Skip to main content

XSS

38830 CVEs technique

Monthly

CVE-2026-30252 MEDIUM This Month

Reflected cross-site scripting (XSS) vulnerabilities in Interzen Consulting ZenShare Suite v17.0 login.php endpoint allow remote unauthenticated attackers to execute arbitrary JavaScript in a user's browser by injecting malicious payloads into the codice_azienda and red_url parameters. Attack requires user interaction (clicking a crafted link) and affects the authentication process; no public exploit code or active exploitation has been confirmed at time of analysis.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-34828 Go HIGH PATCH GHSA This Week

Session fixation in listmonk v6.0.0 allows authenticated sessions to persist after password reset or password change, enabling attackers with stolen session cookies to maintain account access despite credential recovery by the victim. Authenticated remote attackers (PR:L) can exploit this to retain high confidentiality impact access. No public exploit code identified at time of analysis, though the vulnerability is trivially reproducible per the detailed proof-of-concept. EPSS data not available; vulnerability confirmed in production release v6.0.0 via GitHub Security Advisory.

Authentication Bypass XSS
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-34974 PHP MEDIUM PATCH GHSA This Month

Stored XSS via HTML entity-encoded javascript: URLs in SVG files in phpMyFAQ enables privilege escalation from editor to admin. The regex-based sanitizer in SvgSanitizer.php fails to detect entity-encoded payloads like javascript: (javascript:), allowing any user with edit_faq permission to upload malicious SVGs that execute arbitrary JavaScript in admin browsers. Publicly available proof-of-concept demonstrates both basic XSS and complete admin account creation, with confirmed working exploitation in Chrome 146 and Edge.

PHP XSS Privilege Escalation Google Chrome
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-66486 MEDIUM PATCH This Month

HTML injection in IBM Aspera Shares 1.9.9 through 1.11.0 allows authenticated remote attackers with high privileges to inject malicious HTML that executes in victim browsers within the hosting site's security context, requiring user interaction to view the injected content. CVSS 4.8 indicates low overall severity; patch is available from IBM.

IBM XSS
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-66485 MEDIUM PATCH This Month

HTTP header injection in IBM Aspera Shares 1.9.9 through 1.11.0 allows authenticated attackers to conduct cross-site scripting, cache poisoning, and session hijacking attacks via improper validation of HOST headers. The vulnerability requires authenticated access and carries a CVSS score of 5.4 with moderate confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed.

IBM XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-66484 MEDIUM PATCH This Month

Stored cross-site scripting in IBM Aspera Shares 1.9.9 through 1.11.0 allows authenticated high-privilege users to inject arbitrary JavaScript into the Web UI, potentially enabling credential theft or session hijacking within trusted browser sessions. CVSS 5.5 reflects the requirement for elevated privileges but global scope impact; no public exploit or active exploitation confirmed.

IBM XSS
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-34729 PHP MEDIUM PATCH GHSA This Month

Stored cross-site scripting (XSS) in phpMyFAQ allows authenticated administrators to inject unquoted or single-quoted event handler attributes that bypass the content sanitization pipeline, resulting in arbitrary JavaScript execution for all FAQ page visitors. The vulnerability exists in the removeAttributes() regex filter (line 174 of Filter.php) which only matches double-quoted HTML attributes, allowing payloads like <img src=x onerror=alert(1)> to persist and execute in the browser when the F

PHP XSS CSRF
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-34725 npm HIGH PATCH GHSA This Week

Stored XSS in DbGate npm package escalates to remote code execution in Electron desktop app via unsanitized SVG icon rendering. Attackers who inject malicious SVG payloads into application definition files can execute arbitrary JavaScript when victims view matching database entries. In the Electron desktop client, insecure configuration (nodeIntegration: true, contextIsolation: false) allows XSS payloads to invoke Node.js APIs, enabling local code execution including file system access. Web depl

XSS RCE PostgreSQL
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-34715 MEDIUM GHSA This Month

HTTP response splitting in ewe's encode_headers function allows remote attackers to inject arbitrary HTTP response headers and content by embedding CRLF sequences in user-controlled response header values, enabling cache poisoning and cross-site scripting attacks. The vulnerability affects ewe versions that do not validate outgoing response header keys and values, despite implementing equivalent validation for incoming request headers. A proof-of-concept demonstrates injection of custom headers through a redirect URL parameter passed directly to the Location header without sanitization.

XSS
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-34571 PHP CRITICAL PATCH GHSA Act Now

Stored cross-site scripting in CI4MS backend user management allows authenticated attackers with low-level privileges to inject malicious JavaScript that executes automatically when administrators access affected pages, enabling session hijacking and full administrative account takeover. The vulnerability affects all versions prior to 0.31.0.0 with a critical CVSS score of 9.9 due to scope change and high impact across confidentiality, integrity, and availability. EPSS data not available; no public exploit code or active exploitation confirmed at time of analysis, though the technical barrier is low (AC:L, PR:L).

XSS Privilege Escalation Ci4ms
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-34569 PHP CRITICAL PATCH GHSA Act Now

Stored cross-site scripting in CI4MS blog category management allows authenticated users to inject malicious JavaScript that executes across multiple application contexts including public blog pages and administrative interfaces. Affecting all versions prior to 0.31.0.0, attackers with low-privilege authenticated access can achieve scope change with high impact to confidentiality, integrity, and availability (CVSS 9.9). Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though EPSS data unavailable and exploitation is straightforward given low attack complexity.

XSS Ci4ms
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-34568 PHP CRITICAL PATCH GHSA Act Now

Stored cross-site scripting in CI4MS blog module allows authenticated attackers to inject malicious JavaScript that executes in victims' browsers across multiple application views. The vulnerability affects all versions prior to 0.31.0.0 and stems from insufficient input sanitization when creating or editing blog posts combined with unsafe output rendering. Attack requires low-privilege authentication (PR:L) but has scope change (S:C), enabling session hijacking and credential theft across user contexts. Vendor-released patch available in version 0.31.0.0. EPSS and KEV data not provided; no public exploit identified at time of analysis.

XSS Ci4ms
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-34567 PHP CRITICAL PATCH GHSA Act Now

Stored cross-site scripting in CI4MS (CodeIgniter 4 CMS) allows authenticated users with blog post management privileges to inject malicious JavaScript through unsanitized category fields, affecting all users who view blog posts containing the poisoned categories. The vulnerability is confirmed patched in version 0.31.0.0. With CVSS 9.1 (Critical) due to scope change and high confidentiality impact, and low attack complexity requiring only low-privilege authentication, this represents significant risk in multi-user CMS environments despite no confirmed active exploitation (no CISA KEV listing) or public exploit code identified at time of analysis.

XSS Ci4ms
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-34566 PHP CRITICAL PATCH GHSA Act Now

Stored cross-site scripting (XSS) in CI4MS page management functionality allows authenticated attackers to inject malicious JavaScript that executes in both administrative contexts and public-facing pages. Affecting CI4MS versions prior to 0.31.0.0, this vulnerability requires low-privilege authentication (PR:L) but enables scope change (S:C) with network-based remote exploitation (AV:N) and low attack complexity (AC:L). Vendor-released patch version 0.31.0.0 addresses the input sanitization failures. No public exploit identified at time of analysis; CVSS 9.1 reflects the scope change and cross-context impact enabling privilege escalation and potential administrator session compromise.

XSS Ci4ms
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-34565 PHP CRITICAL PATCH GHSA Act Now

Stored cross-site scripting (XSS) in CI4MS menu management allows authenticated users with low privileges to inject malicious scripts that execute in administrator and public user contexts. Affecting CI4MS versions prior to 0.31.0.0, attackers can exploit insufficient input sanitization when adding Posts to navigation menus, achieving cross-scope code execution (CVSS scope changed) with potential for session hijacking and administrative account compromise. Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though EPSS data not available for risk quantification.

XSS Ci4ms
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-34564 PHP CRITICAL PATCH GHSA Act Now

Stored cross-site scripting in CI4MS menu management allows authenticated attackers to inject malicious scripts that execute in administrative and public contexts with changed scope impact. Affecting all CI4MS versions prior to 0.31.0.0, attackers with low-level privileges can exploit inadequate input sanitization in the Pages-to-navigation-menu workflow to persistently embed DOM-based XSS payloads. CVSS 9.1 (Critical) with scope change (S:C) indicates privilege escalation potential across trust boundaries. Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though exploitation probability exists given low attack complexity (AC:L) and no user interaction requirement (UI:N).

XSS Ci4ms
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-34563 PHP CRITICAL PATCH GHSA Act Now

Stored blind cross-site scripting in CI4MS backup management allows authenticated attackers to inject malicious JavaScript payloads via SQL-backed backup filenames, achieving scope change with high confidentiality impact and low integrity/availability impact. The vulnerability exploits insufficient input sanitization during backup upload processing and unsafe output rendering in administrative views. Vendor-released patch available in version 0.31.0.0. CVSS 9.1 (Critical) with network attack vector, low complexity, and low privilege requirement. No public exploit identified at time of analysis, though EPSS data unavailable for this recently disclosed GitHub-sourced CVE.

XSS Ci4ms
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-34562 PHP MEDIUM PATCH GHSA This Month

Stored cross-site scripting (XSS) in CI4MS prior to version 0.31.0.0 allows authenticated high-privilege administrators to inject malicious scripts via unencoded System Settings - Company Information fields, which are later rendered to other users without proper output encoding. The vulnerability requires administrative privileges to exploit but poses a real risk in multi-user deployments where admin accounts may be compromised or where trust boundaries exist between administrative roles.

XSS Ci4ms
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-34561 PHP MEDIUM PATCH GHSA This Month

Stored cross-site scripting (XSS) in CI4MS prior to version 0.31.0.0 allows authenticated high-privilege administrators to inject malicious scripts through unvalidated System Settings - Social Media Management configuration fields. The vulnerability stores attacker-controlled input server-side and renders it without proper output encoding, enabling script execution in the context of the application. This is a stored XSS vulnerability with limited real-world impact due to high-privilege prerequisite (PR:H), though it undermines the integrity and confidentiality of the CMS for downstream users viewing the affected settings.

XSS Ci4ms
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-34560 PHP CRITICAL PATCH GHSA Act Now

Blind stored XSS in CI4MS CMS log viewer allows authenticated attackers to execute JavaScript in administrator sessions when reviewing application logs. Affects CI4MS versions prior to 0.31.0.0. The vulnerability enables low-privilege authenticated users to inject malicious payloads that persist in logs and execute when administrators access the logs interface (CVSS 9.1, Critical). EPSS data not available; no public exploit identified at time of analysis, though the attack technique is well-documented in XSS literature.

