Skip to main content

XSS

38809 CVEs technique

Monthly

CVE-2026-55665 HIGH PATCH This Week

Stored and reflected cross-site scripting in Grist (grist-core) before 1.7.15 lets an attacker place a javascript: URL into an unvalidated link href and execute script in a victim's authenticated Grist origin on a single click. Two entry points are affected: the /welcome/select-account page reflects its next query parameter into account-button links, and the GristDocTour table's Link_URL column renders as a clickable tour button, so a document editor can plant a payload that runs when another user opens the document. Because the script executes as the victim, it can drive Grist APIs to read or modify data and change sharing/access rules, letting an editor escalate to owner-level control. There is no public exploit identified at time of analysis and it is not in CISA KEV.

XSS Python Grist Core
NVD GitHub
CVSS 4.0
8.5
EPSS
0.3%
CVE-2026-55659 HIGH PATCH This Week

Stored and reflected cross-site scripting in Grist (grist-core) prior to 1.7.15 lets a document editor inject script into a document's name or description that executes when higher-privileged users open the document, and lets attackers abuse the OAuth2 end-of-flow page's reflected openerOrigin parameter. Because the injected script runs in the victim's authenticated Grist origin, a mere document editor can read or modify data, alter sharing settings and access rules, and escalate to owner-level control. No public exploit identified at time of analysis; the issue is CWE-79 and is fixed upstream in the tagged 1.7.15 release.

XSS Python Grist Core
NVD GitHub
CVSS 3.1
7.7
EPSS
0.3%
CVE-2026-55879 CRITICAL PATCH Act Now

Stored cross-site scripting in OpenReplay 1.24.0 through versions before 1.25.0 allows an unauthenticated attacker holding only a public project key to inject script via custom event names and captured page URLs, which the tracking SDK stores in ClickHouse without output encoding and the authenticated dashboard later renders through TextEllipsis and the event-details modal. When a logged-in operator views the poisoned session, the payload executes in the dashboard origin, reads the session JWT from localStorage, and enables full dashboard account takeover. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS base score is 9.3 and a vendor fix exists in 1.25.0.

XSS Openreplay
NVD GitHub
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-54163 Ruby MEDIUM PATCH GHSA This Month

CSP header injection in the `secure_headers` RubyGems library (≤ 7.2.0) allows an attacker who can influence input to the `:sandbox`, `:plugin_types`, or `:report_to` per-request override APIs to inject an arbitrary `script-src 'unsafe-inline' *` directive that wins over the application's configured strict `script-src` under the W3C CSP first-occurrence rule, achieving full XSS reachability. The three affected directive builders (`build_sandbox_list_directive`, `build_media_type_list_directive`, `build_report_to_directive`) emit caller-supplied bytes verbatim into the CSP header value, unlike the sibling `build_source_list_directive` which has sanitized `;`, `\r`, and `\n` since CVE-2020-5217. A fully browser-verified proof of concept is publicly available; exploitation is not confirmed in CISA KEV but the attack is concrete and code-complete.

XSS Google
NVD GitHub
CVSS 3.1
4.7
CVE-2026-57214 HIGH PATCH This Week

Stored cross-site scripting in the RabbitMQ management UI (versions prior to 4.2.5) lets a user holding queue/exchange declaration permissions inject JavaScript that executes in another user's browser when they view the Queues or Exchanges pages. The malicious payload is supplied via the x-internal-purpose queue or exchange argument, which is rendered into an HTML title attribute without escaping. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is fixed in RabbitMQ 4.2.5.

XSS Microsoft Rabbitmq Server
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-55481 MEDIUM PATCH This Month

CSS injection in Snipe-IT's superadmin branding configuration (versions prior to 8.6.2) allows arbitrary stylesheet content to persist in the database and render for all authenticated users on every subsequent page load. The template default.blade.php applies HTML entity encoding to the header_color and related color settings before embedding them inside a CSS style block - encoding that is context-incorrect and insufficient to prevent CSS breakout via constructs such as closing braces or url() references. No public exploit has been identified at time of analysis, but the CVSS 4.0 vector (SC:H/SI:H) reflects that, once injected, the payload affects every authenticated user's session regardless of their privilege level, making this a persistent, cross-user impact from a single privileged action.

XSS PHP Snipe It
NVD GitHub VulDB
CVSS 4.0
6.2
EPSS
0.4%
CVE-2026-55466 MEDIUM PATCH This Month

Stored cross-site scripting in Snipe-IT prior to 8.6.2 enables a low-privilege authenticated user to upload malicious XHTML or XML files that bypass the SVG sanitization gate and execute arbitrary JavaScript in any viewer's browser when the attachment is opened inline. The bypass works because UploadFileRequest only sanitizes SVG content when PHP's finfo extension reports image/svg+xml - uploading XHTML or generic XML evades this check - while UploadedFilesController serves the file same-origin without invoking StorageHelper::allowSafeInline(), completing the injection path. No public exploit code or CISA KEV listing has been identified at time of analysis; the vendor released a confirmed fix in version 8.6.2.

XSS PHP Snipe It
NVD GitHub
CVSS 4.0
6.2
EPSS
0.4%
CVE-2026-54714 MEDIUM PATCH This Month

Reflected XSS in Logto's SAML application flow allows unauthenticated remote attackers to inject and execute arbitrary JavaScript on the Logto tenant origin by supplying a crafted RelayState parameter. Versions prior to 1.41.0 of @logto/core reflect the SAML RelayState, SAMLResponse, and actionUrl directly into an auto-submit HTML form without HTML-attribute escaping, meaning a victim who follows a crafted SAML authentication link and completes the login sequence will execute attacker-controlled script within the identity provider's origin context. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though a GitHub security advisory and fix commit are publicly available.

XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-15295 MEDIUM This Month

Stored Cross-Site Scripting in the Ajax Load More WordPress plugin (versions through 7.0.1) allows authenticated administrators to inject persistent malicious scripts into pages served to other users. The vulnerability stems from insufficient input sanitization and output escaping in admin-facing settings fields. Exploitation is constrained to WordPress multisite environments or sites with unfiltered_html disabled, and no public exploit or KEV listing exists at time of analysis, keeping real-world risk moderate despite the network-accessible vector.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-57213 MEDIUM PATCH This Month

Stored cross-site scripting in the RabbitMQ federation management plugin allows any user with federation upstream or policy configuration privileges to execute arbitrary JavaScript in the browser of an administrator viewing the Federation Status page. The rabbitmq_federation_management plugin renders the consumer_tag field without HTML escaping, making it a persistent injection vector that fires passively when a victim navigates to the page. No public exploit code and no CISA KEV listing are identified at time of analysis; the CVSS 4.0 score of 5.7 reflects meaningful but constrained risk due to the high-privilege prerequisite.

XSS Rabbitmq Server
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.3%
CVE-2026-55464 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Snipe-IT before 8.6.2 allows a low-privileged user with the assets.edit permission to plant a malicious javascript: URI inside a Markdown hyperlink in a custom textarea field. When any other user opens the affected asset detail page and clicks the crafted link, arbitrary JavaScript executes in their browser session. No public exploit code or active exploitation has been identified at time of analysis, and the vendor has released a patch in v8.6.2.

XSS Snipe It
NVD GitHub
CVSS 4.0
4.8
EPSS
0.2%
CVE-2025-30008 MEDIUM PATCH This Month

Stored cross-site scripting in HestiaCP's DNS record management interface (all versions before 1.9.5) enables authenticated low-privilege users to execute arbitrary JavaScript in the browsers of any panel user who views the DNS record list, including administrators. The flaw in list_dns_rec.php allows injecting a script payload via a crafted DNS record value that breaks out of the data-sort-value HTML attribute due to missing htmlspecialchars() encoding - creating a persistent, privilege-escalating attack path from tenant-level access to admin session compromise. No public exploit or CISA KEV listing has been identified at time of analysis; vendor-released patch (v1.9.5) is available.

XSS PHP Hestiacp
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-56667 HIGH PATCH This Week

Stored cross-site scripting in ZITADEL's Login V2 (versions prior to 4.15.3) lets an organization or instance administrator plant a javascript: or data: URI in the loginSettings.defaultRedirectUri, which is passed to router.push on OIDC and SAML FailedPrecondition error paths without the isSafeRedirectUri validation, executing arbitrary script in a victim user's browser. Because the malicious value must be set by a privileged admin and only fires when a user hits a specific login error path, this is a privilege-escalation/session-compromise vector against the self-hosted identity platform rather than a mass-exploitable flaw. No public exploit identified at time of analysis; not listed in CISA KEV.

XSS Zitadel
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-3251 MEDIUM This Month

Stored cross-site scripting in Mezunum Satiyorum (versions 1.2.504 through 10072026) allows a low-privileged authenticated attacker to inject persistent malicious scripts into web pages served to other users. The scope change (S:C) in the CVSS vector confirms the payload executes in the victim's browser context, enabling session hijacking, credential theft, or malicious redirects against any user who loads the affected page. No public exploit code has been identified at time of analysis, and the vendor did not respond to TR-CERT's disclosure, leaving the vulnerability unpatched.

XSS Mezunum Satiyorum
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-57167 MEDIUM PATCH This Month

Stored XSS in PeerTube before version 8.2.2 allows any authenticated uploader to inject arbitrary HTML and JavaScript into the instance origin by embedding the byte sequence </script> inside video metadata fields. The server-side renderer serializes video metadata directly into schema.org JSON-LD script blocks using JSON.stringify without HTML-character escaping, causing the browser to terminate the script tag prematurely and parse attacker-controlled content as raw HTML. The payload executes automatically for every visitor to the affected video's watch page, and no public exploit has been identified at time of analysis.

XSS Peertube
NVD GitHub
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-1667 HIGH This Week

Missing authorization in the Squirrly SEO plugin for WordPress (all versions through 14.0.0) lets unauthenticated attackers create arbitrary posts by abusing a leaked API token, and — when the Advanced Custom Fields (ACF) plugin is also active — plant stored cross-site scripting that fires whenever any user views the injected page. Wordfence rates it CVSS 7.2 with scope change because a single unauthenticated request can seed persistent content and script that later executes in visitors' and administrators' browsers. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the unauthenticated, low-complexity nature makes it an attractive target for automated WordPress campaigns.

Authentication Bypass WordPress XSS Geo Plugin By Squirrly Seo
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-61492 MEDIUM PATCH This Month

Stored XSS in JetBrains YouTrack before 2026.2.17394 allows low-privileged authenticated users to inject malicious scripts into article titles, which are then rendered unsanitized within digest emails delivered to other users. When a recipient opens the digest email in an HTML-capable client and interacts with the affected content, the injected script executes in their browser context, enabling session token or credential theft. No public exploit or active exploitation has been identified; the CVSS score of 3.5 (Low) reflects the constrained impact due to required authentication, mandatory user interaction, and limited confidentiality-only impact.

XSS Youtrack
NVD VulDB
CVSS 3.1
6.1
EPSS
0.4%
CVE-2026-59795 MEDIUM PATCH This Month

Stored cross-site scripting in JetBrains TeamCity before 2026.1.2 lets an unauthenticated attacker persist malicious script through the agent registration flow, which then executes in the browser of any privileged user (e.g. an administrator) who later views the affected agent-management interface. Because agent registration requires no authentication, the entry barrier is minimal, and successful execution in an admin session can lead to session/token theft and pivoting to control of a CI/CD build server. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

XSS Teamcity
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-59794 MEDIUM PATCH This Month

Stored cross-site scripting in JetBrains TeamCity before 2026.1.2 lets an attacker who controls a build agent persist a malicious script into agent-reported data that executes when a privileged user opens the cloud profile page. Because it fires in the browser session of an operator with access to CI/CD configuration, it can lead to session/token theft and actions performed as the victim. The issue was reported by JetBrains itself; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-59791 LOW PATCH Monitor

CSS injection via Mermaid diagram rendering in JetBrains YouTrack before version 2026.2.17012 permits authenticated low-privilege users to embed malicious CSS into diagram content that executes in the browsers of other users who view the affected page. The CVSS score of 3.5 (Low) reflects the dual gating conditions of required authentication and victim interaction, substantially constraining real-world impact to UI manipulation rather than data exfiltration or code execution. No public exploit code or active exploitation has been identified at time of analysis.

XSS Youtrack
NVD
CVSS 3.1
3.5
EPSS
0.1%
CVE-2026-29519 MEDIUM POC This Month

Reflected XSS in Lucee CFML Server (versions 5.3.x, 6.1.x, 6.2.x, and 7.0.x) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by embedding script payloads within the URL request path, which the server reflects in its response without output encoding. The primary high-impact scenario targets the Lucee administrative interface - if an administrator visits the crafted URL, the attacker can hijack the admin session or trigger unauthorized administrative actions. A public proof-of-concept exploit is available on GitHub, materially lowering the barrier to exploitation; no public exploit identified at time of analysis indicating widespread active exploitation, and the vulnerability is not listed in CISA KEV.

XSS Lucee
NVD GitHub
CVSS 4.0
6.2
EPSS
0.4%
CVE-2026-61456 MEDIUM PATCH This Month

Stored XSS in the Grav API plugin (getgrav/grav-plugin-api) before version 1.0.3 allows an authenticated attacker holding the api.media.write permission to upload a malicious SVG file that executes arbitrary JavaScript in an administrator's browser session. The POST /api/v1/media endpoint's HandlesMediaUploads::processUploadedFile() method validates only the file extension and never calls Security::sanitizeSVG(), so the uploaded file is stored and served verbatim with Content-Type: image/svg+xml. When an administrator opens the file directly or via an embedded object or iframe, the injected script runs in the admin's authenticated session context, enabling cookie theft and full session hijacking. No public exploit or active exploitation has been identified at time of analysis.

XSS Grav
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-56354 npm MEDIUM PATCH This Month

Stored cross-site scripting and open redirect vulnerabilities in n8n's Form Node allow authenticated users with workflow creation permissions to inject malicious scripts or phishing redirects that execute in the browsers of end users who interact with published forms. Affected across both the 1.x branch (before 1.123.24) and the 2.x branch (before 2.10.4 and 2.12.0). The attack surface is the Form Node's HTML description fields, which accept unsanitized markup, combined with an overly permissive iframe sandbox policy - creating a persistent attack vector embedded within legitimate workflows. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Open Redirect N8n
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-41877 MEDIUM This Month

Stored XSS in R-SOFT DMS file upload functionality allows authenticated attackers to embed arbitrary HTML and JavaScript within uploaded filenames, which subsequently execute in the browsers of any user viewing the file list or upload status pages. The vulnerability affects the document management system's filename rendering pipeline, which fails to sanitize input before output into HTML context. Fixed versions are available (v3.19-2832 and v3.17-2580); no public exploit identified at time of analysis, and the product is not listed in the CISA KEV catalog.

XSS File Upload
NVD VulDB
CVSS 4.0
5.1
EPSS
0.4%
CVE-2026-13710 MEDIUM This Month

Stored Cross-Site Scripting in Jeg Elementor Kit for WordPress versions through 3.2.6 enables authenticated Contributors to inject persistent malicious scripts via the Image Box widget's description field. The root cause is a deliberate inconsistency in the render_body() method of Image_Box_View: every other attribute is sanitized with esc_attr(), but sg_body_description is concatenated raw into HTML body context. Any user who visits a page containing the injected widget executes the payload, enabling session hijacking and potential escalation to Administrator. No public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.4%
CVE-2026-13247 MEDIUM This Month

Stored Cross-Site Scripting in the Logo Slider WordPress plugin (all versions through 5.5) allows authenticated contributors to inject persistent JavaScript payloads via the 'lgx_tooltip_position' parameter, executing in the browser of any user who subsequently visits an affected page. The CVSS scope change (S:C) reflects that injected scripts execute in victim browser contexts - enabling session hijacking or privilege escalation against higher-privileged users including site administrators. No public exploit or CISA KEV listing has been identified at time of analysis, though the low attack complexity and the breadth of contributor-level accounts on WordPress sites make this a realistic risk for multi-author installations.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-9838 MEDIUM This Month

Reflected XSS in the ICS Calendar WordPress plugin (all versions ≤ 12.0.9) allows unauthenticated network attackers to inject arbitrary JavaScript into victim browsers by exploiting a missing nonce check and input sanitization failure on the publicly accessible wp_ajax_nopriv_r34ics_ajax AJAX endpoint. The attacker-controlled js_args object is merged over stored shortcode configuration before allowlist validation, enabling the htmltagtitle key to reach the calendar-month.php template unescaped. No public exploit code or CISA KEV listing exists at time of analysis, though the scope-changing CVSS vector (S:C) and zero authentication barrier make socially engineered delivery via crafted URLs a realistic threat to any site running this plugin.

WordPress XSS Ics Calendar
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-12924 MEDIUM This Month

Stored cross-site scripting in the Eventin WordPress event management plugin (all versions through 4.1.15) lets any contributor-level user permanently embed malicious JavaScript in event FAQ sections via the unescaped `etn_faq_content` parameter. The CVSS scope change (S:C) confirms the impact crosses the attacker's security context - injected scripts execute in any visitor's browser who loads the affected event page, enabling session hijacking or credential harvesting of higher-privileged users including site administrators. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the low attack complexity and commonly granted contributor role make this a credible insider-threat risk on multi-user WordPress installations.

WordPress XSS Eventin Event Calendar Event Registration Tickets Booking Ai Powered
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-3907 MEDIUM This Month

Stored Cross-Site Scripting in the Hostel WordPress plugin (all versions through 1.1.7) permits authenticated Contributor-level users to permanently inject arbitrary JavaScript into WordPress pages via the second attribute of the `wphostel-book` shortcode, which is passed unsanitized to the `$text` variable and rendered raw into an HTML `value` attribute without `esc_attr()` escaping. Any user who subsequently views an injected page will execute the attacker's payload in their browser, enabling session hijacking or privilege escalation against higher-privileged site users. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; the primary risk is to WordPress sites that grant Contributor access to untrusted or semi-trusted users.

WordPress XSS Hostel
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12108 MEDIUM This Month

Stored Cross-Site Scripting in the Highlighting Code Block WordPress plugin (versions ≤ 2.2.0) allows authenticated attackers holding administrator-level permissions to inject persistent malicious scripts via the plugin's admin settings panel, with those scripts executing in the browsers of any user who subsequently visits an affected page. Exploitation is constrained to WordPress multi-site network installations or single-site deployments where the unfiltered_html capability has been explicitly disabled - conditions that are non-default and substantially narrow the attacker population. No public exploit code or active exploitation has been identified at time of analysis; Wordfence, the reporting source, has published a fix commit to the plugin's SVN repository, though a specific patched release version is not yet confirmed.

WordPress XSS Highlighting Code Block
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-15301 MEDIUM This Month

Stored Cross-Site Scripting in the BuddyHolis TableSearch plugin for WordPress (all versions ≤1.1.0) permits authenticated attackers holding Contributor-level or higher role access to inject persistent JavaScript via the 'placeholder' parameter, which then executes in the browsers of every subsequent visitor to the affected page. The Scope:Changed CVSS metric reflects that payload impact crosses from the WordPress plugin into victims' browser environments, enabling session hijacking, credential theft, or administrative account takeover if an administrator views the injected page. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the low authentication bar makes this relevant for any WordPress site permitting open contributor registration.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15299 MEDIUM This Month

Stored Cross-Site Scripting in the Animation Addons for Elementor WordPress plugin (all versions through 2.6.3) enables authenticated attackers with Contributor-level access to permanently inject arbitrary JavaScript into pages using the Weather widget. The payload renders unescaped for every subsequent visitor, enabling session hijacking, credential theft, or admin-context privilege escalation without further attacker interaction. No CISA KEV listing and no public exploit code have been identified at time of analysis, but the low attack complexity combined with scope change to victims' browsers makes this a credible risk for multi-author WordPress deployments running this plugin with the Weather widget actively configured.

WordPress XSS PHP
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15298 HIGH This Week

DOM-based cross-site scripting in the TelSender WordPress plugin (all versions through 1.14.14) lets unauthenticated attackers plant a malicious payload inside a Telegram chat title that the plugin renders unsanitized. When an administrator opens the TelSender settings page and clicks the 'Tested' button, the plugin processes the attacker-controlled Telegram API response and executes the injected script in the admin's authenticated browser session. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the scope-changed CVSS 7.2 reflects execution in the privileged admin context.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-15297 MEDIUM This Month

Reflected Cross-Site Scripting in the Brevo (formerly Sendinblue) Newsletter, SMTP, Email marketing and Subscribe forms WordPress plugin allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in victims' browsers through a crafted URL containing a malicious payload in the `page` parameter. All plugin versions up to and including 3.1.77 are affected, with the root flaw traced to insufficient input sanitization and output escaping in `inc/table-forms.php` at line 102. No active exploitation has been confirmed in CISA KEV, and no POC code is identified in the provided data, though the CVSS scope-change rating (S:C) elevates the effective impact beyond the plugin's own context.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-15296 MEDIUM This Month

Stored Cross-Site Scripting in the affiliate-toolkit WP Affiliate Plugin with Amazon (versions through 3.7.0) allows authenticated contributors to inject persistent malicious scripts via the 'atkp_product' shortcode due to unsanitized user-supplied attributes. This represents a bypass of the previously patched CVE-2024-10227, indicating the prior fix was incomplete. Any WordPress user - including administrators - who loads a page containing the injected shortcode will execute the attacker's script in their browser, enabling session theft, credential harvesting, or unauthorized admin actions. No public exploit or CISA KEV listing is identified at time of analysis.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-15292 MEDIUM This Month

Stored Cross-Site Scripting in the Sudoku Shortcode WordPress plugin (all versions through 1.0.0) allows authenticated Contributors to inject persistent malicious scripts via the unsanitized 'background' parameter of the 'sudoku-sc' shortcode. Once injected into a page or post, the payload executes in the browser of every subsequent visitor, including administrators, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, though Wordfence has catalogued the vulnerability in their threat intelligence database.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15285 MEDIUM This Month

Stored Cross-Site Scripting in The Plus Addons for Elementor WordPress plugin (versions through 6.4.11) allows authenticated contributors to inject persistent malicious scripts into pages via the Button widget's `custom_attributes` parameter. The root cause is a bypassable sanitization filter (`tp_senitize_js_input()`) in `modules/widgets/tp_button.php` that fails to properly neutralize HTML/JS content before rendering. When an administrator or other privileged user subsequently views an affected page, the stored payload executes in their browser context, enabling session hijacking or unauthorized administrative actions. No public exploit identified at time of analysis; patch is available in version 6.4.12.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-15284 MEDIUM This Month

Stored Cross-Site Scripting in King Addons for Elementor (WordPress plugin, versions ≤51.1.62) allows authenticated attackers with subscriber-level access to inject persistent JavaScript into the WordPress admin submissions panel. The flaw stems from a two-stage sanitization failure: `sanitize_text_field()` applied during form submission storage preserves double-quote characters in `form_page_id`, and the downstream `king_addons_submissions_custom_column_content()` function then concatenates that stored value into an HTML `href` attribute via `admin_url()` without wrapping the result in `esc_url()`. No public exploit or CISA KEV listing exists at time of analysis; EPSS data was not provided in the input.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-15283 MEDIUM This Month

Stored Cross-Site Scripting in the WPvivid Backup for MainWP WordPress plugin (all versions up to and including 0.9.33) allows authenticated administrators to inject persistent malicious scripts via plugin settings fields, which then execute in any user's browser upon visiting an affected page. Exploitation is constrained to WordPress multi-site environments or single-site installs where the unfiltered_html capability has been explicitly disabled, and requires an attacker to already hold administrator-level credentials. No public exploit code has been identified at time of analysis, and the CVSS 4.4 Medium score reflects both the high privilege bar and the specialized deployment conditions required.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-11392 MEDIUM This Month

Reflected cross-site scripting in the WP Hotel Booking WordPress plugin (all versions up to and including 2.3.1) permits unauthenticated remote attackers to inject arbitrary JavaScript via the check_in_date and check_out_date URL parameters across multiple search result and Elementor widget templates. Successful exploitation requires tricking a victim into clicking a crafted link, after which the injected script executes in the victim's browser context - making logged-in administrators particularly high-value targets. No public exploit has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.

WordPress XSS Wp Hotel Booking
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-15321 LOW POC PATCH Monitor

Stored cross-site scripting in MyEMS up to 6.4.0 allows a high-privileged attacker to inject malicious script via the `new_values['data']` argument in the `on_post` function of `myems-api/core/svg.py` within the Admin Backend, which then executes in a victim administrator's browser upon viewing the affected SVG content. The CVSS 4.0 score of 1.9 reflects the limited real-world impact: exploitation requires existing administrative access and victim interaction, constraining this to a privilege-abuse scenario rather than an external intrusion vector. A public proof-of-concept exists via GitHub issue #412, and a vendor-released patch is available in version 6.5.0.

XSS Myems
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.2%
CVE-2026-15311 LOW POC PATCH Monitor

Cross-site scripting in NousResearch hermes-agent (all versions through 2026.5.29.2) stems from unsanitized markdown-to-HTML conversion in the Matrix Adapter component, allowing an authenticated remote attacker to inject malicious scripts into Matrix platform messages. When a victim views the crafted content, the injected script executes in their browser context. Publicly available exploit code exists (GitHub issue #42667), though no public exploit identified at time of analysis maps to confirmed active exploitation - the CVSS 4.0 score of 2.0 reflects the low severity, limited scope, and required victim interaction.

XSS Hermes Agent
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-59855 HIGH This Week

Cross-site scripting escalating to remote code execution in SiYuan (open-source personal knowledge management) before 3.7.1 lets an attacker embed a crafted asset link whose path contains a double quote, breaking out of an image src attribute in Asset.render to inject an event handler. Because SiYuan runs in an Electron renderer with OS-level capabilities, the injected JavaScript can execute arbitrary operating-system commands on the victim's machine once the malicious asset is opened. No public exploit identified at time of analysis, and it is not listed in CISA KEV; user interaction is required to trigger the flaw.

XSS Siyuan
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-58144 MEDIUM This Month

Stored cross-site scripting in Cotonti Siena 0.9.26 and earlier allows any authenticated user with PFS (Personal File System) access to plant persistent JavaScript payloads by submitting a crafted folder title via the ntitle parameter. The TXT filter in pfs.main.php fails to sanitize HTML before persisting the value, so the payload executes in the browser of every subsequent visitor - including administrators - who views the folder listing. No public exploit has been confirmed beyond a researcher-published proof-of-concept gist, and no vendor patch has been identified at time of analysis.

XSS PHP
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-55424 HIGH PATCH This Week

Stored cross-site scripting in Discourse (before 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5) lets a user with permission to set a topic "featured link" inject JavaScript that executes when the link is rendered in the topic list. Exploitation only succeeds where the platform's default Content Security Policy has been weakened or disabled, so out-of-the-box installs are protected in depth. No public exploit identified at time of analysis, and the issue is not in CISA KEV; official fixed releases are available.

XSS Discourse
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.5%
CVE-2026-59833 HIGH This Week

Stored cross-site scripting in SiYuan before 3.7.1 escalates to OS command execution inside the Electron desktop renderer because the bundled Lute Markdown/HTML engine sanitizes content but fails to block dangerous javascript schemes in form action and SVG xlink:href attributes. An attacker who plants crafted content that a victim later opens via document export-preview or a Bazaar package README render can run arbitrary code on the victim's machine. There is no public exploit identified at time of analysis, and it is not on CISA KEV; the CVSS 4.0 base score is 8.6.

XSS Siyuan
NVD GitHub
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-53963 CRITICAL PATCH Act Now

Stored cross-site scripting in the Discourse discussion platform allows a low-privileged registered user to set a malicious two-factor authenticator name that executes JavaScript in an administrator's browser when that admin impersonates the account and opens the 2FA delete confirmation dialog. Affected builds are Discourse before 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, spanning the 2026.1.x through 2026.6.x release lines. There is no public exploit identified at time of analysis and the EPSS probability is low (0.39%), but the fix commit's regression test reveals the exact working payload, and successful exploitation runs in a full-admin context.

XSS Discourse
NVD GitHub VulDB
CVSS 3.1
9.0
EPSS
0.4%
CVE-2026-53962 MEDIUM PATCH This Month

Stored cross-site scripting in Discourse's SVG upload and user avatar handling allows authenticated users to inject malicious JavaScript that executes in victims' browsers when they visit specific non-standard URLs. The CVSS scope change (S:C) reflects that successful exploitation crosses the browser security boundary, enabling session token theft or account takeover against victims who visit the triggering URL. Vendor-confirmed patches are available across four release branches; no public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Discourse
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-60120 MEDIUM PATCH This Month

Stored client-side template injection in Bagisto before v2.4.4 allows any attacker who can register a customer account to execute arbitrary JavaScript in an administrator's browser. The `create.blade.php` template renders customer name fields inside a Vue.js context without the `v-pre` directive, causing Vue.js to evaluate stored template expressions as live code when an administrator opens the Create Order page for the affected customer. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV, though the stored nature of the payload and its execution in an admin session context make this a higher real-world priority than the CVSS 4.0 score of 5.1 alone suggests.

XSS PHP
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-52777 PHP CRITICAL POC PATCH GHSA Act Now

PHP object injection in YesWiki's BazaR import feature allows an attacker to reach an unsafe unserialize() sink in tools/bazar/services/CSVManager.php, where attacker-supplied base64 data is deserialized without allowed_classes=false, instantiating arbitrary classes and triggering magic methods (__destruct, and __toString via array_map('strval')). Because the importentries mode lacks CSRF protection (the assigned root cause CWE-352), a remote attacker can host an auto-POSTing HTML page that, when visited by a logged-in wiki admin, drives the deserialization using the admin's session - chaining published Doctrine PHPGGC gadgets into remote code execution on the host. Publicly available exploit code exists demonstrating the object-injection primitive, but no full end-to-end RCE chain is published and this is not confirmed actively exploited (not in CISA KEV).

Deserialization Path Traversal CSRF XSS RCE +1
NVD GitHub
CVE-2026-52774 PHP MEDIUM POC PATCH GHSA This Month

Reflected XSS in YesWiki's Bazar widget handler allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by sending a crafted URL containing a double-quote-breaking payload in the `id` GET parameter. The handler at `tools/bazar/handlers/__WidgetHandler.php` performs no authentication or access-control check before rendering the vulnerable template, and `strip_tags()` is misused as an output encoder - it removes tags but leaves double quotes intact, enabling attribute injection across two sinks (`data-formid` and `data-iframeUrl`). A working proof-of-concept was validated on the official doryphore 4.6.5 release; no public exploit identification as KEV-confirmed active exploitation exists at time of analysis, but a complete PoC with exact payloads is publicly available as part of the advisory.

XSS Information Disclosure PHP
NVD GitHub
CVSS 3.1
6.1
CVE-2026-52773 PHP MEDIUM POC PATCH GHSA This Month

Reflected XSS in YesWiki doryphore 4.6.5 allows an attacker to execute arbitrary JavaScript in a victim's browser by exploiting unescaped output of the `time` GET parameter in the archived-revision edit form at `handlers/page/show.php`. A working proof-of-concept has been published by the reporter and confirmed against the official package; the attack exploits MySQL's DATETIME coercion to accept a malformed timestamp that begins with a real archived revision value yet appends injected markup, causing the archived-revision branch to render and reflect the payload unescaped. No active exploitation has been confirmed by CISA KEV, but the detailed PoC lowers the barrier to weaponization.

XSS Information Disclosure RCE PHP
NVD GitHub
CVSS 3.1
6.1
CVE-2026-52772 PHP MEDIUM POC PATCH GHSA This Month

Stored XSS in YesWiki's Bazar form module allows a privileged form editor to inject persistent script payloads into field label and hint fields, which execute in the browser context of every subsequent visitor - including unauthenticated guests - who renders an affected form. The vulnerability is a sibling class of an incomplete fix at commit e6b66aa: that commit removed the dangerous |raw('html') filter from two Twig template call sites but left eleven additional sites in range.twig, email.twig, layouts/input.twig, layouts/field.twig, textarea.twig, user.twig, bookmarklet.twig, subscribe.twig, and linked-entry.twig still suppressing Twig's HTML auto-escaping. No active exploitation is confirmed in CISA KEV, but a detailed proof-of-concept with exact payloads, rendered HTML output, and affected line numbers is included in GitHub Security Advisory GHSA-xc7j-3g8q-9vh4, and patch commit 5d1a4d07 is publicly available.

XSS CSRF PHP
NVD GitHub
CVSS 3.1
5.5
CVE-2026-0279 LOW PATCH Monitor

Multiple stored and reflected cross-site scripting vulnerabilities in PAN-OS expose the User-ID Authentication Portal (Captive Portal), GlobalProtect gateway/portal, and Clientless VPN web interfaces to unauthenticated attackers who can inject and execute arbitrary JavaScript in victim browsers. Affected deployments span PA-Series and VM-Series firewalls and Panorama management platforms; Cloud NGFW is explicitly not affected. No public exploit code exists (CVSS 4.0 E:U), and the vendor states risk is substantially reduced - potentially minimized - when portal and management access is restricted to trusted internal IP ranges per Palo Alto's recommended hardening guidelines.

XSS Paloalto Pan Os
NVD VulDB
CVSS 4.0
1.3
EPSS
1.2%
CVE-2026-15202 LOW Monitor

Cross-site scripting in YzmCMS through version 7.5 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript by manipulating the HTTP Host header processed by the `get_url` function in `/yzmphp/yzmphp.php`. The Header Handler component reflects the attacker-controlled `HTTP_HOST` value into generated page output without sanitization, enabling payload execution in a victim's browser upon page visit. A public proof-of-concept exploit has been disclosed; no patch exists and the vendor did not respond to coordinated disclosure, leaving all deployments at or below v7.5 exposed.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-59214 CRITICAL PATCH Act Now

Privilege escalation and server-side code execution in Open WebUI before 0.10.0 lets a low-privileged authenticated user plant a malicious chat payload that, when a victim (typically an admin) clicks Run, executes client-side Python via Pyodide in a same-origin web worker and issues authenticated same-origin requests to admin-only endpoints. Because the requests inherit the victim's session, the attacker can reach administrative APIs and trigger server-side code execution through configured tools. No public exploit has been identified at time of analysis, and EPSS is low (0.25%), but CVSS is 9.0 with total technical impact per CISA SSVC.

XSS Python Open Webui
NVD GitHub
CVSS 3.1
9.0
EPSS
0.2%
CVE-2026-53987 HIGH PATCH This Week

Stored cross-site scripting in the Tag plugin for GLPI 11 (versions before 2.14.4) allows an authenticated user holding TAG MANAGEMENT create/update rights to persist an HTML/JavaScript payload in a tag name, which then executes in the browser of any user who opens the Kanban view of a ticket, problem, change, or project the tag is attached to. The flaw stems from PluginTagTag::preKanbanContent() rendering the unsanitized tag name into badge markup without output escaping. No public exploit identified at time of analysis; the issue was reported by VulnCheck and a vendor patch (2.14.4) is available.

XSS Glpi 11
NVD GitHub
CVSS 4.0
7.3
EPSS
0.3%
CVE-2026-5005 MEDIUM PATCH This Month

Stored XSS in Twiser OKRs & Goals (builds 28220 through pre-28398) allows authenticated low-privileged users to inject persistent malicious scripts that execute in other authenticated users' browsers. The CVSS scope change (S:C) confirms cross-user impact - a hallmark of stored XSS where one user's injected payload affects others who subsequently view the same content. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this firmly in standard patch-cycle priority.

XSS Okrs Goals
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-9253 HIGH This Week

Stored cross-site scripting in the WP Cost Estimation & Payment Forms Builder (E&P Forms) WordPress plugin (Loopus) affects all versions through 10.5.97 and lets unauthenticated attackers persist arbitrary JavaScript via the 'customerInfos' parameter that fires when any user later views the injected page. Reported by Wordfence with a CVSS 3.1 base score of 7.2 (scope-changed), this is a persistent, no-authentication injection primitive rather than a reflected one. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation is not confirmed in the wild.

WordPress XSS Wp Cost Estimation Payment Forms Builder
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-13441 HIGH This Week

Stored cross-site scripting in the EventPrime events plugin for WordPress (versions through 4.3.4.2, by Metagauss) lets low-privileged or, in one configuration, unauthenticated actors persist arbitrary JavaScript through the 'new_event_type_background_color' field of the event-type creation flow. The injected script runs in the browser of any user who later views the affected page, enabling session/context theft in the WordPress front end and admin context. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; the finding was reported by Wordfence.

WordPress XSS Eventprime Events Calendar Bookings And Tickets
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-2342 CRITICAL Act Now

Stored cross-site scripting in OceanicSoft ValeApp (all builds through 09072026) lets an attacker persist malicious script into the application so it executes in other users' browser sessions when they view the affected page. Reported by Turkey's national CERT (TR-CERT) and tracked in the ENISA EUVD, the flaw carries a vendor/CERT CVSS of 9.3 driven by a scope change and high confidentiality/integrity impact. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor was unresponsive to disclosure, so no fix is expected in the near term.

XSS Valeapp
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-5793 MEDIUM This Month

Reflected cross-site scripting in BiEticaret, a Turkish e-commerce platform by Inrove Software and Internet Services, enables remote unauthenticated attackers to inject and execute malicious JavaScript in victims' browsers by tricking them into clicking a crafted URL. All versions prior to v3.3.57 are affected across the full product line. No active exploitation has been confirmed by CISA KEV, and no public proof-of-concept has been identified at time of analysis; however, the low attack complexity and absence of authentication requirements make this straightforward to exploit once a target is socially engineered.

XSS Bieticaret
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-13334 MEDIUM This Month

Reflected Cross-Site Scripting in the Mang Board WP WordPress plugin (all versions through 2.3.4) allows unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'stag' parameter, which executes in the browser of any user who clicks a crafted link. Wordfence's source-level analysis identifies the flaw spanning multiple plugin files including _header.php, func.board.php, and class.store.php. No active exploitation has been identified (not in CISA KEV) and no EPSS score was provided, but the PR:N/UI:R profile makes this a viable phishing-assisted attack against WordPress site administrators and editors.

WordPress XSS Mang Board Wp
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-31981 MEDIUM PATCH This Month

Stored HTML injection in Nozomi Networks Guardian and CMC (N2OS) allows authenticated administrators to embed malicious HTML into configuration data rendered in the Diagram tab and Graph view, enabling phishing and open redirect attacks against other authenticated users who view the affected pages. The vulnerability originates from a shared input validation function applied across multiple input vectors in N2OS that is insufficiently restrictive, permitting certain HTML tags to persist. Full XSS exploitation and direct information disclosure are explicitly constrained by existing input validation and a Content Security Policy, limiting realistic attacker impact to social engineering vectors. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

XSS Open Redirect Information Disclosure Guardian Cmc
NVD VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-6910 MEDIUM This Month

Stored Cross-Site Scripting in the Bookero.pl WordPress booking plugin (versions up to and including 2.2) allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the `bookero_products` shortcode. The `bookero_products()` function in `libraries/bookero-front.php` (lines 173-174) concatenates the raw `hide_products` and `filter_products` attribute values directly into an inline `<script>` block with no sanitization or output escaping, meaning any page rendered with the poisoned shortcode will execute the attacker-supplied script in every visitor's browser. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

WordPress XSS Bookero Pl System Rezerwacji Online
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-13771 MEDIUM This Month

Stored Cross-Site Scripting in the Customer Reviews for WooCommerce WordPress plugin (all versions ≤ 5.113.0) allows contributor-level authenticated users to inject arbitrary JavaScript via the 'color' attribute of the trust badge shortcode, which then executes in the browsers of every subsequent visitor to the compromised page. The trust badge rendering code in class-cr-trust-badge.php and badge-small.php fails to sanitize or escape shortcode attribute input before writing it to HTML output. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; a patch commit is referenced in the WordPress SVN repository.

WordPress XSS Customer Reviews For Woocommerce
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15000 HIGH This Week

Stored cross-site scripting in the Connect Contact Form 7 and Mailchimp WordPress plugin (all versions through 0.9.78.06) lets unauthenticated visitors plant JavaScript through Mailchimp merge-field values submitted via a Contact Form 7 form. The payload lies dormant until an Administrator runs a Contact Lookup on the submitted email address, at which point the script executes in the privileged admin session. Reported by Wordfence with a CVSS of 7.2; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress XSS Connect Contact Form 7 And Mailchimp
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-14343 MEDIUM This Month

Stored Cross-Site Scripting in the WordPress Download Manager plugin (all versions through 3.3.61) allows authenticated contributors to inject persistent JavaScript payloads via the 'note_before' and 'note_after' shortcode attributes. The root cause is an unescaped output sink in the shortcode renderer: although wp_kses_post filters post content on save for users lacking the unfiltered_html capability, kses-allowed tag and attribute combinations that survive filtering are passed directly to the unsafe sink and execute in victims' browsers when the injected page is rendered. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress XSS Download Manager
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12170 MEDIUM This Month

Stored Cross-Site Scripting in the AcyMailing WordPress newsletter plugin (all versions up to and including 10.10.2) permits authenticated contributors to inject persistent arbitrary scripts via the unsanitized 'alignment' attribute across both the classic form builder and Gutenberg block editor code paths. Any user - including unauthenticated site visitors - who subsequently loads a page containing the injected element triggers script execution in their browser, enabling session hijacking, credential theft, or malicious redirects. No public exploit identified at time of analysis and no CISA KEV listing, though the CVSS scope change (S:C) correctly reflects the cross-user, cross-session impact characteristic of stored XSS.

WordPress XSS Acymailing An Ultimate Newsletter Plugin And Marketing Automation Solution For Wordpress
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-13253 MEDIUM This Month

Stored Cross-Site Scripting in the Ultimate Post (PostX) WordPress plugin versions up to and including 5.0.31 allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the 'moreResultsText' attribute of the advanced-search Gutenberg block. The root cause is a sanitization gap: the render callback applies wp_kses() which strips disallowed HTML tags but does not encode special characters like double quotes in attribute context, and the unsanitized value is then concatenated directly into the data-viewmoretext HTML attribute without esc_attr(), allowing attribute boundary escape. No public exploit code has been identified at time of analysis, and no EPSS data was provided, but the contributor-level access requirement represents the primary real-world friction point for exploitation.

WordPress XSS Post Grid Gutenberg Blocks Postx
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-4653 MEDIUM This Month

Stored XSS in the Block, Suspend, Report for BuddyPress WordPress plugin (bp-toolkit) through version 3.6.4 allows low-privileged authenticated attackers to inject persistent malicious scripts via the 'link' parameter in report submissions. Authenticated users with subscriber-level access can plant JavaScript payloads that execute in any visitor's browser upon accessing the affected report pages, with Changed Scope (S:C) indicating execution in the victim's security context rather than the application's. No public exploit code has been identified at time of analysis and the vulnerability has not been added to CISA KEV, but on BuddyPress community sites with open registration the subscriber-level prerequisite is trivially satisfied.

WordPress XSS Block Suspend Report For Buddypress
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-47646 MEDIUM PATCH NO ACTION HOSTED Monitor

Cross-site scripting in Microsoft Dynamics 365 Customer Voice allows a remote, unauthenticated attacker to inject script that executes in a victim's browser session and perform spoofing once the victim interacts with attacker-supplied content. The flaw carries a CVSS 9.3 rating driven largely by a scope change (S:C), meaning injected script escapes into a different security context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Dynamics 365 Customer Voice
NVD VulDB
CVSS 3.1
6.1
EPSS
0.5%
CVE-2026-15128 MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome's Forms implementation prior to version 150.0.7871.115 permits remote, unauthenticated attackers to inject arbitrary scripts or HTML across any browser origin by luring a victim to a crafted HTML page. The Scope:Changed metric in the CVSS vector reflects the defining characteristic of UXSS: unlike conventional XSS, the injected script executes outside the attacker-controlled page's origin, effectively bypassing the Same-Origin Policy and threatening any concurrent browser session. No public exploit code or confirmed active exploitation has been identified at time of analysis; SSVC rates exploitation as none and the attack as non-automatable due to the required user interaction.

XSS Google
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-15127 MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome's WebGL implementation prior to version 150.0.7871.115 allows remote attackers to bypass the Same-Origin Policy and inject arbitrary scripts or HTML into cross-origin contexts via a crafted HTML page. The vulnerability carries a scope change (S:C) in its CVSS vector, reflecting the cross-origin boundary violation inherent to UXSS. No public exploit has been identified at time of analysis, and CISA's SSVC assessment marks exploitation status as none with no automatable exploitation path, reducing immediate real-world urgency despite the sensitivity of cross-origin script execution.

XSS Google
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-5922 MEDIUM PATCH This Month

Stored cross-site scripting in HP IP phone WebUI allows a low-privileged authenticated attacker to inject malicious script content into configuration parameters, which the phone's web management interface later renders unsanitized to visiting users. When an administrator browses the affected WebUI page, the injected payload executes in their browser session, producing a High integrity impact within the WebUI context. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis; HP has published advisory HPSBPY04108 addressing the issue.

XSS
NVD
CVSS 4.0
5.9
EPSS
0.2%
CVE-2026-6896 MEDIUM PATCH This Month

Stored/reflected cross-site scripting in GitLab Enterprise Edition lets an authenticated user holding Developer-role permissions inject arbitrary scripts that execute in a victim user's browser session, enabling session hijacking or actions performed as the victim. It affects a broad version range (13.11 through 18.11.6, 19.0.x before 19.0.4, and 19.1.x before 19.1.2) and stems from improper sanitization of user-supplied input. There is no public exploit identified at time of analysis, though the flaw was disclosed through a HackerOne bug-bounty report.

XSS Gitlab
NVD VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-58191 MEDIUM PATCH This Month

Reflected cross-site scripting in Appium's base-driver allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser on the Appium server origin. All Appium installations prior to 10.7.0 unconditionally expose three test routes whose `compileLodashTemplate` handler reflects unsanitized user-controlled inputs - the `throwError` query parameter, the `comments` POST field, and the `User-Agent` request header - directly into rendered HTML without output encoding. No public exploit has been identified at time of analysis, but the zero-authentication requirement and permanently-mounted test routes make any network-reachable Appium server an attack surface with no opt-out mechanism below the fix version.

XSS Appium Base Driver
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-55596 HIGH PATCH This Week

Stored cross-site scripting in the Plate rich-text editor (versions 53.0.0 through 53.1.3) lets a crafted document execute attacker JavaScript when a victim opens it. The media embed renderer trusts serialized provider/sourceUrl metadata in useMediaState and skips parseMediaUrl protocol validation, so an attacker can flag a URL as a legitimate video provider while keeping a javascript: payload that MediaEmbedElement renders directly as an iframe src. No public exploit has been identified at time of analysis, and the flaw is fixed in 53.1.4.

XSS
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.2%
CVE-2026-13320 MEDIUM PATCH This Month

Stored/reflected cross-site scripting in GitLab CE/EE (all versions from 15.7 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2) lets an authenticated user inject unsanitized input that executes arbitrary JavaScript in a victim's browser session, enabling session hijacking or actions on the victim's behalf. The scope-changed CVSS 7.3 reflects that the payload crosses a security boundary into another user's context. There is no public exploit identified at time of analysis, though the flaw originated from a HackerOne bug bounty submission and vendor patches are already available.

XSS Gitlab
NVD VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-49825 PyPI HIGH PATCH GHSA This Week

Stored cross-site scripting in the lxml_html_clean Cleaner (≤ 0.4.4) and the bundled lxml legacy html.clean module (≤ 6.1.0) lets attackers smuggle javascript: URLs through HTML sanitization on the namespaced xlink:href attribute. When callers configure Cleaner with safe_attrs_only=False, the URL-scheme scrubber never inspects <a xlink:href="javascript:..."> inside SVG or MathML, so the payload survives and executes when a victim clicks the rendered anchor. Publicly available exploit code exists (a working reproducer ships with the advisory), but there is no public exploit identified as being used in active attacks and the issue is not in CISA KEV.

XSS Python Canonical Mozilla
NVD GitHub
CVSS 3.1
8.2
CVE-2026-59929 PyPI MEDIUM PATCH This Month

Cross-site scripting in Mistune prior to 3.3.0 stems from an incomplete URI scheme blocklist in the `safe_url` filter, permitting legacy and chained schemes (`feed:`, `jar:`, `livescript:`, `mocha:`, `ms-its:`, `mk:`, `res:`, `view-source:`) to pass unchecked into rendered `href` and `src` attributes. Any web application that accepts user-supplied Markdown, renders it via Mistune's HTML renderer, and serves the output to other users' browsers is exposed to stored or reflected XSS. No public exploit or CISA KEV listing has been identified at time of analysis; however, the CVSS 6.1 score with scope change (S:C) reflects genuine cross-session impact when the victim interacts with attacker-controlled content.

XSS Python Mistune
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-59926 PyPI MEDIUM PATCH This Month

Cross-site scripting in Mistune (Python Markdown parser) prior to version 3.2.1 allows injection of arbitrary HTML attributes via the Admonition directive's `:class:` option, critically bypassing HTMLRenderer escape mode even when it is explicitly enabled. Applications that render user-controlled Markdown with admonition directives and serve the resulting HTML to web browsers are exposed to stored or reflected XSS, enabling session hijacking, credential theft, or malicious DOM manipulation. No public exploit has been identified at time of analysis, and a vendor-released patch is available in v3.2.1.

XSS Python Mistune
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-59923 PyPI MEDIUM PATCH This Month

Cross-site scripting in Mistune Python Markdown parser (all versions before 3.3.0) allows attacker-controlled Markdown content containing percent-encoded javascript: URIs to bypass the HTMLRenderer.safe_url() URL sanitization filter and execute arbitrary script in victim browsers. The bypass works because safe_url() checks the raw string without first decoding percent-encoded characters, so schemes like %6Aavascript: or %6aVaScRiPt: evade detection while remaining valid to browsers. Any web application that renders user-supplied or attacker-influenced Markdown through Mistune and serves the output to other users is exposed. No public exploit or CISA KEV listing has been identified at time of analysis.

XSS Python Mistune
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-59895 MEDIUM PATCH This Month

Server-side rendering XSS in Hono's hono/css module (versions 4.0.0 through 4.12.26) allows injection of arbitrary HTML markup by exploiting the cx() function's failure to HTML-escape input before marking it as safe. When untrusted data flows into a cx() call used in a JSX class attribute during SSR, attackers can break out of the attribute context and inject arbitrary markup or script into the rendered page delivered to victims. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 6.1 Medium score with Scope:Changed reflects the cross-context server-to-browser impact.

XSS Hono
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-11903 MEDIUM PATCH This Month

Stored/reflected cross-site scripting in the Ad Hoc Transfer module of Progress MOVEit Transfer lets an authenticated low-privilege user inject script that executes in another user's browser session, per the CVSS PR:L/UI:R vector. Affected builds are 2026.0.0 before 2026.0.1, 2025.1.0 before 2025.1.4, and 2025.0.0 before 2025.0.8. No public exploit identified at time of analysis, though MOVEit Transfer's history as a mass-exploitation target (prior GoAnywhere/MOVEit campaigns) makes prompt patching prudent.

XSS Moveit Transfer
NVD VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-57439 MEDIUM PATCH This Month

Prototype pollution in CyberChef prior to 11.2.0 enables cross-site scripting via a chained operation attack. The Series Chart operation accepts `__proto__` as a valid CSV key without sanitization, corrupting the JavaScript Object prototype; when downstream operations such as Parse UDP generate HTML output, the polluted prototype injects attacker-controlled JavaScript that executes in the victim's browser. The vendor has released a fix in version 11.2.0; no public exploit and no CISA KEV listing have been identified at time of analysis.

XSS Cyberchef
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.1%
CVE-2026-60092 PHP MEDIUM This Month

Stored XSS in AVideo's Meet plugin allows an anonymous, unauthenticated attacker to inject arbitrary JavaScript into privileged administrator and host browser sessions by supplying a malicious HTTP User-Agent header when joining any public meeting. The getMeetInfo.json.php endpoint persists the raw User-Agent value in meet_join_log.user_agent, bypassing AVideo's xss_esc() setter and omitting htmlspecialchars() at the output layer in the Participants management panel, where it renders in authenticated host and admin sessions. No vendor patch was available at the time of disclosure; no public exploit code or CISA KEV listing has been identified.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-58657 MEDIUM PATCH This Month

Stored CSS injection in Grav CMS (all 2.0 branch releases through 2.0.0-rc.9) lets a lower-privileged content editor manipulate the visual interface seen by higher-privileged administrators and reviewers. The resize() Markdown media action in Excerpts::processMediaActions() writes caller-controlled values directly into rendered img style attributes without sanitization, despite prior hardening that blocked the ?style= and attribute() vectors. An attacker with editorial access can store a crafted image URL with semicolon-delimited CSS declarations that render a full-viewport overlay when a privileged user views the page, enabling UI redress and content-manipulation attacks. No public exploit has been identified at time of analysis; the vendor-confirmed fix is Grav 2.0.0.

XSS
NVD GitHub
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-58654 MEDIUM PATCH This Month

Unrestricted file upload in Grav API Plugin 1.0.0 allows authenticated users to store arbitrary content - including PHP scripts, SVG with embedded JavaScript, and polyglot payloads - via the avatar upload endpoint by supplying a forged client-declared MIME type beginning with 'image/'. The endpoint performs no server-side content inspection and imposes no extension restriction, so malicious files are written to user/accounts/avatars/ with predictable filenames. Immediate exploitation is partially mitigated by an .htaccess rule that returns HTTP 403 on direct access, but the files persist on disk and represent a latent RCE or stored XSS vector if a co-resident path traversal flaw or server misconfiguration bypasses that control. No public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal XSS PHP RCE File Upload
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-56359 npm MEDIUM PATCH This Month

Stored cross-site scripting in n8n before 2.8.0 allows authenticated low-privilege users to inject malicious JavaScript URLs into OAuth2 credential Authorization URL fields within the credential management flow. When a victim - potentially a higher-privileged user - clicks the OAuth authorization button on the crafted credential, arbitrary scripts execute in their browser session carrying the victim's privileges. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the stored nature of the payload means a single malicious credential can be surfaced to multiple targets in collaborative n8n environments.

XSS N8n
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Stored and reflected cross-site scripting in Grist (grist-core) before 1.7.15 lets an attacker place a javascript: URL into an unvalidated link href and execute script in a victim's authenticated Grist origin on a single click. Two entry points are affected: the /welcome/select-account page reflects its next query parameter into account-button links, and the GristDocTour table's Link_URL column renders as a clickable tour button, so a document editor can plant a payload that runs when another user opens the document. Because the script executes as the victim, it can drive Grist APIs to read or modify data and change sharing/access rules, letting an editor escalate to owner-level control. There is no public exploit identified at time of analysis and it is not in CISA KEV.

XSS Python Grist Core
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Stored and reflected cross-site scripting in Grist (grist-core) prior to 1.7.15 lets a document editor inject script into a document's name or description that executes when higher-privileged users open the document, and lets attackers abuse the OAuth2 end-of-flow page's reflected openerOrigin parameter. Because the injected script runs in the victim's authenticated Grist origin, a mere document editor can read or modify data, alter sharing settings and access rules, and escalate to owner-level control. No public exploit identified at time of analysis; the issue is CWE-79 and is fixed upstream in the tagged 1.7.15 release.

XSS Python Grist Core
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Stored cross-site scripting in OpenReplay 1.24.0 through versions before 1.25.0 allows an unauthenticated attacker holding only a public project key to inject script via custom event names and captured page URLs, which the tracking SDK stores in ClickHouse without output encoding and the authenticated dashboard later renders through TextEllipsis and the event-details modal. When a logged-in operator views the poisoned session, the payload executes in the dashboard origin, reads the session JWT from localStorage, and enables full dashboard account takeover. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS base score is 9.3 and a vendor fix exists in 1.25.0.

XSS Openreplay
NVD GitHub
CVSS 4.7
MEDIUM PATCH This Month

CSP header injection in the `secure_headers` RubyGems library (≤ 7.2.0) allows an attacker who can influence input to the `:sandbox`, `:plugin_types`, or `:report_to` per-request override APIs to inject an arbitrary `script-src 'unsafe-inline' *` directive that wins over the application's configured strict `script-src` under the W3C CSP first-occurrence rule, achieving full XSS reachability. The three affected directive builders (`build_sandbox_list_directive`, `build_media_type_list_directive`, `build_report_to_directive`) emit caller-supplied bytes verbatim into the CSP header value, unlike the sibling `build_source_list_directive` which has sanitized `;`, `\r`, and `\n` since CVE-2020-5217. A fully browser-verified proof of concept is publicly available; exploitation is not confirmed in CISA KEV but the attack is concrete and code-complete.

XSS Google
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Stored cross-site scripting in the RabbitMQ management UI (versions prior to 4.2.5) lets a user holding queue/exchange declaration permissions inject JavaScript that executes in another user's browser when they view the Queues or Exchanges pages. The malicious payload is supplied via the x-internal-purpose queue or exchange argument, which is rendered into an HTML title attribute without escaping. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is fixed in RabbitMQ 4.2.5.

XSS Microsoft Rabbitmq Server
NVD GitHub VulDB
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

CSS injection in Snipe-IT's superadmin branding configuration (versions prior to 8.6.2) allows arbitrary stylesheet content to persist in the database and render for all authenticated users on every subsequent page load. The template default.blade.php applies HTML entity encoding to the header_color and related color settings before embedding them inside a CSS style block - encoding that is context-incorrect and insufficient to prevent CSS breakout via constructs such as closing braces or url() references. No public exploit has been identified at time of analysis, but the CVSS 4.0 vector (SC:H/SI:H) reflects that, once injected, the payload affects every authenticated user's session regardless of their privilege level, making this a persistent, cross-user impact from a single privileged action.

XSS PHP Snipe It
NVD GitHub VulDB
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

Stored cross-site scripting in Snipe-IT prior to 8.6.2 enables a low-privilege authenticated user to upload malicious XHTML or XML files that bypass the SVG sanitization gate and execute arbitrary JavaScript in any viewer's browser when the attachment is opened inline. The bypass works because UploadFileRequest only sanitizes SVG content when PHP's finfo extension reports image/svg+xml - uploading XHTML or generic XML evades this check - while UploadedFilesController serves the file same-origin without invoking StorageHelper::allowSafeInline(), completing the injection path. No public exploit code or CISA KEV listing has been identified at time of analysis; the vendor released a confirmed fix in version 8.6.2.

XSS PHP Snipe It
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected XSS in Logto's SAML application flow allows unauthenticated remote attackers to inject and execute arbitrary JavaScript on the Logto tenant origin by supplying a crafted RelayState parameter. Versions prior to 1.41.0 of @logto/core reflect the SAML RelayState, SAMLResponse, and actionUrl directly into an auto-submit HTML form without HTML-attribute escaping, meaning a victim who follows a crafted SAML authentication link and completes the login sequence will execute attacker-controlled script within the identity provider's origin context. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though a GitHub security advisory and fix commit are publicly available.

XSS
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Ajax Load More WordPress plugin (versions through 7.0.1) allows authenticated administrators to inject persistent malicious scripts into pages served to other users. The vulnerability stems from insufficient input sanitization and output escaping in admin-facing settings fields. Exploitation is constrained to WordPress multisite environments or sites with unfiltered_html disabled, and no public exploit or KEV listing exists at time of analysis, keeping real-world risk moderate despite the network-accessible vector.

WordPress XSS
NVD
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Stored cross-site scripting in the RabbitMQ federation management plugin allows any user with federation upstream or policy configuration privileges to execute arbitrary JavaScript in the browser of an administrator viewing the Federation Status page. The rabbitmq_federation_management plugin renders the consumer_tag field without HTML escaping, making it a persistent injection vector that fires passively when a victim navigates to the page. No public exploit code and no CISA KEV listing are identified at time of analysis; the CVSS 4.0 score of 5.7 reflects meaningful but constrained risk due to the high-privilege prerequisite.

XSS Rabbitmq Server
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Snipe-IT before 8.6.2 allows a low-privileged user with the assets.edit permission to plant a malicious javascript: URI inside a Markdown hyperlink in a custom textarea field. When any other user opens the affected asset detail page and clicks the crafted link, arbitrary JavaScript executes in their browser session. No public exploit code or active exploitation has been identified at time of analysis, and the vendor has released a patch in v8.6.2.

XSS Snipe It
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting in HestiaCP's DNS record management interface (all versions before 1.9.5) enables authenticated low-privilege users to execute arbitrary JavaScript in the browsers of any panel user who views the DNS record list, including administrators. The flaw in list_dns_rec.php allows injecting a script payload via a crafted DNS record value that breaks out of the data-sort-value HTML attribute due to missing htmlspecialchars() encoding - creating a persistent, privilege-escalating attack path from tenant-level access to admin session compromise. No public exploit or CISA KEV listing has been identified at time of analysis; vendor-released patch (v1.9.5) is available.

XSS PHP Hestiacp
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Stored cross-site scripting in ZITADEL's Login V2 (versions prior to 4.15.3) lets an organization or instance administrator plant a javascript: or data: URI in the loginSettings.defaultRedirectUri, which is passed to router.push on OIDC and SAML FailedPrecondition error paths without the isSafeRedirectUri validation, executing arbitrary script in a victim user's browser. Because the malicious value must be set by a privileged admin and only fires when a user hits a specific login error path, this is a privilege-escalation/session-compromise vector against the self-hosted identity platform rather than a mass-exploitable flaw. No public exploit identified at time of analysis; not listed in CISA KEV.

XSS Zitadel
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Mezunum Satiyorum (versions 1.2.504 through 10072026) allows a low-privileged authenticated attacker to inject persistent malicious scripts into web pages served to other users. The scope change (S:C) in the CVSS vector confirms the payload executes in the victim's browser context, enabling session hijacking, credential theft, or malicious redirects against any user who loads the affected page. No public exploit code has been identified at time of analysis, and the vendor did not respond to TR-CERT's disclosure, leaving the vulnerability unpatched.

XSS Mezunum Satiyorum
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored XSS in PeerTube before version 8.2.2 allows any authenticated uploader to inject arbitrary HTML and JavaScript into the instance origin by embedding the byte sequence </script> inside video metadata fields. The server-side renderer serializes video metadata directly into schema.org JSON-LD script blocks using JSON.stringify without HTML-character escaping, causing the browser to terminate the script tag prematurely and parse attacker-controlled content as raw HTML. The payload executes automatically for every visitor to the affected video's watch page, and no public exploit has been identified at time of analysis.

XSS Peertube
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Missing authorization in the Squirrly SEO plugin for WordPress (all versions through 14.0.0) lets unauthenticated attackers create arbitrary posts by abusing a leaked API token, and — when the Advanced Custom Fields (ACF) plugin is also active — plant stored cross-site scripting that fires whenever any user views the injected page. Wordfence rates it CVSS 7.2 with scope change because a single unauthenticated request can seed persistent content and script that later executes in visitors' and administrators' browsers. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the unauthenticated, low-complexity nature makes it an attractive target for automated WordPress campaigns.

Authentication Bypass WordPress XSS +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored XSS in JetBrains YouTrack before 2026.2.17394 allows low-privileged authenticated users to inject malicious scripts into article titles, which are then rendered unsanitized within digest emails delivered to other users. When a recipient opens the digest email in an HTML-capable client and interacts with the affected content, the injected script executes in their browser context, enabling session token or credential theft. No public exploit or active exploitation has been identified; the CVSS score of 3.5 (Low) reflects the constrained impact due to required authentication, mandatory user interaction, and limited confidentiality-only impact.

XSS Youtrack
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored cross-site scripting in JetBrains TeamCity before 2026.1.2 lets an unauthenticated attacker persist malicious script through the agent registration flow, which then executes in the browser of any privileged user (e.g. an administrator) who later views the affected agent-management interface. Because agent registration requires no authentication, the entry barrier is minimal, and successful execution in an admin session can lead to session/token theft and pivoting to control of a CI/CD build server. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

XSS Teamcity
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in JetBrains TeamCity before 2026.1.2 lets an attacker who controls a build agent persist a malicious script into agent-reported data that executes when a privileged user opens the cloud profile page. Because it fires in the browser session of an operator with access to CI/CD configuration, it can lead to session/token theft and actions performed as the victim. The issue was reported by JetBrains itself; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Teamcity
NVD
EPSS 0% CVSS 3.5
LOW PATCH Monitor

CSS injection via Mermaid diagram rendering in JetBrains YouTrack before version 2026.2.17012 permits authenticated low-privilege users to embed malicious CSS into diagram content that executes in the browsers of other users who view the affected page. The CVSS score of 3.5 (Low) reflects the dual gating conditions of required authentication and victim interaction, substantially constraining real-world impact to UI manipulation rather than data exfiltration or code execution. No public exploit code or active exploitation has been identified at time of analysis.

XSS Youtrack
NVD
EPSS 0% CVSS 6.2
MEDIUM POC This Month

Reflected XSS in Lucee CFML Server (versions 5.3.x, 6.1.x, 6.2.x, and 7.0.x) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by embedding script payloads within the URL request path, which the server reflects in its response without output encoding. The primary high-impact scenario targets the Lucee administrative interface - if an administrator visits the crafted URL, the attacker can hijack the admin session or trigger unauthorized administrative actions. A public proof-of-concept exploit is available on GitHub, materially lowering the barrier to exploitation; no public exploit identified at time of analysis indicating widespread active exploitation, and the vulnerability is not listed in CISA KEV.

XSS Lucee
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored XSS in the Grav API plugin (getgrav/grav-plugin-api) before version 1.0.3 allows an authenticated attacker holding the api.media.write permission to upload a malicious SVG file that executes arbitrary JavaScript in an administrator's browser session. The POST /api/v1/media endpoint's HandlesMediaUploads::processUploadedFile() method validates only the file extension and never calls Security::sanitizeSVG(), so the uploaded file is stored and served verbatim with Content-Type: image/svg+xml. When an administrator opens the file directly or via an embedded object or iframe, the injected script runs in the admin's authenticated session context, enabling cookie theft and full session hijacking. No public exploit or active exploitation has been identified at time of analysis.

XSS Grav
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting and open redirect vulnerabilities in n8n's Form Node allow authenticated users with workflow creation permissions to inject malicious scripts or phishing redirects that execute in the browsers of end users who interact with published forms. Affected across both the 1.x branch (before 1.123.24) and the 2.x branch (before 2.10.4 and 2.12.0). The attack surface is the Form Node's HTML description fields, which accept unsanitized markup, combined with an overly permissive iframe sandbox policy - creating a persistent attack vector embedded within legitimate workflows. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Open Redirect N8n
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored XSS in R-SOFT DMS file upload functionality allows authenticated attackers to embed arbitrary HTML and JavaScript within uploaded filenames, which subsequently execute in the browsers of any user viewing the file list or upload status pages. The vulnerability affects the document management system's filename rendering pipeline, which fails to sanitize input before output into HTML context. Fixed versions are available (v3.19-2832 and v3.17-2580); no public exploit identified at time of analysis, and the product is not listed in the CISA KEV catalog.

XSS File Upload
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Jeg Elementor Kit for WordPress versions through 3.2.6 enables authenticated Contributors to inject persistent malicious scripts via the Image Box widget's description field. The root cause is a deliberate inconsistency in the render_body() method of Image_Box_View: every other attribute is sanitized with esc_attr(), but sg_body_description is concatenated raw into HTML body context. Any user who visits a page containing the injected widget executes the payload, enabling session hijacking and potential escalation to Administrator. No public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Logo Slider WordPress plugin (all versions through 5.5) allows authenticated contributors to inject persistent JavaScript payloads via the 'lgx_tooltip_position' parameter, executing in the browser of any user who subsequently visits an affected page. The CVSS scope change (S:C) reflects that injected scripts execute in victim browser contexts - enabling session hijacking or privilege escalation against higher-privileged users including site administrators. No public exploit or CISA KEV listing has been identified at time of analysis, though the low attack complexity and the breadth of contributor-level accounts on WordPress sites make this a realistic risk for multi-author installations.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in the ICS Calendar WordPress plugin (all versions ≤ 12.0.9) allows unauthenticated network attackers to inject arbitrary JavaScript into victim browsers by exploiting a missing nonce check and input sanitization failure on the publicly accessible wp_ajax_nopriv_r34ics_ajax AJAX endpoint. The attacker-controlled js_args object is merged over stored shortcode configuration before allowlist validation, enabling the htmltagtitle key to reach the calendar-month.php template unescaped. No public exploit code or CISA KEV listing exists at time of analysis, though the scope-changing CVSS vector (S:C) and zero authentication barrier make socially engineered delivery via crafted URLs a realistic threat to any site running this plugin.

WordPress XSS Ics Calendar
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Eventin WordPress event management plugin (all versions through 4.1.15) lets any contributor-level user permanently embed malicious JavaScript in event FAQ sections via the unescaped `etn_faq_content` parameter. The CVSS scope change (S:C) confirms the impact crosses the attacker's security context - injected scripts execute in any visitor's browser who loads the affected event page, enabling session hijacking or credential harvesting of higher-privileged users including site administrators. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the low attack complexity and commonly granted contributor role make this a credible insider-threat risk on multi-user WordPress installations.

WordPress XSS Eventin Event Calendar Event Registration Tickets Booking Ai Powered
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Hostel WordPress plugin (all versions through 1.1.7) permits authenticated Contributor-level users to permanently inject arbitrary JavaScript into WordPress pages via the second attribute of the `wphostel-book` shortcode, which is passed unsanitized to the `$text` variable and rendered raw into an HTML `value` attribute without `esc_attr()` escaping. Any user who subsequently views an injected page will execute the attacker's payload in their browser, enabling session hijacking or privilege escalation against higher-privileged site users. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; the primary risk is to WordPress sites that grant Contributor access to untrusted or semi-trusted users.

WordPress XSS Hostel
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Highlighting Code Block WordPress plugin (versions ≤ 2.2.0) allows authenticated attackers holding administrator-level permissions to inject persistent malicious scripts via the plugin's admin settings panel, with those scripts executing in the browsers of any user who subsequently visits an affected page. Exploitation is constrained to WordPress multi-site network installations or single-site deployments where the unfiltered_html capability has been explicitly disabled - conditions that are non-default and substantially narrow the attacker population. No public exploit code or active exploitation has been identified at time of analysis; Wordfence, the reporting source, has published a fix commit to the plugin's SVN repository, though a specific patched release version is not yet confirmed.

WordPress XSS Highlighting Code Block
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the BuddyHolis TableSearch plugin for WordPress (all versions ≤1.1.0) permits authenticated attackers holding Contributor-level or higher role access to inject persistent JavaScript via the 'placeholder' parameter, which then executes in the browsers of every subsequent visitor to the affected page. The Scope:Changed CVSS metric reflects that payload impact crosses from the WordPress plugin into victims' browser environments, enabling session hijacking, credential theft, or administrative account takeover if an administrator views the injected page. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the low authentication bar makes this relevant for any WordPress site permitting open contributor registration.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Animation Addons for Elementor WordPress plugin (all versions through 2.6.3) enables authenticated attackers with Contributor-level access to permanently inject arbitrary JavaScript into pages using the Weather widget. The payload renders unescaped for every subsequent visitor, enabling session hijacking, credential theft, or admin-context privilege escalation without further attacker interaction. No CISA KEV listing and no public exploit code have been identified at time of analysis, but the low attack complexity combined with scope change to victims' browsers makes this a credible risk for multi-author WordPress deployments running this plugin with the Weather widget actively configured.

WordPress XSS PHP
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

DOM-based cross-site scripting in the TelSender WordPress plugin (all versions through 1.14.14) lets unauthenticated attackers plant a malicious payload inside a Telegram chat title that the plugin renders unsanitized. When an administrator opens the TelSender settings page and clicks the 'Tested' button, the plugin processes the attacker-controlled Telegram API response and executes the injected script in the admin's authenticated browser session. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the scope-changed CVSS 7.2 reflects execution in the privileged admin context.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the Brevo (formerly Sendinblue) Newsletter, SMTP, Email marketing and Subscribe forms WordPress plugin allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in victims' browsers through a crafted URL containing a malicious payload in the `page` parameter. All plugin versions up to and including 3.1.77 are affected, with the root flaw traced to insufficient input sanitization and output escaping in `inc/table-forms.php` at line 102. No active exploitation has been confirmed in CISA KEV, and no POC code is identified in the provided data, though the CVSS scope-change rating (S:C) elevates the effective impact beyond the plugin's own context.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the affiliate-toolkit WP Affiliate Plugin with Amazon (versions through 3.7.0) allows authenticated contributors to inject persistent malicious scripts via the 'atkp_product' shortcode due to unsanitized user-supplied attributes. This represents a bypass of the previously patched CVE-2024-10227, indicating the prior fix was incomplete. Any WordPress user - including administrators - who loads a page containing the injected shortcode will execute the attacker's script in their browser, enabling session theft, credential harvesting, or unauthorized admin actions. No public exploit or CISA KEV listing is identified at time of analysis.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Sudoku Shortcode WordPress plugin (all versions through 1.0.0) allows authenticated Contributors to inject persistent malicious scripts via the unsanitized 'background' parameter of the 'sudoku-sc' shortcode. Once injected into a page or post, the payload executes in the browser of every subsequent visitor, including administrators, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, though Wordfence has catalogued the vulnerability in their threat intelligence database.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in The Plus Addons for Elementor WordPress plugin (versions through 6.4.11) allows authenticated contributors to inject persistent malicious scripts into pages via the Button widget's `custom_attributes` parameter. The root cause is a bypassable sanitization filter (`tp_senitize_js_input()`) in `modules/widgets/tp_button.php` that fails to properly neutralize HTML/JS content before rendering. When an administrator or other privileged user subsequently views an affected page, the stored payload executes in their browser context, enabling session hijacking or unauthorized administrative actions. No public exploit identified at time of analysis; patch is available in version 6.4.12.

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in King Addons for Elementor (WordPress plugin, versions ≤51.1.62) allows authenticated attackers with subscriber-level access to inject persistent JavaScript into the WordPress admin submissions panel. The flaw stems from a two-stage sanitization failure: `sanitize_text_field()` applied during form submission storage preserves double-quote characters in `form_page_id`, and the downstream `king_addons_submissions_custom_column_content()` function then concatenates that stored value into an HTML `href` attribute via `admin_url()` without wrapping the result in `esc_url()`. No public exploit or CISA KEV listing exists at time of analysis; EPSS data was not provided in the input.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the WPvivid Backup for MainWP WordPress plugin (all versions up to and including 0.9.33) allows authenticated administrators to inject persistent malicious scripts via plugin settings fields, which then execute in any user's browser upon visiting an affected page. Exploitation is constrained to WordPress multi-site environments or single-site installs where the unfiltered_html capability has been explicitly disabled, and requires an attacker to already hold administrator-level credentials. No public exploit code has been identified at time of analysis, and the CVSS 4.4 Medium score reflects both the high privilege bar and the specialized deployment conditions required.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting in the WP Hotel Booking WordPress plugin (all versions up to and including 2.3.1) permits unauthenticated remote attackers to inject arbitrary JavaScript via the check_in_date and check_out_date URL parameters across multiple search result and Elementor widget templates. Successful exploitation requires tricking a victim into clicking a crafted link, after which the injected script executes in the victim's browser context - making logged-in administrators particularly high-value targets. No public exploit has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.

WordPress XSS Wp Hotel Booking
NVD
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

Stored cross-site scripting in MyEMS up to 6.4.0 allows a high-privileged attacker to inject malicious script via the `new_values['data']` argument in the `on_post` function of `myems-api/core/svg.py` within the Admin Backend, which then executes in a victim administrator's browser upon viewing the affected SVG content. The CVSS 4.0 score of 1.9 reflects the limited real-world impact: exploitation requires existing administrative access and victim interaction, constraining this to a privilege-abuse scenario rather than an external intrusion vector. A public proof-of-concept exists via GitHub issue #412, and a vendor-released patch is available in version 6.5.0.

XSS Myems
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC PATCH Monitor

Cross-site scripting in NousResearch hermes-agent (all versions through 2026.5.29.2) stems from unsanitized markdown-to-HTML conversion in the Matrix Adapter component, allowing an authenticated remote attacker to inject malicious scripts into Matrix platform messages. When a victim views the crafted content, the injected script executes in their browser context. Publicly available exploit code exists (GitHub issue #42667), though no public exploit identified at time of analysis maps to confirmed active exploitation - the CVSS 4.0 score of 2.0 reflects the low severity, limited scope, and required victim interaction.

XSS Hermes Agent
NVD VulDB GitHub
EPSS 0% CVSS 8.6
HIGH This Week

Cross-site scripting escalating to remote code execution in SiYuan (open-source personal knowledge management) before 3.7.1 lets an attacker embed a crafted asset link whose path contains a double quote, breaking out of an image src attribute in Asset.render to inject an event handler. Because SiYuan runs in an Electron renderer with OS-level capabilities, the injected JavaScript can execute arbitrary operating-system commands on the victim's machine once the malicious asset is opened. No public exploit identified at time of analysis, and it is not listed in CISA KEV; user interaction is required to trigger the flaw.

XSS Siyuan
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored cross-site scripting in Cotonti Siena 0.9.26 and earlier allows any authenticated user with PFS (Personal File System) access to plant persistent JavaScript payloads by submitting a crafted folder title via the ntitle parameter. The TXT filter in pfs.main.php fails to sanitize HTML before persisting the value, so the payload executes in the browser of every subsequent visitor - including administrators - who views the folder listing. No public exploit has been confirmed beyond a researcher-published proof-of-concept gist, and no vendor patch has been identified at time of analysis.

XSS PHP
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Stored cross-site scripting in Discourse (before 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5) lets a user with permission to set a topic "featured link" inject JavaScript that executes when the link is rendered in the topic list. Exploitation only succeeds where the platform's default Content Security Policy has been weakened or disabled, so out-of-the-box installs are protected in depth. No public exploit identified at time of analysis, and the issue is not in CISA KEV; official fixed releases are available.

XSS Discourse
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Stored cross-site scripting in SiYuan before 3.7.1 escalates to OS command execution inside the Electron desktop renderer because the bundled Lute Markdown/HTML engine sanitizes content but fails to block dangerous javascript schemes in form action and SVG xlink:href attributes. An attacker who plants crafted content that a victim later opens via document export-preview or a Bazaar package README render can run arbitrary code on the victim's machine. There is no public exploit identified at time of analysis, and it is not on CISA KEV; the CVSS 4.0 base score is 8.6.

XSS Siyuan
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Stored cross-site scripting in the Discourse discussion platform allows a low-privileged registered user to set a malicious two-factor authenticator name that executes JavaScript in an administrator's browser when that admin impersonates the account and opens the 2FA delete confirmation dialog. Affected builds are Discourse before 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, spanning the 2026.1.x through 2026.6.x release lines. There is no public exploit identified at time of analysis and the EPSS probability is low (0.39%), but the fix commit's regression test reveals the exact working payload, and successful exploitation runs in a full-admin context.

XSS Discourse
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in Discourse's SVG upload and user avatar handling allows authenticated users to inject malicious JavaScript that executes in victims' browsers when they visit specific non-standard URLs. The CVSS scope change (S:C) reflects that successful exploitation crosses the browser security boundary, enabling session token theft or account takeover against victims who visit the triggering URL. Vendor-confirmed patches are available across four release branches; no public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Discourse
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored client-side template injection in Bagisto before v2.4.4 allows any attacker who can register a customer account to execute arbitrary JavaScript in an administrator's browser. The `create.blade.php` template renders customer name fields inside a Vue.js context without the `v-pre` directive, causing Vue.js to evaluate stored template expressions as live code when an administrator opens the Create Order page for the affected customer. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV, though the stored nature of the payload and its execution in an admin session context make this a higher real-world priority than the CVSS 4.0 score of 5.1 alone suggests.

XSS PHP
NVD GitHub
CRITICAL POC PATCH Act Now

PHP object injection in YesWiki's BazaR import feature allows an attacker to reach an unsafe unserialize() sink in tools/bazar/services/CSVManager.php, where attacker-supplied base64 data is deserialized without allowed_classes=false, instantiating arbitrary classes and triggering magic methods (__destruct, and __toString via array_map('strval')). Because the importentries mode lacks CSRF protection (the assigned root cause CWE-352), a remote attacker can host an auto-POSTing HTML page that, when visited by a logged-in wiki admin, drives the deserialization using the admin's session - chaining published Doctrine PHPGGC gadgets into remote code execution on the host. Publicly available exploit code exists demonstrating the object-injection primitive, but no full end-to-end RCE chain is published and this is not confirmed actively exploited (not in CISA KEV).

Deserialization Path Traversal CSRF +3
NVD GitHub
CVSS 6.1
MEDIUM POC PATCH This Month

Reflected XSS in YesWiki's Bazar widget handler allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by sending a crafted URL containing a double-quote-breaking payload in the `id` GET parameter. The handler at `tools/bazar/handlers/__WidgetHandler.php` performs no authentication or access-control check before rendering the vulnerable template, and `strip_tags()` is misused as an output encoder - it removes tags but leaves double quotes intact, enabling attribute injection across two sinks (`data-formid` and `data-iframeUrl`). A working proof-of-concept was validated on the official doryphore 4.6.5 release; no public exploit identification as KEV-confirmed active exploitation exists at time of analysis, but a complete PoC with exact payloads is publicly available as part of the advisory.

XSS Information Disclosure PHP
NVD GitHub
CVSS 6.1
MEDIUM POC PATCH This Month

Reflected XSS in YesWiki doryphore 4.6.5 allows an attacker to execute arbitrary JavaScript in a victim's browser by exploiting unescaped output of the `time` GET parameter in the archived-revision edit form at `handlers/page/show.php`. A working proof-of-concept has been published by the reporter and confirmed against the official package; the attack exploits MySQL's DATETIME coercion to accept a malformed timestamp that begins with a real archived revision value yet appends injected markup, causing the archived-revision branch to render and reflect the payload unescaped. No active exploitation has been confirmed by CISA KEV, but the detailed PoC lowers the barrier to weaponization.

XSS Information Disclosure RCE +1
NVD GitHub
CVSS 5.5
MEDIUM POC PATCH This Month

Stored XSS in YesWiki's Bazar form module allows a privileged form editor to inject persistent script payloads into field label and hint fields, which execute in the browser context of every subsequent visitor - including unauthenticated guests - who renders an affected form. The vulnerability is a sibling class of an incomplete fix at commit e6b66aa: that commit removed the dangerous |raw('html') filter from two Twig template call sites but left eleven additional sites in range.twig, email.twig, layouts/input.twig, layouts/field.twig, textarea.twig, user.twig, bookmarklet.twig, subscribe.twig, and linked-entry.twig still suppressing Twig's HTML auto-escaping. No active exploitation is confirmed in CISA KEV, but a detailed proof-of-concept with exact payloads, rendered HTML output, and affected line numbers is included in GitHub Security Advisory GHSA-xc7j-3g8q-9vh4, and patch commit 5d1a4d07 is publicly available.

XSS CSRF PHP
NVD GitHub
EPSS 1% CVSS 1.3
LOW PATCH Monitor

Multiple stored and reflected cross-site scripting vulnerabilities in PAN-OS expose the User-ID Authentication Portal (Captive Portal), GlobalProtect gateway/portal, and Clientless VPN web interfaces to unauthenticated attackers who can inject and execute arbitrary JavaScript in victim browsers. Affected deployments span PA-Series and VM-Series firewalls and Panorama management platforms; Cloud NGFW is explicitly not affected. No public exploit code exists (CVSS 4.0 E:U), and the vendor states risk is substantially reduced - potentially minimized - when portal and management access is restricted to trusted internal IP ranges per Palo Alto's recommended hardening guidelines.

XSS Paloalto Pan Os
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Cross-site scripting in YzmCMS through version 7.5 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript by manipulating the HTTP Host header processed by the `get_url` function in `/yzmphp/yzmphp.php`. The Header Handler component reflects the attacker-controlled `HTTP_HOST` value into generated page output without sanitization, enabling payload execution in a victim's browser upon page visit. A public proof-of-concept exploit has been disclosed; no patch exists and the vendor did not respond to coordinated disclosure, leaving all deployments at or below v7.5 exposed.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Privilege escalation and server-side code execution in Open WebUI before 0.10.0 lets a low-privileged authenticated user plant a malicious chat payload that, when a victim (typically an admin) clicks Run, executes client-side Python via Pyodide in a same-origin web worker and issues authenticated same-origin requests to admin-only endpoints. Because the requests inherit the victim's session, the attacker can reach administrative APIs and trigger server-side code execution through configured tools. No public exploit has been identified at time of analysis, and EPSS is low (0.25%), but CVSS is 9.0 with total technical impact per CISA SSVC.

XSS Python Open Webui
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Stored cross-site scripting in the Tag plugin for GLPI 11 (versions before 2.14.4) allows an authenticated user holding TAG MANAGEMENT create/update rights to persist an HTML/JavaScript payload in a tag name, which then executes in the browser of any user who opens the Kanban view of a ticket, problem, change, or project the tag is attached to. The flaw stems from PluginTagTag::preKanbanContent() rendering the unsanitized tag name into badge markup without output escaping. No public exploit identified at time of analysis; the issue was reported by VulnCheck and a vendor patch (2.14.4) is available.

XSS Glpi 11
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored XSS in Twiser OKRs & Goals (builds 28220 through pre-28398) allows authenticated low-privileged users to inject persistent malicious scripts that execute in other authenticated users' browsers. The CVSS scope change (S:C) confirms cross-user impact - a hallmark of stored XSS where one user's injected payload affects others who subsequently view the same content. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this firmly in standard patch-cycle priority.

XSS Okrs Goals
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the WP Cost Estimation & Payment Forms Builder (E&P Forms) WordPress plugin (Loopus) affects all versions through 10.5.97 and lets unauthenticated attackers persist arbitrary JavaScript via the 'customerInfos' parameter that fires when any user later views the injected page. Reported by Wordfence with a CVSS 3.1 base score of 7.2 (scope-changed), this is a persistent, no-authentication injection primitive rather than a reflected one. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation is not confirmed in the wild.

WordPress XSS Wp Cost Estimation Payment Forms Builder
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the EventPrime events plugin for WordPress (versions through 4.3.4.2, by Metagauss) lets low-privileged or, in one configuration, unauthenticated actors persist arbitrary JavaScript through the 'new_event_type_background_color' field of the event-type creation flow. The injected script runs in the browser of any user who later views the affected page, enabling session/context theft in the WordPress front end and admin context. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; the finding was reported by Wordfence.

WordPress XSS Eventprime Events Calendar Bookings And Tickets
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Stored cross-site scripting in OceanicSoft ValeApp (all builds through 09072026) lets an attacker persist malicious script into the application so it executes in other users' browser sessions when they view the affected page. Reported by Turkey's national CERT (TR-CERT) and tracked in the ENISA EUVD, the flaw carries a vendor/CERT CVSS of 9.3 driven by a scope change and high confidentiality/integrity impact. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor was unresponsive to disclosure, so no fix is expected in the near term.

XSS Valeapp
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting in BiEticaret, a Turkish e-commerce platform by Inrove Software and Internet Services, enables remote unauthenticated attackers to inject and execute malicious JavaScript in victims' browsers by tricking them into clicking a crafted URL. All versions prior to v3.3.57 are affected across the full product line. No active exploitation has been confirmed by CISA KEV, and no public proof-of-concept has been identified at time of analysis; however, the low attack complexity and absence of authentication requirements make this straightforward to exploit once a target is socially engineered.

XSS Bieticaret
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the Mang Board WP WordPress plugin (all versions through 2.3.4) allows unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'stag' parameter, which executes in the browser of any user who clicks a crafted link. Wordfence's source-level analysis identifies the flaw spanning multiple plugin files including _header.php, func.board.php, and class.store.php. No active exploitation has been identified (not in CISA KEV) and no EPSS score was provided, but the PR:N/UI:R profile makes this a viable phishing-assisted attack against WordPress site administrators and editors.

WordPress XSS Mang Board Wp
NVD
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored HTML injection in Nozomi Networks Guardian and CMC (N2OS) allows authenticated administrators to embed malicious HTML into configuration data rendered in the Diagram tab and Graph view, enabling phishing and open redirect attacks against other authenticated users who view the affected pages. The vulnerability originates from a shared input validation function applied across multiple input vectors in N2OS that is insufficiently restrictive, permitting certain HTML tags to persist. Full XSS exploitation and direct information disclosure are explicitly constrained by existing input validation and a Content Security Policy, limiting realistic attacker impact to social engineering vectors. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

XSS Open Redirect Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Bookero.pl WordPress booking plugin (versions up to and including 2.2) allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the `bookero_products` shortcode. The `bookero_products()` function in `libraries/bookero-front.php` (lines 173-174) concatenates the raw `hide_products` and `filter_products` attribute values directly into an inline `<script>` block with no sanitization or output escaping, meaning any page rendered with the poisoned shortcode will execute the attacker-supplied script in every visitor's browser. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

WordPress XSS Bookero Pl System Rezerwacji Online
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Customer Reviews for WooCommerce WordPress plugin (all versions ≤ 5.113.0) allows contributor-level authenticated users to inject arbitrary JavaScript via the 'color' attribute of the trust badge shortcode, which then executes in the browsers of every subsequent visitor to the compromised page. The trust badge rendering code in class-cr-trust-badge.php and badge-small.php fails to sanitize or escape shortcode attribute input before writing it to HTML output. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; a patch commit is referenced in the WordPress SVN repository.

WordPress XSS Customer Reviews For Woocommerce
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Connect Contact Form 7 and Mailchimp WordPress plugin (all versions through 0.9.78.06) lets unauthenticated visitors plant JavaScript through Mailchimp merge-field values submitted via a Contact Form 7 form. The payload lies dormant until an Administrator runs a Contact Lookup on the submitted email address, at which point the script executes in the privileged admin session. Reported by Wordfence with a CVSS of 7.2; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress XSS Connect Contact Form 7 And Mailchimp
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the WordPress Download Manager plugin (all versions through 3.3.61) allows authenticated contributors to inject persistent JavaScript payloads via the 'note_before' and 'note_after' shortcode attributes. The root cause is an unescaped output sink in the shortcode renderer: although wp_kses_post filters post content on save for users lacking the unfiltered_html capability, kses-allowed tag and attribute combinations that survive filtering are passed directly to the unsafe sink and execute in victims' browsers when the injected page is rendered. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress XSS Download Manager
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the AcyMailing WordPress newsletter plugin (all versions up to and including 10.10.2) permits authenticated contributors to inject persistent arbitrary scripts via the unsanitized 'alignment' attribute across both the classic form builder and Gutenberg block editor code paths. Any user - including unauthenticated site visitors - who subsequently loads a page containing the injected element triggers script execution in their browser, enabling session hijacking, credential theft, or malicious redirects. No public exploit identified at time of analysis and no CISA KEV listing, though the CVSS scope change (S:C) correctly reflects the cross-user, cross-session impact characteristic of stored XSS.

WordPress XSS Acymailing An Ultimate Newsletter Plugin And Marketing Automation Solution For Wordpress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Ultimate Post (PostX) WordPress plugin versions up to and including 5.0.31 allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the 'moreResultsText' attribute of the advanced-search Gutenberg block. The root cause is a sanitization gap: the render callback applies wp_kses() which strips disallowed HTML tags but does not encode special characters like double quotes in attribute context, and the unsanitized value is then concatenated directly into the data-viewmoretext HTML attribute without esc_attr(), allowing attribute boundary escape. No public exploit code has been identified at time of analysis, and no EPSS data was provided, but the contributor-level access requirement represents the primary real-world friction point for exploitation.

WordPress XSS Post Grid Gutenberg Blocks Postx
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Block, Suspend, Report for BuddyPress WordPress plugin (bp-toolkit) through version 3.6.4 allows low-privileged authenticated attackers to inject persistent malicious scripts via the 'link' parameter in report submissions. Authenticated users with subscriber-level access can plant JavaScript payloads that execute in any visitor's browser upon accessing the affected report pages, with Changed Scope (S:C) indicating execution in the victim's security context rather than the application's. No public exploit code has been identified at time of analysis and the vulnerability has not been added to CISA KEV, but on BuddyPress community sites with open registration the subscriber-level prerequisite is trivially satisfied.

WordPress XSS Block Suspend Report For Buddypress
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH NO ACTION HOSTED Monitor

Cross-site scripting in Microsoft Dynamics 365 Customer Voice allows a remote, unauthenticated attacker to inject script that executes in a victim's browser session and perform spoofing once the victim interacts with attacker-supplied content. The flaw carries a CVSS 9.3 rating driven largely by a scope change (S:C), meaning injected script escapes into a different security context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Dynamics 365 Customer Voice
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome's Forms implementation prior to version 150.0.7871.115 permits remote, unauthenticated attackers to inject arbitrary scripts or HTML across any browser origin by luring a victim to a crafted HTML page. The Scope:Changed metric in the CVSS vector reflects the defining characteristic of UXSS: unlike conventional XSS, the injected script executes outside the attacker-controlled page's origin, effectively bypassing the Same-Origin Policy and threatening any concurrent browser session. No public exploit code or confirmed active exploitation has been identified at time of analysis; SSVC rates exploitation as none and the attack as non-automatable due to the required user interaction.

XSS Google
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome's WebGL implementation prior to version 150.0.7871.115 allows remote attackers to bypass the Same-Origin Policy and inject arbitrary scripts or HTML into cross-origin contexts via a crafted HTML page. The vulnerability carries a scope change (S:C) in its CVSS vector, reflecting the cross-origin boundary violation inherent to UXSS. No public exploit has been identified at time of analysis, and CISA's SSVC assessment marks exploitation status as none with no automatable exploitation path, reducing immediate real-world urgency despite the sensitivity of cross-origin script execution.

XSS Google
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Stored cross-site scripting in HP IP phone WebUI allows a low-privileged authenticated attacker to inject malicious script content into configuration parameters, which the phone's web management interface later renders unsanitized to visiting users. When an administrator browses the affected WebUI page, the injected payload executes in their browser session, producing a High integrity impact within the WebUI context. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis; HP has published advisory HPSBPY04108 addressing the issue.

XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored/reflected cross-site scripting in GitLab Enterprise Edition lets an authenticated user holding Developer-role permissions inject arbitrary scripts that execute in a victim user's browser session, enabling session hijacking or actions performed as the victim. It affects a broad version range (13.11 through 18.11.6, 19.0.x before 19.0.4, and 19.1.x before 19.1.2) and stems from improper sanitization of user-supplied input. There is no public exploit identified at time of analysis, though the flaw was disclosed through a HackerOne bug-bounty report.

XSS Gitlab
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Appium's base-driver allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser on the Appium server origin. All Appium installations prior to 10.7.0 unconditionally expose three test routes whose `compileLodashTemplate` handler reflects unsanitized user-controlled inputs - the `throwError` query parameter, the `comments` POST field, and the `User-Agent` request header - directly into rendered HTML without output encoding. No public exploit has been identified at time of analysis, but the zero-authentication requirement and permanently-mounted test routes make any network-reachable Appium server an attack surface with no opt-out mechanism below the fix version.

XSS Appium Base Driver
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in the Plate rich-text editor (versions 53.0.0 through 53.1.3) lets a crafted document execute attacker JavaScript when a victim opens it. The media embed renderer trusts serialized provider/sourceUrl metadata in useMediaState and skips parseMediaUrl protocol validation, so an attacker can flag a URL as a legitimate video provider while keeping a javascript: payload that MediaEmbedElement renders directly as an iframe src. No public exploit has been identified at time of analysis, and the flaw is fixed in 53.1.4.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored/reflected cross-site scripting in GitLab CE/EE (all versions from 15.7 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2) lets an authenticated user inject unsanitized input that executes arbitrary JavaScript in a victim's browser session, enabling session hijacking or actions on the victim's behalf. The scope-changed CVSS 7.3 reflects that the payload crosses a security boundary into another user's context. There is no public exploit identified at time of analysis, though the flaw originated from a HackerOne bug bounty submission and vendor patches are already available.

XSS Gitlab
NVD VulDB
CVSS 8.2
HIGH PATCH This Week

Stored cross-site scripting in the lxml_html_clean Cleaner (≤ 0.4.4) and the bundled lxml legacy html.clean module (≤ 6.1.0) lets attackers smuggle javascript: URLs through HTML sanitization on the namespaced xlink:href attribute. When callers configure Cleaner with safe_attrs_only=False, the URL-scheme scrubber never inspects <a xlink:href="javascript:..."> inside SVG or MathML, so the payload survives and executes when a victim clicks the rendered anchor. Publicly available exploit code exists (a working reproducer ships with the advisory), but there is no public exploit identified as being used in active attacks and the issue is not in CISA KEV.

XSS Python Canonical +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Mistune prior to 3.3.0 stems from an incomplete URI scheme blocklist in the `safe_url` filter, permitting legacy and chained schemes (`feed:`, `jar:`, `livescript:`, `mocha:`, `ms-its:`, `mk:`, `res:`, `view-source:`) to pass unchecked into rendered `href` and `src` attributes. Any web application that accepts user-supplied Markdown, renders it via Mistune's HTML renderer, and serves the output to other users' browsers is exposed to stored or reflected XSS. No public exploit or CISA KEV listing has been identified at time of analysis; however, the CVSS 6.1 score with scope change (S:C) reflects genuine cross-session impact when the victim interacts with attacker-controlled content.

XSS Python Mistune
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-site scripting in Mistune (Python Markdown parser) prior to version 3.2.1 allows injection of arbitrary HTML attributes via the Admonition directive's `:class:` option, critically bypassing HTMLRenderer escape mode even when it is explicitly enabled. Applications that render user-controlled Markdown with admonition directives and serve the resulting HTML to web browsers are exposed to stored or reflected XSS, enabling session hijacking, credential theft, or malicious DOM manipulation. No public exploit has been identified at time of analysis, and a vendor-released patch is available in v3.2.1.

XSS Python Mistune
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Mistune Python Markdown parser (all versions before 3.3.0) allows attacker-controlled Markdown content containing percent-encoded javascript: URIs to bypass the HTMLRenderer.safe_url() URL sanitization filter and execute arbitrary script in victim browsers. The bypass works because safe_url() checks the raw string without first decoding percent-encoded characters, so schemes like %6Aavascript: or %6aVaScRiPt: evade detection while remaining valid to browsers. Any web application that renders user-supplied or attacker-influenced Markdown through Mistune and serves the output to other users is exposed. No public exploit or CISA KEV listing has been identified at time of analysis.

XSS Python Mistune
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Server-side rendering XSS in Hono's hono/css module (versions 4.0.0 through 4.12.26) allows injection of arbitrary HTML markup by exploiting the cx() function's failure to HTML-escape input before marking it as safe. When untrusted data flows into a cx() call used in a JSX class attribute during SSR, attackers can break out of the attribute context and inject arbitrary markup or script into the rendered page delivered to victims. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 6.1 Medium score with Scope:Changed reflects the cross-context server-to-browser impact.

XSS Hono
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored/reflected cross-site scripting in the Ad Hoc Transfer module of Progress MOVEit Transfer lets an authenticated low-privilege user inject script that executes in another user's browser session, per the CVSS PR:L/UI:R vector. Affected builds are 2026.0.0 before 2026.0.1, 2025.1.0 before 2025.1.4, and 2025.0.0 before 2025.0.8. No public exploit identified at time of analysis, though MOVEit Transfer's history as a mass-exploitation target (prior GoAnywhere/MOVEit campaigns) makes prompt patching prudent.

XSS Moveit Transfer
NVD VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Prototype pollution in CyberChef prior to 11.2.0 enables cross-site scripting via a chained operation attack. The Series Chart operation accepts `__proto__` as a valid CSV key without sanitization, corrupting the JavaScript Object prototype; when downstream operations such as Parse UDP generate HTML output, the polluted prototype injects attacker-controlled JavaScript that executes in the victim's browser. The vendor has released a fix in version 11.2.0; no public exploit and no CISA KEV listing have been identified at time of analysis.

XSS Cyberchef
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored XSS in AVideo's Meet plugin allows an anonymous, unauthenticated attacker to inject arbitrary JavaScript into privileged administrator and host browser sessions by supplying a malicious HTTP User-Agent header when joining any public meeting. The getMeetInfo.json.php endpoint persists the raw User-Agent value in meet_join_log.user_agent, bypassing AVideo's xss_esc() setter and omitting htmlspecialchars() at the output layer in the Participants management panel, where it renders in authenticated host and admin sessions. No vendor patch was available at the time of disclosure; no public exploit code or CISA KEV listing has been identified.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored CSS injection in Grav CMS (all 2.0 branch releases through 2.0.0-rc.9) lets a lower-privileged content editor manipulate the visual interface seen by higher-privileged administrators and reviewers. The resize() Markdown media action in Excerpts::processMediaActions() writes caller-controlled values directly into rendered img style attributes without sanitization, despite prior hardening that blocked the ?style= and attribute() vectors. An attacker with editorial access can store a crafted image URL with semicolon-delimited CSS declarations that render a full-viewport overlay when a privileged user views the page, enabling UI redress and content-manipulation attacks. No public exploit has been identified at time of analysis; the vendor-confirmed fix is Grav 2.0.0.

XSS
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unrestricted file upload in Grav API Plugin 1.0.0 allows authenticated users to store arbitrary content - including PHP scripts, SVG with embedded JavaScript, and polyglot payloads - via the avatar upload endpoint by supplying a forged client-declared MIME type beginning with 'image/'. The endpoint performs no server-side content inspection and imposes no extension restriction, so malicious files are written to user/accounts/avatars/ with predictable filenames. Immediate exploitation is partially mitigated by an .htaccess rule that returns HTTP 403 on direct access, but the files persist on disk and represent a latent RCE or stored XSS vector if a co-resident path traversal flaw or server misconfiguration bypasses that control. No public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal XSS PHP +2
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored cross-site scripting in n8n before 2.8.0 allows authenticated low-privilege users to inject malicious JavaScript URLs into OAuth2 credential Authorization URL fields within the credential management flow. When a victim - potentially a higher-privileged user - clicks the OAuth authorization button on the crafted credential, arbitrary scripts execute in their browser session carrying the victim's privileges. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the stored nature of the payload means a single malicious credential can be surfaced to multiple targets in collaborative n8n environments.

XSS N8n
NVD GitHub VulDB
Prev Page 3 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy