 LOW POC Monitor

A weakness has been identified in technical-laohu mpay up to 1.2.4. The affected element is an unknown function of the component User Center. [CVSS 2.4 LOW]

XSS
NVD GitHub VulDB
CVSS 3.1
2.4
EPSS
0.0%
CVE-2026-1147 LOW Monitor

Patients Waiting Area Queue Management System versions up to 1.0 are affected by cross-site scripting (xss) (CVSS 3.5).

PHP XSS
NVD VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-1146 LOW Monitor

Patients Waiting Area Queue Management System versions up to 1.0 are affected by cross-site scripting (xss) (CVSS 3.5).

PHP XSS
NVD VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-1136 LOW Monitor

A weakness has been identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. Affected is the function Save of the file /blog/bContent/save of the component ContentController. [CVSS 3.5 LOW]

XSS
NVD GitHub VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-1135 MEDIUM POC This Month

Reflected cross-site scripting in itsourcecode Society Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the Title parameter in /admin/activity.php. Public exploit code exists for this vulnerability, enabling potential attacks against affected deployments. A security patch is not currently available.

PHP XSS Society Management System
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1134 MEDIUM POC This Month

Reflected cross-site scripting in itsourcecode Society Management System 1.0 allows remote attackers to inject malicious scripts through the detail parameter in /admin/expenses.php, potentially compromising administrator sessions and data. Public exploit code exists for this vulnerability, and no patch is currently available, leaving deployed instances at risk of client-side attacks.

PHP XSS Society Management System
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-23733 npm MEDIUM This Month

Stored XSS in LobeChat's Mermaid artifact renderer prior to version 2.0.0-next.180 enables attackers to execute arbitrary JavaScript, which can be escalated to remote code execution through the exposed electronAPI IPC bridge to run system commands. This affects users of the open source chat platform running vulnerable versions, requiring local interaction and high privileges to exploit but resulting in full system compromise. No patch is currently available.

RCE XSS AI / ML
NVD GitHub
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-23525 MEDIUM This Month

Stored XSS in 1Panel's App Store allows attackers to inject malicious scripts into application details that execute in users' browsers when viewed, potentially enabling session hijacking or unauthorized system access. Versions up to v1.10.33-lts and v2.0.16 are vulnerable, with no patch currently available. An attacker could publish a compromised application to steal credentials, modify system functions, or compromise system availability.

XSS Authentication Bypass 1panel
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-1049 LOW POC Monitor

A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. [CVSS 3.5 LOW]

XSS
NVD GitHub VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-1048 LOW POC Monitor

A weakness has been identified in LigeroSmart up to 6.1.26. Impacted is an unknown function of the file /otrs/index.pl?Action=AgentTicketZoom. [CVSS 3.5 LOW]

Zoom XSS
NVD GitHub VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-0725 MEDIUM This Month

Stored XSS in the Integrate Dynamics 365 CRM WordPress plugin through version 1.1.1 allows authenticated administrators to inject malicious scripts into plugin settings due to inadequate input sanitization. An attacker with admin privileges can execute arbitrary JavaScript that runs whenever users access affected pages. No patch is currently available.

WordPress Industrial XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-8615 MEDIUM This Month

The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0833 MEDIUM This Month

Stored cross-site scripting in the Team Section Block plugin for WordPress through version 2.0.0 allows authenticated contributors and above to inject malicious scripts into pages by manipulating social network link URLs due to improper input sanitization and output escaping. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising site security and user data. An unpatched WordPress installation with this plugin poses a persistent attack vector for authenticated users with lower privilege levels.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0691 MEDIUM This Month

The CM E-Mail Blacklist plugin for WordPress through version 1.6.2 contains a stored XSS vulnerability in the 'black_email' parameter due to inadequate input sanitization and output escaping. Authenticated administrators can inject arbitrary JavaScript that executes for all users accessing affected pages, though exploitation is limited to multi-site installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-14632 MEDIUM This Month

The Filr - Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0518 MEDIUM This Month

Secure Access versions before 14.20 contain a stored cross-site scripting vulnerability that allows administrators to inject malicious scripts into the console interface. An authenticated admin can exploit this to interfere with other administrators' sessions and potentially steal sensitive information through the compromised console. The vulnerability requires high privileges and user interaction but can impact multiple administrators due to its scope across the application.

XSS Secure Access
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-56451 MEDIUM POC This Month

A8+ Collaborative Management versions up to 7.0 are affected by cross-site scripting (xss) (CVSS 6.1).

XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25297 This Week

Quiz Maker Plugin by Opinion Stage WordPress versions up to 19.6.25 are affected by cross-site scripting (xss).

WordPress XSS
NVD WPScan
EPSS
0.0%
CVE-2026-23731 MEDIUM POC PATCH This Month

WeGIA prior to version 3.6.2 lacks framing protection headers (X-Frame-Options and Content-Security-Policy), allowing attackers to perform clickjacking attacks by embedding the application within malicious web pages to trick users into unintended actions. Public exploit code exists for this vulnerability, affecting charitable institutions using vulnerable versions of the web manager.

XSS Wegia
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-23725 MEDIUM POC PATCH This Month

Stored XSS in WeGIA before version 3.6.2 allows authenticated users to inject malicious scripts into adopter information fields that execute in the browsers of all visitors to the affected pages. Public exploit code exists for this vulnerability, which impacts the html/pet/adotantes/cadastro_adotante.php and informacao_adotantes.php endpoints. Organizations should upgrade to version 3.6.2 or later to mitigate the risk of persistent JavaScript injection attacks.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23724 MEDIUM POC PATCH This Month

Stored XSS in WeGIA's attendance incident form allows authenticated attackers to inject malicious scripts through unsanitized dropdown fields, affecting versions prior to 3.6.2. An attacker with login credentials can craft payloads that execute in other users' browsers when they view the affected page. Public exploit code exists for this vulnerability, and a patch is available in version 3.6.2 and later.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-23722 CRITICAL POC Act Now

WeGIA web manager for charitable institutions has a reflected XSS vulnerability prior to version 3.6.2 that enables account takeover through crafted malicious links.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-23645 Go MEDIUM POC PATCH This Month

SiYuan prior to version 3.5.4-dev2 fails to sanitize SVG file uploads, allowing authenticated attackers to embed malicious JavaScript that executes when other users view the files. Public exploit code exists for this stored XSS vulnerability, which can compromise user sessions and access sensitive knowledge management data. The vulnerability affects self-hosted instances where users can upload SVG content from untrusted sources.

XSS Siyuan Suse
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2021-47844 MEDIUM POC This Month

Xmind 2020 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into mind mapping files or custom headers. [CVSS 6.1 MEDIUM]

RCE XSS
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2021-47842 HIGH POC This Week

StudyMD 0.3.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. [CVSS 7.2 HIGH]

RCE XSS
NVD GitHub Exploit-DB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2021-47841 MEDIUM POC This Month

SnipCommand 0.1.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into command snippets. Attackers can execute arbitrary code by embedding malicious JavaScript that triggers remote command execution through file or title inputs. [CVSS 6.1 MEDIUM]

XSS
NVD GitHub Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2021-47840 HIGH POC This Week

Moeditor 0.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. [CVSS 7.2 HIGH]

RCE XSS
NVD Exploit-DB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2021-47839 HIGH POC This Week

Marky 0.0.1 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution. [CVSS 7.2 HIGH]

RCE XSS Redhat
NVD GitHub Exploit-DB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2021-47838 HIGH POC This Week

Markright 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to embed malicious payloads in markdown files. [CVSS 7.2 HIGH]

RCE XSS
NVD GitHub Exploit-DB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2021-47837 HIGH POC This Week

Markdownify 1.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload crafted markdown files with embedded scripts that execute when the file is opened, potentially enabling remote code execution. [CVSS 7.2 HIGH]

RCE XSS
NVD GitHub Exploit-DB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2021-47836 MEDIUM POC This Month

Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through file uploads and editor inputs. Attackers can upload markdown files with embedded JavaScript payloads to execute remote commands and potentially gain system access. [CVSS 6.1 MEDIUM]

XSS
NVD GitHub Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2021-47835 HIGH POC This Week

Freeter 1.2.1 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads in custom widget titles and files. [CVSS 7.2 HIGH]

RCE XSS
NVD Exploit-DB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2021-47834 MEDIUM POC This Month

Schlix CMS 2.2.6-6 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into category titles. Attackers can create a new contact category with a script payload that will execute when the page is viewed by other users. [CVSS 6.4 MEDIUM]

XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-31510 HIGH This Week

In the portal in LemonLDAP::NG before 2.21.0, cross-site scripting (XSS) allows remote attackers to inject arbitrary web script or HTML (into the login page) via the tab parameter, for Choice authentication. [CVSS 7.2 HIGH]

Ldap XSS
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-0949 MEDIUM This Month

Postgres Enterprise Manager versions up to 9.8.1 are affected by cross-site scripting (xss) (CVSS 6.5).

XSS Postgres Enterprise Manager
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-21624 MEDIUM This Month

Insufficient input validation in the Easy Discuss component for Joomla allows authenticated users to inject persistent cross-site scripting (XSS) payloads through user avatar text fields. An attacker with valid credentials can exploit this to execute malicious scripts in the browsers of other users viewing affected content. The vulnerability affects Joomla installations using the vulnerable Easy Discuss component, with no patch currently available.

Joomla XSS Easydiscuss
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-21623 MEDIUM This Month

Stored cross-site scripting in Joomla's Easy Discuss component allows authenticated users to inject malicious scripts into forum posts due to insufficient input validation. An attacker with login credentials can execute arbitrary JavaScript in the browsers of other users viewing affected posts, potentially leading to session hijacking or credential theft. No patch is currently available for this vulnerability.

Joomla XSS Easydiscuss
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-0695 HIGH This Week

Stored cross-site scripting in ConnectWise PSA versions before 2026.1 allows authenticated users to inject malicious scripts into Time Entry notes that execute in other users' browsers when viewed in the audit trail. An attacker with legitimate access could leverage this to steal session tokens, perform unauthorized actions, or compromise other users within the PSA system. No patch is currently available.

XSS Professional Service Automation
NVD
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-20894 MEDIUM This Month

Stored XSS in TOA Corporation TRIFORA 3 network cameras allows authenticated administrators to inject malicious scripts through configuration settings that execute in other administrators' browsers when accessing the settings interface. An attacker with administrative privileges could exploit this to compromise other admin sessions and potentially gain unauthorized access to camera management functions. No patch is currently available for this medium-severity vulnerability.

XSS
NVD
CVSS 3.0
4.8
EPSS
0.0%
CVE-2026-0913 MEDIUM This Month

Stored cross-site scripting in the User Submitted Posts WordPress plugin through version 20260110 allows authenticated Contributor-level users to inject malicious scripts via the 'usp_access' shortcode due to inadequate input sanitization. When other users visit pages containing the injected payload, the attacker's JavaScript executes in their browsers, potentially enabling session hijacking or unauthorized actions. No patch is currently available to remediate this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14375 MEDIUM This Month

The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'className' parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-0916 MEDIUM This Month

Stored XSS in the Related Posts by Taxonomy WordPress plugin through version 2.7.6 allows contributors and higher-privileged authenticated users to inject malicious scripts into shortcode attributes that execute in other users' browsers. The vulnerability stems from inadequate input sanitization and output escaping, enabling attackers to compromise page content viewed by site visitors. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-23769 MEDIUM PATCH This Month

lucy-xss-filter before commit e5826c0 contains a cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in users' browsers through improper input sanitization caused by misconfigured default filter rules. The vulnerability requires user interaction to trigger and affects the confidentiality and integrity of web applications relying on this filter. A patch is available to address the misconfigured rule set.

XSS Lucy Xss Filter
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-23768 MEDIUM POC This Month

Lucy XSS Filter with ObjectSecurityListener or EmbedSecurityListener enabled is vulnerable to server-side request forgery (SSRF) via malformed embed or object tags lacking file extensions in src attributes, allowing remote attackers to trigger arbitrary HEAD requests to internal or external URLs. Public exploit code exists for this vulnerability, and no patch is currently available.

SSRF XSS Lucy Xss Filter
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-0858 Maven MEDIUM PATCH This Month

PlantUML versions before 1.2026.0 fail to properly sanitize interactive attributes in GraphViz diagrams, allowing attackers to inject malicious JavaScript into SVG output through crafted diagram files. Applications that render these SVGs are vulnerable to arbitrary script execution within the user's browser context. A patch is available to address this stored XSS vulnerability.

XSS Plantuml Redhat Suse
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1011 MEDIUM This Month

Stored XSS in Altium Live's Support Center AddComment endpoint allows attackers to inject malicious JavaScript that persists and executes when support staff or other users view affected support cases. The vulnerability stems from inadequate server-side input validation that bypasses client-side HTML escaping, enabling attackers to compromise elevated-privilege support accounts through victim browser execution. No patch is currently available.

XSS Altium Live
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2021-47808 MEDIUM POC This Month

Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel's site title parameter. Attackers can inject malicious JavaScript code through the 'maintitle' parameter to execute scripts when administrators view the page. [CVSS 5.4 MEDIUM]

XSS Cotonti Siena
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2021-47795 MEDIUM POC This Month

GeoVision GeoWebServer 5.3.3 contains multiple vulnerabilities including local file inclusion, cross-site scripting, and remote code execution through improper input sanitization. [CVSS 6.2 MEDIUM]

RCE XSS Lfi Path Traversal
NVD Exploit-DB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2021-47783 MEDIUM POC This Month

Phpwcms versions up to 1.9.30 are affected by unrestricted upload of file with dangerous type (CVSS 5.4).

XSS Phpwcms
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2021-47779 MEDIUM POC This Month

Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. [CVSS 5.4 MEDIUM]

XSS Privilege Escalation
NVD GitHub Exploit-DB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1010 HIGH This Week

Stored XSS in Altium Workflow Engine allows authenticated users to inject malicious scripts into workflow forms that execute with administrator privileges when viewed. An attacker can exploit this to escalate privileges, create new admin accounts, steal session tokens, and perform arbitrary administrative actions. No patch is currently available for the on-premises enterprise server deployment.

XSS Privilege Escalation On Prem Enterprise Server
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-1009 CRITICAL Act Now

Altium Forum has stored XSS in forum posts with scope change (CVSS 9.0). Authenticated attackers can inject JavaScript that executes in other users' sessions, including accessing Altium design tools and project data.

XSS Altium Live
NVD
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-1008 HIGH This Week

Stored XSS in Altium Live user profile fields allows authenticated attackers to inject malicious scripts that execute when other users view the compromised profile, potentially enabling session hijacking or phishing attacks. The vulnerability stems from inadequate server-side input validation that fails to properly sanitize whitespace-based attribute injection techniques. Exploitation requires a valid user account and victim interaction but carries high risk due to cross-site impact affecting other platform users.

XSS Altium Live
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-67823 HIGH This Week

A vulnerability in the Multimedia Email component of Mitel MiContact Center Business through 10.2.0.10 and Mitel CX through 1.1.0.1 could allow an unauthenticated attacker to conduct a Cross-Site Scripting (XSS) attack due to insufficient input validation. [CVSS 8.2 HIGH]

XSS Micontact Center Business Cx
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-70891 MEDIUM POC This Month

Cyber Cafe Management System versions up to 1.0 are affected by cross-site scripting (xss) (CVSS 6.1).

PHP XSS Cyber Cafe Management System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-70890 MEDIUM POC This Month

Cyber Cafe Management System versions up to 1.0 are affected by cross-site scripting (xss) (CVSS 6.1).

PHP XSS Cyber Cafe Management System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-67025 MEDIUM This Month

Cross Site Scripting vulnerability in Anycomment anycomment.io 0.4.4 allows a remote attacker to execute arbitrary code via the Anycomment comment section. [CVSS 6.1 MEDIUM]

XSS Anycomment.Io
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-65368 MEDIUM POC This Month

SparkyFitness v0.15.8.2 is vulnerable to Cross Site Scripting (XSS) via user input and LLM output. [CVSS 6.1 MEDIUM]

XSS AI / ML Sparkyfitness
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-65349 MEDIUM POC This Month

Wireless Mini Router Wireless-N 300M Firmware versions up to 28k.minirouter.20190211 are affected by cross-site scripting (xss) (CVSS 5.4).

XSS Wireless Mini Router Wireless N 300m Firmware
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-15265 npm MEDIUM POC PATCH This Month

An SSR XSS exists in async hydration when attacker-controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML-safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. [CVSS 6.1 MEDIUM]

XSS Svelte Redhat
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-22867 HIGH PATCH This Week

Stored XSS in LaSuite Doc versions 3.8.0 through 4.3.0 allows authenticated users with document editing privileges to inject malicious JavaScript URLs into the Interlinking feature, which execute when other users click the crafted links. This vulnerability affects the collaborative documentation platform's security model by enabling arbitrary code execution in victims' browsers. A patch is available in version 4.4.0.

XSS Docs
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-20076 MEDIUM This Month

Stored XSS in Cisco ISE's web management interface allows authenticated administrators to inject malicious scripts that execute in other users' browsers, potentially compromising sensitive information or hijacking administrative sessions. Exploitation requires valid admin credentials and user interaction, making it suitable for insider threats or compromised accounts. No patch is currently available.

Cisco XSS Identity Services Engine
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-20075 MEDIUM This Month

Stored XSS in Cisco Prime Infrastructure and EPNM web management interfaces allows authenticated administrators with high privileges to inject malicious scripts that execute in other users' browsers, potentially enabling session hijacking or credential theft. The vulnerability stems from insufficient input validation in specific data fields and requires valid admin credentials to exploit. No patch is currently available.

Cisco XSS Prime Infrastructure Evolved Programmable Network Manager
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-20047 MEDIUM This Month

Cisco ISE and ISE-PIC's web management interface fails to properly sanitize user input, enabling authenticated admins to inject malicious scripts that execute in other users' browsers. Successful exploitation allows attackers with valid administrative credentials to steal session data or perform actions on behalf of legitimate users through reflected XSS attacks. No patch is currently available.

Cisco XSS Identity Services Engine
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-67078 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Omnispace Agora Project before 25.10 allows attackers to execute arbitrary code via the notify parameter of the file controller used to display errors. [CVSS 6.1 MEDIUM]

XSS Agora Project
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2021-47843 MEDIUM POC This Month

Tagstoo 2.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious payloads through files or custom tags. Attackers can execute arbitrary JavaScript code to spawn system processes, access files, and perform remote code execution on the victim's computer. [CVSS 5.4 MEDIUM]

RCE XSS Tagstoo
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
0.1%
Page 25 of 112