XSS Ci4ms
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-34559 PHP CRITICAL PATCH GHSA Act Now

Stored cross-site scripting in CI4MS blog tag management (versions prior to 0.31.0.0) allows authenticated attackers to inject malicious JavaScript through unsanitized tag name fields, achieving code execution in victim browsers with scope change (CVSS 9.1, S:C). The payload persists server-side and executes on public tag pages and administrative interfaces, enabling session hijacking, credential theft, and administrative account compromise. No public exploit identified at time of analysis, though the attack path is straightforward for authenticated users with tag creation privileges.

XSS Ci4ms
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-4364 MEDIUM PATCH This Month

IBM Verify Identity Access Container and IBM Security Verify Access versions 10.0-10.0.9.1 and 11.0-11.0.2 return JSON payloads with incorrect Content-Type headers (text/html instead of application/json) when listing certificates via browser sessions, enabling stored or reflected cross-site scripting attacks when browsers interpret the JSON data as executable script. Authenticated users with UI interaction can trigger JavaScript injection affecting confidentiality and integrity of user sessions.

IBM XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-34748 npm HIGH PATCH GHSA This Week

Stored Cross-Site Scripting (XSS) in Payload CMS versions prior to 3.78.0 allows authenticated users with write permissions to inject malicious scripts into content that execute in other users' browsers when viewed in the admin panel. The vulnerability requires low privilege access (PR:L) and user interaction (UI:R), enabling attackers to compromise admin accounts with high confidentiality and integrity impact due to scope change (S:C). CVSS score of 8.7 reflects the elevated risk from privileged position abuse. No public exploit identified at time of analysis, though the technical details are publicly documented in GitHub Security Advisory GHSA-mmxc-95ch-2j7c.

XSS Payload
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-28805 PHP HIGH PATCH GHSA This Week

Time-based blind SQL injection in OpenSTAManager ≤2.10.1 allows authenticated users to extract complete database contents including credentials, financial records, and PII through multiple AJAX select handlers. The vulnerability affects three core modules (preventivi, ordini, contratti) where the `options[stato]` GET parameter is concatenated directly into SQL WHERE clauses without validation. Exploitation requires only low-privilege authentication (CVSS PR:L) and has been confirmed with working

PHP SQLi Denial Of Service Information Disclosure XSS
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-20090 MEDIUM This Month

Stored XSS in Cisco IMC web management interface allows authenticated administrators to inject arbitrary script code executed in users' browsers via insufficient input validation. Affects Cisco Enterprise NFV Infrastructure Software, Cisco Unified Computing System (Standalone), and Cisco UCS E-Series Software. Requires administrative privileges and user interaction (clicking a crafted link), resulting in session hijacking, credential theft, or unauthorized access to sensitive browser-based information. No public exploit code identified at time of analysis.

XSS Cisco
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-20089 MEDIUM This Month

Stored cross-site scripting (XSS) in Cisco IMC web management interface allows authenticated administrators to inject persistent malicious scripts that execute in other users' browsers via crafted links. Affects Cisco Enterprise NFV Infrastructure Software, Unified Computing System (standalone), and UCS E-Series. No public exploit code or active exploitation confirmed; patch availability not independently verified from provided data.

Cisco XSS
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-20087 MEDIUM This Month

Stored XSS in Cisco IMC web management interface allows authenticated administrators to inject arbitrary script code via insufficient input validation. Attackers with admin privileges can craft malicious links that execute JavaScript in the browsers of other users accessing the interface, potentially compromising session security, stealing credentials, or accessing sensitive information. No public exploit code or active exploitation has been confirmed; the vulnerability requires administrator privileges and user interaction to trigger.

Cisco XSS
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-20088 MEDIUM This Month

Stored cross-site scripting (XSS) in Cisco IMC web management interface allows authenticated administrators to inject malicious script code that executes in the browsers of other users accessing the interface. An attacker with administrative credentials can exploit insufficient input validation by crafting a malicious link and tricking a user into clicking it, enabling arbitrary script execution or theft of sensitive browser-based information. No public exploit code or active exploitation has been identified at time of analysis.

Cisco XSS
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-20085 MEDIUM This Month

Reflected XSS in Cisco IMC web management interface allows unauthenticated remote attackers to execute arbitrary JavaScript in user browsers via crafted links. Affects Cisco Enterprise NFV Infrastructure Software, Cisco Unified Computing System (standalone), and UCS E-Series Software. Exploitation requires user interaction (clicking a malicious link) but could lead to session hijacking, credential theft, or malware delivery to privileged administrators managing critical infrastructure.

Cisco XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-33978 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Notesnook mobile versions prior to 3.3.17 allows remote attackers to execute arbitrary JavaScript in the share editor WebView by injecting malicious HTML through unescaped clip metadata (title, subject, or link-preview data). When a victim opens the Notesnook share flow and selects Web clip, the attacker's payload executes with access to local context and user data. No public exploit code or active exploitation has been confirmed, though the vulnerability requires user interaction to trigger.

XSS Apple Google
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-13535 MEDIUM This Month

King Addons for Elementor plugin versions up to 51.1.38 contain multiple DOM-Based Stored Cross-Site Scripting vulnerabilities affecting authenticated Contributor+ users. The plugin improperly escapes user input in JavaScript inline event handlers and uses unsafe DOM manipulation methods in widget settings, allowing attackers with Contributor-level access to inject arbitrary JavaScript that executes when pages are accessed or previewed in the Elementor editor. A partial patch was released in version 5.1.51, though the version numbering discrepancy suggests incomplete remediation across all vulnerable code paths.

XSS WordPress Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-3877 HIGH PATCH This Week

Reflected cross-site scripting in VertiGIS FM dashboard search functionality allows authenticated attackers to execute arbitrary JavaScript in victim browsers through malicious URLs. The vulnerability affects VertiGIS FM across versions and requires user interaction (victim clicking a crafted link), but provides no authentication bypass-victims must already be logged into the application. CVSS score is not available; exploitation requires victim interaction and authentication context.

XSS Vertigis Fm
NVD VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-34889 MEDIUM PATCH This Month

DOM-based cross-site scripting (XSS) in Ultimate Addons for WPBakery Page Builder versions before 3.21.4 allows authenticated attackers with low privileges to inject malicious scripts that execute in other users' browsers with user interaction. The vulnerability affects WordPress sites using this plugin and could enable session hijacking, credential theft, or malware distribution through page builder interfaces.

XSS
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-21631 MEDIUM This Month

Cross-site scripting (XSS) in Joomla CMS multilingual associations component allows unauthenticated remote attackers to inject malicious scripts via unescaped output in the comparison view. The vulnerability affects all versions of Joomla CMS and stems from improper output encoding in the com_associations component. No CVSS score is available; however, the CWE-79 classification confirms reflected or stored XSS capability.

XSS Joomla Cms
NVD GitHub
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-21632 MEDIUM This Month

Joomla CMS fails to properly escape article titles in output, enabling stored cross-site scripting (XSS) attacks across multiple locations. Attackers with article creation or editing privileges can inject malicious scripts into article titles that execute in the browsers of site visitors, potentially compromising user sessions, stealing credentials, or defacing content. The vulnerability affects all Joomla CMS versions and requires administrative action to remediate.

XSS Joomla Cms
NVD
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-5255 LOW POC Monitor

Reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the userid parameter in /delstaffinfo.php, with public exploit code available. The vulnerability requires user interaction (clicking a crafted link) and has low confidentiality impact but can enable session hijacking, credential theft, or malware distribution.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5254 LOW POC Monitor

Stored cross-site scripting (XSS) in welovemedia FFmate up to version 2.0.15 allows authenticated remote attackers to inject malicious scripts via the Webhook Handler component's AppJsonTreeView.vue file. The vulnerability requires user interaction to trigger payload execution and has been publicly disclosed with exploit code available on GitHub. The vendor has not responded to early disclosure notifications, leaving users without an official patch.

XSS Ffmate
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-5253 LOW POC Monitor

Stored cross-site scripting (XSS) in bufanyun HotGo 1.0/2.0 allows authenticated remote attackers to inject malicious scripts via the editNotice endpoint in the MessageList.vue component, affecting the application's message handling functionality. The vulnerability requires user interaction (UI:R) to execute but has publicly available exploit code and a low CVSS score (3.5) due to limited attack complexity and minimal impact scope. The vendor has not responded to early disclosure attempts.

XSS Hotgo
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-5252 LOW POC Monitor

Stored cross-site scripting (XSS) in z-9527 admin 1.0 and 2.0 allows authenticated remote attackers to inject malicious scripts via the Message Create Endpoint (/server/routes/message.js), affecting message content with user interaction required. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts, leaving affected installations without an official patch.

XSS Admin
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-5249 LOW POC Monitor

Stored cross-site scripting (XSS) in GouguCMS 4.08.18 allows authenticated remote attackers to inject malicious scripts via the value.content parameter in the Record Endpoint (\gougucms-master\app\admin\view\user\record.html), which are executed in the context of other users' browsers. The vulnerability has a publicly available exploit and affects user record management functionality with low CVSS score (3.5) due to requirement for user interaction and authenticated access, though the vendor has not responded to disclosure.

XSS Gougucms
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-35057 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in XenForo before 2.3.10 and 2.2.19 allows authenticated attackers to inject malicious scripts through crafted structured text mentions in profile posts, which are executed when other users view the affected content. The vulnerability has a CVSS score of 5.1 with low attack complexity and requires user interaction (viewing the malicious post), making it a moderate-risk concern for XenForo communities. Publicly available exploit code has been identified, and vendor patches have been released.

XSS Xenforo
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-35055 MEDIUM PATCH This Month

Cross-site scripting (XSS) in XenForo lightbox functionality allows unauthenticated remote attackers to inject malicious scripts that execute in the context of other users' browsers when interacting with post content displayed via lightbox. Versions before 2.3.9 and 2.2.18 are affected. The vulnerability requires user interaction (clicking or hovering on lightbox elements) and has limited scope, affecting only session integrity and information disclosure rather than system availability or confidentiality of sensitive data.

XSS Xenforo
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-35054 MEDIUM PATCH This Month

Stored cross-site scripting in XenForo before version 2.3.9 allows authenticated users to inject malicious scripts through BB code that persist in the application and execute when other users view the affected content. The vulnerability requires user interaction (viewing the malicious post) and authenticated access to create content, limiting its scope but enabling account compromise and session hijacking of affected users.

XSS Xenforo
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-5240 LOW Monitor

Stored cross-site scripting (XSS) in code-projects BloodBank Managing System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the statename parameter in /admin_state.php, affecting user sessions and administrative functions with user interaction required. The vulnerability carries a CVSS score of 5.3 (medium severity) with low integrity impact, and publicly available exploit code exists according to disclosed documentation.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-34598 PHP HIGH PATCH GHSA This Week

Stored cross-site scripting (XSS) in YesWiki allows unauthenticated attackers to inject malicious JavaScript through form title fields, achieving persistent code execution in browsers of all users viewing affected pages. The vulnerability requires no authentication and affects the BazaR form component, with publicly available exploit code demonstrating injection via the 'Name of the event' and 'Description' fields. Successful exploitation enables session hijacking, credential theft, and arbitrary actions in victim contexts including administrative users.

XSS
NVD GitHub
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-30526 MEDIUM POC This Month

Reflected cross-site scripting in SourceCodester Zoo Management System v1.0 login page allows remote attackers to inject arbitrary JavaScript or HTML via the msg parameter without authentication. The vulnerable parameter reflects user input directly to the browser without HTML encoding, enabling credential theft, session hijacking, or malware distribution through crafted URLs. Publicly available proof-of-concept code exists, increasing real-world exploitation risk.

XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-29598 MEDIUM This Month

Stored cross-site scripting (XSS) vulnerabilities in DDSN Interactive Acora CMS v10.7.1 allow unauthenticated attackers to inject malicious scripts via the submit_add_user.asp endpoint's First Name and Last Name parameters, enabling arbitrary JavaScript execution in the context of victim browsers. Public proof-of-concept code is available on GitHub; no patch information or CVSS/EPSS quantification is currently available.

XSS N A
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-34530 Go MEDIUM PATCH GHSA This Month

Stored cross-site scripting in File Browser via admin-controlled branding fields allows injection of persistent JavaScript that executes for all visitors, including unauthenticated users. The vulnerability stems from use of Go's text/template (which performs no HTML escaping) instead of html/template when rendering the SPA index.html with branding data. An authenticated admin can inject malicious payloads into branding.name or branding.color fields that break out of their intended HTML context and execute arbitrary JavaScript in every user's browser without restriction, as no Content-Security-Policy header is set. Affected versions through v2.62.1 are vulnerable; vendor-released patches are available.

XSS Python Docker
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-34529 Go HIGH PATCH GHSA This Week

Stored XSS in File Browser's EPUB preview function (versions ≤v2.62.1) allows authenticated attackers to steal JWT tokens and escalate privileges by uploading malicious EPUB files. The vulnerability arises from passing allowScriptedContent:true to the epub.js library combined with an ineffective iframe sandbox (allow-scripts + allow-same-origin), enabling JavaScript in crafted EPUBs to access parent frame localStorage. CVSS 7.6 (AV:N/AC:L/PR:L/UI:R/S:C). No public exploit identified at time of analysis beyond the detailed PoC in the advisory. EPSS data not available. Vendor-released patch available per GitHub advisory. Low-privilege users with file upload permissions can weaponize this to compromise administrator sessions.

XSS Privilege Escalation Python Docker Mozilla
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-2480 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in WP Shortcodes Plugin - Shortcodes Ultimate through version 7.4.10 allows authenticated contributors and above to inject arbitrary JavaScript via the 'max_width' attribute of the su_box shortcode due to insufficient input sanitization and output escaping. The injected scripts persist in page content and execute for all users viewing the affected page, enabling attackers with contributor-level WordPress access to compromise site visitors without additional user interaction.

WordPress XSS
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-34605 Go HIGH POC PATCH GHSA This Week

Cross-site scripting (XSS) in SiYuan personal knowledge management system versions 3.6.0-3.6.1 allows remote attackers to execute arbitrary JavaScript via the unauthenticated /api/icon/getDynamicIcon endpoint by bypassing SVG sanitization using XML namespace-prefixed element names. The vulnerability exploits a parser inconsistency where Go's HTML5 parser treats 'x:script' as a distinct tag while browsers' XML parsers resolve the namespace prefix to execute the script. Publicly available exploit code exists (GitHub issue #17246 documents the bypass technique), though no CISA KEV listing indicates mass exploitation campaigns at time of analysis.

XSS Siyuan
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-34585 Go HIGH PATCH GHSA This Week

Stored cross-site scripting (XSS) in SiYuan personal knowledge management system versions prior to 3.6.2 escalates to remote code execution in the Electron desktop client. Attackers craft malicious .sy.zip import files containing HTML entities mixed with raw special characters that bypass server-side attribute escaping, injecting event handlers into imported notes. When victims open the compromised note in the Electron client, injected JavaScript executes with full Node/Electron API access, enabling arbitrary code execution. CVSS 8.6 (High) with local attack vector requiring user interaction; no public exploit identified at time of analysis.

XSS RCE Siyuan
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-34448 Go CRITICAL PATCH GHSA Act Now

Stored cross-site scripting (XSS) in SiYuan personal knowledge management system escalates to arbitrary operating system command execution on desktop clients. Authenticated attackers with low privileges can inject malicious URLs into Attribute View asset fields that execute JavaScript when victims view Gallery or Kanban layouts with "Cover From -> Asset Field" enabled. The Electron desktop client's configuration (nodeIntegration enabled, contextIsolation disabled) allows the XSS payload to break sandbox boundaries and execute arbitrary commands under the victim's OS account. CVSS 9.0 (Critical) with network attack vector, low complexity, and cross-scope impact. Vendor-released patch: version 3.6.2. No public exploit identified at time of analysis, though technical details are disclosed in GitHub advisory GHSA-rx4h-526q-4458.

XSS Command Injection Siyuan
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-34405 npm MEDIUM PATCH GHSA This Month

Nuxt OG Image versions prior to 6.2.5 allow cross-site scripting (XSS) attacks via arbitrary HTML attribute injection in the image-generation endpoint at /_og/d/, affecting any unauthenticated remote user who can craft a malicious URI. An attacker can inject attributes into the HTML page body to execute JavaScript in the context of users' browsers, compromising confidentiality and integrity without service disruption. No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS Og Image
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-34739 PHP MEDIUM PATCH GHSA This Month

Stored cross-site scripting (XSS) via unencoded HTML reflection in WWBN AVideo's User_Location plugin testIP.php endpoint allows authenticated attackers to execute arbitrary JavaScript in admin sessions. Affecting AVideo 26.0 and earlier, the vulnerability exploits SameSite=None cookie configuration to enable cross-origin exploitation, permitting unauthenticated attackers to lure admins to malicious links that hijack their authenticated context. No public exploit code or vendor patch has been released at time of analysis.

PHP XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-34716 PHP MEDIUM GHSA This Month

Stored cross-site scripting (XSS) in WWBN AVideo versions 26.0 and prior allows authenticated attackers to execute arbitrary JavaScript in the browsers of online users without any victim interaction. An attacker with a user account can set their display name to an XSS payload; when they initiate a call via the YPTSocket plugin, the caller notification rendered by the jQuery Toast Plugin executes the malicious script in every connected user's browser, enabling session hijacking, credential theft, or further compromise. CVSS 6.4 reflects moderate complexity due to authentication requirement and limited direct impact scope.

XSS RCE Avideo
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-34396 PHP MEDIUM GHSA This Month

Stored cross-site scripting (XSS) in WWBN AVideo 26.0 and prior allows unauthenticated attackers to inject malicious JavaScript into plugin configuration values via CSRF, or authenticated admins to directly inject code that executes in administrator browsers when accessing plugin configuration pages. The vulnerability exploits missing output encoding in the jsonToFormElements() function, enabling arbitrary JavaScript execution within the admin panel with impact to confidentiality and integrity.

XSS PHP CSRF
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-3468 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in SonicWall Email Security allows authenticated admin users to inject and execute arbitrary JavaScript code through improper input sanitization during web page generation. The vulnerability affects all versions of SonicWall Email Security appliance and requires admin-level authentication to exploit, limiting immediate exposure but posing significant risk to organizations where admin accounts are compromised or insider threats exist.

Sonicwall XSS
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-34206 MEDIUM PATCH This Month

Reflected cross-site scripting (XSS) in Captcha Protect versions prior to 1.12.2 allows unauthenticated remote attackers to inject arbitrary script into the anti-bot challenge page by supplying a crafted destination parameter. The vulnerability exploits unsafe use of Go's text/template library, which does not perform contextual HTML escaping, enabling attackers to break out of HTML attributes and execute malicious code in the context of users viewing the challenge page. This affects all Traefik middleware deployments using vulnerable versions of libops/captcha-protect.

XSS Captcha Protect
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-5209 LOW POC Monitor

Stored cross-site scripting (XSS) in SourceCodester Leave Application System 1.0 User Management Handler allows authenticated remote attackers with high privileges to inject malicious scripts via the component, requiring user interaction to execute. The vulnerability carries a CVSS 4.8 score with publicly available exploit code; however, real-world risk is constrained by high privilege requirement (PR:H) and necessary user interaction (UI:P), limiting opportunistic exploitation.

XSS Leave Application System
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-62184 MEDIUM This Month

Stored cross-site scripting (XSS) in Pega Platform versions 8.1.0 through 25.1.0 allows authenticated administrative users with extensive access rights to inject malicious scripts into user interface components, potentially compromising the confidentiality of other users who interact with affected UI elements. The vulnerability requires high-privilege administrative access and user interaction to exploit, resulting in a CVSS 4.8 (low severity) with no integrity or availability impact. No public exploit code or active exploitation has been identified at time of analysis.

XSS Pega Infinity
NVD
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-32607 LOW PATCH Monitor

Stored cross-site scripting (XSS) in Discourse assignment UI allows authenticated users with assign permission to inject arbitrary HTML/JavaScript into user and group display names when the hidden prioritize_full_name_in_ux site setting is enabled, affecting versions 2026.1.0–2026.1.2, 2026.2.0–2026.2.1, and 2026.3.0. The injected payload executes in the browser of any user viewing an affected topic, enabling session hijacking, credential theft, or malware distribution. No active exploitation confirmed; however, the requirement for console access to enable the vulnerable setting and assign permission to exploit limits real-world impact, though the low CVSS score (2.1) reflects these constraints rather than severity of XSS itself.

XSS Discourse
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-32273 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Discourse category description API endpoints allows authenticated users with category management privileges to inject malicious scripts that execute in the browsers of other users viewing the category. The vulnerability affects Discourse versions 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and 2026.3.0-pre-release due to missing input sanitization on category description updates. Vendor-released patches address this in versions 2026.1.3, 2026.2.2, and 2026.3.0; no public exploit code has been identified at time of analysis.

XSS Discourse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32243 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Discourse allows authenticated users with conversation creation privileges to inject arbitrary HTML and JavaScript via crafted AI conversation titles, executing malicious payloads in the browsers of users viewing onebox previews and potentially enabling session hijacking or unauthorized actions. Affects Discourse versions 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and 2026.3.0-beta; patched versions 2026.1.3, 2026.2.2, and 2026.3.0 are available. No public exploit code or active exploitation has been confirmed at time of analysis.

XSS Discourse
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-20915 HIGH PATCH This Week

Stored cross-site scripting (XSS) in Checkmk 2.5.0 beta allows authenticated users with pending change permissions to inject malicious JavaScript into the Pending Changes sidebar, executing in the browsers of other users who view that sidebar. This vulnerability affects the beta release 2.5.0 before version 2.5.0b2 and requires existing user authentication with specific permissions to exploit.

XSS Checkmk
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-33276 HIGH PATCH This Week

Stored cross-site scripting (XSS) in Checkmk 2.5.0 beta versions before 2.5.0b2 allows authenticated users with host or service creation permissions to inject malicious JavaScript that executes in the browsers of other users when they perform searches via the Unified Search feature, potentially enabling session hijacking, credential theft, or administrative account compromise.

XSS Checkmk
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-0396 LOW PATCH Monitor

HTML injection in DNSdist internal web dashboard allows remote unauthenticated attackers to inject malicious content via crafted DNS queries when domain-based dynamic rules are enabled, requiring user interaction to exploit. This affects all DNSdist versions with vulnerable rule functionality and carries low integrity impact with no confidentiality or availability consequences.

XSS Dnsdist
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-34887 MEDIUM This Month

Stored cross-site scripting (XSS) in Extend Themes Kubio AI Page Builder through version 2.7.0 allows authenticated users to inject malicious scripts that execute in the browsers of other users viewing affected pages. An attacker with user account access can inject unescaped input during page generation, leading to session hijacking, credential theft, or malware distribution. No public exploit code has been identified at the time of analysis.

XSS Kubio Ai Page Builder
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3107 CRITICAL PATCH Act Now

Stored cross-site scripting in Teampass password manager versions before 3.1.5.16 enables unauthenticated remote attackers to inject malicious JavaScript through the password import functionality, achieving persistent code execution in victims' browsers including administrators. CVSS 9.3 (Critical) with EPSS data unavailable, no KEV listing, and patch available per vendor advisory. Attack requires no authentication (PR:N) and low complexity (AC:L), creating significant risk for organizational password compromise and lateral movement.

XSS PHP
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2025-41357 MEDIUM This Month

Reflected Cross-Site Scripting (XSS) in Anon Proxy Server v0.104 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a malicious URL targeting the 'host' parameter of the /diagdns.php endpoint. An attacker can exploit this to steal session cookies, perform unauthorized actions, or redirect users to malicious content. No public exploit code or active exploitation has been confirmed at time of analysis.

XSS PHP
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-41356 MEDIUM This Month

Reflected XSS in Anon Proxy Server v0.104 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a malicious URL targeting the 'host' parameter in /diagconnect.php, potentially enabling session hijacking or unauthorized user actions. The vulnerability requires user interaction (clicking a malicious link) and has a CVSS score of 5.1 (medium severity). No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS PHP
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-3106 CRITICAL PATCH Act Now

Blind Cross-Site Scripting in Teampass password manager versions prior to 3.1.5.16 allows unauthenticated remote attackers to execute arbitrary JavaScript in administrator browsers via malicious username input during failed login attempts. The vulnerability achieves high confidentiality and integrity impact (CVSS 9.3) because malicious code is stored and automatically executed when administrators review failed authentication logs, enabling potential session hijacking, credential theft, or administrative account compromise. No active exploitation confirmed via CISA KEV, though the attack requires no authentication and minimal complexity.

XSS PHP
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-41355 MEDIUM This Month

Reflected Cross-Site Scripting (XSS) in Anon Proxy Server v0.104 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious URLs targeting the 'port' and 'proxyPort' parameters in the /anon.php endpoint. Successful exploitation enables theft of session cookies and unauthorized actions on behalf of the victim. No public exploit code or active exploitation has been confirmed at time of analysis.

XSS PHP
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-10553 HIGH This Week

Stored cross-site scripting in Dassault Systèmes DELMIA Factory Resource Manager (R2023x through R2025x) allows authenticated attackers to inject malicious scripts that execute in victims' browser sessions with changed scope impact. CVSS 8.7 severity reflects the scope change (S:C) enabling attacks beyond the vulnerable component's privileges. No public exploit code identified and not listed in CISA KEV at time of analysis, though the low attack complexity (AC:L) indicates straightforward exploitation once authenticated access is obtained.

XSS Delmia Factory Resource Manager
NVD
CVSS 3.1
8.7
EPSS
0.0%
CVE-2025-10551 HIGH This Week

Stored Cross-Site Scripting (XSS) in Dassault Systèmes ENOVIA Collaborative Industry Innovator's Document Management module enables authenticated attackers to inject malicious scripts that execute in other users' browser sessions across 3DEXPERIENCE releases R2023x through R2025x. With CVSS 8.7 (High severity) and scope change (S:C), successful exploitation allows session hijacking, credential theft, and persistent compromise of users accessing manipulated documents. EPSS data not available; no public exploit identified at time of analysis, though the low attack complexity (AC:L) makes exploitation straightforward once an attacker gains low-privilege access (PR:L).

XSS Enovia Collaborative Industry Innovator
NVD
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-1877 MEDIUM This Month

Cross-site request forgery in Auto Post Scheduler WordPress plugin versions up to 1.84 allows unauthenticated attackers to modify plugin settings and inject malicious scripts by tricking site administrators into clicking a malicious link, due to missing nonce validation in the aps_options_page function. The vulnerability combines CSRF with stored XSS capability, affecting any WordPress site running the vulnerable plugin. CVSS 6.1 reflects the requirement for user interaction and the limited direct impact, though the ability to inject web scripts poses a meaningful risk to site integrity and user security.

WordPress CSRF XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1834 MEDIUM This Month

Stored cross-site scripting in Ibtana - WordPress Website Builder plugin up to version 1.2.5.7 allows authenticated contributors to inject arbitrary JavaScript via the 'ive' shortcode due to insufficient input sanitization and output escaping. When an injected page is accessed by any user, the malicious script executes in their browser with the privileges of their WordPress session, enabling session hijacking, credential theft, or administrative actions depending on victim privileges. No public exploit code or active exploitation has been confirmed at the time of analysis.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4146 MEDIUM This Month

Reflected Cross-Site Scripting in Loco Translate WordPress plugin versions up to 2.8.2 allows unauthenticated attackers to inject arbitrary web scripts via the 'update_href' parameter due to insufficient input sanitization and output escaping. The vulnerability requires user interaction (clicking a malicious link) to execute, affecting WordPress sites with the plugin installed. CVSS 6.1 reflects moderate severity with network-accessible attack vector and cross-site scope impact on confidentiality and integrity.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-32734 PHP HIGH PATCH GHSA This Week

DOM-based cross-site scripting in baserCMS tag creation functionality allows remote attackers to execute malicious JavaScript in victim browsers. Affects all baserCMS versions prior to 5.2.3. The vulnerability requires user interaction (CVSS UI:R) but needs no authentication (PR:N), enabling phishing or social engineering attacks. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patch available in version 5.2.3.

XSS Basercms
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-30879 PHP MEDIUM PATCH GHSA This Month

Cross-site scripting (XSS) vulnerability in baserCMS prior to version 5.2.3 allows attackers to inject malicious scripts into blog posts, potentially enabling session hijacking, credential theft, or malware distribution to site visitors. The vulnerability affects the blog post functionality and has been patched in version 5.2.3; no public exploit code or active exploitation has been confirmed at time of analysis.

XSS Basercms
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-4794 LOW PATCH Monitor

Stored cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF versions before 25.0.10 allow authenticated administrator users to inject malicious scripts via multiple UI fields, potentially compromising other administrators' sessions and enabling unauthorized actions within the administrator context. The vulnerability requires valid administrator credentials and an active login session to exploit, limiting exposure to trusted administrative users but creating significant insider risk.

XSS Papercut Ng Mf
NVD
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5157 LOW POC Monitor

Reflected cross-site scripting (XSS) in code-projects Online Food Ordering System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the cust_id parameter in /form/order.php, exploitable through user interaction (UI required). Publicly available exploit code exists; the vulnerability carries CVSS 4.3 (low severity) but poses reputational and user session hijacking risks typical of XSS attacks in e-commerce contexts.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-34558 PHP CRITICAL PATCH GHSA Act Now

Stored Cross-Site Scripting in CI4MS methods management allows authenticated users to inject malicious JavaScript into administrative interfaces and global navigation, affecting all users including administrators. The vulnerability affects CI4MS versions before 0.31.0.0 with a CVSS score of 9.1 due to scope change (C) enabling privilege escalation. Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though EPSS data not provided for risk probability assessment.

XSS Ci4ms
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-34557 PHP CRITICAL PATCH GHSA Act Now

Stored cross-site scripting in CI4MS role/group management allows authenticated attackers to inject malicious JavaScript into three distinct administrative fields, achieving persistent code execution in privileged admin contexts with scope change impact. The vulnerability affects all versions prior to 0.31.0.0 and requires low-privilege authenticated access with no user interaction (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C). Vendor-released patch version 0.31.0.0 addresses the input sanitization and output encoding failures. No public exploit identified at time of analysis, though EPSS data not available for this recent CVE.

XSS Ci4ms
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-32275 HIGH PATCH This Week

Cross-site scripting (XSS) in Tautulli 1.3.10 through 2.16.x allows remote attackers to inject malicious scripts via unsanitized JSONP callback parameters, enabling API key theft from authenticated users who click crafted links. The vulnerability requires social engineering (UI:A in CVSS) and affects the Plex monitoring tool's web interface. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though the attack complexity is rated high (AC:H) suggesting practical exploitation requires specific conditions. GitHub security advisory indicates vendor-patched release available.

Python XSS
NVD GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-34231 PyPI MEDIUM PATCH GHSA This Month

Cross-site scripting (XSS) in the slippers Django package's {% attrs %} template tag allows unauthenticated remote attackers to inject arbitrary HTML and JavaScript by passing untrusted context variables containing quote characters and event handler attributes. The vulnerability affects templates that pass user-supplied or database-derived values to {% attrs %} without prior escaping. Vendor-released patch version 0.6.3 is available.

Python XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-27508 MEDIUM PATCH This Month

Reflected cross-site scripting (XSS) in Smoothwall Express versions before 3.1 Update 13 allows unauthenticated remote attackers to execute arbitrary JavaScript in users' browsers by crafting malicious URLs with javascript: schemes and delivering them through the unsanitized /redirect.cgi endpoint. The vulnerability requires user interaction (clicking a malicious link) and results in limited scope impact affecting user confidentiality and integrity. No public exploit code or active exploitation has been identified at time of analysis.

XSS Express
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-26352 MEDIUM PATCH This Month

Stored cross-site scripting in Smoothwall Express prior to version 3.1 Update 13 allows authenticated attackers to inject arbitrary JavaScript through the VPN_IP parameter in /cgi-bin/vpnmain.cgi, which executes when other users view affected VPN configuration pages. The vulnerability requires user interaction (page view) and authenticated access, limiting immediate risk but enabling persistent session hijacking or credential theft against administrative users. No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS Express
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-27599 PHP MEDIUM PATCH GHSA This Month

Stored DOM-based cross-site scripting (XSS) in CI4 CMS-ERP Mail Settings allows authenticated administrators to inject arbitrary JavaScript via unsanitized configuration fields (Mail Server, Port, Email Address, Password, Protocol, TLS settings), with payloads executing immediately on the same settings page upon save. Attack requires high-privilege access (PR:H) but enables full account takeover and platform compromise. Publicly available proof-of-concept video demonstrates attribute breakout technique.

XSS PHP Privilege Escalation CSRF
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-30556 MEDIUM POC This Month

Reflected cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through the 'msg' parameter in index.php. Publicly available proof-of-concept code exists, enabling attackers to craft malicious URLs that execute scripts in victim browsers when clicked. No CVSS vector or patch information is available; the vulnerability appears limited in scope to a single PHP parameter.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting (XSS) vulnerabilities in Interzen Consulting ZenShare Suite v17.0 login.php endpoint allow remote unauthenticated attackers to execute arbitrary JavaScript in a user's browser by injecting malicious payloads into the codice_azienda and red_url parameters. Attack requires user interaction (clicking a crafted link) and affects the authentication process; no public exploit code or active exploitation has been confirmed at time of analysis.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Session fixation in listmonk v6.0.0 allows authenticated sessions to persist after password reset or password change, enabling attackers with stolen session cookies to maintain account access despite credential recovery by the victim. Authenticated remote attackers (PR:L) can exploit this to retain high confidentiality impact access. No public exploit code identified at time of analysis, though the vulnerability is trivially reproducible per the detailed proof-of-concept. EPSS data not available; vulnerability confirmed in production release v6.0.0 via GitHub Security Advisory.

Authentication Bypass XSS
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored XSS via HTML entity-encoded javascript: URLs in SVG files in phpMyFAQ enables privilege escalation from editor to admin. The regex-based sanitizer in SvgSanitizer.php fails to detect entity-encoded payloads like &#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58; (javascript:), allowing any user with edit_faq permission to upload malicious SVGs that execute arbitrary JavaScript in admin browsers. Publicly available proof-of-concept demonstrates both basic XSS and complete admin account creation, with confirmed working exploitation in Chrome 146 and Edge.

PHP XSS Privilege Escalation +2
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

HTML injection in IBM Aspera Shares 1.9.9 through 1.11.0 allows authenticated remote attackers with high privileges to inject malicious HTML that executes in victim browsers within the hosting site's security context, requiring user interaction to view the injected content. CVSS 4.8 indicates low overall severity; patch is available from IBM.

IBM XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

HTTP header injection in IBM Aspera Shares 1.9.9 through 1.11.0 allows authenticated attackers to conduct cross-site scripting, cache poisoning, and session hijacking attacks via improper validation of HOST headers. The vulnerability requires authenticated access and carries a CVSS score of 5.4 with moderate confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed.

IBM XSS
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stored cross-site scripting in IBM Aspera Shares 1.9.9 through 1.11.0 allows authenticated high-privilege users to inject arbitrary JavaScript into the Web UI, potentially enabling credential theft or session hijacking within trusted browser sessions. CVSS 5.5 reflects the requirement for elevated privileges but global scope impact; no public exploit or active exploitation confirmed.

IBM XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in phpMyFAQ allows authenticated administrators to inject unquoted or single-quoted event handler attributes that bypass the content sanitization pipeline, resulting in arbitrary JavaScript execution for all FAQ page visitors. The vulnerability exists in the removeAttributes() regex filter (line 174 of Filter.php) which only matches double-quoted HTML attributes, allowing payloads like <img src=x onerror=alert(1)> to persist and execute in the browser when the F

PHP XSS CSRF
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Stored XSS in DbGate npm package escalates to remote code execution in Electron desktop app via unsanitized SVG icon rendering. Attackers who inject malicious SVG payloads into application definition files can execute arbitrary JavaScript when victims view matching database entries. In the Electron desktop client, insecure configuration (nodeIntegration: true, contextIsolation: false) allows XSS payloads to invoke Node.js APIs, enabling local code execution including file system access. Web depl

XSS RCE PostgreSQL
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

HTTP response splitting in ewe's encode_headers function allows remote attackers to inject arbitrary HTTP response headers and content by embedding CRLF sequences in user-controlled response header values, enabling cache poisoning and cross-site scripting attacks. The vulnerability affects ewe versions that do not validate outgoing response header keys and values, despite implementing equivalent validation for incoming request headers. A proof-of-concept demonstrates injection of custom headers through a redirect URL parameter passed directly to the Location header without sanitization.

XSS
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Stored cross-site scripting in CI4MS backend user management allows authenticated attackers with low-level privileges to inject malicious JavaScript that executes automatically when administrators access affected pages, enabling session hijacking and full administrative account takeover. The vulnerability affects all versions prior to 0.31.0.0 with a critical CVSS score of 9.9 due to scope change and high impact across confidentiality, integrity, and availability. EPSS data not available; no public exploit code or active exploitation confirmed at time of analysis, though the technical barrier is low (AC:L, PR:L).

XSS Privilege Escalation Ci4ms
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Stored cross-site scripting in CI4MS blog category management allows authenticated users to inject malicious JavaScript that executes across multiple application contexts including public blog pages and administrative interfaces. Affecting all versions prior to 0.31.0.0, attackers with low-privilege authenticated access can achieve scope change with high impact to confidentiality, integrity, and availability (CVSS 9.9). Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though EPSS data unavailable and exploitation is straightforward given low attack complexity.

XSS Ci4ms
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Stored cross-site scripting in CI4MS blog module allows authenticated attackers to inject malicious JavaScript that executes in victims' browsers across multiple application views. The vulnerability affects all versions prior to 0.31.0.0 and stems from insufficient input sanitization when creating or editing blog posts combined with unsafe output rendering. Attack requires low-privilege authentication (PR:L) but has scope change (S:C), enabling session hijacking and credential theft across user contexts. Vendor-released patch available in version 0.31.0.0. EPSS and KEV data not provided; no public exploit identified at time of analysis.

XSS Ci4ms
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Stored cross-site scripting in CI4MS (CodeIgniter 4 CMS) allows authenticated users with blog post management privileges to inject malicious JavaScript through unsanitized category fields, affecting all users who view blog posts containing the poisoned categories. The vulnerability is confirmed patched in version 0.31.0.0. With CVSS 9.1 (Critical) due to scope change and high confidentiality impact, and low attack complexity requiring only low-privilege authentication, this represents significant risk in multi-user CMS environments despite no confirmed active exploitation (no CISA KEV listing) or public exploit code identified at time of analysis.

XSS Ci4ms
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Stored cross-site scripting (XSS) in CI4MS page management functionality allows authenticated attackers to inject malicious JavaScript that executes in both administrative contexts and public-facing pages. Affecting CI4MS versions prior to 0.31.0.0, this vulnerability requires low-privilege authentication (PR:L) but enables scope change (S:C) with network-based remote exploitation (AV:N) and low attack complexity (AC:L). Vendor-released patch version 0.31.0.0 addresses the input sanitization failures. No public exploit identified at time of analysis; CVSS 9.1 reflects the scope change and cross-context impact enabling privilege escalation and potential administrator session compromise.

XSS Ci4ms
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Stored cross-site scripting (XSS) in CI4MS menu management allows authenticated users with low privileges to inject malicious scripts that execute in administrator and public user contexts. Affecting CI4MS versions prior to 0.31.0.0, attackers can exploit insufficient input sanitization when adding Posts to navigation menus, achieving cross-scope code execution (CVSS scope changed) with potential for session hijacking and administrative account compromise. Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though EPSS data not available for risk quantification.

XSS Ci4ms
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Stored cross-site scripting in CI4MS menu management allows authenticated attackers to inject malicious scripts that execute in administrative and public contexts with changed scope impact. Affecting all CI4MS versions prior to 0.31.0.0, attackers with low-level privileges can exploit inadequate input sanitization in the Pages-to-navigation-menu workflow to persistently embed DOM-based XSS payloads. CVSS 9.1 (Critical) with scope change (S:C) indicates privilege escalation potential across trust boundaries. Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though exploitation probability exists given low attack complexity (AC:L) and no user interaction requirement (UI:N).

XSS Ci4ms
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Stored blind cross-site scripting in CI4MS backup management allows authenticated attackers to inject malicious JavaScript payloads via SQL-backed backup filenames, achieving scope change with high confidentiality impact and low integrity/availability impact. The vulnerability exploits insufficient input sanitization during backup upload processing and unsafe output rendering in administrative views. Vendor-released patch available in version 0.31.0.0. CVSS 9.1 (Critical) with network attack vector, low complexity, and low privilege requirement. No public exploit identified at time of analysis, though EPSS data unavailable for this recently disclosed GitHub-sourced CVE.

XSS Ci4ms
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in CI4MS prior to version 0.31.0.0 allows authenticated high-privilege administrators to inject malicious scripts via unencoded System Settings - Company Information fields, which are later rendered to other users without proper output encoding. The vulnerability requires administrative privileges to exploit but poses a real risk in multi-user deployments where admin accounts may be compromised or where trust boundaries exist between administrative roles.

XSS Ci4ms
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in CI4MS prior to version 0.31.0.0 allows authenticated high-privilege administrators to inject malicious scripts through unvalidated System Settings - Social Media Management configuration fields. The vulnerability stores attacker-controlled input server-side and renders it without proper output encoding, enabling script execution in the context of the application. This is a stored XSS vulnerability with limited real-world impact due to high-privilege prerequisite (PR:H), though it undermines the integrity and confidentiality of the CMS for downstream users viewing the affected settings.

XSS Ci4ms
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Blind stored XSS in CI4MS CMS log viewer allows authenticated attackers to execute JavaScript in administrator sessions when reviewing application logs. Affects CI4MS versions prior to 0.31.0.0. The vulnerability enables low-privilege authenticated users to inject malicious payloads that persist in logs and execute when administrators access the logs interface (CVSS 9.1, Critical). EPSS data not available; no public exploit identified at time of analysis, though the attack technique is well-documented in XSS literature.

XSS Ci4ms
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Stored cross-site scripting in CI4MS blog tag management (versions prior to 0.31.0.0) allows authenticated attackers to inject malicious JavaScript through unsanitized tag name fields, achieving code execution in victim browsers with scope change (CVSS 9.1, S:C). The payload persists server-side and executes on public tag pages and administrative interfaces, enabling session hijacking, credential theft, and administrative account compromise. No public exploit identified at time of analysis, though the attack path is straightforward for authenticated users with tag creation privileges.

XSS Ci4ms
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

IBM Verify Identity Access Container and IBM Security Verify Access versions 10.0-10.0.9.1 and 11.0-11.0.2 return JSON payloads with incorrect Content-Type headers (text/html instead of application/json) when listing certificates via browser sessions, enabling stored or reflected cross-site scripting attacks when browsers interpret the JSON data as executable script. Authenticated users with UI interaction can trigger JavaScript injection affecting confidentiality and integrity of user sessions.

IBM XSS
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored Cross-Site Scripting (XSS) in Payload CMS versions prior to 3.78.0 allows authenticated users with write permissions to inject malicious scripts into content that execute in other users' browsers when viewed in the admin panel. The vulnerability requires low privilege access (PR:L) and user interaction (UI:R), enabling attackers to compromise admin accounts with high confidentiality and integrity impact due to scope change (S:C). CVSS score of 8.7 reflects the elevated risk from privileged position abuse. No public exploit identified at time of analysis, though the technical details are publicly documented in GitHub Security Advisory GHSA-mmxc-95ch-2j7c.

XSS Payload
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Time-based blind SQL injection in OpenSTAManager ≤2.10.1 allows authenticated users to extract complete database contents including credentials, financial records, and PII through multiple AJAX select handlers. The vulnerability affects three core modules (preventivi, ordini, contratti) where the `options[stato]` GET parameter is concatenated directly into SQL WHERE clauses without validation. Exploitation requires only low-privilege authentication (CVSS PR:L) and has been confirmed with working

PHP SQLi Denial Of Service +2
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in Cisco IMC web management interface allows authenticated administrators to inject arbitrary script code executed in users' browsers via insufficient input validation. Affects Cisco Enterprise NFV Infrastructure Software, Cisco Unified Computing System (Standalone), and Cisco UCS E-Series Software. Requires administrative privileges and user interaction (clicking a crafted link), resulting in session hijacking, credential theft, or unauthorized access to sensitive browser-based information. No public exploit code identified at time of analysis.

XSS Cisco
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored cross-site scripting (XSS) in Cisco IMC web management interface allows authenticated administrators to inject persistent malicious scripts that execute in other users' browsers via crafted links. Affects Cisco Enterprise NFV Infrastructure Software, Unified Computing System (standalone), and UCS E-Series. No public exploit code or active exploitation confirmed; patch availability not independently verified from provided data.

Cisco XSS
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in Cisco IMC web management interface allows authenticated administrators to inject arbitrary script code via insufficient input validation. Attackers with admin privileges can craft malicious links that execute JavaScript in the browsers of other users accessing the interface, potentially compromising session security, stealing credentials, or accessing sensitive information. No public exploit code or active exploitation has been confirmed; the vulnerability requires administrator privileges and user interaction to trigger.

Cisco XSS
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored cross-site scripting (XSS) in Cisco IMC web management interface allows authenticated administrators to inject malicious script code that executes in the browsers of other users accessing the interface. An attacker with administrative credentials can exploit insufficient input validation by crafting a malicious link and tricking a user into clicking it, enabling arbitrary script execution or theft of sensitive browser-based information. No public exploit code or active exploitation has been identified at time of analysis.

Cisco XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in Cisco IMC web management interface allows unauthenticated remote attackers to execute arbitrary JavaScript in user browsers via crafted links. Affects Cisco Enterprise NFV Infrastructure Software, Cisco Unified Computing System (standalone), and UCS E-Series Software. Exploitation requires user interaction (clicking a malicious link) but could lead to session hijacking, credential theft, or malware delivery to privileged administrators managing critical infrastructure.

Cisco XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Notesnook mobile versions prior to 3.3.17 allows remote attackers to execute arbitrary JavaScript in the share editor WebView by injecting malicious HTML through unescaped clip metadata (title, subject, or link-preview data). When a victim opens the Notesnook share flow and selects Web clip, the attacker's payload executes with access to local context and user data. No public exploit code or active exploitation has been confirmed, though the vulnerability requires user interaction to trigger.

XSS Apple Google
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

King Addons for Elementor plugin versions up to 51.1.38 contain multiple DOM-Based Stored Cross-Site Scripting vulnerabilities affecting authenticated Contributor+ users. The plugin improperly escapes user input in JavaScript inline event handlers and uses unsafe DOM manipulation methods in widget settings, allowing attackers with Contributor-level access to inject arbitrary JavaScript that executes when pages are accessed or previewed in the Elementor editor. A partial patch was released in version 5.1.51, though the version numbering discrepancy suggests incomplete remediation across all vulnerable code paths.

XSS WordPress Elementor
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Reflected cross-site scripting in VertiGIS FM dashboard search functionality allows authenticated attackers to execute arbitrary JavaScript in victim browsers through malicious URLs. The vulnerability affects VertiGIS FM across versions and requires user interaction (victim clicking a crafted link), but provides no authentication bypass-victims must already be logged into the application. CVSS score is not available; exploitation requires victim interaction and authentication context.

XSS Vertigis Fm
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

DOM-based cross-site scripting (XSS) in Ultimate Addons for WPBakery Page Builder versions before 3.21.4 allows authenticated attackers with low privileges to inject malicious scripts that execute in other users' browsers with user interaction. The vulnerability affects WordPress sites using this plugin and could enable session hijacking, credential theft, or malware distribution through page builder interfaces.

XSS
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Cross-site scripting (XSS) in Joomla CMS multilingual associations component allows unauthenticated remote attackers to inject malicious scripts via unescaped output in the comparison view. The vulnerability affects all versions of Joomla CMS and stems from improper output encoding in the com_associations component. No CVSS score is available; however, the CWE-79 classification confirms reflected or stored XSS capability.

XSS Joomla Cms
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

Joomla CMS fails to properly escape article titles in output, enabling stored cross-site scripting (XSS) attacks across multiple locations. Attackers with article creation or editing privileges can inject malicious scripts into article titles that execute in the browsers of site visitors, potentially compromising user sessions, stealing credentials, or defacing content. The vulnerability affects all Joomla CMS versions and requires administrative action to remediate.

XSS Joomla Cms
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the userid parameter in /delstaffinfo.php, with public exploit code available. The vulnerability requires user interaction (clicking a crafted link) and has low confidentiality impact but can enable session hijacking, credential theft, or malware distribution.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Stored cross-site scripting (XSS) in welovemedia FFmate up to version 2.0.15 allows authenticated remote attackers to inject malicious scripts via the Webhook Handler component's AppJsonTreeView.vue file. The vulnerability requires user interaction to trigger payload execution and has been publicly disclosed with exploit code available on GitHub. The vendor has not responded to early disclosure notifications, leaving users without an official patch.

XSS Ffmate
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Stored cross-site scripting (XSS) in bufanyun HotGo 1.0/2.0 allows authenticated remote attackers to inject malicious scripts via the editNotice endpoint in the MessageList.vue component, affecting the application's message handling functionality. The vulnerability requires user interaction (UI:R) to execute but has publicly available exploit code and a low CVSS score (3.5) due to limited attack complexity and minimal impact scope. The vendor has not responded to early disclosure attempts.

XSS Hotgo
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Stored cross-site scripting (XSS) in z-9527 admin 1.0 and 2.0 allows authenticated remote attackers to inject malicious scripts via the Message Create Endpoint (/server/routes/message.js), affecting message content with user interaction required. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts, leaving affected installations without an official patch.

XSS Admin
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Stored cross-site scripting (XSS) in GouguCMS 4.08.18 allows authenticated remote attackers to inject malicious scripts via the value.content parameter in the Record Endpoint (\gougucms-master\app\admin\view\user\record.html), which are executed in the context of other users' browsers. The vulnerability has a publicly available exploit and affects user record management functionality with low CVSS score (3.5) due to requirement for user interaction and authenticated access, though the vendor has not responded to disclosure.

XSS Gougucms
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in XenForo before 2.3.10 and 2.2.19 allows authenticated attackers to inject malicious scripts through crafted structured text mentions in profile posts, which are executed when other users view the affected content. The vulnerability has a CVSS score of 5.1 with low attack complexity and requires user interaction (viewing the malicious post), making it a moderate-risk concern for XenForo communities. Publicly available exploit code has been identified, and vendor patches have been released.

XSS Xenforo
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) in XenForo lightbox functionality allows unauthenticated remote attackers to inject malicious scripts that execute in the context of other users' browsers when interacting with post content displayed via lightbox. Versions before 2.3.9 and 2.2.18 are affected. The vulnerability requires user interaction (clicking or hovering on lightbox elements) and has limited scope, affecting only session integrity and information disclosure rather than system availability or confidentiality of sensitive data.

XSS Xenforo
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting in XenForo before version 2.3.9 allows authenticated users to inject malicious scripts through BB code that persist in the application and execute when other users view the affected content. The vulnerability requires user interaction (viewing the malicious post) and authenticated access to create content, limiting its scope but enabling account compromise and session hijacking of affected users.

XSS Xenforo
NVD
EPSS 0% CVSS 2.1
LOW Monitor

Stored cross-site scripting (XSS) in code-projects BloodBank Managing System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the statename parameter in /admin_state.php, affecting user sessions and administrative functions with user interaction required. The vulnerability carries a CVSS score of 5.3 (medium severity) with low integrity impact, and publicly available exploit code exists according to disclosed documentation.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Stored cross-site scripting (XSS) in YesWiki allows unauthenticated attackers to inject malicious JavaScript through form title fields, achieving persistent code execution in browsers of all users viewing affected pages. The vulnerability requires no authentication and affects the BazaR form component, with publicly available exploit code demonstrating injection via the 'Name of the event' and 'Description' fields. Successful exploitation enables session hijacking, credential theft, and arbitrary actions in victim contexts including administrative users.

XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Reflected cross-site scripting in SourceCodester Zoo Management System v1.0 login page allows remote attackers to inject arbitrary JavaScript or HTML via the msg parameter without authentication. The vulnerable parameter reflects user input directly to the browser without HTML encoding, enabling credential theft, session hijacking, or malware distribution through crafted URLs. Publicly available proof-of-concept code exists, increasing real-world exploitation risk.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting (XSS) vulnerabilities in DDSN Interactive Acora CMS v10.7.1 allow unauthenticated attackers to inject malicious scripts via the submit_add_user.asp endpoint's First Name and Last Name parameters, enabling arbitrary JavaScript execution in the context of victim browsers. Public proof-of-concept code is available on GitHub; no patch information or CVSS/EPSS quantification is currently available.

XSS N A
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Stored cross-site scripting in File Browser via admin-controlled branding fields allows injection of persistent JavaScript that executes for all visitors, including unauthenticated users. The vulnerability stems from use of Go's text/template (which performs no HTML escaping) instead of html/template when rendering the SPA index.html with branding data. An authenticated admin can inject malicious payloads into branding.name or branding.color fields that break out of their intended HTML context and execute arbitrary JavaScript in every user's browser without restriction, as no Content-Security-Policy header is set. Affected versions through v2.62.1 are vulnerable; vendor-released patches are available.

XSS Python Docker
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Stored XSS in File Browser's EPUB preview function (versions ≤v2.62.1) allows authenticated attackers to steal JWT tokens and escalate privileges by uploading malicious EPUB files. The vulnerability arises from passing allowScriptedContent:true to the epub.js library combined with an ineffective iframe sandbox (allow-scripts + allow-same-origin), enabling JavaScript in crafted EPUBs to access parent frame localStorage. CVSS 7.6 (AV:N/AC:L/PR:L/UI:R/S:C). No public exploit identified at time of analysis beyond the detailed PoC in the advisory. EPSS data not available. Vendor-released patch available per GitHub advisory. Low-privilege users with file upload permissions can weaponize this to compromise administrator sessions.

XSS Privilege Escalation Python +2
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in WP Shortcodes Plugin - Shortcodes Ultimate through version 7.4.10 allows authenticated contributors and above to inject arbitrary JavaScript via the 'max_width' attribute of the su_box shortcode due to insufficient input sanitization and output escaping. The injected scripts persist in page content and execute for all users viewing the affected page, enabling attackers with contributor-level WordPress access to compromise site visitors without additional user interaction.

WordPress XSS
NVD GitHub
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

Cross-site scripting (XSS) in SiYuan personal knowledge management system versions 3.6.0-3.6.1 allows remote attackers to execute arbitrary JavaScript via the unauthenticated /api/icon/getDynamicIcon endpoint by bypassing SVG sanitization using XML namespace-prefixed element names. The vulnerability exploits a parser inconsistency where Go's HTML5 parser treats 'x:script' as a distinct tag while browsers' XML parsers resolve the namespace prefix to execute the script. Publicly available exploit code exists (GitHub issue #17246 documents the bypass technique), though no CISA KEV listing indicates mass exploitation campaigns at time of analysis.

XSS Siyuan
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Stored cross-site scripting (XSS) in SiYuan personal knowledge management system versions prior to 3.6.2 escalates to remote code execution in the Electron desktop client. Attackers craft malicious .sy.zip import files containing HTML entities mixed with raw special characters that bypass server-side attribute escaping, injecting event handlers into imported notes. When victims open the compromised note in the Electron client, injected JavaScript executes with full Node/Electron API access, enabling arbitrary code execution. CVSS 8.6 (High) with local attack vector requiring user interaction; no public exploit identified at time of analysis.

XSS RCE Siyuan
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Stored cross-site scripting (XSS) in SiYuan personal knowledge management system escalates to arbitrary operating system command execution on desktop clients. Authenticated attackers with low privileges can inject malicious URLs into Attribute View asset fields that execute JavaScript when victims view Gallery or Kanban layouts with "Cover From -> Asset Field" enabled. The Electron desktop client's configuration (nodeIntegration enabled, contextIsolation disabled) allows the XSS payload to break sandbox boundaries and execute arbitrary commands under the victim's OS account. CVSS 9.0 (Critical) with network attack vector, low complexity, and cross-scope impact. Vendor-released patch: version 3.6.2. No public exploit identified at time of analysis, though technical details are disclosed in GitHub advisory GHSA-rx4h-526q-4458.

XSS Command Injection Siyuan
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Nuxt OG Image versions prior to 6.2.5 allow cross-site scripting (XSS) attacks via arbitrary HTML attribute injection in the image-generation endpoint at /_og/d/, affecting any unauthenticated remote user who can craft a malicious URI. An attacker can inject attributes into the HTML page body to execute JavaScript in the context of users' browsers, compromising confidentiality and integrity without service disruption. No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS Og Image
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) via unencoded HTML reflection in WWBN AVideo's User_Location plugin testIP.php endpoint allows authenticated attackers to execute arbitrary JavaScript in admin sessions. Affecting AVideo 26.0 and earlier, the vulnerability exploits SameSite=None cookie configuration to enable cross-origin exploitation, permitting unauthenticated attackers to lure admins to malicious links that hijack their authenticated context. No public exploit code or vendor patch has been released at time of analysis.

PHP XSS
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting (XSS) in WWBN AVideo versions 26.0 and prior allows authenticated attackers to execute arbitrary JavaScript in the browsers of online users without any victim interaction. An attacker with a user account can set their display name to an XSS payload; when they initiate a call via the YPTSocket plugin, the caller notification rendered by the jQuery Toast Plugin executes the malicious script in every connected user's browser, enabling session hijacking, credential theft, or further compromise. CVSS 6.4 reflects moderate complexity due to authentication requirement and limited direct impact scope.

XSS RCE Avideo
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Stored cross-site scripting (XSS) in WWBN AVideo 26.0 and prior allows unauthenticated attackers to inject malicious JavaScript into plugin configuration values via CSRF, or authenticated admins to directly inject code that executes in administrator browsers when accessing plugin configuration pages. The vulnerability exploits missing output encoding in the jsonToFormElements() function, enabling arbitrary JavaScript execution within the admin panel with impact to confidentiality and integrity.

XSS PHP CSRF
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored Cross-Site Scripting (XSS) in SonicWall Email Security allows authenticated admin users to inject and execute arbitrary JavaScript code through improper input sanitization during web page generation. The vulnerability affects all versions of SonicWall Email Security appliance and requires admin-level authentication to exploit, limiting immediate exposure but posing significant risk to organizations where admin accounts are compromised or insider threats exist.

Sonicwall XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected cross-site scripting (XSS) in Captcha Protect versions prior to 1.12.2 allows unauthenticated remote attackers to inject arbitrary script into the anti-bot challenge page by supplying a crafted destination parameter. The vulnerability exploits unsafe use of Go's text/template library, which does not perform contextual HTML escaping, enabling attackers to break out of HTML attributes and execute malicious code in the context of users viewing the challenge page. This affects all Traefik middleware deployments using vulnerable versions of libops/captcha-protect.

XSS Captcha Protect
NVD GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

Stored cross-site scripting (XSS) in SourceCodester Leave Application System 1.0 User Management Handler allows authenticated remote attackers with high privileges to inject malicious scripts via the component, requiring user interaction to execute. The vulnerability carries a CVSS 4.8 score with publicly available exploit code; however, real-world risk is constrained by high privilege requirement (PR:H) and necessary user interaction (UI:P), limiting opportunistic exploitation.

XSS Leave Application System
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored cross-site scripting (XSS) in Pega Platform versions 8.1.0 through 25.1.0 allows authenticated administrative users with extensive access rights to inject malicious scripts into user interface components, potentially compromising the confidentiality of other users who interact with affected UI elements. The vulnerability requires high-privilege administrative access and user interaction to exploit, resulting in a CVSS 4.8 (low severity) with no integrity or availability impact. No public exploit code or active exploitation has been identified at time of analysis.

XSS Pega Infinity
NVD
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Stored cross-site scripting (XSS) in Discourse assignment UI allows authenticated users with assign permission to inject arbitrary HTML/JavaScript into user and group display names when the hidden prioritize_full_name_in_ux site setting is enabled, affecting versions 2026.1.0–2026.1.2, 2026.2.0–2026.2.1, and 2026.3.0. The injected payload executes in the browser of any user viewing an affected topic, enabling session hijacking, credential theft, or malware distribution. No active exploitation confirmed; however, the requirement for console access to enable the vulnerable setting and assign permission to exploit limits real-world impact, though the low CVSS score (2.1) reflects these constraints rather than severity of XSS itself.

XSS Discourse
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Discourse category description API endpoints allows authenticated users with category management privileges to inject malicious scripts that execute in the browsers of other users viewing the category. The vulnerability affects Discourse versions 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and 2026.3.0-pre-release due to missing input sanitization on category description updates. Vendor-released patches address this in versions 2026.1.3, 2026.2.2, and 2026.3.0; no public exploit code has been identified at time of analysis.

XSS Discourse
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Discourse allows authenticated users with conversation creation privileges to inject arbitrary HTML and JavaScript via crafted AI conversation titles, executing malicious payloads in the browsers of users viewing onebox previews and potentially enabling session hijacking or unauthorized actions. Affects Discourse versions 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and 2026.3.0-beta; patched versions 2026.1.3, 2026.2.2, and 2026.3.0 are available. No public exploit code or active exploitation has been confirmed at time of analysis.

XSS Discourse
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Stored cross-site scripting (XSS) in Checkmk 2.5.0 beta allows authenticated users with pending change permissions to inject malicious JavaScript into the Pending Changes sidebar, executing in the browsers of other users who view that sidebar. This vulnerability affects the beta release 2.5.0 before version 2.5.0b2 and requires existing user authentication with specific permissions to exploit.

XSS Checkmk
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Stored cross-site scripting (XSS) in Checkmk 2.5.0 beta versions before 2.5.0b2 allows authenticated users with host or service creation permissions to inject malicious JavaScript that executes in the browsers of other users when they perform searches via the Unified Search feature, potentially enabling session hijacking, credential theft, or administrative account compromise.

XSS Checkmk
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

HTML injection in DNSdist internal web dashboard allows remote unauthenticated attackers to inject malicious content via crafted DNS queries when domain-based dynamic rules are enabled, requiring user interaction to exploit. This affects all DNSdist versions with vulnerable rule functionality and carries low integrity impact with no confidentiality or availability consequences.

XSS Dnsdist
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting (XSS) in Extend Themes Kubio AI Page Builder through version 2.7.0 allows authenticated users to inject malicious scripts that execute in the browsers of other users viewing affected pages. An attacker with user account access can inject unescaped input during page generation, leading to session hijacking, credential theft, or malware distribution. No public exploit code has been identified at the time of analysis.

XSS Kubio Ai Page Builder
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Stored cross-site scripting in Teampass password manager versions before 3.1.5.16 enables unauthenticated remote attackers to inject malicious JavaScript through the password import functionality, achieving persistent code execution in victims' browsers including administrators. CVSS 9.3 (Critical) with EPSS data unavailable, no KEV listing, and patch available per vendor advisory. Attack requires no authentication (PR:N) and low complexity (AC:L), creating significant risk for organizational password compromise and lateral movement.

XSS PHP
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected Cross-Site Scripting (XSS) in Anon Proxy Server v0.104 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a malicious URL targeting the 'host' parameter of the /diagdns.php endpoint. An attacker can exploit this to steal session cookies, perform unauthorized actions, or redirect users to malicious content. No public exploit code or active exploitation has been confirmed at time of analysis.

XSS PHP
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected XSS in Anon Proxy Server v0.104 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a malicious URL targeting the 'host' parameter in /diagconnect.php, potentially enabling session hijacking or unauthorized user actions. The vulnerability requires user interaction (clicking a malicious link) and has a CVSS score of 5.1 (medium severity). No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS PHP
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Blind Cross-Site Scripting in Teampass password manager versions prior to 3.1.5.16 allows unauthenticated remote attackers to execute arbitrary JavaScript in administrator browsers via malicious username input during failed login attempts. The vulnerability achieves high confidentiality and integrity impact (CVSS 9.3) because malicious code is stored and automatically executed when administrators review failed authentication logs, enabling potential session hijacking, credential theft, or administrative account compromise. No active exploitation confirmed via CISA KEV, though the attack requires no authentication and minimal complexity.

XSS PHP
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected Cross-Site Scripting (XSS) in Anon Proxy Server v0.104 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious URLs targeting the 'port' and 'proxyPort' parameters in the /anon.php endpoint. Successful exploitation enables theft of session cookies and unauthorized actions on behalf of the victim. No public exploit code or active exploitation has been confirmed at time of analysis.

XSS PHP
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Stored cross-site scripting in Dassault Systèmes DELMIA Factory Resource Manager (R2023x through R2025x) allows authenticated attackers to inject malicious scripts that execute in victims' browser sessions with changed scope impact. CVSS 8.7 severity reflects the scope change (S:C) enabling attacks beyond the vulnerable component's privileges. No public exploit code identified and not listed in CISA KEV at time of analysis, though the low attack complexity (AC:L) indicates straightforward exploitation once authenticated access is obtained.

XSS Delmia Factory Resource Manager
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Stored Cross-Site Scripting (XSS) in Dassault Systèmes ENOVIA Collaborative Industry Innovator's Document Management module enables authenticated attackers to inject malicious scripts that execute in other users' browser sessions across 3DEXPERIENCE releases R2023x through R2025x. With CVSS 8.7 (High severity) and scope change (S:C), successful exploitation allows session hijacking, credential theft, and persistent compromise of users accessing manipulated documents. EPSS data not available; no public exploit identified at time of analysis, though the low attack complexity (AC:L) makes exploitation straightforward once an attacker gains low-privilege access (PR:L).

XSS Enovia Collaborative Industry Innovator
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-site request forgery in Auto Post Scheduler WordPress plugin versions up to 1.84 allows unauthenticated attackers to modify plugin settings and inject malicious scripts by tricking site administrators into clicking a malicious link, due to missing nonce validation in the aps_options_page function. The vulnerability combines CSRF with stored XSS capability, affecting any WordPress site running the vulnerable plugin. CVSS 6.1 reflects the requirement for user interaction and the limited direct impact, though the ability to inject web scripts poses a meaningful risk to site integrity and user security.

WordPress CSRF XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Ibtana - WordPress Website Builder plugin up to version 1.2.5.7 allows authenticated contributors to inject arbitrary JavaScript via the 'ive' shortcode due to insufficient input sanitization and output escaping. When an injected page is accessed by any user, the malicious script executes in their browser with the privileges of their WordPress session, enabling session hijacking, credential theft, or administrative actions depending on victim privileges. No public exploit code or active exploitation has been confirmed at the time of analysis.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in Loco Translate WordPress plugin versions up to 2.8.2 allows unauthenticated attackers to inject arbitrary web scripts via the 'update_href' parameter due to insufficient input sanitization and output escaping. The vulnerability requires user interaction (clicking a malicious link) to execute, affecting WordPress sites with the plugin installed. CVSS 6.1 reflects moderate severity with network-accessible attack vector and cross-site scope impact on confidentiality and integrity.

WordPress XSS
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

DOM-based cross-site scripting in baserCMS tag creation functionality allows remote attackers to execute malicious JavaScript in victim browsers. Affects all baserCMS versions prior to 5.2.3. The vulnerability requires user interaction (CVSS UI:R) but needs no authentication (PR:N), enabling phishing or social engineering attacks. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patch available in version 5.2.3.

XSS Basercms
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in baserCMS prior to version 5.2.3 allows attackers to inject malicious scripts into blog posts, potentially enabling session hijacking, credential theft, or malware distribution to site visitors. The vulnerability affects the blog post functionality and has been patched in version 5.2.3; no public exploit code or active exploitation has been confirmed at time of analysis.

XSS Basercms
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Stored cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF versions before 25.0.10 allow authenticated administrator users to inject malicious scripts via multiple UI fields, potentially compromising other administrators' sessions and enabling unauthorized actions within the administrator context. The vulnerability requires valid administrator credentials and an active login session to exploit, limiting exposure to trusted administrative users but creating significant insider risk.

XSS Papercut Ng Mf
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting (XSS) in code-projects Online Food Ordering System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the cust_id parameter in /form/order.php, exploitable through user interaction (UI required). Publicly available exploit code exists; the vulnerability carries CVSS 4.3 (low severity) but poses reputational and user session hijacking risks typical of XSS attacks in e-commerce contexts.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Stored Cross-Site Scripting in CI4MS methods management allows authenticated users to inject malicious JavaScript into administrative interfaces and global navigation, affecting all users including administrators. The vulnerability affects CI4MS versions before 0.31.0.0 with a CVSS score of 9.1 due to scope change (C) enabling privilege escalation. Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though EPSS data not provided for risk probability assessment.

XSS Ci4ms
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Stored cross-site scripting in CI4MS role/group management allows authenticated attackers to inject malicious JavaScript into three distinct administrative fields, achieving persistent code execution in privileged admin contexts with scope change impact. The vulnerability affects all versions prior to 0.31.0.0 and requires low-privilege authenticated access with no user interaction (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C). Vendor-released patch version 0.31.0.0 addresses the input sanitization and output encoding failures. No public exploit identified at time of analysis, though EPSS data not available for this recent CVE.

XSS Ci4ms
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Cross-site scripting (XSS) in Tautulli 1.3.10 through 2.16.x allows remote attackers to inject malicious scripts via unsanitized JSONP callback parameters, enabling API key theft from authenticated users who click crafted links. The vulnerability requires social engineering (UI:A in CVSS) and affects the Plex monitoring tool's web interface. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though the attack complexity is rated high (AC:H) suggesting practical exploitation requires specific conditions. GitHub security advisory indicates vendor-patched release available.

Python XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) in the slippers Django package's {% attrs %} template tag allows unauthenticated remote attackers to inject arbitrary HTML and JavaScript by passing untrusted context variables containing quote characters and event handler attributes. The vulnerability affects templates that pass user-supplied or database-derived values to {% attrs %} without prior escaping. Vendor-released patch version 0.6.3 is available.

Python XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting (XSS) in Smoothwall Express versions before 3.1 Update 13 allows unauthenticated remote attackers to execute arbitrary JavaScript in users' browsers by crafting malicious URLs with javascript: schemes and delivering them through the unsanitized /redirect.cgi endpoint. The vulnerability requires user interaction (clicking a malicious link) and results in limited scope impact affecting user confidentiality and integrity. No public exploit code or active exploitation has been identified at time of analysis.

XSS Express
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting in Smoothwall Express prior to version 3.1 Update 13 allows authenticated attackers to inject arbitrary JavaScript through the VPN_IP parameter in /cgi-bin/vpnmain.cgi, which executes when other users view affected VPN configuration pages. The vulnerability requires user interaction (page view) and authenticated access, limiting immediate risk but enabling persistent session hijacking or credential theft against administrative users. No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS Express
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Stored DOM-based cross-site scripting (XSS) in CI4 CMS-ERP Mail Settings allows authenticated administrators to inject arbitrary JavaScript via unsanitized configuration fields (Mail Server, Port, Email Address, Password, Protocol, TLS settings), with payloads executing immediately on the same settings page upon save. Attack requires high-privilege access (PR:H) but enables full account takeover and platform compromise. Publicly available proof-of-concept video demonstrates attribute breakout technique.

XSS PHP Privilege Escalation +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Reflected cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through the 'msg' parameter in index.php. Publicly available proof-of-concept code exists, enabling attackers to craft malicious URLs that execute scripts in victim browsers when clicked. No CVSS vector or patch information is available; the vulnerability appears limited in scope to a single PHP parameter.

XSS PHP
NVD GitHub VulDB
Prev Page 28 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy