Skip to main content

XSS

38830 CVEs technique

Monthly

CVE-2026-5106 LOW POC Monitor

Reflected cross-site scripting (XSS) in code-projects Exam Form Submission 1.0 allows authenticated remote attackers to inject malicious scripts via the sname parameter in /admin/update_fst.php, affecting user sessions with administrator privileges. The vulnerability requires user interaction (UI:R) and carries a low CVSS score of 2.4 due to the requirement for prior administrative authentication (PR:H), but publicly available exploit code exists and may be actively used. The attack vector is network-based (AV:N) with low complexity (AC:L), creating an insider threat scenario where compromised or malicious administrators can deface content or steal session tokens of other administrators.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-30563 MEDIUM POC This Month

Stored cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows authenticated attackers to inject malicious scripts via the unvalidated website parameter in update_details.php, which are persisted in the database and executed whenever the store details page is accessed by any user. Publicly available exploit code exists, though the vulnerability requires prior authentication and affects primarily self-hosted instances of this open-source inventory management application.

XSS PHP
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-30562 CRITICAL POC Act Now

Reflected Cross-Site Scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary web script or HTML via the unvalidated 'msg' parameter in add_stock.php. The vulnerability is publicly demonstrated with available proof-of-concept code, enabling attackers to execute malicious scripts in users' browsers without requiring authentication or special privileges.

XSS PHP
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-30564 MEDIUM POC This Month

Reflected Cross-Site Scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary web scripts or HTML through the 'limit' parameter in view_payments.php due to insufficient input sanitization. Publicly available exploit code exists, enabling attackers to craft malicious URLs that execute JavaScript in victims' browsers when visited, potentially leading to session hijacking, credential theft, or defacement.

XSS PHP
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-30558 MEDIUM POC This Month

Reflected cross-site scripting in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through an unsanitized 'msg' parameter in add_customer.php, enabling session hijacking, credential theft, or malware distribution via crafted URLs. Publicly available exploit code exists demonstrating the vulnerability.

XSS PHP
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-30565 MEDIUM POC This Month

Reflected Cross-Site Scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through the 'limit' parameter in view_supplier.php due to insufficient input sanitization. The vulnerability is accessible without authentication via crafted URLs, and publicly available exploit code exists demonstrating the attack vector.

XSS PHP
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-30566 MEDIUM POC This Month

Reflected cross-site scripting in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML via the unvalidated "limit" parameter in view_customers.php, affecting unauthenticated users who click malicious links. Publicly available exploit code exists demonstrating the vulnerability, though no CVSS score is available to quantify severity.

XSS PHP
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-30561 MEDIUM POC This Month

Reflected XSS in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through an unsanitized 'msg' parameter in add_purchase.php, enabling session hijacking, credential theft, or malware distribution via crafted URLs. The vulnerability has publicly available exploit code but lacks CVSS scoring and is not confirmed as actively exploited.

XSS PHP
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-30560 MEDIUM POC This Month

Reflected XSS in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through the msg parameter in add_supplier.php, enabling session hijacking, credential theft, or malware distribution without authentication. The vulnerability has publicly available proof-of-concept code demonstrating the attack vector.

XSS PHP
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-30557 MEDIUM POC This Month

Reflected cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through an unsanitized 'msg' parameter in add_category.php, enabling session hijacking, credential theft, or malware distribution via malicious URLs. Publicly available exploit code exists, increasing real-world attack likelihood despite the absence of formal CVSS scoring or CVE severity data.

XSS PHP
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-30559 MEDIUM POC This Month

Reflected XSS in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through the msg parameter in add_sales.php, enabling session hijacking, credential theft, or malware distribution via crafted URLs. Publicly available exploit code exists.

XSS PHP
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-30082 MEDIUM This Month

Stored cross-site scripting (XSS) vulnerabilities in IngEstate Server v11.14.0 allow remote attackers to execute arbitrary web scripts or HTML by injecting malicious payloads into the About application, What's news, or Release note parameters within the Software Package List edit feature. The vulnerabilities affect the stored XSS class, meaning injected payloads persist and execute for all users accessing the affected page. Public exploit code is available on GitHub, and the vendor (IngEstate/Ingenico) has not released a confirmed patched version as of this analysis.

XSS N A
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-2602 MEDIUM This Month

Stored cross-site scripting (XSS) in Twentig Supercharged Block Editor plugin for WordPress versions up to 1.9.7 allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript via the 'featuredImageSizeWidth' parameter, which executes in the browsers of all users who view affected pages. The vulnerability stems from insufficient input sanitization and output escaping. No public exploit code or active exploitation has been confirmed at the time of analysis.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-5015 LOW POC Monitor

Reflected cross-site scripting (XSS) in elecV2P up to version 3.8.3 allows remote attackers to inject malicious scripts via the filename parameter in the /logs endpoint, requiring user interaction to execute. The vulnerability has publicly available exploit code and affects all versions through 3.8.3, with no vendor patch released despite early notification through issue reporting.

XSS Elecv2P
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2595 MEDIUM This Month

Stored cross-site scripting (XSS) in Quads Ads Manager for Google AdSense plugin for WordPress up to version 2.0.98.1 allows authenticated attackers with Contributor-level or higher permissions to inject malicious scripts into ad metadata fields that execute in the browsers of all site visitors, potentially enabling session hijacking, credential theft, or malware distribution. CVSS 5.4 reflects the requirement for authenticated access and user interaction (page visit), but the stored nature and broad audience impact elevate real-world risk. No public exploit code or active exploitation has been identified at time of analysis.

WordPress XSS Google
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-4995 LOW POC Monitor

Stored cross-site scripting (XSS) in wandb OpenUI up to version 1.0 via the Window Message Event Handler in frontend/public/annotator/index.html allows authenticated remote attackers to inject malicious scripts with user interaction. The vulnerability has a low CVSS score (3.5) due to authentication and user-interaction requirements, but publicly available exploit code exists and the vendor has not responded to early disclosure notifications.

XSS Openui
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4992 LOW POC Monitor

HTML injection in wandb OpenUI up to version 1.0 allows remote unauthenticated attackers to inject arbitrary HTML via manipulation of the ID argument in the create_share and get_share functions in backend/openui/server.py. The attack requires user interaction and has a publicly available exploit. CVSS score is 5.3 (moderate) with EPSS indicating limited practical exploitation probability. The vendor has not responded to disclosure attempts.

XSS Openui
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4991 MEDIUM This Month

Cross-site scripting (XSS) in QDOCS Smart School Management System up to version 7.2 allows authenticated remote attackers to inject malicious scripts via the Note parameter in the /admin/enquiry endpoint of the Admission Enquiry Module, potentially compromising session integrity and user data. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), resulting in a CVSS 5.1 score with low integrity impact. No public exploit code or active exploitation has been confirmed at the time of this analysis.

XSS Smart School Management System
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-33955 HIGH PATCH This Week

Cross-site scripting in Notesnook Web/Desktop versions prior to 3.3.11 escalates to remote code execution when combined with the application's backup restore feature. The vulnerability triggers when attacker-controlled note headers render through unsafe `dangerouslySetInnerHTML` in the history comparison viewer, exploiting Electron's `nodeIntegration: true` and `contextIsolation: false` configuration to execute arbitrary code on victim systems. Attack requires local access and user interaction (CVSS AV:L/UI:R), but no authentication (PR:N). Vendor-released patch available in version 3.3.11; no public exploit or active exploitation confirmed at time of analysis.

RCE XSS Notesnook Web Desktop
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-33976 CRITICAL PATCH Act Now

Remote code execution via stored XSS in Notesnook Web Clipper affects all platforms prior to version 3.3.11 (Web/Desktop) and 3.3.17 (Android/iOS). Attackers can inject malicious HTML attributes into clipped web content that execute JavaScript in the application's security context when victims open the clip. On Electron desktop builds, unsafe Node.js integration (nodeIntegration: true, contextIsolation: false) escalates this XSS to full RCE with system-level access. CVSS 9.6 (Critical) reflects network-based attack requiring no authentication but user interaction. No public exploit identified at time of analysis, though attack methodology is detailed in vendor advisory.

XSS RCE Apple Google
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-32187 MEDIUM PATCH This Month

Microsoft Edge (Chromium-based) contains a defense-in-depth vulnerability affecting all versions that allows remote attackers to disclose sensitive information and modify data through a network-based attack requiring user interaction. The vulnerability carries a CVSS score of 4.2 (low severity) with high attack complexity, indicating limited real-world exploitability despite dual confidentiality and integrity impacts. A vendor-released patch is available from Microsoft.

Microsoft Google XSS
NVD VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-4973 LOW Monitor

Stored cross-site scripting (XSS) in SourceCodester Online Quiz System up to version 1.0 allows authenticated remote attackers to inject malicious scripts via the quiz_question parameter in endpoint/add-question.php, affecting users who view the injected quiz content. The vulnerability has CVSS 5.1 (low-to-moderate severity), requires user interaction to trigger, and public exploit code is available. An attacker with quiz management privileges can compromise quiz participants through JavaScript execution in their browsers.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-33739 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in FOG Project versions prior to 1.5.10.1812 allows authenticated high-privilege administrators to inject malicious scripts into management pages (Host, Storage, Group, Image, Printer, Snapin) through unsanitized record creation/update parameters, which are then executed when other administrators view the listing tables. The vulnerability requires administrative access and user interaction to trigger, resulting in potential session hijacking, credential theft, or lateral movement within the management interface.

XSS Fogproject
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-33045 PyPI HIGH PATCH GHSA This Week

Cross-site scripting in Home Assistant's mobile phone remaining charge time sensor allows authenticated attackers to inject malicious scripts via crafted sensor names imported from Android Auto. Affecting Home Assistant versions 2025.02 through 2026.00, this vulnerability requires low attack complexity and privileged access but relies on user interaction to execute stored XSS payloads. A vendor-released patch is available in version 2026.01, with EPSS data unavailable and no confirmed active exploitation at time of analysis.

XSS Google
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-33044 PyPI HIGH PATCH GHSA This Week

Cross-site scripting in Home Assistant's Map card component allows authenticated users to inject malicious JavaScript through device entity names, executing arbitrary code in victims' browsers when they hover over map information points. Affects Home Assistant versions 2020.02 through 2026.0.x, with fix released in version 2026.01. No public exploit identified at time of analysis, though CVSS E:P indicates proof-of-concept code exists. EPSS data not available, but exploitation requires authenticated access and user interaction (hovering), limiting practical attack surface.

XSS Home Assistant
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-4972 LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Online Reviewer System up to version 1.0 allows authenticated users with high privileges to inject malicious scripts via the Description parameter in /system/system/students/assessments/databank/btn_functions.php, which are then executed in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and has publicly available exploit code, but poses minimal real-world risk given the high privilege requirement (PR:H) and low impact severity (CVSS 2.4).

XSS PHP
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4969 LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Social Networking Site 1.0 allows authenticated remote attackers to inject malicious scripts via the content parameter in the Alert Handler component (/home.php), requiring user interaction to trigger. The vulnerability carries a CVSS score of 5.1 (medium) with publicly available exploit code, though no confirmed active exploitation in the wild has been reported. Affected users can have their sessions hijacked or credentials stolen if they interact with malicious alerts crafted by authenticated attackers.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-33941 npm HIGH PATCH GHSA This Week

The Handlebars npm package precompiler (bin/handlebars) allows arbitrary JavaScript injection through unsanitized string concatenation in four distinct code paths: template filenames, namespace option (-n), CommonJS path option (-c), and AMD path option (-h). Attackers who can control template filenames or CLI arguments can inject code that executes when the generated JavaScript bundle is loaded in Node.js or browser environments. Publicly available exploit code exists with multiple proof-of-concept vectors demonstrated, including file system manipulation via require('fs'). CVSS 8.3 reflects local attack vector requiring low privileges and user interaction, with changed scope allowing high confidentiality, integrity, and availability impact.

XSS Node.js Amd
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-34375 PHP HIGH GHSA This Week

Reflected cross-site scripting (XSS) in WWBN AVideo versions up to 26.0 enables credential theft through unsanitized request parameter echoed into JavaScript context. Attackers can craft malicious URLs that, when clicked by authenticated users, execute arbitrary JavaScript and exfiltrate the victim's username and password hash directly exposed in the vulnerable code block. CVSS score of 8.2 reflects high confidentiality impact; no public exploit identified at time of analysis.

XSS PHP
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-30568 MEDIUM POC This Month

Reflected cross-site scripting (XSS) in SourceCodester Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through an unsanitized 'limit' parameter in the view_purchase.php file. The vulnerability affects unauthenticated users who click a malicious link, enabling session hijacking, credential theft, or malware distribution. Publicly available exploit code exists, elevating practical exploitation risk despite the absence of CVSS scoring data.

PHP XSS
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-30567 MEDIUM POC This Month

Reflected XSS in SourceCodester Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript via the unvalidated 'limit' parameter in view_product.php. The vulnerability affects the web application without authentication requirements, and publicly available exploit code has been disclosed. While CVSS scoring data is unavailable, the combination of reflected XSS execution context, public POC availability, and lack of input sanitization indicates meaningful risk to deployments of this legacy system.

PHP XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-33979 npm HIGH PATCH GHSA This Week

express-xss-sanitizer versions 2.0.1 and earlier silently ignore restrictive sanitization configurations when developers explicitly set empty allowedTags or allowedAttributes arrays, instead defaulting to permissive HTML allowlists that can enable XSS attacks. The CVSS score of 8.2 (AV:N/AC:L/PR:N/UI:N) reflects network-accessible, unauthenticated exploitation with high integrity impact. A public proof-of-concept demonstrating the configuration bypass exists in the GitHub security advisory, showing how input intended to be stripped of all HTML instead preserves anchor tags with href attributes and paragraph elements. No EPSS score or CISA KEV status was provided in the intelligence data.

XSS
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-30527 MEDIUM POC This Month

Stored XSS in SourceCodester Online Food Ordering System v1.0 allows authenticated administrators to inject malicious JavaScript via the Category Name field in the admin panel, with payloads executing in the browsers of any user viewing the Category list. Publicly available exploit code exists; the vulnerability stems from insufficient input sanitization on a critical administrative function that affects all downstream users who access affected categories.

XSS Online Food Ordering System
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-5026 HIGH This Week

Stored XSS in Langflow's image serving endpoint allows authenticated attackers to steal session tokens via malicious SVG uploads. The '/api/v1/files/images/{flow_id}/{file_name}' endpoint serves user-uploaded SVG files with 'image/svg+xml' content type without sanitization, enabling embedded JavaScript execution in victim browsers. Authenticated attackers with low privileges can upload crafted SVGs that execute in other users' contexts, exfiltrating JWT access and refresh tokens from cookies. EPSS probability is low (0.07%, 22nd percentile) with no active exploitation confirmed (SSVC: none), but the attack is straightforward for authenticated users with file upload permissions.

XSS Langflow
NVD VulDB
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-5010 MEDIUM PATCH This Month

Clickedu contains a reflected XSS vulnerability in the /user.php/ endpoint that permits remote attackers to execute arbitrary JavaScript in a victim's browser via malicious URL parameters, enabling session hijacking, credential theft, and unauthorized actions. The vulnerability affects all versions of Sanoma's Clickedu product (per CPE cpe:2.3:a:sanoma:clickedu:*:*:*:*:*:*:*:*) and a vendor patch is available. No CVSS score or active exploitation data was provided; however, the reflected XSS attack vector combined with educational platform context indicates moderate to high real-world risk given typical user trust in institutional URLs.

PHP XSS
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-32859 MEDIUM PATCH This Month

ByteDance Deer-Flow artifacts API fails to sanitize user-supplied HTML and script content before storage and rendering, enabling stored cross-site scripting (XSS) attacks that execute arbitrary scripts in the browser context of users viewing artifacts. All versions prior to commit 5dbb362 are affected; attackers can compromise sessions, steal credentials, and execute arbitrary JavaScript without authentication. A patch is available from the vendor via GitHub commit 5dbb3623b2f0e490c8bb3cd81b1e3b1b12eae1a6, and no public exploit code or active exploitation has been identified at time of analysis.

XSS Deerflow
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-25100 MEDIUM This Month

Bludit up to version 3.18.2 allows authenticated users with content upload privileges to execute arbitrary JavaScript in victim browsers via stored XSS in SVG image uploads. An attacker with Author, Editor, or Administrator role can upload a malicious SVG file that executes when accessed by any unauthenticated visitor to the uploaded resource URL, compromising browser sessions and potentially enabling account takeover or sensitive data theft. No public exploit code has been identified at time of analysis, though the vendor was notified early and subsequently ceased coordination.

XSS Bludit
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-3457 HIGH PATCH This Week

Stored cross-site scripting in Thales Sentinel LDK Runtime on Windows allows attackers with local access to inject malicious scripts that execute with high integrity impact. All versions before 10.22 are affected. The CVSS 4.0 base score of 7.0 reflects local attack vector with no privileges required and no user interaction. Proof-of-concept exploit code exists (CVSS:4.0 E:P). CISA KEV does not list this vulnerability as actively exploited at time of analysis.

XSS Microsoft
NVD
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-33559 MEDIUM This Month

Stored cross-site scripting (XSS) in the WordPress OpenStreetMap plugin by MiKa allows authenticated users with page creation or editing privileges to inject malicious scripts that execute in the browsers of other users viewing the affected pages. The vulnerability affects all versions of the plugin via CPE cpe:2.3:a:mika:openstreetmap:*:*:*:*:*:*:*:*. With a CVSS score of 5.4 and moderate attack complexity requiring user interaction, this poses a localized but meaningful risk to WordPress sites where contributors or editors cannot be fully trusted. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress XSS
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-4909 LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Exam Form Submission 1.0 allows authenticated remote attackers to inject malicious scripts via the sname parameter in /admin/update_s7.php, potentially compromising administrator sessions and enabling unauthorized actions. Publicly available exploit code exists for this vulnerability, though it requires high-privilege authentication to trigger. The CVSS 2.4 score reflects limited impact (information integrity only) and the requirement for authenticated access and user interaction, but the public availability of working exploit code elevates practical risk.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-61190 MEDIUM This Month

DSpace JSPUI 6.5 contains a reflected cross-site scripting (XSS) vulnerability in the search/discover filtering functionality where the filter_type_1 parameter is not properly sanitized, allowing remote attackers to inject malicious scripts that execute in the context of other users' browsers. The vulnerability affects DSpace repository instances running version 6.5. A proof-of-concept has been publicly disclosed via GitHub (https://gist.github.com/MerttTuran/9cf7de549749fe3ef7ce08d65e3540bd), though no active exploitation via CISA KEV listing has been confirmed at the time of analysis.

XSS N A
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-30569 MEDIUM POC This Month

SourceCodester Inventory System 1.0 contains a reflected cross-site scripting (XSS) vulnerability in the view_stock_availability.php file's 'limit' parameter that permits remote attackers to inject arbitrary HTML and JavaScript through a crafted URL. Publicly available exploit code has been disclosed via GitHub, enabling attackers without authentication to execute malicious scripts in the context of victim browsers. The vulnerability affects an unspecified version range of the Inventory System application with no CVSS scoring or patch availability data currently confirmed.

PHP XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-30571 MEDIUM POC This Month

SourceCodester Inventory System 1.0 contains a reflected cross-site scripting vulnerability in the view_category.php file where the 'limit' parameter is not sanitized, enabling remote attackers to inject arbitrary JavaScript or HTML through a crafted URL. Publicly available exploit code exists for this vulnerability, affecting the PHP-based Inventory System application. Remote attackers can execute client-side scripts in the context of authenticated user sessions without requiring elevated privileges.

PHP XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-30570 MEDIUM POC This Month

SourceCodester Inventory System 1.0 contains a reflected cross-site scripting (XSS) vulnerability in the view_sales.php file's 'limit' parameter that allows remote attackers to inject arbitrary JavaScript or HTML through a crafted URL. The vulnerability stems from insufficient input sanitization and publicly available exploit code has been disclosed. Authentication requirements are not confirmed from available CVSS data.

PHP XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-33916 npm MEDIUM PATCH This Month

Handlebars template engine fails to guard prototype-chain access when resolving partial templates, allowing unauthenticated remote attackers to inject unescaped HTML and JavaScript through prototype pollution. When Object.prototype is polluted with a string value matching a partial name referenced in a template, the malicious string is rendered without HTML escaping, resulting in reflected or stored XSS. Exploitation requires a separate prototype pollution vulnerability in the target application (such as via qs or minimist libraries) combined with knowledge of partial names used in templates; publicly available proof-of-concept code demonstrates the attack. The vulnerability affects npm package handlebars (pkg:npm/handlebars) across multiple versions and is distinct from earlier prototype-access issues CVE-2021-23369 and CVE-2021-23383.

XSS Red Hat
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-4899 LOW POC Monitor

The code-projects Online Food Ordering System versions up to 1.0 contain a stored cross-site scripting (XSS) vulnerability in the /dbfood/food.php file via the cuisines parameter, allowing authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers. The vulnerability carries a CVSS score of 2.4 (low severity) but has publicly available exploit code and confirmed documentation on GitHub, limiting its practical impact due to high privilege requirements and user interaction dependency. Remote exploitation is possible, but the attack requires an authenticated user with high-level administrative privileges and victim user interaction, substantially constraining real-world exploitation likelihood.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-33664 HIGH This Week

Cross-site scripting in Kestra orchestration platform versions up to 1.3.3 enables authenticated flow authors to inject arbitrary JavaScript through unsanitized Markdown rendering in flow metadata fields (description, input displayName/description). The malicious scripts execute automatically when other users view the flow in the web UI, requiring zero interaction for input.displayName fields. This vulnerability (CVSS 7.3) differs from CVE-2026-29082 and affects different components with lower interaction requirements. No public exploit identified at time of analysis, and patch availability remains unconfirmed per the advisory.

XSS Kestra
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-4898 LOW POC Monitor

The Online Food Ordering System 1.0 by code-projects contains a reflected cross-site scripting (XSS) vulnerability in the Name parameter of /dbfood/contact.php that allows unauthenticated remote attackers to inject malicious scripts. The vulnerability has a publicly available proof-of-concept and affects all versions of the affected product line. While the CVSS score of 4.3 is moderate, the public availability of exploit code and minimal complexity of attack execution elevate practical risk for instances exposed to the internet.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-33653 MEDIUM PATCH This Month

Stored XSS in Uploady file uploader (farisc0de/Uploady versions prior to 3.1.2) allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by uploading files with malicious filenames that are rendered without proper escaping in file list and details pages. The vulnerability requires user interaction (viewing the affected page) and authenticated access, resulting in confidentiality and integrity impact with a CVSS score of 4.6. Vendor-released patch version 3.1.2 is available.

XSS File Upload Uploady
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-33742 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Invoice Ninja v5.13.0 through v5.13.3 allows authenticated attackers with product notes field access to inject and execute arbitrary JavaScript in invoice templates via unvalidated Markdown rendering. The vulnerability affects all Invoice Ninja instances running affected versions where the Markdown parser output bypasses HTML sanitization, enabling session hijacking, credential theft, or malicious template manipulation for other users viewing invoices. A vendor-released patch (v5.13.4) addresses this by implementing purify::clean() sanitization on Markdown output.

XSS Invoiceninja
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33738 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Lychee photo-management application versions prior to 7.5.3 allows unauthenticated remote attackers to execute arbitrary JavaScript through unsanitized photo description fields rendered in publicly accessible RSS, Atom, and JSON feed endpoints. The vulnerability stems from use of Blade's unescaped output syntax ({!! !!}) in feed templates, enabling malicious descriptions to inject executable scripts that execute in the context of any RSS reader or client consuming the feed.

XSS Lychee
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-3529 PHP MEDIUM PATCH This Month

Drupal Google Analytics GA4 module versions before 1.1.14 contain a cross-site scripting (XSS) vulnerability through improper input neutralization during web page generation, allowing attackers to inject and execute arbitrary JavaScript in user browsers. Remote attackers can craft malicious requests that persist within analytics data or configuration, affecting all users of sites running vulnerable versions. The vulnerability is documented in Drupal's security advisory SA-CONTRIB-2026-024 and has been assigned EUVD-2026-16383; no public exploit code or active exploitation has been confirmed at the time of this analysis.

XSS Google
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-3528 PHP MEDIUM PATCH This Month

Cross-site scripting (XSS) in Drupal Calculation Fields module versions prior to 1.0.4 permits remote attackers to inject arbitrary JavaScript into dynamically generated web pages, enabling session hijacking, credential theft, and malware distribution against users viewing affected pages. The vulnerability stems from improper input neutralization during calculation field rendering, affecting all installations running Calculation Fields 0.0.0 through 1.0.3. No public exploit code or active exploitation has been confirmed at time of analysis.

XSS Calculation Fields
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-33883 PHP MEDIUM PATCH This Month

The user:reset_password_form template tag in Statamic CMS fails to escape user-supplied input before rendering it into HTML, enabling reflected cross-site scripting (XSS) attacks via crafted URLs. An unauthenticated remote attacker can exploit this by tricking a victim into clicking a malicious link, causing arbitrary JavaScript execution in the victim's browser with access to session tokens and sensitive page content. Vendor-released patches are available in versions 5.73.16 and 6.7.2.

XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-33506 HIGH PATCH This Week

DOM-based Cross-Site Scripting in Ory Polis (formerly BoxyHQ Jackson) SAML-to-OAuth bridge allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via crafted callbackUrl parameters. Versions prior to 26.2.0 are affected, with vendor-released patch available in version 26.2.0. No public exploit identified at time of analysis. CVSS score of 8.8 reflects network-based attack vector with low complexity requiring only user interaction, though SSVC framework rates technical impact as partial with no observed exploitation and non-automatable attack pattern.

XSS Polis
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-33758 Go CRITICAL PATCH Act Now

Cross-site scripting in OpenBao's OIDC/JWT authentication method allows theft of Web UI session tokens when roles are configured with callback_mode=direct. Attackers exploit the unsanitized error_description parameter on failed authentication pages to inject malicious scripts that execute in victims' browsers, granting access to authentication tokens. The vulnerability affects OpenBao installations prior to v2.5.2 and has no public exploit identified at time of analysis, though the technical implementation details are publicly documented in the vendor advisory.

XSS
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-34071 MEDIUM This Month

Stirling-PDF version 2.7.3 fails to sanitize HTML content from email bodies in the /api/v1/convert/eml/pdf endpoint when the downloadHtml=true parameter is set, allowing unauthenticated remote attackers to inject and execute arbitrary JavaScript code. An attacker can craft a malicious email that, when processed by a Stirling-PDF user through the 'Download HTML intermediate file' feature, executes JavaScript in the user's browser context with access to local data and session tokens. Proof-of-concept code has been demonstrated, and the vendor released version 2.8.0 to address the vulnerability.

XSS Stirling Pdf
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33402 LOW PATCH Monitor

Sakai Collaboration and Learning Environment versions 23.0-23.4 and 25.0-25.1 fail to sanitize group titles and descriptions, permitting stored cross-site scripting (XSS) attacks that execute in the browsers of users viewing affected group metadata. Authenticated users with group creation or modification privileges can inject malicious scripts that persist in the SAKAI_SITE_GROUP table and execute when other users access group information, compromising session security and enabling credential theft or unauthorized actions within the Sakai environment. Vendor-released patches are available in versions 23.5 and 25.2; no active exploitation has been reported, but the low CVSS score (1.3) reflects minimal baseline impact rather than true severity, given the requirement for user interaction (UI:P) and limited scope of harm (SC:L, SI:L) as documented in the CVSS:4.0 vector.

XSS Sakai
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2026-29933 MEDIUM This Month

YZMCMS v7.4 suffers from a reflected cross-site scripting (XSS) vulnerability in the /index/login.html component that permits attackers to execute arbitrary JavaScript in a user's browser by manipulating the referrer value in request headers. Remote attackers can exploit this to steal session credentials, perform actions on behalf of authenticated users, or redirect users to malicious sites without requiring prior authentication. No public exploit code or active exploitation has been independently confirmed at the time of analysis.

XSS Yzmcms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-28298 MEDIUM This Month

SolarWinds Observability Self-Hosted versions 2026.1.1 and earlier contain a stored cross-site scripting (XSS) vulnerability that permits authenticated high-privilege users to inject malicious scripts into the application, resulting in unintended script execution when other users access affected pages. The vulnerability requires high privilege level and user interaction to exploit, limiting real-world attack surface; no public exploit code or active exploitation has been identified at the time of analysis.

XSS Solarwinds Observability Self Hosted
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-28297 MEDIUM This Month

SolarWinds Observability Self-Hosted versions 2026.1.1 and earlier contain a stored cross-site scripting vulnerability that allows authenticated attackers with high privileges to inject malicious scripts into the application, resulting in unintended script execution within the security context of the affected system. The vulnerability requires administrative or high-privilege access and does not currently show evidence of active exploitation, though the ability to persist malicious payloads in stored data represents a significant insider threat. Affected organizations should prioritize patching to versions after 2026.1.1 to eliminate the XSS attack surface.

XSS Solarwinds Observability Self Hosted
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-2389 MEDIUM PATCH This Month

Stored Cross-Site Scripting in Complianz - GDPR/CCPA Cookie Consent plugin versions up to 7.4.4.2 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into WordPress pages via the `revert_divs_to_summary` function, which improperly converts HTML entities to unescaped characters without subsequent sanitization. The vulnerability requires both the Classic Editor plugin and authenticated user privileges, limiting exposure to internal threats. No public exploit identified at time of analysis, and CISA KEV status is not confirmed.

WordPress XSS
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-2231 HIGH This Week

Unauthenticated attackers can inject malicious scripts into Fluent Booking plugin for WordPress versions up to 2.0.01, enabling Stored Cross-Site Scripting attacks that execute in victim browsers whenever injected pages are accessed. The vulnerability stems from insufficient input sanitization across multiple parameters in LocationService.php, Booking.php, and FrontEndHandler.php. With a CVSS score of 7.2 and network-based attack vector requiring no privileges, this represents a significant threat to WordPress sites using the affected booking plugin. No public exploit identified at time of analysis, and SSVC framework indicates no current exploitation with non-automatable attack profile.

WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-4877 LOW POC Monitor

Reflected cross-site scripting (XSS) in itsourcecode Payroll Management System version 1.0 allows remote unauthenticated attackers to inject malicious scripts via manipulation of the 'page' parameter in /index.php. The vulnerability has a CVSS v4.0 score of 5.3 with network accessibility and low integrity impact; publicly available exploit code exists, and CISA SSVC assessment confirms the flaw is exploitable and partially automatable, making it suitable for active compromise of application integrity and user sessions.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-55270 LOW Monitor

HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vectors including Cross-Site Scripting (XSS), SQL Injection, and Command Injection. Authenticated attackers can exploit this vulnerability to inject and execute arbitrary code within the application context. No public exploit code or active exploitation has been identified at time of analysis, and the moderate CVSS score of 3.5 reflects limited confidentiality impact with user interaction required.

XSS SQLi Command Injection Aftermarket Dpc
NVD
CVSS 3.1
3.5
EPSS
0.1%
CVE-2025-41027 MEDIUM PATCH This Month

GDTaller allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers through reflected cross-site scripting (XSS) via the 'site' parameter in app_recuperarclave.php. The vulnerability affects all versions of GDTaller (version 0 and beyond) and has been assigned a CVSS 4.0 base score of 5.1 with limited scope impact. A vendor patch is available from INCIBE, and exploitation requires user interaction (UI:A) but presents moderate risk due to the network-accessible attack surface and low technical complexity.

XSS PHP
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-41026 MEDIUM PATCH This Month

GDTaller is vulnerable to reflected cross-site scripting (XSS) in the app_login.php file, specifically through the 'site' parameter, allowing unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious URLs. The vulnerability affects GDTaller versions prior to an unspecified patch release and carries a CVSS 5.1 score reflecting low immediate confidentiality impact but limited scope and user interaction requirement. A vendor patch is available from INCIBE, though no public exploit code has been identified at time of analysis.

XSS PHP
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2018-25210 HIGH POC This Week

WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi XSS Ticaret V4
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-4849 LOW POC Monitor

A reflected cross-site scripting (XSS) vulnerability exists in code-projects Simple Laundry System version 1.0 via the firstName parameter in the /modify.php file. An attacker can inject malicious JavaScript that executes in a victim's browser when they visit a crafted link, potentially leading to session hijacking, credential theft, or malware distribution. A public proof-of-concept is available on GitHub, and exploitation requires only user interaction (clicking a malicious link), making this a practical concern despite the moderate CVSS score of 5.3.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4848 LOW POC Monitor

Muucmf 1.9.5.20260309 contains a cross-site scripting (XSS) vulnerability in the /admin/extend/list.html endpoint where the Name parameter is not properly sanitized, allowing remote attackers to inject malicious scripts. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

XSS Muucmf
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4847 LOW POC Monitor

A reflected cross-site scripting (XSS) vulnerability exists in dameng100 muucmf version 1.9.5.20260309 within the /admin/config/list.html endpoint, where the Name parameter is not properly sanitized before being rendered in the response. An unauthenticated remote attacker can craft a malicious URL containing JavaScript code in the Name parameter to execute arbitrary scripts in a victim's browser context, potentially leading to session hijacking, credential theft, or malware distribution. A public proof-of-concept exploit has been published, and the vendor has not responded to early disclosure notifications, indicating no immediate patch is available.

XSS Muucmf
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1430 MEDIUM POC PATCH This Month

WP Lightbox 2 WordPress plugin before version 3.0.7 contains a Stored Cross-Site Scripting (XSS) vulnerability in its settings due to insufficient input sanitization and output escaping. High-privilege users, particularly administrators, can inject malicious JavaScript that persists in the database and executes in the browsers of other users, even in multisite installations where the unfiltered_html capability is restricted. A publicly available proof-of-concept demonstrates active exploitation potential, making this a practical threat in WordPress environments.

WordPress XSS
NVD WPScan
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-4846 LOW POC Monitor

A stored cross-site scripting (XSS) vulnerability exists in dameng100 muucmf version 1.9.5.20260309 and potentially earlier versions, affecting the autoReply.html administrative interface in the channel/admin.Account module. An unauthenticated attacker can inject malicious JavaScript through the 'keyword' parameter, which is reflected in the response without proper sanitization, allowing session hijacking, credential theft, or malware distribution to administrative users. A public proof-of-concept exploit is available, and the vendor has not responded to disclosure notifications, indicating no official patch is currently available.

XSS Muucmf
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4845 LOW POC Monitor

A reflected cross-site scripting (XSS) vulnerability exists in Dameng100 MUUCMF version 1.9.5.20260309 within the Member management interface at /admin/Member/index.html. The vulnerability is triggered via an unsanitized Search parameter, allowing remote attackers to inject arbitrary JavaScript that executes in the context of an authenticated user's browser. A proof-of-concept exploit has been publicly disclosed, and the vendor has not responded to early disclosure attempts, leaving deployments unpatched.

XSS Muucmf
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4389 MEDIUM This Month

This is a Stored Cross-Site Scripting (XSS) vulnerability in the DSGVO Snippet for Leaflet Map and its Extensions WordPress plugin (all versions up to and including 3.1) that allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript code into pages via the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied shortcode attributes (`unset`, `before`, `after`), enabling script execution whenever visitors access the compromised pages. With a CVSS score of 6.4 and attack complexity of low, this represents a moderate but real threat in WordPress environments where multiple content contributors exist.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4278 MEDIUM This Month

The Simple Download Counter WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'sdc_menu' shortcode due to insufficient input sanitization and output escaping of the 'text' and 'cat' attributes. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript code into pages via these unescaped shortcode attributes, which will execute for all users visiting the affected pages. All versions up to and including 2.3 are vulnerable, with a CVSS score of 6.4 indicating moderate severity and the vulnerability requiring low attack complexity and only low privileges to exploit.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-4329 HIGH This Week

The Blackhole for Bad Bots plugin for WordPress contains a Stored Cross-Site Scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the User-Agent HTTP header. All versions up to and including 3.8 are affected. The vulnerability stems from insufficient output escaping when displaying bot data in the admin interface, enabling arbitrary JavaScript execution when administrators view the Bad Bots log page.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-4075 MEDIUM This Month

The BWL Advanced FAQ Manager Lite WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'baf_sbox' shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript code through shortcode attributes (sbox_id, sbox_class, placeholder, highlight_color, highlight_bg, cont_ext_class) that will execute in the browsers of all users viewing the affected pages. The vulnerability affects all versions up to and including 1.1.1, and while no public exploit code or KEV designation is currently documented, the CVSS 6.4 score and straightforward nature of the flaw indicate moderate real-world risk.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1986 MEDIUM This Month

A Reflected Cross-Site Scripting (XSS) vulnerability exists in FloristPress for Woo (BakkBone) plugin versions up to 7.8.2, where the 'noresults' parameter is insufficiently sanitized and escaped, allowing unauthenticated attackers to inject arbitrary JavaScript. An attacker can craft a malicious URL and trick users into clicking it, resulting in script execution within the victim's browser session with access to sensitive data and session tokens. The vulnerability requires user interaction (UI:R) but has a network attack vector with low complexity, and while no KEV or confirmed active exploitation data is available in the provided intelligence, Wordfence has documented the issue with references to vulnerable code locations.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-4335 MEDIUM This Month

The ShortPixel Image Optimizer WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 6.4.3, affecting the getEditorPopup() function and media-popup.php template. Authenticated attackers with Author-level permissions can inject arbitrary JavaScript into attachment post titles via the REST API, which executes when administrators open the ShortPixel AI editor popup for the poisoned attachment. This vulnerability has a CVSS score of 5.4 (moderate severity) and requires user interaction from a higher-privileged administrator to trigger, limiting its immediate exploitation scope but still presenting a meaningful privilege escalation risk in multi-author WordPress environments.

WordPress PHP XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-4835 LOW POC Monitor

A stored cross-site scripting (XSS) vulnerability exists in code-projects Accounting System 1.0 within the customer management interface (/my_account/add_costumer.php), where the costumer_name parameter fails to properly sanitize user input. Attackers with low privileges and user interaction can inject malicious JavaScript that will execute in the browsers of other users viewing the affected page, potentially leading to session hijacking, credential theft, or unauthorized actions within the accounting system. A public proof-of-concept exploit is available, significantly increasing the likelihood of real-world exploitation.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-33933 MEDIUM This Month

A reflected cross-site scripting (XSS) vulnerability exists in the custom template editor of OpenEMR, a widely-deployed open-source electronic health records system. Attackers can craft malicious URLs that, when clicked by authenticated staff members, execute arbitrary JavaScript within their browser sessions and gain access to sensitive medical data and system functions; notably, the attacker does not require an OpenEMR account themselves. The vulnerability affects OpenEMR versions 7.0.2.1 through 8.0.0.2, and while there is no evidence of active exploitation in the wild or public proof-of-concept code, the moderate CVSS score of 6.1 combined with the user-interaction requirement and the context-sensitive nature of healthcare data makes this a meaningful priority for healthcare organizations.

XSS Openemr
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-33932 HIGH This Week

A stored cross-site scripting (XSS) vulnerability exists in OpenEMR's CCDA document preview functionality that allows authenticated attackers to execute arbitrary JavaScript in clinician browser sessions. OpenEMR versions prior to 8.0.0.3 are affected. The vulnerability occurs because the XSL stylesheet fails to sanitize linkHtml attributes in CCDA documents, allowing javascript: URLs and event handlers to execute when documents are previewed.

XSS Openemr
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-29969 MEDIUM This Month

StaffWiki v7.0.1.19219 contains a reflected cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoint that enables remote attackers to execute arbitrary JavaScript in a user's browser context through a crafted HTTP request. The vulnerability affects StaffWiki versions up to at least 7.0.1.19219, and publicly available exploit code has been disclosed via GitHub, though no active exploitation has been confirmed by CISA at the time of analysis.

XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-30162 MEDIUM This Month

Timo 2.0.3 contains a stored cross-site scripting (XSS) vulnerability in the title field that allows unauthenticated remote attackers to inject malicious scripts via crafted links, resulting in session hijacking, credential theft, or malware distribution to other users viewing affected content. Publicly available exploit code exists (referenced via GitHub issue), and the vulnerability is rated CVSS 6.1 with cross-site scope impact, though no evidence of active exploitation in the wild has been confirmed at the time of analysis.

XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-29934 MEDIUM This Month

Lightcms v2.0 contains a reflected cross-site scripting vulnerability in the /admin/menus component that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the HTTP referer header. The vulnerability requires user interaction (clicking a crafted link) to trigger exploitation. A proof-of-concept has been publicly disclosed on GitHub, though no evidence of active exploitation in the CISA Known Exploited Vulnerabilities catalog was identified. With a CVSS score of 6.1 and low attack complexity, this represents a moderate-severity risk requiring prompt patching.

XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-33912 MEDIUM This Month

OpenEMR versions prior to 8.0.0.3 contain a stored cross-site scripting (XSS) vulnerability in form handling that allows authenticated attackers to inject malicious JavaScript into forms, which executes in the browser sessions of victims who submit those forms. An attacker with valid OpenEMR credentials can craft a malicious form that, upon submission by any user, executes arbitrary JavaScript with the privileges of the victim's session, potentially leading to session hijacking, credential theft, or unauthorized actions within the electronic health records system. The vulnerability is low-to-moderate severity (CVSS 5.4) due to the requirement for authentication and user interaction, but it poses significant risk in healthcare environments where attackers may have legitimate credentials and victims include healthcare providers with broad system access.

XSS Openemr
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33911 MEDIUM This Month

This is a stored/reflected cross-site scripting (XSS) vulnerability in OpenEMR versions prior to 8.0.0.3 where the POST parameter 'title' is improperly encoded in JSON responses but served with a text/html Content-Type header, causing browsers to execute injected JavaScript rather than treat the output as data. An authenticated attacker can craft a malicious request to execute arbitrary JavaScript in a victim's session, potentially leading to session hijacking, credential theft, or unauthorized actions within the electronic health records system. The vulnerability carries a moderate CVSS score of 5.4 but requires authentication and user interaction (UI:R), reducing immediate exploitation likelihood, though a proof-of-concept fix commit is available in the GitHub repository.

XSS Openemr
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33348 HIGH This Week

A stored cross-site scripting (XSS) vulnerability exists in OpenEMR's Eye Exam form functionality that allows authenticated users with the 'Notes - my encounters' role to inject malicious JavaScript payloads through form answers. OpenEMR versions prior to 8.0.0.3 are affected. Attackers can execute arbitrary JavaScript in the browsers of other authenticated users when they view the compromised encounter pages or visit history, potentially leading to session hijacking, credential theft, or unauthorized actions within the EHR system.

XSS Openemr
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2025-14807 MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an HTTP header injection vulnerability caused by improper validation of the HOST header, allowing unauthenticated remote attackers to conduct cross-site scripting (XSS), cache poisoning, and session hijacking attacks. A vendor patch is available, and while this vulnerability is not currently listed as actively exploited in CISA's Known Exploited Vulnerabilities catalog, the CVSS score of 6.5 with network accessibility and low attack complexity indicates moderate real-world risk.

XSS IBM
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
EPSS 0% CVSS 1.9
LOW POC Monitor

Reflected cross-site scripting (XSS) in code-projects Exam Form Submission 1.0 allows authenticated remote attackers to inject malicious scripts via the sname parameter in /admin/update_fst.php, affecting user sessions with administrator privileges. The vulnerability requires user interaction (UI:R) and carries a low CVSS score of 2.4 due to the requirement for prior administrative authentication (PR:H), but publicly available exploit code exists and may be actively used. The attack vector is network-based (AV:N) with low complexity (AC:L), creating an insider threat scenario where compromised or malicious administrators can deface content or steal session tokens of other administrators.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Stored cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows authenticated attackers to inject malicious scripts via the unvalidated website parameter in update_details.php, which are persisted in the database and executed whenever the store details page is accessed by any user. Publicly available exploit code exists, though the vulnerability requires prior authentication and affects primarily self-hosted instances of this open-source inventory management application.

XSS PHP
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Reflected Cross-Site Scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary web script or HTML via the unvalidated 'msg' parameter in add_stock.php. The vulnerability is publicly demonstrated with available proof-of-concept code, enabling attackers to execute malicious scripts in users' browsers without requiring authentication or special privileges.

XSS PHP
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Reflected Cross-Site Scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary web scripts or HTML through the 'limit' parameter in view_payments.php due to insufficient input sanitization. Publicly available exploit code exists, enabling attackers to craft malicious URLs that execute JavaScript in victims' browsers when visited, potentially leading to session hijacking, credential theft, or defacement.

XSS PHP
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Reflected cross-site scripting in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through an unsanitized 'msg' parameter in add_customer.php, enabling session hijacking, credential theft, or malware distribution via crafted URLs. Publicly available exploit code exists demonstrating the vulnerability.

XSS PHP
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Reflected Cross-Site Scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through the 'limit' parameter in view_supplier.php due to insufficient input sanitization. The vulnerability is accessible without authentication via crafted URLs, and publicly available exploit code exists demonstrating the attack vector.

XSS PHP
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Reflected cross-site scripting in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML via the unvalidated "limit" parameter in view_customers.php, affecting unauthenticated users who click malicious links. Publicly available exploit code exists demonstrating the vulnerability, though no CVSS score is available to quantify severity.

XSS PHP
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Reflected XSS in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through an unsanitized 'msg' parameter in add_purchase.php, enabling session hijacking, credential theft, or malware distribution via crafted URLs. The vulnerability has publicly available exploit code but lacks CVSS scoring and is not confirmed as actively exploited.

XSS PHP
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Reflected XSS in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through the msg parameter in add_supplier.php, enabling session hijacking, credential theft, or malware distribution without authentication. The vulnerability has publicly available proof-of-concept code demonstrating the attack vector.

XSS PHP
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Reflected cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through an unsanitized 'msg' parameter in add_category.php, enabling session hijacking, credential theft, or malware distribution via malicious URLs. Publicly available exploit code exists, increasing real-world attack likelihood despite the absence of formal CVSS scoring or CVE severity data.

XSS PHP
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Reflected XSS in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through the msg parameter in add_sales.php, enabling session hijacking, credential theft, or malware distribution via crafted URLs. Publicly available exploit code exists.

XSS PHP
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Stored cross-site scripting (XSS) vulnerabilities in IngEstate Server v11.14.0 allow remote attackers to execute arbitrary web scripts or HTML by injecting malicious payloads into the About application, What's news, or Release note parameters within the Software Package List edit feature. The vulnerabilities affect the stored XSS class, meaning injected payloads persist and execute for all users accessing the affected page. Public exploit code is available on GitHub, and the vendor (IngEstate/Ingenico) has not released a confirmed patched version as of this analysis.

XSS N A
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting (XSS) in Twentig Supercharged Block Editor plugin for WordPress versions up to 1.9.7 allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript via the 'featuredImageSizeWidth' parameter, which executes in the browsers of all users who view affected pages. The vulnerability stems from insufficient input sanitization and output escaping. No public exploit code or active exploitation has been confirmed at the time of analysis.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting (XSS) in elecV2P up to version 3.8.3 allows remote attackers to inject malicious scripts via the filename parameter in the /logs endpoint, requiring user interaction to execute. The vulnerability has publicly available exploit code and affects all versions through 3.8.3, with no vendor patch released despite early notification through issue reporting.

XSS Elecv2P
NVD VulDB GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting (XSS) in Quads Ads Manager for Google AdSense plugin for WordPress up to version 2.0.98.1 allows authenticated attackers with Contributor-level or higher permissions to inject malicious scripts into ad metadata fields that execute in the browsers of all site visitors, potentially enabling session hijacking, credential theft, or malware distribution. CVSS 5.4 reflects the requirement for authenticated access and user interaction (page visit), but the stored nature and broad audience impact elevate real-world risk. No public exploit code or active exploitation has been identified at time of analysis.

WordPress XSS Google
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Stored cross-site scripting (XSS) in wandb OpenUI up to version 1.0 via the Window Message Event Handler in frontend/public/annotator/index.html allows authenticated remote attackers to inject malicious scripts with user interaction. The vulnerability has a low CVSS score (3.5) due to authentication and user-interaction requirements, but publicly available exploit code exists and the vendor has not responded to early disclosure notifications.

XSS Openui
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

HTML injection in wandb OpenUI up to version 1.0 allows remote unauthenticated attackers to inject arbitrary HTML via manipulation of the ID argument in the create_share and get_share functions in backend/openui/server.py. The attack requires user interaction and has a publicly available exploit. CVSS score is 5.3 (moderate) with EPSS indicating limited practical exploitation probability. The vendor has not responded to disclosure attempts.

XSS Openui
NVD VulDB GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Cross-site scripting (XSS) in QDOCS Smart School Management System up to version 7.2 allows authenticated remote attackers to inject malicious scripts via the Note parameter in the /admin/enquiry endpoint of the Admission Enquiry Module, potentially compromising session integrity and user data. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), resulting in a CVSS 5.1 score with low integrity impact. No public exploit code or active exploitation has been confirmed at the time of this analysis.

XSS Smart School Management System
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Cross-site scripting in Notesnook Web/Desktop versions prior to 3.3.11 escalates to remote code execution when combined with the application's backup restore feature. The vulnerability triggers when attacker-controlled note headers render through unsafe `dangerouslySetInnerHTML` in the history comparison viewer, exploiting Electron's `nodeIntegration: true` and `contextIsolation: false` configuration to execute arbitrary code on victim systems. Attack requires local access and user interaction (CVSS AV:L/UI:R), but no authentication (PR:N). Vendor-released patch available in version 3.3.11; no public exploit or active exploitation confirmed at time of analysis.

RCE XSS Notesnook Web Desktop
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Remote code execution via stored XSS in Notesnook Web Clipper affects all platforms prior to version 3.3.11 (Web/Desktop) and 3.3.17 (Android/iOS). Attackers can inject malicious HTML attributes into clipped web content that execute JavaScript in the application's security context when victims open the clip. On Electron desktop builds, unsafe Node.js integration (nodeIntegration: true, contextIsolation: false) escalates this XSS to full RCE with system-level access. CVSS 9.6 (Critical) reflects network-based attack requiring no authentication but user interaction. No public exploit identified at time of analysis, though attack methodology is detailed in vendor advisory.

XSS RCE Apple +1
NVD GitHub VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Microsoft Edge (Chromium-based) contains a defense-in-depth vulnerability affecting all versions that allows remote attackers to disclose sensitive information and modify data through a network-based attack requiring user interaction. The vulnerability carries a CVSS score of 4.2 (low severity) with high attack complexity, indicating limited real-world exploitability despite dual confidentiality and integrity impacts. A vendor-released patch is available from Microsoft.

Microsoft Google XSS
NVD VulDB
EPSS 0% CVSS 2.0
LOW Monitor

Stored cross-site scripting (XSS) in SourceCodester Online Quiz System up to version 1.0 allows authenticated remote attackers to inject malicious scripts via the quiz_question parameter in endpoint/add-question.php, affecting users who view the injected quiz content. The vulnerability has CVSS 5.1 (low-to-moderate severity), requires user interaction to trigger, and public exploit code is available. An attacker with quiz management privileges can compromise quiz participants through JavaScript execution in their browsers.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in FOG Project versions prior to 1.5.10.1812 allows authenticated high-privilege administrators to inject malicious scripts into management pages (Host, Storage, Group, Image, Printer, Snapin) through unsanitized record creation/update parameters, which are then executed when other administrators view the listing tables. The vulnerability requires administrative access and user interaction to trigger, resulting in potential session hijacking, credential theft, or lateral movement within the management interface.

XSS Fogproject
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Cross-site scripting in Home Assistant's mobile phone remaining charge time sensor allows authenticated attackers to inject malicious scripts via crafted sensor names imported from Android Auto. Affecting Home Assistant versions 2025.02 through 2026.00, this vulnerability requires low attack complexity and privileged access but relies on user interaction to execute stored XSS payloads. A vendor-released patch is available in version 2026.01, with EPSS data unavailable and no confirmed active exploitation at time of analysis.

XSS Google
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Cross-site scripting in Home Assistant's Map card component allows authenticated users to inject malicious JavaScript through device entity names, executing arbitrary code in victims' browsers when they hover over map information points. Affects Home Assistant versions 2020.02 through 2026.0.x, with fix released in version 2026.01. No public exploit identified at time of analysis, though CVSS E:P indicates proof-of-concept code exists. EPSS data not available, but exploitation requires authenticated access and user interaction (hovering), limiting practical attack surface.

XSS Home Assistant
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Online Reviewer System up to version 1.0 allows authenticated users with high privileges to inject malicious scripts via the Description parameter in /system/system/students/assessments/databank/btn_functions.php, which are then executed in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and has publicly available exploit code, but poses minimal real-world risk given the high privilege requirement (PR:H) and low impact severity (CVSS 2.4).

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Social Networking Site 1.0 allows authenticated remote attackers to inject malicious scripts via the content parameter in the Alert Handler component (/home.php), requiring user interaction to trigger. The vulnerability carries a CVSS score of 5.1 (medium) with publicly available exploit code, though no confirmed active exploitation in the wild has been reported. Affected users can have their sessions hijacked or credentials stolen if they interact with malicious alerts crafted by authenticated attackers.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

The Handlebars npm package precompiler (bin/handlebars) allows arbitrary JavaScript injection through unsanitized string concatenation in four distinct code paths: template filenames, namespace option (-n), CommonJS path option (-c), and AMD path option (-h). Attackers who can control template filenames or CLI arguments can inject code that executes when the generated JavaScript bundle is loaded in Node.js or browser environments. Publicly available exploit code exists with multiple proof-of-concept vectors demonstrated, including file system manipulation via require('fs'). CVSS 8.3 reflects local attack vector requiring low privileges and user interaction, with changed scope allowing high confidentiality, integrity, and availability impact.

XSS Node.js Amd
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Reflected cross-site scripting (XSS) in WWBN AVideo versions up to 26.0 enables credential theft through unsanitized request parameter echoed into JavaScript context. Attackers can craft malicious URLs that, when clicked by authenticated users, execute arbitrary JavaScript and exfiltrate the victim's username and password hash directly exposed in the vulnerable code block. CVSS score of 8.2 reflects high confidentiality impact; no public exploit identified at time of analysis.

XSS PHP
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Reflected cross-site scripting (XSS) in SourceCodester Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through an unsanitized 'limit' parameter in the view_purchase.php file. The vulnerability affects unauthenticated users who click a malicious link, enabling session hijacking, credential theft, or malware distribution. Publicly available exploit code exists, elevating practical exploitation risk despite the absence of CVSS scoring data.

PHP XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Reflected XSS in SourceCodester Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript via the unvalidated 'limit' parameter in view_product.php. The vulnerability affects the web application without authentication requirements, and publicly available exploit code has been disclosed. While CVSS scoring data is unavailable, the combination of reflected XSS execution context, public POC availability, and lack of input sanitization indicates meaningful risk to deployments of this legacy system.

PHP XSS
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

express-xss-sanitizer versions 2.0.1 and earlier silently ignore restrictive sanitization configurations when developers explicitly set empty allowedTags or allowedAttributes arrays, instead defaulting to permissive HTML allowlists that can enable XSS attacks. The CVSS score of 8.2 (AV:N/AC:L/PR:N/UI:N) reflects network-accessible, unauthenticated exploitation with high integrity impact. A public proof-of-concept demonstrating the configuration bypass exists in the GitHub security advisory, showing how input intended to be stripped of all HTML instead preserves anchor tags with href attributes and paragraph elements. No EPSS score or CISA KEV status was provided in the intelligence data.

XSS
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

Stored XSS in SourceCodester Online Food Ordering System v1.0 allows authenticated administrators to inject malicious JavaScript via the Category Name field in the admin panel, with payloads executing in the browsers of any user viewing the Category list. Publicly available exploit code exists; the vulnerability stems from insufficient input sanitization on a critical administrative function that affects all downstream users who access affected categories.

XSS Online Food Ordering System
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH This Week

Stored XSS in Langflow's image serving endpoint allows authenticated attackers to steal session tokens via malicious SVG uploads. The '/api/v1/files/images/{flow_id}/{file_name}' endpoint serves user-uploaded SVG files with 'image/svg+xml' content type without sanitization, enabling embedded JavaScript execution in victim browsers. Authenticated attackers with low privileges can upload crafted SVGs that execute in other users' contexts, exfiltrating JWT access and refresh tokens from cookies. EPSS probability is low (0.07%, 22nd percentile) with no active exploitation confirmed (SSVC: none), but the attack is straightforward for authenticated users with file upload permissions.

XSS Langflow
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Clickedu contains a reflected XSS vulnerability in the /user.php/ endpoint that permits remote attackers to execute arbitrary JavaScript in a victim's browser via malicious URL parameters, enabling session hijacking, credential theft, and unauthorized actions. The vulnerability affects all versions of Sanoma's Clickedu product (per CPE cpe:2.3:a:sanoma:clickedu:*:*:*:*:*:*:*:*) and a vendor patch is available. No CVSS score or active exploitation data was provided; however, the reflected XSS attack vector combined with educational platform context indicates moderate to high real-world risk given typical user trust in institutional URLs.

PHP XSS
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

ByteDance Deer-Flow artifacts API fails to sanitize user-supplied HTML and script content before storage and rendering, enabling stored cross-site scripting (XSS) attacks that execute arbitrary scripts in the browser context of users viewing artifacts. All versions prior to commit 5dbb362 are affected; attackers can compromise sessions, steal credentials, and execute arbitrary JavaScript without authentication. A patch is available from the vendor via GitHub commit 5dbb3623b2f0e490c8bb3cd81b1e3b1b12eae1a6, and no public exploit code or active exploitation has been identified at time of analysis.

XSS Deerflow
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Bludit up to version 3.18.2 allows authenticated users with content upload privileges to execute arbitrary JavaScript in victim browsers via stored XSS in SVG image uploads. An attacker with Author, Editor, or Administrator role can upload a malicious SVG file that executes when accessed by any unauthenticated visitor to the uploaded resource URL, compromising browser sessions and potentially enabling account takeover or sensitive data theft. No public exploit code has been identified at time of analysis, though the vendor was notified early and subsequently ceased coordination.

XSS Bludit
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Stored cross-site scripting in Thales Sentinel LDK Runtime on Windows allows attackers with local access to inject malicious scripts that execute with high integrity impact. All versions before 10.22 are affected. The CVSS 4.0 base score of 7.0 reflects local attack vector with no privileges required and no user interaction. Proof-of-concept exploit code exists (CVSS:4.0 E:P). CISA KEV does not list this vulnerability as actively exploited at time of analysis.

XSS Microsoft
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored cross-site scripting (XSS) in the WordPress OpenStreetMap plugin by MiKa allows authenticated users with page creation or editing privileges to inject malicious scripts that execute in the browsers of other users viewing the affected pages. The vulnerability affects all versions of the plugin via CPE cpe:2.3:a:mika:openstreetmap:*:*:*:*:*:*:*:*. With a CVSS score of 5.4 and moderate attack complexity requiring user interaction, this poses a localized but meaningful risk to WordPress sites where contributors or editors cannot be fully trusted. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress XSS
NVD
EPSS 0% CVSS 1.9
LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Exam Form Submission 1.0 allows authenticated remote attackers to inject malicious scripts via the sname parameter in /admin/update_s7.php, potentially compromising administrator sessions and enabling unauthorized actions. Publicly available exploit code exists for this vulnerability, though it requires high-privilege authentication to trigger. The CVSS 2.4 score reflects limited impact (information integrity only) and the requirement for authenticated access and user interaction, but the public availability of working exploit code elevates practical risk.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

DSpace JSPUI 6.5 contains a reflected cross-site scripting (XSS) vulnerability in the search/discover filtering functionality where the filter_type_1 parameter is not properly sanitized, allowing remote attackers to inject malicious scripts that execute in the context of other users' browsers. The vulnerability affects DSpace repository instances running version 6.5. A proof-of-concept has been publicly disclosed via GitHub (https://gist.github.com/MerttTuran/9cf7de549749fe3ef7ce08d65e3540bd), though no active exploitation via CISA KEV listing has been confirmed at the time of analysis.

XSS N A
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

SourceCodester Inventory System 1.0 contains a reflected cross-site scripting (XSS) vulnerability in the view_stock_availability.php file's 'limit' parameter that permits remote attackers to inject arbitrary HTML and JavaScript through a crafted URL. Publicly available exploit code has been disclosed via GitHub, enabling attackers without authentication to execute malicious scripts in the context of victim browsers. The vulnerability affects an unspecified version range of the Inventory System application with no CVSS scoring or patch availability data currently confirmed.

PHP XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

SourceCodester Inventory System 1.0 contains a reflected cross-site scripting vulnerability in the view_category.php file where the 'limit' parameter is not sanitized, enabling remote attackers to inject arbitrary JavaScript or HTML through a crafted URL. Publicly available exploit code exists for this vulnerability, affecting the PHP-based Inventory System application. Remote attackers can execute client-side scripts in the context of authenticated user sessions without requiring elevated privileges.

PHP XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

SourceCodester Inventory System 1.0 contains a reflected cross-site scripting (XSS) vulnerability in the view_sales.php file's 'limit' parameter that allows remote attackers to inject arbitrary JavaScript or HTML through a crafted URL. The vulnerability stems from insufficient input sanitization and publicly available exploit code has been disclosed. Authentication requirements are not confirmed from available CVSS data.

PHP XSS
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Handlebars template engine fails to guard prototype-chain access when resolving partial templates, allowing unauthenticated remote attackers to inject unescaped HTML and JavaScript through prototype pollution. When Object.prototype is polluted with a string value matching a partial name referenced in a template, the malicious string is rendered without HTML escaping, resulting in reflected or stored XSS. Exploitation requires a separate prototype pollution vulnerability in the target application (such as via qs or minimist libraries) combined with knowledge of partial names used in templates; publicly available proof-of-concept code demonstrates the attack. The vulnerability affects npm package handlebars (pkg:npm/handlebars) across multiple versions and is distinct from earlier prototype-access issues CVE-2021-23369 and CVE-2021-23383.

XSS Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

The code-projects Online Food Ordering System versions up to 1.0 contain a stored cross-site scripting (XSS) vulnerability in the /dbfood/food.php file via the cuisines parameter, allowing authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers. The vulnerability carries a CVSS score of 2.4 (low severity) but has publicly available exploit code and confirmed documentation on GitHub, limiting its practical impact due to high privilege requirements and user interaction dependency. Remote exploitation is possible, but the attack requires an authenticated user with high-level administrative privileges and victim user interaction, substantially constraining real-world exploitation likelihood.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Cross-site scripting in Kestra orchestration platform versions up to 1.3.3 enables authenticated flow authors to inject arbitrary JavaScript through unsanitized Markdown rendering in flow metadata fields (description, input displayName/description). The malicious scripts execute automatically when other users view the flow in the web UI, requiring zero interaction for input.displayName fields. This vulnerability (CVSS 7.3) differs from CVE-2026-29082 and affects different components with lower interaction requirements. No public exploit identified at time of analysis, and patch availability remains unconfirmed per the advisory.

XSS Kestra
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

The Online Food Ordering System 1.0 by code-projects contains a reflected cross-site scripting (XSS) vulnerability in the Name parameter of /dbfood/contact.php that allows unauthenticated remote attackers to inject malicious scripts. The vulnerability has a publicly available proof-of-concept and affects all versions of the affected product line. While the CVSS score of 4.3 is moderate, the public availability of exploit code and minimal complexity of attack execution elevate practical risk for instances exposed to the internet.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Stored XSS in Uploady file uploader (farisc0de/Uploady versions prior to 3.1.2) allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by uploading files with malicious filenames that are rendered without proper escaping in file list and details pages. The vulnerability requires user interaction (viewing the affected page) and authenticated access, resulting in confidentiality and integrity impact with a CVSS score of 4.6. Vendor-released patch version 3.1.2 is available.

XSS File Upload Uploady
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Invoice Ninja v5.13.0 through v5.13.3 allows authenticated attackers with product notes field access to inject and execute arbitrary JavaScript in invoice templates via unvalidated Markdown rendering. The vulnerability affects all Invoice Ninja instances running affected versions where the Markdown parser output bypasses HTML sanitization, enabling session hijacking, credential theft, or malicious template manipulation for other users viewing invoices. A vendor-released patch (v5.13.4) addresses this by implementing purify::clean() sanitization on Markdown output.

XSS Invoiceninja
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Lychee photo-management application versions prior to 7.5.3 allows unauthenticated remote attackers to execute arbitrary JavaScript through unsanitized photo description fields rendered in publicly accessible RSS, Atom, and JSON feed endpoints. The vulnerability stems from use of Blade's unescaped output syntax ({!! !!}) in feed templates, enabling malicious descriptions to inject executable scripts that execute in the context of any RSS reader or client consuming the feed.

XSS Lychee
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Drupal Google Analytics GA4 module versions before 1.1.14 contain a cross-site scripting (XSS) vulnerability through improper input neutralization during web page generation, allowing attackers to inject and execute arbitrary JavaScript in user browsers. Remote attackers can craft malicious requests that persist within analytics data or configuration, affecting all users of sites running vulnerable versions. The vulnerability is documented in Drupal's security advisory SA-CONTRIB-2026-024 and has been assigned EUVD-2026-16383; no public exploit code or active exploitation has been confirmed at the time of this analysis.

XSS Google
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) in Drupal Calculation Fields module versions prior to 1.0.4 permits remote attackers to inject arbitrary JavaScript into dynamically generated web pages, enabling session hijacking, credential theft, and malware distribution against users viewing affected pages. The vulnerability stems from improper input neutralization during calculation field rendering, affecting all installations running Calculation Fields 0.0.0 through 1.0.3. No public exploit code or active exploitation has been confirmed at time of analysis.

XSS Calculation Fields
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

The user:reset_password_form template tag in Statamic CMS fails to escape user-supplied input before rendering it into HTML, enabling reflected cross-site scripting (XSS) attacks via crafted URLs. An unauthenticated remote attacker can exploit this by tricking a victim into clicking a malicious link, causing arbitrary JavaScript execution in the victim's browser with access to session tokens and sensitive page content. Vendor-released patches are available in versions 5.73.16 and 6.7.2.

XSS
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

DOM-based Cross-Site Scripting in Ory Polis (formerly BoxyHQ Jackson) SAML-to-OAuth bridge allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via crafted callbackUrl parameters. Versions prior to 26.2.0 are affected, with vendor-released patch available in version 26.2.0. No public exploit identified at time of analysis. CVSS score of 8.8 reflects network-based attack vector with low complexity requiring only user interaction, though SSVC framework rates technical impact as partial with no observed exploitation and non-automatable attack pattern.

XSS Polis
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Cross-site scripting in OpenBao's OIDC/JWT authentication method allows theft of Web UI session tokens when roles are configured with callback_mode=direct. Attackers exploit the unsanitized error_description parameter on failed authentication pages to inject malicious scripts that execute in victims' browsers, granting access to authentication tokens. The vulnerability affects OpenBao installations prior to v2.5.2 and has no public exploit identified at time of analysis, though the technical implementation details are publicly documented in the vendor advisory.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stirling-PDF version 2.7.3 fails to sanitize HTML content from email bodies in the /api/v1/convert/eml/pdf endpoint when the downloadHtml=true parameter is set, allowing unauthenticated remote attackers to inject and execute arbitrary JavaScript code. An attacker can craft a malicious email that, when processed by a Stirling-PDF user through the 'Download HTML intermediate file' feature, executes JavaScript in the user's browser context with access to local data and session tokens. Proof-of-concept code has been demonstrated, and the vendor released version 2.8.0 to address the vulnerability.

XSS Stirling Pdf
NVD GitHub VulDB
EPSS 0% CVSS 1.3
LOW PATCH Monitor

Sakai Collaboration and Learning Environment versions 23.0-23.4 and 25.0-25.1 fail to sanitize group titles and descriptions, permitting stored cross-site scripting (XSS) attacks that execute in the browsers of users viewing affected group metadata. Authenticated users with group creation or modification privileges can inject malicious scripts that persist in the SAKAI_SITE_GROUP table and execute when other users access group information, compromising session security and enabling credential theft or unauthorized actions within the Sakai environment. Vendor-released patches are available in versions 23.5 and 25.2; no active exploitation has been reported, but the low CVSS score (1.3) reflects minimal baseline impact rather than true severity, given the requirement for user interaction (UI:P) and limited scope of harm (SC:L, SI:L) as documented in the CVSS:4.0 vector.

XSS Sakai
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

YZMCMS v7.4 suffers from a reflected cross-site scripting (XSS) vulnerability in the /index/login.html component that permits attackers to execute arbitrary JavaScript in a user's browser by manipulating the referrer value in request headers. Remote attackers can exploit this to steal session credentials, perform actions on behalf of authenticated users, or redirect users to malicious sites without requiring prior authentication. No public exploit code or active exploitation has been independently confirmed at the time of analysis.

XSS Yzmcms
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

SolarWinds Observability Self-Hosted versions 2026.1.1 and earlier contain a stored cross-site scripting (XSS) vulnerability that permits authenticated high-privilege users to inject malicious scripts into the application, resulting in unintended script execution when other users access affected pages. The vulnerability requires high privilege level and user interaction to exploit, limiting real-world attack surface; no public exploit code or active exploitation has been identified at the time of analysis.

XSS Solarwinds Observability Self Hosted
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

SolarWinds Observability Self-Hosted versions 2026.1.1 and earlier contain a stored cross-site scripting vulnerability that allows authenticated attackers with high privileges to inject malicious scripts into the application, resulting in unintended script execution within the security context of the affected system. The vulnerability requires administrative or high-privilege access and does not currently show evidence of active exploitation, though the ability to persist malicious payloads in stored data represents a significant insider threat. Affected organizations should prioritize patching to versions after 2026.1.1 to eliminate the XSS attack surface.

XSS Solarwinds Observability Self Hosted
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Stored Cross-Site Scripting in Complianz - GDPR/CCPA Cookie Consent plugin versions up to 7.4.4.2 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into WordPress pages via the `revert_divs_to_summary` function, which improperly converts HTML entities to unescaped characters without subsequent sanitization. The vulnerability requires both the Classic Editor plugin and authenticated user privileges, limiting exposure to internal threats. No public exploit identified at time of analysis, and CISA KEV status is not confirmed.

WordPress XSS
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Unauthenticated attackers can inject malicious scripts into Fluent Booking plugin for WordPress versions up to 2.0.01, enabling Stored Cross-Site Scripting attacks that execute in victim browsers whenever injected pages are accessed. The vulnerability stems from insufficient input sanitization across multiple parameters in LocationService.php, Booking.php, and FrontEndHandler.php. With a CVSS score of 7.2 and network-based attack vector requiring no privileges, this represents a significant threat to WordPress sites using the affected booking plugin. No public exploit identified at time of analysis, and SSVC framework indicates no current exploitation with non-automatable attack profile.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting (XSS) in itsourcecode Payroll Management System version 1.0 allows remote unauthenticated attackers to inject malicious scripts via manipulation of the 'page' parameter in /index.php. The vulnerability has a CVSS v4.0 score of 5.3 with network accessibility and low integrity impact; publicly available exploit code exists, and CISA SSVC assessment confirms the flaw is exploitable and partially automatable, making it suitable for active compromise of application integrity and user sessions.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 3.5
LOW Monitor

HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vectors including Cross-Site Scripting (XSS), SQL Injection, and Command Injection. Authenticated attackers can exploit this vulnerability to inject and execute arbitrary code within the application context. No public exploit code or active exploitation has been identified at time of analysis, and the moderate CVSS score of 3.5 reflects limited confidentiality impact with user interaction required.

XSS SQLi Command Injection +1
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

GDTaller allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers through reflected cross-site scripting (XSS) via the 'site' parameter in app_recuperarclave.php. The vulnerability affects all versions of GDTaller (version 0 and beyond) and has been assigned a CVSS 4.0 base score of 5.1 with limited scope impact. A vendor patch is available from INCIBE, and exploitation requires user interaction (UI:A) but presents moderate risk due to the network-accessible attack surface and low technical complexity.

XSS PHP
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

GDTaller is vulnerable to reflected cross-site scripting (XSS) in the app_login.php file, specifically through the 'site' parameter, allowing unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious URLs. The vulnerability affects GDTaller versions prior to an unspecified patch release and carries a CVSS 5.1 score reflecting low immediate confidentiality impact but limited scope and user interaction requirement. A vendor patch is available from INCIBE, though no public exploit code has been identified at time of analysis.

XSS PHP
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi XSS Ticaret V4
NVD Exploit-DB
EPSS 0% CVSS 2.1
LOW POC Monitor

A reflected cross-site scripting (XSS) vulnerability exists in code-projects Simple Laundry System version 1.0 via the firstName parameter in the /modify.php file. An attacker can inject malicious JavaScript that executes in a victim's browser when they visit a crafted link, potentially leading to session hijacking, credential theft, or malware distribution. A public proof-of-concept is available on GitHub, and exploitation requires only user interaction (clicking a malicious link), making this a practical concern despite the moderate CVSS score of 5.3.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Muucmf 1.9.5.20260309 contains a cross-site scripting (XSS) vulnerability in the /admin/extend/list.html endpoint where the Name parameter is not properly sanitized, allowing remote attackers to inject malicious scripts. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

XSS Muucmf
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A reflected cross-site scripting (XSS) vulnerability exists in dameng100 muucmf version 1.9.5.20260309 within the /admin/config/list.html endpoint, where the Name parameter is not properly sanitized before being rendered in the response. An unauthenticated remote attacker can craft a malicious URL containing JavaScript code in the Name parameter to execute arbitrary scripts in a victim's browser context, potentially leading to session hijacking, credential theft, or malware distribution. A public proof-of-concept exploit has been published, and the vendor has not responded to early disclosure notifications, indicating no immediate patch is available.

XSS Muucmf
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

WP Lightbox 2 WordPress plugin before version 3.0.7 contains a Stored Cross-Site Scripting (XSS) vulnerability in its settings due to insufficient input sanitization and output escaping. High-privilege users, particularly administrators, can inject malicious JavaScript that persists in the database and executes in the browsers of other users, even in multisite installations where the unfiltered_html capability is restricted. A publicly available proof-of-concept demonstrates active exploitation potential, making this a practical threat in WordPress environments.

WordPress XSS
NVD WPScan
EPSS 0% CVSS 2.1
LOW POC Monitor

A stored cross-site scripting (XSS) vulnerability exists in dameng100 muucmf version 1.9.5.20260309 and potentially earlier versions, affecting the autoReply.html administrative interface in the channel/admin.Account module. An unauthenticated attacker can inject malicious JavaScript through the 'keyword' parameter, which is reflected in the response without proper sanitization, allowing session hijacking, credential theft, or malware distribution to administrative users. A public proof-of-concept exploit is available, and the vendor has not responded to disclosure notifications, indicating no official patch is currently available.

XSS Muucmf
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A reflected cross-site scripting (XSS) vulnerability exists in Dameng100 MUUCMF version 1.9.5.20260309 within the Member management interface at /admin/Member/index.html. The vulnerability is triggered via an unsanitized Search parameter, allowing remote attackers to inject arbitrary JavaScript that executes in the context of an authenticated user's browser. A proof-of-concept exploit has been publicly disclosed, and the vendor has not responded to early disclosure attempts, leaving deployments unpatched.

XSS Muucmf
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

This is a Stored Cross-Site Scripting (XSS) vulnerability in the DSGVO Snippet for Leaflet Map and its Extensions WordPress plugin (all versions up to and including 3.1) that allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript code into pages via the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied shortcode attributes (`unset`, `before`, `after`), enabling script execution whenever visitors access the compromised pages. With a CVSS score of 6.4 and attack complexity of low, this represents a moderate but real threat in WordPress environments where multiple content contributors exist.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Simple Download Counter WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'sdc_menu' shortcode due to insufficient input sanitization and output escaping of the 'text' and 'cat' attributes. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript code into pages via these unescaped shortcode attributes, which will execute for all users visiting the affected pages. All versions up to and including 2.3 are vulnerable, with a CVSS score of 6.4 indicating moderate severity and the vulnerability requiring low attack complexity and only low privileges to exploit.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The Blackhole for Bad Bots plugin for WordPress contains a Stored Cross-Site Scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the User-Agent HTTP header. All versions up to and including 3.8 are affected. The vulnerability stems from insufficient output escaping when displaying bot data in the admin interface, enabling arbitrary JavaScript execution when administrators view the Bad Bots log page.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The BWL Advanced FAQ Manager Lite WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'baf_sbox' shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript code through shortcode attributes (sbox_id, sbox_class, placeholder, highlight_color, highlight_bg, cont_ext_class) that will execute in the browsers of all users viewing the affected pages. The vulnerability affects all versions up to and including 1.1.1, and while no public exploit code or KEV designation is currently documented, the CVSS 6.4 score and straightforward nature of the flaw indicate moderate real-world risk.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

A Reflected Cross-Site Scripting (XSS) vulnerability exists in FloristPress for Woo (BakkBone) plugin versions up to 7.8.2, where the 'noresults' parameter is insufficiently sanitized and escaped, allowing unauthenticated attackers to inject arbitrary JavaScript. An attacker can craft a malicious URL and trick users into clicking it, resulting in script execution within the victim's browser session with access to sensitive data and session tokens. The vulnerability requires user interaction (UI:R) but has a network attack vector with low complexity, and while no KEV or confirmed active exploitation data is available in the provided intelligence, Wordfence has documented the issue with references to vulnerable code locations.

WordPress XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The ShortPixel Image Optimizer WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 6.4.3, affecting the getEditorPopup() function and media-popup.php template. Authenticated attackers with Author-level permissions can inject arbitrary JavaScript into attachment post titles via the REST API, which executes when administrators open the ShortPixel AI editor popup for the poisoned attachment. This vulnerability has a CVSS score of 5.4 (moderate severity) and requires user interaction from a higher-privileged administrator to trigger, limiting its immediate exploitation scope but still presenting a meaningful privilege escalation risk in multi-author WordPress environments.

WordPress PHP XSS
NVD
EPSS 0% CVSS 2.0
LOW POC Monitor

A stored cross-site scripting (XSS) vulnerability exists in code-projects Accounting System 1.0 within the customer management interface (/my_account/add_costumer.php), where the costumer_name parameter fails to properly sanitize user input. Attackers with low privileges and user interaction can inject malicious JavaScript that will execute in the browsers of other users viewing the affected page, potentially leading to session hijacking, credential theft, or unauthorized actions within the accounting system. A public proof-of-concept exploit is available, significantly increasing the likelihood of real-world exploitation.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

A reflected cross-site scripting (XSS) vulnerability exists in the custom template editor of OpenEMR, a widely-deployed open-source electronic health records system. Attackers can craft malicious URLs that, when clicked by authenticated staff members, execute arbitrary JavaScript within their browser sessions and gain access to sensitive medical data and system functions; notably, the attacker does not require an OpenEMR account themselves. The vulnerability affects OpenEMR versions 7.0.2.1 through 8.0.0.2, and while there is no evidence of active exploitation in the wild or public proof-of-concept code, the moderate CVSS score of 6.1 combined with the user-interaction requirement and the context-sensitive nature of healthcare data makes this a meaningful priority for healthcare organizations.

XSS Openemr
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH This Week

A stored cross-site scripting (XSS) vulnerability exists in OpenEMR's CCDA document preview functionality that allows authenticated attackers to execute arbitrary JavaScript in clinician browser sessions. OpenEMR versions prior to 8.0.0.3 are affected. The vulnerability occurs because the XSL stylesheet fails to sanitize linkHtml attributes in CCDA documents, allowing javascript: URLs and event handlers to execute when documents are previewed.

XSS Openemr
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

StaffWiki v7.0.1.19219 contains a reflected cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoint that enables remote attackers to execute arbitrary JavaScript in a user's browser context through a crafted HTTP request. The vulnerability affects StaffWiki versions up to at least 7.0.1.19219, and publicly available exploit code has been disclosed via GitHub, though no active exploitation has been confirmed by CISA at the time of analysis.

XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Timo 2.0.3 contains a stored cross-site scripting (XSS) vulnerability in the title field that allows unauthenticated remote attackers to inject malicious scripts via crafted links, resulting in session hijacking, credential theft, or malware distribution to other users viewing affected content. Publicly available exploit code exists (referenced via GitHub issue), and the vulnerability is rated CVSS 6.1 with cross-site scope impact, though no evidence of active exploitation in the wild has been confirmed at the time of analysis.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Lightcms v2.0 contains a reflected cross-site scripting vulnerability in the /admin/menus component that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the HTTP referer header. The vulnerability requires user interaction (clicking a crafted link) to trigger exploitation. A proof-of-concept has been publicly disclosed on GitHub, though no evidence of active exploitation in the CISA Known Exploited Vulnerabilities catalog was identified. With a CVSS score of 6.1 and low attack complexity, this represents a moderate-severity risk requiring prompt patching.

XSS
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

OpenEMR versions prior to 8.0.0.3 contain a stored cross-site scripting (XSS) vulnerability in form handling that allows authenticated attackers to inject malicious JavaScript into forms, which executes in the browser sessions of victims who submit those forms. An attacker with valid OpenEMR credentials can craft a malicious form that, upon submission by any user, executes arbitrary JavaScript with the privileges of the victim's session, potentially leading to session hijacking, credential theft, or unauthorized actions within the electronic health records system. The vulnerability is low-to-moderate severity (CVSS 5.4) due to the requirement for authentication and user interaction, but it poses significant risk in healthcare environments where attackers may have legitimate credentials and victims include healthcare providers with broad system access.

XSS Openemr
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

This is a stored/reflected cross-site scripting (XSS) vulnerability in OpenEMR versions prior to 8.0.0.3 where the POST parameter 'title' is improperly encoded in JSON responses but served with a text/html Content-Type header, causing browsers to execute injected JavaScript rather than treat the output as data. An authenticated attacker can craft a malicious request to execute arbitrary JavaScript in a victim's session, potentially leading to session hijacking, credential theft, or unauthorized actions within the electronic health records system. The vulnerability carries a moderate CVSS score of 5.4 but requires authentication and user interaction (UI:R), reducing immediate exploitation likelihood, though a proof-of-concept fix commit is available in the GitHub repository.

XSS Openemr
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

A stored cross-site scripting (XSS) vulnerability exists in OpenEMR's Eye Exam form functionality that allows authenticated users with the 'Notes - my encounters' role to inject malicious JavaScript payloads through form answers. OpenEMR versions prior to 8.0.0.3 are affected. Attackers can execute arbitrary JavaScript in the browsers of other authenticated users when they view the compromised encounter pages or visit history, potentially leading to session hijacking, credential theft, or unauthorized actions within the EHR system.

XSS Openemr
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an HTTP header injection vulnerability caused by improper validation of the HOST header, allowing unauthenticated remote attackers to conduct cross-site scripting (XSS), cache poisoning, and session hijacking attacks. A vendor patch is available, and while this vulnerability is not currently listed as actively exploited in CISA's Known Exploited Vulnerabilities catalog, the CVSS score of 6.5 with network accessibility and low attack complexity indicates moderate real-world risk.

XSS IBM
NVD VulDB
Prev Page 29 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy