Skip to main content

XSS

38830 CVEs technique

Monthly

CVE-2025-15363 MEDIUM POC PATCH This Month

The Get Use APIs WordPress plugin before version 2.0.10 contains a Cross-Site Scripting (XSS) vulnerability that arises from unsanitized execution of imported JSON data. This vulnerability allows attackers with contributor-level privileges (a low-level WordPress role) to inject and execute malicious scripts under certain server configurations, potentially compromising site integrity and user data. A public proof-of-concept exploit is available via WPScan, and the vulnerability has been documented in multiple intelligence sources (WPScan, VulDB, and EUVD-2025-208813), indicating active awareness in the security community.

WordPress XSS
NVD WPScan VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-1780 MEDIUM This Month

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the [CR]Paid Link Manager WordPress plugin through version 0.5, caused by insufficient input sanitization and output escaping in the URL path parameter. Unauthenticated attackers can craft malicious URLs containing arbitrary JavaScript that executes in the browsers of users who click the link, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability has a moderate CVSS score of 6.1 and requires user interaction (UI:R), but the network-accessible attack vector (AV:N) and lack of privilege requirements make it a practical threat for WordPress sites using this plugin.

WordPress XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-4268 MEDIUM This Month

WP Go Maps (formerly WP Google Maps) plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'wpgmza_custom_js' parameter due to insufficient input sanitization and output escaping. Authenticated attackers with Subscriber-level privileges or higher can inject arbitrary JavaScript code that executes in the browsers of users visiting affected pages, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability affects all versions up to and including 10.0.05, with a CVSS score of 6.4 indicating moderate severity but significant practical impact due to low attack complexity and the ability to affect site-wide functionality.

WordPress XSS Google
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4356 LOW POC Monitor

A Cross-Site Scripting (XSS) vulnerability exists in itsourcecode University Management System version 1.0, specifically in the /add_result.php file where the 'vr' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions within the application. A public proof-of-concept exploit is available on GitHub, and while the CVSS score is low (2.4), the vulnerability is actively documented in security databases and poses a real risk in educational environments.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4355 LOW Monitor

A stored or reflected cross-site scripting (XSS) vulnerability exists in Portabilis i-Educar 2.11 through improper input validation on the Name parameter in the /intranet/educar_servidor_curso_lst.php endpoint. An authenticated attacker can inject malicious JavaScript that executes in the context of other users' browsers, potentially enabling session hijacking, credential theft, or malware distribution. A public proof-of-concept exploit is available, and the vendor has not responded to early disclosure attempts, indicating no patch is currently available.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4354 LOW Monitor

A reflected cross-site scripting (XSS) vulnerability exists in TRENDnet TEW-824DRU wireless router firmware versions 1.010B01 and 1.04B01, affecting the apply_sec.cgi web interface component. An authenticated attacker can inject malicious JavaScript through the Language parameter in the sub_420A78 function, which is then executed in the context of another user's browser session. The vulnerability is publicly exploitable (working proof-of-concept available on GitHub), has a low CVSS score (3.5) due to authentication requirements and user interaction, but represents a real security concern for router administration interfaces where multiple users may access the web UI.

XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-29859 CRITICAL Act Now

aaPanel v7.57.0 contains an arbitrary file upload vulnerability that allows unauthenticated or low-privileged attackers to upload malicious files and achieve remote code execution on affected systems. The vulnerability exists in the file upload functionality of the web-based server management panel, enabling attackers to bypass file type validation and execute arbitrary code with the privileges of the aaPanel process. While no CVSS score or EPSS probability is available in current sources, the Remote Code Execution impact combined with file upload attack vectors suggests critical severity; exploitation feasibility is indicated by the existence of public vulnerability research repositories.

XSS RCE File Upload
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30048 npm MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability exists in NotChatbot WebChat widget versions through 1.4.4, where user-supplied input in chat messages is not properly sanitized before being stored and rendered in the chat history. This allows attackers to inject arbitrary JavaScript code that executes whenever the chat history is reloaded, affecting all independent implementations of the widget. A proof-of-concept has been publicly disclosed on GitHub (https://github.com/0xN4no/CVE-2026-30048) and a detailed technical writeup is available via Gist (https://gist.github.com/0xN4no/0601f398942a29259d217ea650f694fe), indicating active demonstration of exploitability.

XSS
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-30695 MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess physical access control devices across multiple product lines (XA4, X3/X3BIO, X4, X7, and XIO/i-door/i-door+). The vulnerability stems from improper sanitization of the dirBrowse parameter in the /file_manager.cgi endpoint, allowing attackers to inject malicious scripts that execute in the context of authenticated administrators. A public proof-of-concept has been disclosed on GitHub (https://github.com/iremnurylmz/CVE-2026-30695), and given the lack of CVSS/EPSS scoring data and KEV status confirmation, the true exploitation likelihood remains uncertain but the presence of a POC elevates practical risk.

XSS N A
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-32840 MEDIUM This Month

Stored cross-site scripting in Edimax GS-5008PL firmware version 1.00.54 and earlier allows authenticated attackers to inject malicious scripts through the sysName parameter in system_name_set.cgi, which execute when administrators access management pages. An attacker with login credentials can craft a POST request to persistently inject arbitrary JavaScript that compromises administrative sessions and enables unauthorized actions within the device management interface.

XSS Edimax Gs 5008pl
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33035 PHP MEDIUM PATCH This Month

Reflected XSS in AVideo's error message handling allows unauthenticated attackers to execute arbitrary JavaScript in victims' browsers by injecting malicious code through a URL parameter that bypasses `json_encode()` filtering. An attacker can craft a malicious link to steal session cookies, perform actions on behalf of the victim, or redirect users to malicious sites. A patch is available.

PHP XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-31938 npm MEDIUM PATCH This Month

HTML injection in PDF output functions allows remote attackers to execute arbitrary scripts in the browser context where generated PDFs are opened, exploitable when untrusted user input is passed unsanitized to the pdfObjectUrl, pdfJsUrl, or filename options. An attacker can craft malicious values through a web interface that, when used by victims to generate and open PDFs, execute arbitrary JavaScript in their browser with high impact on confidentiality and integrity. A patch is available to remediate this critical vulnerability affecting all users who process user-controlled PDF output parameters.

XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-62320 MEDIUM This Month

HTML Injection can be carried out in Product when a web application does not properly check or clean user input before showing it on a webpage.

XSS Sametime
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-32757 PHP MEDIUM PATCH This Month

Admidio's eCard functionality is vulnerable to stored XSS when authenticated users send greeting cards, as the application uses unsanitized POST data instead of properly filtered values during email construction. An authenticated attacker can inject malicious HTML and JavaScript into eCard emails sent to other members, bypassing the HTMLPurifier sanitization that occurs during form validation. No patch is currently available for this vulnerability affecting PHP-based Admidio installations.

PHP XSS
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-30882 MEDIUM This Month

Chamilo LMS versions 1.11.34 and prior contain a Reflected Cross-Site Scripting (XSS) vulnerability in the session category listing page where the keyword parameter is echoed directly into an HTML href attribute without encoding or sanitization. An attacker can inject arbitrary JavaScript by breaking out of the attribute context using a ">" payload, enabling session hijacking, credential theft, or malware distribution to any user who clicks a malicious link. The vulnerability is triggered when pagination controls render for datasets exceeding 20 items, and a patch is available in version 1.11.36.

XSS Chamilo Lms
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-32751 Go CRITICAL PATCH Act Now

SiYuan's mobile file tree fails to sanitize notebook names in WebSocket rename events, allowing authenticated users to inject arbitrary HTML and JavaScript that executes in other clients' browsers. When combined with Electron's insecure configuration (nodeIntegration enabled, contextIsolation disabled), this stored XSS escalates to remote code execution with full Node.js privileges on affected desktop and mobile clients. The vulnerability affects users with notebook rename permissions across Docker, Node.js, Python, and Apple platforms.

Docker RCE XSS Node.js Command Injection +4
NVD GitHub VulDB
CVSS 3.1
9.0
EPSS
0.4%
CVE-2026-32728 npm HIGH PATCH This Week

File upload validation bypass in applications using MIME parameter injection allows authenticated attackers to upload malicious files by appending parameters like `;charset=utf-8` to the Content-Type header, bypassing extension filters and default blocklists. This enables stored XSS attacks that can compromise session tokens, credentials, and sensitive browser data accessible to the application's domain. A patch is available that strips MIME parameters during validation and expands the default blocklist.

Information Disclosure XSS
NVD GitHub VulDB
EPSS
0.1%
CVE-2026-29520 MEDIUM This Month

Reflected XSS in Hereta ETH-IMC408M firmware versions 1.0.15 and earlier enables attackers to inject malicious scripts through the Network Diagnosis ping function's ping_ipaddr parameter. An attacker can craft a malicious link that, when clicked by an authenticated administrator, executes arbitrary JavaScript in their browser session, potentially compromising the device. No patch is currently available.

XSS Eth Imc408M Firmware
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-29513 MEDIUM This Month

Stored XSS in Hereta ETH-IMC408M firmware v1.0.15 and earlier allows authenticated users to execute arbitrary JavaScript in other users' browsers via unsanitized input in the Device Location field on the System Status interface. An attacker with valid credentials can inject malicious scripts that persist and execute when legitimate users access the status page, potentially enabling session hijacking or credential theft. No patch is currently available.

XSS Eth Imc408M Firmware
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-29510 MEDIUM This Month

Stored XSS in Hereta ETH-IMC408M firmware versions 1.0.15 and earlier enables authenticated attackers to execute arbitrary JavaScript in the System Status interface by injecting malicious code through the Device Name field. The vulnerability affects any user viewing the compromised status page, potentially leading to session hijacking or credential theft. No patch is currently available for this issue.

XSS Eth Imc408M Firmware
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-32722 PyPI LOW PATCH Monitor

## Summary Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping.

Python XSS
NVD GitHub VulDB
CVSS 3.1
3.6
EPSS
0.0%
CVE-2026-28499 MEDIUM PATCH This Month

LeafKit's HTML escaping mechanism fails to properly sanitize arrays and dictionaries when rendered via templates, enabling cross-site scripting (XSS) attacks where untrusted data is output unescaped. Applications using LeafKit templates to display user-controlled collections are vulnerable to arbitrary JavaScript execution in user browsers. A patch is available to address this vulnerability.

XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-2274 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation in Forcepoint Web Security (On-Prem) on Windows allows Stored XSS.This issue affects Web Security through 8.5.6.

XSS Microsoft
NVD VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-25369 HIGH This Week

A reflected Cross-Site Scripting (XSS) vulnerability exists in the Flexmls® IDX WordPress plugin through version 3.15.9, allowing attackers to inject malicious scripts into web pages that execute in victims' browsers when they click specially crafted links. The vulnerability has a CVSS score of 7.1 and requires user interaction but can impact confidentiality, integrity, and availability across different origins due to its scope change characteristic. While not currently listed in CISA KEV or showing high EPSS scores, the vulnerability represents a moderate risk for WordPress sites using this real estate listing plugin.

XSS Flexmls Idx
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69245 MEDIUM PATCH This Month

Raytha CMS contains a Reflected Cross-Site Scripting (XSS) vulnerability in the logon functionality's returnUrl parameter that allows attackers to inject arbitrary JavaScript code. When an authenticated victim clicks a malicious URL crafted by an attacker, the injected script executes in the victim's browser with the victim's privileges, potentially enabling session hijacking, credential theft, or unauthorized actions within the CMS. The vulnerability was remediated in version 1.4.6, and while no CVSS score or EPSS data is currently available, the nature of XSS in authentication contexts represents a significant security risk requiring prompt patching.

XSS Open Redirect Raytha
NVD
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-69242 MEDIUM PATCH This Month

Raytha CMS contains a reflected cross-site scripting (XSS) vulnerability in the backToListUrl parameter that allows unauthenticated attackers to inject arbitrary JavaScript code. When an authenticated victim visits a specially crafted malicious URL, the injected script executes in their browser context, potentially allowing session hijacking, credential theft, or malware distribution. The vulnerability was patched in version 1.4.6, and while the CVSS score of 5.1 is moderate, the attack requires user interaction (UI:A) but no authentication, making it a practical attack vector against admin users.

XSS Raytha
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-69241 MEDIUM PATCH This Month

Raytha CMS contains a Stored Cross-Site Scripting (XSS) vulnerability in the profile editing functionality, specifically within the FirstName and LastName parameters. An authenticated attacker can inject arbitrary HTML and JavaScript code that persists in the application and executes in the browsers of users viewing the compromised profile, potentially leading to session hijacking, credential theft, or defacement. This vulnerability has been remediated in version 1.4.6.

XSS Raytha
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-69237 MEDIUM PATCH This Month

Raytha CMS contains a Stored Cross-Site Scripting (XSS) vulnerability in the page creation functionality through the FieldValues[0].Value parameter, allowing authenticated attackers with content creation permissions to inject malicious HTML and JavaScript that executes when other users visit the edited page. The vulnerability affects Raytha CMS versions prior to 1.4.6 and has a CVSS score of 5.1 with limited scope impact due to required authentication and user interaction. While not currently listed in CISA's Known Exploited Vulnerabilities catalog, the low attack complexity and availability of vendor patch make this a moderate but manageable risk for deployed instances.

XSS Authentication Bypass Raytha
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-69236 MEDIUM PATCH This Month

Raytha CMS contains a Stored Cross-Site Scripting (XSS) vulnerability in the post editing functionality, specifically within the FieldValues[1].Value parameter that fails to sanitize user input before storage and rendering. An authenticated attacker with post editing permissions can inject malicious HTML and JavaScript code that persists in the database and executes in the browsers of any user viewing the affected post, potentially leading to session hijacking, credential theft, or defacement. The vulnerability affects versions prior to 1.4.6 and does not appear to be actively exploited in the wild based on available intelligence, though the low CVSS score of 5.1 reflects the requirement for prior authentication and user interaction rather than the severity of the potential impact.

XSS Raytha
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-3024 MEDIUM PATCH This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Wakyma veterinary web application at the endpoint 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento', allowing authenticated users with low privileges to inject malicious scripts that persist in the application and execute in the browsers of other users, potentially enabling unauthorized data access and privilege escalation across the veterinary team. The vulnerability has a CVSS v4.0 base score of 4.8 (low-to-medium severity) but poses meaningful organizational risk due to its stored nature and the ability for low-privileged users to affect higher-privileged team members. No public exploit code or active exploitation in the wild has been reported at this time, though the attack requires only Network access and user interaction, making it feasible for insider threats.

XSS Privilege Escalation Information Disclosure Wakyma Application Web
NVD VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-4225 LOW POC Monitor

A cross-site scripting (XSS) vulnerability exists in CMS Made Simple versions up to 2.2.21 affecting the User Management Module's admin/listusers.php file. An attacker with high-level privileges can inject malicious JavaScript through the Message parameter to compromise other users' sessions or steal sensitive data. Public exploit code is available and the vulnerability has been actively exploited, making this a tangible threat despite its low CVSS score of 2.4.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-57543 MEDIUM This Month

Cross Site scripting vulnerability (XSS) in NetBox 4.3.5 "comment" field on object forms.

XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-65734 MEDIUM This Month

An authenticated arbitrary file upload vulnerability in the Courses/Work Assignments module of gunet Open eClass v3.11, and fixed in v3.13, allows attackers to execute arbitrary code via uploading a crafted SVG file.

RCE XSS File Upload
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-4186 LOW POC Monitor

A vulnerability was determined in UEditor up to 1.4.3.2.

PHP XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2017-20219 MEDIUM POC This Month

A DOM-based cross-site scripting (XSS) vulnerability exists in Serviio PRO's mediabrowser component that allows unauthenticated remote attackers to execute arbitrary JavaScript code in a user's browser context. The vulnerability affects multiple versions of Serviio PRO (1.6.1 through 1.8.0.0) and exploits unsafe handling of URL parameters passed from document.location to document.write(). Publicly available proof-of-concept exploits exist, making this a moderate-to-high priority vulnerability despite the CVSS 6.1 score.

XSS Serviio Pro
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2016-20036 MEDIUM POC This Month

Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting (XSS) vulnerabilities in the enginemanager interface where user-supplied input through parameters (appName, vhost, uiAppType, wowzaCloudDestinationType) is not properly sanitized before being returned to users. An attacker can inject malicious JavaScript to execute arbitrary code in a victim's browser session, potentially compromising administrator credentials or session tokens. A public proof-of-concept exploit exists, increasing real-world exploitation risk.

XSS Wowza Streaming Engine
NVD Exploit-DB VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2015-20119 MEDIUM POC This Month

RealtyScript 4.0.2 contains a stored cross-site scripting (XSS) vulnerability in the pages.php admin interface that allows authenticated attackers to inject malicious HTML and iframe elements through the text parameter. Attackers can craft POST requests to store malicious content that executes in the browsers of users viewing affected pages. A public proof-of-concept exploit exists (Exploit-DB 38496), making this vulnerability actively exploitable by authenticated threat actors.

PHP XSS Realtyscript
NVD Exploit-DB VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2015-20118 HIGH POC This Week

A stored cross-site scripting (XSS) vulnerability exists in RealtyScript 4.0.2's admin locations interface, allowing unauthenticated attackers to inject malicious JavaScript through the location_name parameter. Successful exploitation enables arbitrary code execution in administrator browsers when they view compromised location entries. A public proof-of-concept exploit is available on Exploit-DB, though no active exploitation has been reported (not in CISA KEV).

RCE PHP XSS Realtyscript
NVD Exploit-DB VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2015-20116 MEDIUM POC This Month

Stored cross-site scripting (XSS) vulnerability in Next Click Ventures RealtyScript 4.0.2 that allows unauthenticated attackers to inject malicious scripts through unsanitized CSV file upload filenames. When users process or view uploaded files, arbitrary JavaScript executes in their browsers with the ability to steal session cookies, modify page content, and perform actions on behalf of the victim. A public proof-of-concept exploit exists (Exploit-DB #38496), though no evidence of active KEV exploitation has been documented; the moderate CVSS score (6.1) reflects the requirement for user interaction to trigger the vulnerability.

XSS Realtyscript
NVD Exploit-DB VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2015-20115 HIGH POC This Week

Stored cross-site scripting (XSS) vulnerability in Next Click Ventures RealtyScript 4.0.2 that allows attackers to upload malicious JavaScript files through unsanitized file uploads in admin/tools.php. With a publicly available proof-of-concept exploit and a CVSS score of 7.2, attackers can execute JavaScript in the context of other users' browsers without authentication, though the vulnerability is not listed in CISA KEV and has no EPSS score indicating limited real-world exploitation.

PHP XSS Realtyscript
NVD Exploit-DB VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2015-20114 MEDIUM POC This Month

A cross-site scripting vulnerability in Next Click Ventures RealtyScript 4.0.2 (CVSS 6.1) that allows attackers. Risk factors: public PoC available.

XSS Realtyscript
NVD Exploit-DB VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2015-20113 MEDIUM POC This Month

RealtyScript 4.0.2 by Next Click Ventures contains both cross-site request forgery (CSRF) and persistent cross-site scripting (XSS) vulnerabilities that allow unauthenticated attackers to perform unauthorized administrative actions and inject malicious scripts into the application. An attacker can craft malicious web pages that trick authenticated users into performing unintended administrative actions, or inject persistent scripts that execute in the application context for all users. With a CVSS score of 5.3 and a network-based attack vector requiring no privileges or user interaction beyond initial application access, this represents a moderate integrity risk to affected deployments.

XSS CSRF Realtyscript
NVD Exploit-DB VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2013-20006 HIGH POC This Week

Persistent cross-site scripting (XSS) vulnerability affecting Qool CMS 2.0, allowing unauthenticated attackers to inject malicious JavaScript through multiple administrative POST parameters that execute in administrator browsers. A public proof-of-concept exploit is available on Exploit-DB, though no active exploitation is reported (not in KEV), and the CVSS score appears inflated given the actual attack requirements.

XSS Qool Cms
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2013-20005 MEDIUM POC This Month

Qool CMS 2.0 RC2 is vulnerable to cross-site request forgery (CSRF) that allows unauthenticated attackers to perform administrative actions on behalf of authenticated users. An attacker can craft malicious web pages that, when visited by a logged-in administrator, silently forge POST requests to the /admin/adduser endpoint to create root-level user accounts, resulting in unauthorized administrative access. The CVSS 5.3 score reflects moderate integrity impact with network attack vector and no privilege requirement, though the vulnerability requires user interaction (visiting a malicious page) to be exploited.

CSRF XSS Qool Cms
NVD Exploit-DB VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2016-20032 MEDIUM POC This Month

Stored cross-site scripting (XSS) vulnerability in ZKTeco ZKAccess Security System 5.3.1 that allows remote attackers to inject malicious scripts via the 'holiday_name' and 'memo' POST parameters without authentication. Multiple public proof-of-concept exploits are available, making this vulnerability actively exploitable in unpatched systems.

XSS Zkteco Zkaccess Security System
NVD Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2016-20027 MEDIUM POC This Month

Reflected cross-site scripting (XSS) vulnerability in ZKTeco ZKBioSecurity 3.0 that allows unauthenticated attackers to execute arbitrary HTML and JavaScript code in a victim's browser session through malicious URLs containing unsanitized parameters. The vulnerability affects all versions of ZKBioSecurity 3.0 across the product line, and publicly available exploits exist (confirmed via PacketStorm Security), making it a moderate-risk vulnerability (CVSS 6.1) with demonstrated real-world exploitation potential.

XSS Zkteco Zkbiosecurity
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-4175 PHP MEDIUM PATCH This Month

A vulnerability was determined in Aureus ERP up to 1.3.0-BETA2.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-4169 MEDIUM PATCH This Month

A security flaw has been discovered in Tecnick TCExam up to 16.6.0.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-4168 LOW POC PATCH Monitor

A vulnerability was identified in Tecnick TCExam 16.5.0.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4166 LOW POC Monitor

A vulnerability was found in Wavlink WL-NU516U1 240425.

XSS Wl Nu516U1
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4165 LOW Monitor

A vulnerability has been found in Worksuite HR, CRM and Project Management up to 5.5.25.

XSS Hr Crm And Project Management
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-32774 npm MEDIUM PATCH This Month

A cross-site scripting vulnerability in comment hypertext handling that allows attackers to inject malicious scripts (CVSS 6.4) that allows attackers. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

XSS Vulnogram
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-32732 npm POC PATCH This Week

Lean 4 VS Code Extension is a Visual Studio Code extension for the Lean 4 proof assistant. Projects that use @leanprover/unicode-input-component are vulnerable to an XSS exploit in 0.1.9 of the package and lower. The component re-inserted text in the input element back into the input element as unescaped HTML. The issue has been resolved in 0.2.0.

XSS Vscode Lean4
NVD GitHub VulDB
EPSS
0.0%
CVE-2026-32635 npm HIGH POC PATCH This Week

A Cross-Site Scripting (XSS) vulnerability in Angular's runtime and compiler allows attackers to bypass built-in sanitization when internationalization (i18n) is enabled on security-sensitive attributes like href, src, and action. The vulnerability affects Angular versions before 19.2.20, 20.3.18, 21.2.4, and 22.0.0-next.3, enabling attackers with low privileges to execute arbitrary JavaScript in users' browsers for session hijacking, data theft, and unauthorized actions. With a CVSS score of 8.6 and no current evidence of active exploitation or public POCs, this represents a serious but not yet weaponized threat to Angular applications using i18n features with user-controlled data.

XSS RCE
NVD GitHub HeroDevs VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-32626 CRITICAL Act Now

XSS in AnythingLLM 1.11.1 and earlier.

XSS RCE AI / ML Anything Llm
NVD GitHub
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-32612 PHP MEDIUM PATCH This Month

Statamic CMS versions prior to 6.6.2 contain a stored cross-site scripting (XSS) vulnerability in the control panel color mode preference functionality that allows authenticated users to inject malicious JavaScript code. When a higher-privileged administrator impersonates or accesses the account of an authenticated user who has injected malicious code, the JavaScript executes in the administrator's browser session with their elevated privileges. This vulnerability is network-accessible and requires low privileges but user interaction from the victim, resulting in a CVSS score of 5.4 with potential for session hijacking, data theft, or further privilege escalation depending on the administrator's role and permissions.

XSS
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32308 npm HIGH PATCH This Week

Cross-site scripting (XSS) vulnerability in OneUptime monitoring platform versions prior to 10.0.23, where the Markdown viewer component renders Mermaid diagrams with insecure settings that allow arbitrary JavaScript execution. An authenticated attacker with low privileges can inject malicious JavaScript through any markdown field (incident descriptions, status pages, monitor notes), potentially compromising other users' sessions. With an EPSS score of only 0.03% and no KEV listing, this appears to be a theoretical risk with no observed exploitation in the wild.

XSS Oneuptime
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2023-40693 MEDIUM PATCH This Month

This is a Stored or Reflected Cross-Site Scripting (XSS) vulnerability in IBM Sterling B2B Integrator and IBM Sterling File Gateway that allows authenticated users to inject arbitrary JavaScript code into the Web UI. An attacker with valid credentials can craft malicious payloads that execute in the context of other users' sessions, potentially leading to credential theft, session hijacking, or unauthorized actions within a trusted environment. With a CVSS score of 5.4 and requiring low attack complexity plus user interaction (clicking a malicious link), this vulnerability poses a moderate risk primarily in environments where user trust is high and credentials are valuable.

XSS IBM
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14504 MEDIUM PATCH This Month

This is a stored cross-site scripting (XSS) vulnerability in IBM Sterling B2B Integrator and IBM Sterling File Gateway that allows authenticated users to inject arbitrary JavaScript into the Web UI, potentially compromising session security and enabling credential theft. The vulnerability affects versions 6.1.0.0 through 6.2.2.0 across multiple minor version ranges, and while not yet listed as actively exploited in known vulnerability databases, the authentication requirement and UI-based attack surface present a moderate real-world risk for enterprises running these B2B integration platforms.

XSS IBM
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-0835 MEDIUM PATCH This Month

This is a stored or reflected cross-site scripting (XSS) vulnerability in IBM Sterling B2B Integrator and IBM Sterling File Gateway that allows authenticated users to inject arbitrary JavaScript code into the Web UI, potentially compromising credentials and session integrity. The vulnerability affects versions 6.1.0.0 through 6.2.2.0 across multiple release lines. While the CVSS score of 5.4 is moderate and exploitation requires authenticated access, the ability to alter UI functionality and exfiltrate credentials within a trusted session poses a real insider threat risk.

XSS IBM
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-13702 MEDIUM PATCH This Month

IBM Sterling Partner Engagement Manager versions 6.2.3.0-6.2.3.5 and 6.2.4.0-6.2.4.2 contain a stored or reflected cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can alter application functionality and potentially exfiltrate sensitive data (including credentials) from trusted user sessions. A patch is available from IBM; exploitation requires user interaction (UI:R) but no elevated privileges.

XSS IBM
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-12453 MEDIUM This Month

A Reflected Cross-Site Scripting (XSS) vulnerability exists in OpenText Vertica's management console application due to improper input neutralization during web page generation (CWE-79). The vulnerability affects Vertica versions 10.0 through 25.3.X, allowing attackers to inject malicious scripts that execute in users' browsers when they click attacker-controlled links. With a CVSS v4.0 score of 5.1 and network-based attack vector requiring user interaction, this represents a moderate risk with limited direct technical impact but potential for credential theft or session hijacking.

XSS Vertica
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-12454 MEDIUM This Month

This vulnerability is a Reflected Cross-Site Scripting (XSS) flaw in OpenText Vertica's management console that fails to properly neutralize user input during web page generation. The issue affects Vertica versions 10.0 through 25.1.x across multiple major version branches, allowing attackers to inject malicious scripts that execute in users' browsers. With a CVSS score of 5.1 (medium severity) and a network attack vector requiring only user interaction, this vulnerability poses a moderate but exploitable risk to Vertica deployments, particularly those exposing the management console to untrusted networks.

XSS Vertica
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-32462 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows DOM-Based XSS.This issue affects Master Addons for Elementor: from n/a through <= 2.1.3.

XSS Master Addons For Elementor Elementor
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-32460 MEDIUM This Month

Stored cross-site scripting in Ultimate Addons for Contact Form 7 through version 3.5.36 allows authenticated attackers with improper access controls to inject malicious scripts that execute in other users' browsers. An attacker can exploit this vulnerability to steal session tokens, modify form data, or perform actions on behalf of victims. No patch is currently available for this vulnerability.

XSS Ultimate Addons For Contact Form 7
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32455 MEDIUM This Month

A DOM-Based Cross-Site Scripting (XSS) vulnerability exists in the RealMag777 MDTF (Meta Data Filter and Taxonomy Filter) WordPress plugin affecting versions up to and including 1.3.5. An authenticated attacker with low privileges can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions. The vulnerability requires user interaction (UI:R) and is classified as moderate severity (CVSS 6.5), though its exploitability depends on plugin popularity and whether public proof-of-concept code becomes available.

XSS Mdtf
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32454 MEDIUM PATCH This Month

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in ThemeFusion Avada Core plugin versions prior to 5.15.0, allowing authenticated users with low privileges to inject malicious scripts that execute in other users' browsers. The vulnerability requires user interaction (UI:R) and affects the confidentiality, integrity, and availability of affected WordPress installations. With an EPSS score of 0.03% (8th percentile), real-world exploitation probability is currently low, though the vulnerability is documented and patched.

XSS Avada Core
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32450 MEDIUM This Month

A DOM-Based Cross-Site Scripting (XSS) vulnerability exists in the RealMag777 Active Products Tables for WooCommerce plugin (versions up to 1.0.7), allowing authenticated users with low privileges to inject malicious scripts that execute in other users' browsers. The vulnerability has a moderate CVSS score of 6.5 but carries a low exploitation probability (EPSS 0.03%, percentile 8%), indicating minimal real-world active exploitation risk despite the technical severity.

WordPress XSS
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32449 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Themify Event Post WordPress plugin (versions up to 1.3.4) that allows authenticated users with low privileges to inject malicious scripts into web pages, which are then executed in the browsers of other site visitors. An attacker with login credentials can craft malicious input that persists in the database and affects all users viewing affected pages, potentially leading to session hijacking, credential theft, or website defacement. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting but not eliminating real-world risk.

XSS Themify Event Post
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32448 MEDIUM This Month

A cross-site scripting vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

WordPress XSS
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32431 MEDIUM This Month

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Brainstorm Force Astra Bulk Edit WordPress plugin through version 1.2.10, allowing authenticated attackers to inject malicious scripts that execute in the context of other users' browsers. An attacker with low-privilege account access (e.g., contributor or editor role) can craft malicious input that, when processed by the bulk edit functionality, results in arbitrary JavaScript execution affecting site administrators and other users. The vulnerability requires user interaction (UI:R) but can affect multiple users across the site due to its stored/DOM-based nature, making it a persistent attack vector for privilege escalation or data exfiltration.

XSS Astra Bulk Edit
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32430 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in PowerPack Addons for Elementor (powerpack-lite-for-elementor) versions up to 2.9.9, allowing authenticated attackers with limited privileges to inject malicious scripts that persist in the application and execute in other users' browsers. While the CVSS score is moderate (6.5) and EPSS exploitation probability is low (0.03%, percentile 8%), the vulnerability requires user interaction (UI:R) and authenticated access (PR:L), reducing real-world exploitability. No evidence of active exploitation (KEV status) or public proof-of-concept has been identified at this time.

XSS Powerpack Addons For Elementor Elementor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32429 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in Magical Addons For Elementor, a WordPress plugin for the Elementor page builder, affecting versions up to and including 1.4.1. An authenticated attacker with low privileges can inject malicious JavaScript code that persists in the application and executes in the browsers of other users, potentially leading to session hijacking, credential theft, or defacement. This is a post-authentication vulnerability with user interaction required, making it moderately exploitable in real-world WordPress environments where multiple users collaborate on page design.

XSS Magical Addons For Elementor Elementor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32424 MEDIUM This Month

BoldGrid Sprout Clients contains a Stored Cross-Site Scripting (XSS) vulnerability in web page generation that allows authenticated users to inject and execute arbitrary JavaScript. The vulnerability affects Sprout Clients version 3.2.2 and earlier, enabling attackers with login credentials to compromise other users viewing affected pages. While the CVSS score of 6.5 indicates medium severity with network accessibility and low attack complexity, the stored nature of the XSS and requirement for user interaction (UI:R) limits immediate widespread automated exploitation.

XSS Sprout Clients
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32419 MEDIUM This Month

The List category posts WordPress plugin (versions through 0.93.1) contains a DOM-based cross-site scripting (XSS) vulnerability that allows authenticated attackers with high privileges to inject malicious scripts into web pages viewed by other users. An attacker can exploit this through improper input neutralization during web page generation, potentially leading to session hijacking, credential theft, or defacement. With a CVSS score of 5.9 and requiring high privileges plus user interaction, this represents a moderate-severity risk primarily to WordPress sites using this specific plugin.

XSS List Category Posts
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-32411 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Simpma Embed Calendly plugin (versions up to and including 4.4) that allows authenticated attackers to inject malicious scripts into web pages. An attacker with login privileges can craft malicious input that persists in the application and executes in the browsers of other users who view the affected content, potentially compromising session tokens, credentials, or sensitive data. While this vulnerability requires prior authentication (lowering immediate exposure), the stored nature means the payload affects multiple victims and persists across sessions.

XSS Embed Calendly
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32403 MEDIUM This Month

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in Toocheke Companion browser extension versions through 1.194, allowing authenticated attackers to inject malicious scripts that execute in the context of a user's web session. An attacker with login credentials can craft malicious input that bypasses input sanitization during web page generation, enabling session hijacking, credential theft, or malware distribution. While no active KEV exploitation or public proof-of-concept has been disclosed for this CVE, the CVSS 6.5 score reflects moderate severity due to the requirement for user interaction and authenticated access.

XSS Toocheke Companion
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32361 MEDIUM This Month

Editorial Calendar through version 3.9.0 contains a DOM-based cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through improper input sanitization during web page generation. An attacker with user privileges can exploit this to execute arbitrary JavaScript in the context of other users' browsers, potentially leading to credential theft or unauthorized actions. No patch is currently available for this vulnerability.

XSS Editorial Calendar
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32360 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Rich Showcase for Google Reviews widget (richplugins plugin) affecting versions through 6.9.4.3, where improper input neutralization during web page generation allows authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers. An attacker with administrative or plugin configuration access can store XSS payloads that will be executed for any user viewing the affected widget, potentially leading to session hijacking, credential theft, or defacement. While the CVSS score of 5.9 indicates moderate severity and requires user interaction and high privileges to exploit, the stored nature of this vulnerability means the payload persists and affects multiple users passively.

XSS Google
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-32359 MEDIUM This Month

Stored XSS in bPlugins Icon List Block through version 1.2.3 allows authenticated attackers to inject malicious scripts that execute in other users' browsers. An attacker with user-level access can craft malicious input that persists in the application and compromises the confidentiality, integrity, and availability of affected systems. No patch is currently available for this vulnerability.

XSS Icon List Block
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32356 MEDIUM This Month

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in robosoft Robo Gallery through version 5.1.2, allowing authenticated attackers to inject malicious scripts into web pages generated by the application. An attacker with login credentials can craft malicious input that executes arbitrary JavaScript in the context of other users' browsers, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), which moderates but does not eliminate the threat.

XSS Robo Gallery
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32352 MEDIUM This Month

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in Elementor Website Builder through version 3.35.5, allowing authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. An attacker can exploit this via a crafted page or element to steal session cookies, redirect users, or perform actions on their behalf. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), but carries a moderate CVSS score of 6.5 with cross-site impact (S:C), indicating meaningful business risk despite not being unauthenticated.

XSS Elementor Website Builder Elementor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32351 MEDIUM This Month

Stored XSS in blubrry PowerPress Podcasting through version 11.15.13 permits authenticated administrators with high privileges to inject malicious scripts that persist in web pages and execute in other users' browsers. An attacker with admin credentials can inject arbitrary JavaScript to steal session tokens, modify content, or perform actions on behalf of victims. No patch is currently available for this vulnerability.

XSS Powerpress Podcasting
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-31918 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in immonex Kickstart through version 1.13.0, allowing authenticated attackers to inject malicious scripts that persist in the application and execute in the browsers of other users who view the affected content. An attacker with login credentials can craft malicious input that bypasses input sanitization during web page generation, resulting in arbitrary JavaScript execution with access to session cookies, user data, and the ability to perform actions on behalf of victims. While no KEV or widespread exploitation data is available for this CVE, the vulnerability is exploitable with low attack complexity and requires only user interaction (UI click), making it a moderate-to-high priority for organizations running immonex Kickstart.

XSS Immonex Kickstart
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3986 MEDIUM This Month

Medium severity vulnerability in WordPress plugin. The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form settings in all versions up to, and including, 5.4.5.0. This is due to insufficient capability checks on the form settings save handler and insufficient input sanitization of the `fcontent` field in `fhtml` field types. This makes it possible for authenticated attackers, with Contributor-le...

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2257 MEDIUM This Month

Medium severity vulnerability in WordPress plugin. The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to update post metadata for arbitrary posts. Combined with a lack of input sanitization, this leads to S...

XSS Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-22210 MEDIUM PATCH This Month

wpDiscuz before version 7.6.47 contains a stored cross-site scripting (XSS) vulnerability in the WpdiscuzHelperUpload class that fails to properly escape attachment URLs when rendering HTML output. Attackers with limited privileges (contributor level or higher) can inject malicious JavaScript through crafted attachment records or WordPress filter hooks, which executes in the browsers of any WordPress user viewing the affected comments. This vulnerability requires user interaction (victim must view the comment) and has moderate real-world impact due to the authentication requirement and user interaction factor, though successful exploitation could lead to session hijacking or credential theft from comment viewers.

XSS WordPress Wpdiscuz
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-22209 MEDIUM PATCH This Month

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads like </style><script>alert(1)</script> in the custom CSS setting to execute arbitrary JavaScript in user browsers.

XSS Wpdiscuz
NVD VulDB GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-22192 HIGH PATCH This Week

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by importing a crafted options file with unescaped customCss field values. Attackers can supply a malicious JSON import file containing script payloads in the customCss parameter that execute on every page when rendered through the options handler withou...

XSS Wpdiscuz
NVD VulDB GitHub
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-22183 MEDIUM PATCH This Month

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in the inline comment preview functionality that allows authenticated users to inject malicious scripts by submitting comments with unescaped content. Attackers with unfiltered_html capabilities can inject JavaScript directly through comment content rendered in the AJAX response from the getLastInlineComments() function...

PHP XSS Wpdiscuz
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

The Get Use APIs WordPress plugin before version 2.0.10 contains a Cross-Site Scripting (XSS) vulnerability that arises from unsanitized execution of imported JSON data. This vulnerability allows attackers with contributor-level privileges (a low-level WordPress role) to inject and execute malicious scripts under certain server configurations, potentially compromising site integrity and user data. A public proof-of-concept exploit is available via WPScan, and the vulnerability has been documented in multiple intelligence sources (WPScan, VulDB, and EUVD-2025-208813), indicating active awareness in the security community.

WordPress XSS
NVD WPScan VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the [CR]Paid Link Manager WordPress plugin through version 0.5, caused by insufficient input sanitization and output escaping in the URL path parameter. Unauthenticated attackers can craft malicious URLs containing arbitrary JavaScript that executes in the browsers of users who click the link, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability has a moderate CVSS score of 6.1 and requires user interaction (UI:R), but the network-accessible attack vector (AV:N) and lack of privilege requirements make it a practical threat for WordPress sites using this plugin.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

WP Go Maps (formerly WP Google Maps) plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'wpgmza_custom_js' parameter due to insufficient input sanitization and output escaping. Authenticated attackers with Subscriber-level privileges or higher can inject arbitrary JavaScript code that executes in the browsers of users visiting affected pages, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability affects all versions up to and including 10.0.05, with a CVSS score of 6.4 indicating moderate severity but significant practical impact due to low attack complexity and the ability to affect site-wide functionality.

WordPress XSS Google
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

A Cross-Site Scripting (XSS) vulnerability exists in itsourcecode University Management System version 1.0, specifically in the /add_result.php file where the 'vr' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions within the application. A public proof-of-concept exploit is available on GitHub, and while the CVSS score is low (2.4), the vulnerability is actively documented in security databases and poses a real risk in educational environments.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW Monitor

A stored or reflected cross-site scripting (XSS) vulnerability exists in Portabilis i-Educar 2.11 through improper input validation on the Name parameter in the /intranet/educar_servidor_curso_lst.php endpoint. An authenticated attacker can inject malicious JavaScript that executes in the context of other users' browsers, potentially enabling session hijacking, credential theft, or malware distribution. A public proof-of-concept exploit is available, and the vendor has not responded to early disclosure attempts, indicating no patch is currently available.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

A reflected cross-site scripting (XSS) vulnerability exists in TRENDnet TEW-824DRU wireless router firmware versions 1.010B01 and 1.04B01, affecting the apply_sec.cgi web interface component. An authenticated attacker can inject malicious JavaScript through the Language parameter in the sub_420A78 function, which is then executed in the context of another user's browser session. The vulnerability is publicly exploitable (working proof-of-concept available on GitHub), has a low CVSS score (3.5) due to authentication requirements and user interaction, but represents a real security concern for router administration interfaces where multiple users may access the web UI.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

aaPanel v7.57.0 contains an arbitrary file upload vulnerability that allows unauthenticated or low-privileged attackers to upload malicious files and achieve remote code execution on affected systems. The vulnerability exists in the file upload functionality of the web-based server management panel, enabling attackers to bypass file type validation and execute arbitrary code with the privileges of the aaPanel process. While no CVSS score or EPSS probability is available in current sources, the Remote Code Execution impact combined with file upload attack vectors suggests critical severity; exploitation feasibility is indicated by the existence of public vulnerability research repositories.

XSS RCE File Upload
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability exists in NotChatbot WebChat widget versions through 1.4.4, where user-supplied input in chat messages is not properly sanitized before being stored and rendered in the chat history. This allows attackers to inject arbitrary JavaScript code that executes whenever the chat history is reloaded, affecting all independent implementations of the widget. A proof-of-concept has been publicly disclosed on GitHub (https://github.com/0xN4no/CVE-2026-30048) and a detailed technical writeup is available via Gist (https://gist.github.com/0xN4no/0601f398942a29259d217ea650f694fe), indicating active demonstration of exploitability.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess physical access control devices across multiple product lines (XA4, X3/X3BIO, X4, X7, and XIO/i-door/i-door+). The vulnerability stems from improper sanitization of the dirBrowse parameter in the /file_manager.cgi endpoint, allowing attackers to inject malicious scripts that execute in the context of authenticated administrators. A public proof-of-concept has been disclosed on GitHub (https://github.com/iremnurylmz/CVE-2026-30695), and given the lack of CVSS/EPSS scoring data and KEV status confirmation, the true exploitation likelihood remains uncertain but the presence of a POC elevates practical risk.

XSS N A
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in Edimax GS-5008PL firmware version 1.00.54 and earlier allows authenticated attackers to inject malicious scripts through the sysName parameter in system_name_set.cgi, which execute when administrators access management pages. An attacker with login credentials can craft a POST request to persistently inject arbitrary JavaScript that compromises administrative sessions and enables unauthorized actions within the device management interface.

XSS Edimax Gs 5008pl
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected XSS in AVideo's error message handling allows unauthenticated attackers to execute arbitrary JavaScript in victims' browsers by injecting malicious code through a URL parameter that bypasses `json_encode()` filtering. An attacker can craft a malicious link to steal session cookies, perform actions on behalf of the victim, or redirect users to malicious sites. A patch is available.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

HTML injection in PDF output functions allows remote attackers to execute arbitrary scripts in the browser context where generated PDFs are opened, exploitable when untrusted user input is passed unsanitized to the pdfObjectUrl, pdfJsUrl, or filename options. An attacker can craft malicious values through a web interface that, when used by victims to generate and open PDFs, execute arbitrary JavaScript in their browser with high impact on confidentiality and integrity. A patch is available to remediate this critical vulnerability affecting all users who process user-controlled PDF output parameters.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 4.7
MEDIUM This Month

HTML Injection can be carried out in Product when a web application does not properly check or clean user input before showing it on a webpage.

XSS Sametime
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Admidio's eCard functionality is vulnerable to stored XSS when authenticated users send greeting cards, as the application uses unsanitized POST data instead of properly filtered values during email construction. An authenticated attacker can inject malicious HTML and JavaScript into eCard emails sent to other members, bypassing the HTMLPurifier sanitization that occurs during form validation. No patch is currently available for this vulnerability affecting PHP-based Admidio installations.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Chamilo LMS versions 1.11.34 and prior contain a Reflected Cross-Site Scripting (XSS) vulnerability in the session category listing page where the keyword parameter is echoed directly into an HTML href attribute without encoding or sanitization. An attacker can inject arbitrary JavaScript by breaking out of the attribute context using a ">" payload, enabling session hijacking, credential theft, or malware distribution to any user who clicks a malicious link. The vulnerability is triggered when pagination controls render for datasets exceeding 20 items, and a patch is available in version 1.11.36.

XSS Chamilo Lms
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

SiYuan's mobile file tree fails to sanitize notebook names in WebSocket rename events, allowing authenticated users to inject arbitrary HTML and JavaScript that executes in other clients' browsers. When combined with Electron's insecure configuration (nodeIntegration enabled, contextIsolation disabled), this stored XSS escalates to remote code execution with full Node.js privileges on affected desktop and mobile clients. The vulnerability affects users with notebook rename permissions across Docker, Node.js, Python, and Apple platforms.

Docker RCE XSS +6
NVD GitHub VulDB
EPSS 0%
HIGH PATCH This Week

File upload validation bypass in applications using MIME parameter injection allows authenticated attackers to upload malicious files by appending parameters like `;charset=utf-8` to the Content-Type header, bypassing extension filters and default blocklists. This enables stored XSS attacks that can compromise session tokens, credentials, and sensitive browser data accessible to the application's domain. A patch is available that strips MIME parameters during validation and expands the default blocklist.

Information Disclosure XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected XSS in Hereta ETH-IMC408M firmware versions 1.0.15 and earlier enables attackers to inject malicious scripts through the Network Diagnosis ping function's ping_ipaddr parameter. An attacker can craft a malicious link that, when clicked by an authenticated administrator, executes arbitrary JavaScript in their browser session, potentially compromising the device. No patch is currently available.

XSS Eth Imc408M Firmware
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored XSS in Hereta ETH-IMC408M firmware v1.0.15 and earlier allows authenticated users to execute arbitrary JavaScript in other users' browsers via unsanitized input in the Device Location field on the System Status interface. An attacker with valid credentials can inject malicious scripts that persist and execute when legitimate users access the status page, potentially enabling session hijacking or credential theft. No patch is currently available.

XSS Eth Imc408M Firmware
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored XSS in Hereta ETH-IMC408M firmware versions 1.0.15 and earlier enables authenticated attackers to execute arbitrary JavaScript in the System Status interface by injecting malicious code through the Device Name field. The vulnerability affects any user viewing the compromised status page, potentially leading to session hijacking or credential theft. No patch is currently available for this issue.

XSS Eth Imc408M Firmware
NVD VulDB
EPSS 0% CVSS 3.6
LOW PATCH Monitor

## Summary Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping.

Python XSS
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

LeafKit's HTML escaping mechanism fails to properly sanitize arrays and dictionaries when rendered via templates, enabling cross-site scripting (XSS) attacks where untrusted data is output unescaped. Applications using LeafKit templates to display user-controlled collections are vulnerable to arbitrary JavaScript execution in user browsers. A patch is available to address this vulnerability.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation in Forcepoint Web Security (On-Prem) on Windows allows Stored XSS.This issue affects Web Security through 8.5.6.

XSS Microsoft
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

A reflected Cross-Site Scripting (XSS) vulnerability exists in the Flexmls® IDX WordPress plugin through version 3.15.9, allowing attackers to inject malicious scripts into web pages that execute in victims' browsers when they click specially crafted links. The vulnerability has a CVSS score of 7.1 and requires user interaction but can impact confidentiality, integrity, and availability across different origins due to its scope change characteristic. While not currently listed in CISA KEV or showing high EPSS scores, the vulnerability represents a moderate risk for WordPress sites using this real estate listing plugin.

XSS Flexmls Idx
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Raytha CMS contains a Reflected Cross-Site Scripting (XSS) vulnerability in the logon functionality's returnUrl parameter that allows attackers to inject arbitrary JavaScript code. When an authenticated victim clicks a malicious URL crafted by an attacker, the injected script executes in the victim's browser with the victim's privileges, potentially enabling session hijacking, credential theft, or unauthorized actions within the CMS. The vulnerability was remediated in version 1.4.6, and while no CVSS score or EPSS data is currently available, the nature of XSS in authentication contexts represents a significant security risk requiring prompt patching.

XSS Open Redirect Raytha
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Raytha CMS contains a reflected cross-site scripting (XSS) vulnerability in the backToListUrl parameter that allows unauthenticated attackers to inject arbitrary JavaScript code. When an authenticated victim visits a specially crafted malicious URL, the injected script executes in their browser context, potentially allowing session hijacking, credential theft, or malware distribution. The vulnerability was patched in version 1.4.6, and while the CVSS score of 5.1 is moderate, the attack requires user interaction (UI:A) but no authentication, making it a practical attack vector against admin users.

XSS Raytha
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Raytha CMS contains a Stored Cross-Site Scripting (XSS) vulnerability in the profile editing functionality, specifically within the FirstName and LastName parameters. An authenticated attacker can inject arbitrary HTML and JavaScript code that persists in the application and executes in the browsers of users viewing the compromised profile, potentially leading to session hijacking, credential theft, or defacement. This vulnerability has been remediated in version 1.4.6.

XSS Raytha
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Raytha CMS contains a Stored Cross-Site Scripting (XSS) vulnerability in the page creation functionality through the FieldValues[0].Value parameter, allowing authenticated attackers with content creation permissions to inject malicious HTML and JavaScript that executes when other users visit the edited page. The vulnerability affects Raytha CMS versions prior to 1.4.6 and has a CVSS score of 5.1 with limited scope impact due to required authentication and user interaction. While not currently listed in CISA's Known Exploited Vulnerabilities catalog, the low attack complexity and availability of vendor patch make this a moderate but manageable risk for deployed instances.

XSS Authentication Bypass Raytha
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Raytha CMS contains a Stored Cross-Site Scripting (XSS) vulnerability in the post editing functionality, specifically within the FieldValues[1].Value parameter that fails to sanitize user input before storage and rendering. An authenticated attacker with post editing permissions can inject malicious HTML and JavaScript code that persists in the database and executes in the browsers of any user viewing the affected post, potentially leading to session hijacking, credential theft, or defacement. The vulnerability affects versions prior to 1.4.6 and does not appear to be actively exploited in the wild based on available intelligence, though the low CVSS score of 5.1 reflects the requirement for prior authentication and user interaction rather than the severity of the potential impact.

XSS Raytha
NVD
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Wakyma veterinary web application at the endpoint 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento', allowing authenticated users with low privileges to inject malicious scripts that persist in the application and execute in the browsers of other users, potentially enabling unauthorized data access and privilege escalation across the veterinary team. The vulnerability has a CVSS v4.0 base score of 4.8 (low-to-medium severity) but poses meaningful organizational risk due to its stored nature and the ability for low-privileged users to affect higher-privileged team members. No public exploit code or active exploitation in the wild has been reported at this time, though the attack requires only Network access and user interaction, making it feasible for insider threats.

XSS Privilege Escalation Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

A cross-site scripting (XSS) vulnerability exists in CMS Made Simple versions up to 2.2.21 affecting the User Management Module's admin/listusers.php file. An attacker with high-level privileges can inject malicious JavaScript through the Message parameter to compromise other users' sessions or steal sensitive data. Public exploit code is available and the vulnerability has been actively exploited, making this a tangible threat despite its low CVSS score of 2.4.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross Site scripting vulnerability (XSS) in NetBox 4.3.5 "comment" field on object forms.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

An authenticated arbitrary file upload vulnerability in the Courses/Work Assignments module of gunet Open eClass v3.11, and fixed in v3.13, allows attackers to execute arbitrary code via uploading a crafted SVG file.

RCE XSS File Upload
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was determined in UEditor up to 1.4.3.2.

PHP XSS
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

A DOM-based cross-site scripting (XSS) vulnerability exists in Serviio PRO's mediabrowser component that allows unauthenticated remote attackers to execute arbitrary JavaScript code in a user's browser context. The vulnerability affects multiple versions of Serviio PRO (1.6.1 through 1.8.0.0) and exploits unsafe handling of URL parameters passed from document.location to document.write(). Publicly available proof-of-concept exploits exist, making this a moderate-to-high priority vulnerability despite the CVSS 6.1 score.

XSS Serviio Pro
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting (XSS) vulnerabilities in the enginemanager interface where user-supplied input through parameters (appName, vhost, uiAppType, wowzaCloudDestinationType) is not properly sanitized before being returned to users. An attacker can inject malicious JavaScript to execute arbitrary code in a victim's browser session, potentially compromising administrator credentials or session tokens. A public proof-of-concept exploit exists, increasing real-world exploitation risk.

XSS Wowza Streaming Engine
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.4
MEDIUM POC This Month

RealtyScript 4.0.2 contains a stored cross-site scripting (XSS) vulnerability in the pages.php admin interface that allows authenticated attackers to inject malicious HTML and iframe elements through the text parameter. Attackers can craft POST requests to store malicious content that executes in the browsers of users viewing affected pages. A public proof-of-concept exploit exists (Exploit-DB 38496), making this vulnerability actively exploitable by authenticated threat actors.

PHP XSS Realtyscript
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.2
HIGH POC This Week

A stored cross-site scripting (XSS) vulnerability exists in RealtyScript 4.0.2's admin locations interface, allowing unauthenticated attackers to inject malicious JavaScript through the location_name parameter. Successful exploitation enables arbitrary code execution in administrator browsers when they view compromised location entries. A public proof-of-concept exploit is available on Exploit-DB, though no active exploitation has been reported (not in CISA KEV).

RCE PHP XSS +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Stored cross-site scripting (XSS) vulnerability in Next Click Ventures RealtyScript 4.0.2 that allows unauthenticated attackers to inject malicious scripts through unsanitized CSV file upload filenames. When users process or view uploaded files, arbitrary JavaScript executes in their browsers with the ability to steal session cookies, modify page content, and perform actions on behalf of the victim. A public proof-of-concept exploit exists (Exploit-DB #38496), though no evidence of active KEV exploitation has been documented; the moderate CVSS score (6.1) reflects the requirement for user interaction to trigger the vulnerability.

XSS Realtyscript
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.2
HIGH POC This Week

Stored cross-site scripting (XSS) vulnerability in Next Click Ventures RealtyScript 4.0.2 that allows attackers to upload malicious JavaScript files through unsanitized file uploads in admin/tools.php. With a publicly available proof-of-concept exploit and a CVSS score of 7.2, attackers can execute JavaScript in the context of other users' browsers without authentication, though the vulnerability is not listed in CISA KEV and has no EPSS score indicating limited real-world exploitation.

PHP XSS Realtyscript
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

A cross-site scripting vulnerability in Next Click Ventures RealtyScript 4.0.2 (CVSS 6.1) that allows attackers. Risk factors: public PoC available.

XSS Realtyscript
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

RealtyScript 4.0.2 by Next Click Ventures contains both cross-site request forgery (CSRF) and persistent cross-site scripting (XSS) vulnerabilities that allow unauthenticated attackers to perform unauthorized administrative actions and inject malicious scripts into the application. An attacker can craft malicious web pages that trick authenticated users into performing unintended administrative actions, or inject persistent scripts that execute in the application context for all users. With a CVSS score of 5.3 and a network-based attack vector requiring no privileges or user interaction beyond initial application access, this represents a moderate integrity risk to affected deployments.

XSS CSRF Realtyscript
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

Persistent cross-site scripting (XSS) vulnerability affecting Qool CMS 2.0, allowing unauthenticated attackers to inject malicious JavaScript through multiple administrative POST parameters that execute in administrator browsers. A public proof-of-concept exploit is available on Exploit-DB, though no active exploitation is reported (not in KEV), and the CVSS score appears inflated given the actual attack requirements.

XSS Qool Cms
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Qool CMS 2.0 RC2 is vulnerable to cross-site request forgery (CSRF) that allows unauthenticated attackers to perform administrative actions on behalf of authenticated users. An attacker can craft malicious web pages that, when visited by a logged-in administrator, silently forge POST requests to the /admin/adduser endpoint to create root-level user accounts, resulting in unauthorized administrative access. The CVSS 5.3 score reflects moderate integrity impact with network attack vector and no privilege requirement, though the vulnerability requires user interaction (visiting a malicious page) to be exploited.

CSRF XSS Qool Cms
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Stored cross-site scripting (XSS) vulnerability in ZKTeco ZKAccess Security System 5.3.1 that allows remote attackers to inject malicious scripts via the 'holiday_name' and 'memo' POST parameters without authentication. Multiple public proof-of-concept exploits are available, making this vulnerability actively exploitable in unpatched systems.

XSS Zkteco Zkaccess Security System
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Reflected cross-site scripting (XSS) vulnerability in ZKTeco ZKBioSecurity 3.0 that allows unauthenticated attackers to execute arbitrary HTML and JavaScript code in a victim's browser session through malicious URLs containing unsanitized parameters. The vulnerability affects all versions of ZKBioSecurity 3.0 across the product line, and publicly available exploits exist (confirmed via PacketStorm Security), making it a moderate-risk vulnerability (CVSS 6.1) with demonstrated real-world exploitation potential.

XSS Zkteco Zkbiosecurity
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

A vulnerability was determined in Aureus ERP up to 1.3.0-BETA2.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

A security flaw has been discovered in Tecnick TCExam up to 16.6.0.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

A vulnerability was identified in Tecnick TCExam 16.5.0.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was found in Wavlink WL-NU516U1 240425.

XSS Wl Nu516U1
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW Monitor

A vulnerability has been found in Worksuite HR, CRM and Project Management up to 5.5.25.

XSS Hr Crm And Project Management
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

A cross-site scripting vulnerability in comment hypertext handling that allows attackers to inject malicious scripts (CVSS 6.4) that allows attackers. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

XSS Vulnogram
NVD GitHub VulDB
EPSS 0%
POC PATCH This Week

Lean 4 VS Code Extension is a Visual Studio Code extension for the Lean 4 proof assistant. Projects that use @leanprover/unicode-input-component are vulnerable to an XSS exploit in 0.1.9 of the package and lower. The component re-inserted text in the input element back into the input element as unescaped HTML. The issue has been resolved in 0.2.0.

XSS Vscode Lean4
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

A Cross-Site Scripting (XSS) vulnerability in Angular's runtime and compiler allows attackers to bypass built-in sanitization when internationalization (i18n) is enabled on security-sensitive attributes like href, src, and action. The vulnerability affects Angular versions before 19.2.20, 20.3.18, 21.2.4, and 22.0.0-next.3, enabling attackers with low privileges to execute arbitrary JavaScript in users' browsers for session hijacking, data theft, and unauthorized actions. With a CVSS score of 8.6 and no current evidence of active exploitation or public POCs, this represents a serious but not yet weaponized threat to Angular applications using i18n features with user-controlled data.

XSS RCE
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 9.6
CRITICAL Act Now

XSS in AnythingLLM 1.11.1 and earlier.

XSS RCE AI / ML +1
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Statamic CMS versions prior to 6.6.2 contain a stored cross-site scripting (XSS) vulnerability in the control panel color mode preference functionality that allows authenticated users to inject malicious JavaScript code. When a higher-privileged administrator impersonates or accesses the account of an authenticated user who has injected malicious code, the JavaScript executes in the administrator's browser session with their elevated privileges. This vulnerability is network-accessible and requires low privileges but user interaction from the victim, resulting in a CVSS score of 5.4 with potential for session hijacking, data theft, or further privilege escalation depending on the administrator's role and permissions.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Cross-site scripting (XSS) vulnerability in OneUptime monitoring platform versions prior to 10.0.23, where the Markdown viewer component renders Mermaid diagrams with insecure settings that allow arbitrary JavaScript execution. An authenticated attacker with low privileges can inject malicious JavaScript through any markdown field (incident descriptions, status pages, monitor notes), potentially compromising other users' sessions. With an EPSS score of only 0.03% and no KEV listing, this appears to be a theoretical risk with no observed exploitation in the wild.

XSS Oneuptime
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

This is a Stored or Reflected Cross-Site Scripting (XSS) vulnerability in IBM Sterling B2B Integrator and IBM Sterling File Gateway that allows authenticated users to inject arbitrary JavaScript code into the Web UI. An attacker with valid credentials can craft malicious payloads that execute in the context of other users' sessions, potentially leading to credential theft, session hijacking, or unauthorized actions within a trusted environment. With a CVSS score of 5.4 and requiring low attack complexity plus user interaction (clicking a malicious link), this vulnerability poses a moderate risk primarily in environments where user trust is high and credentials are valuable.

XSS IBM
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

This is a stored cross-site scripting (XSS) vulnerability in IBM Sterling B2B Integrator and IBM Sterling File Gateway that allows authenticated users to inject arbitrary JavaScript into the Web UI, potentially compromising session security and enabling credential theft. The vulnerability affects versions 6.1.0.0 through 6.2.2.0 across multiple minor version ranges, and while not yet listed as actively exploited in known vulnerability databases, the authentication requirement and UI-based attack surface present a moderate real-world risk for enterprises running these B2B integration platforms.

XSS IBM
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

This is a stored or reflected cross-site scripting (XSS) vulnerability in IBM Sterling B2B Integrator and IBM Sterling File Gateway that allows authenticated users to inject arbitrary JavaScript code into the Web UI, potentially compromising credentials and session integrity. The vulnerability affects versions 6.1.0.0 through 6.2.2.0 across multiple release lines. While the CVSS score of 5.4 is moderate and exploitation requires authenticated access, the ability to alter UI functionality and exfiltrate credentials within a trusted session poses a real insider threat risk.

XSS IBM
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

IBM Sterling Partner Engagement Manager versions 6.2.3.0-6.2.3.5 and 6.2.4.0-6.2.4.2 contain a stored or reflected cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can alter application functionality and potentially exfiltrate sensitive data (including credentials) from trusted user sessions. A patch is available from IBM; exploitation requires user interaction (UI:R) but no elevated privileges.

XSS IBM
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

A Reflected Cross-Site Scripting (XSS) vulnerability exists in OpenText Vertica's management console application due to improper input neutralization during web page generation (CWE-79). The vulnerability affects Vertica versions 10.0 through 25.3.X, allowing attackers to inject malicious scripts that execute in users' browsers when they click attacker-controlled links. With a CVSS v4.0 score of 5.1 and network-based attack vector requiring user interaction, this represents a moderate risk with limited direct technical impact but potential for credential theft or session hijacking.

XSS Vertica
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

This vulnerability is a Reflected Cross-Site Scripting (XSS) flaw in OpenText Vertica's management console that fails to properly neutralize user input during web page generation. The issue affects Vertica versions 10.0 through 25.1.x across multiple major version branches, allowing attackers to inject malicious scripts that execute in users' browsers. With a CVSS score of 5.1 (medium severity) and a network attack vector requiring only user interaction, this vulnerability poses a moderate but exploitable risk to Vertica deployments, particularly those exposing the management console to untrusted networks.

XSS Vertica
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows DOM-Based XSS.This issue affects Master Addons for Elementor: from n/a through <= 2.1.3.

XSS Master Addons For Elementor Elementor
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting in Ultimate Addons for Contact Form 7 through version 3.5.36 allows authenticated attackers with improper access controls to inject malicious scripts that execute in other users' browsers. An attacker can exploit this vulnerability to steal session tokens, modify form data, or perform actions on behalf of victims. No patch is currently available for this vulnerability.

XSS Ultimate Addons For Contact Form 7
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

A DOM-Based Cross-Site Scripting (XSS) vulnerability exists in the RealMag777 MDTF (Meta Data Filter and Taxonomy Filter) WordPress plugin affecting versions up to and including 1.3.5. An authenticated attacker with low privileges can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions. The vulnerability requires user interaction (UI:R) and is classified as moderate severity (CVSS 6.5), though its exploitability depends on plugin popularity and whether public proof-of-concept code becomes available.

XSS Mdtf
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in ThemeFusion Avada Core plugin versions prior to 5.15.0, allowing authenticated users with low privileges to inject malicious scripts that execute in other users' browsers. The vulnerability requires user interaction (UI:R) and affects the confidentiality, integrity, and availability of affected WordPress installations. With an EPSS score of 0.03% (8th percentile), real-world exploitation probability is currently low, though the vulnerability is documented and patched.

XSS Avada Core
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

A DOM-Based Cross-Site Scripting (XSS) vulnerability exists in the RealMag777 Active Products Tables for WooCommerce plugin (versions up to 1.0.7), allowing authenticated users with low privileges to inject malicious scripts that execute in other users' browsers. The vulnerability has a moderate CVSS score of 6.5 but carries a low exploitation probability (EPSS 0.03%, percentile 8%), indicating minimal real-world active exploitation risk despite the technical severity.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Themify Event Post WordPress plugin (versions up to 1.3.4) that allows authenticated users with low privileges to inject malicious scripts into web pages, which are then executed in the browsers of other site visitors. An attacker with login credentials can craft malicious input that persists in the database and affects all users viewing affected pages, potentially leading to session hijacking, credential theft, or website defacement. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting but not eliminating real-world risk.

XSS Themify Event Post
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

A cross-site scripting vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Brainstorm Force Astra Bulk Edit WordPress plugin through version 1.2.10, allowing authenticated attackers to inject malicious scripts that execute in the context of other users' browsers. An attacker with low-privilege account access (e.g., contributor or editor role) can craft malicious input that, when processed by the bulk edit functionality, results in arbitrary JavaScript execution affecting site administrators and other users. The vulnerability requires user interaction (UI:R) but can affect multiple users across the site due to its stored/DOM-based nature, making it a persistent attack vector for privilege escalation or data exfiltration.

XSS Astra Bulk Edit
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in PowerPack Addons for Elementor (powerpack-lite-for-elementor) versions up to 2.9.9, allowing authenticated attackers with limited privileges to inject malicious scripts that persist in the application and execute in other users' browsers. While the CVSS score is moderate (6.5) and EPSS exploitation probability is low (0.03%, percentile 8%), the vulnerability requires user interaction (UI:R) and authenticated access (PR:L), reducing real-world exploitability. No evidence of active exploitation (KEV status) or public proof-of-concept has been identified at this time.

XSS Powerpack Addons For Elementor Elementor
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in Magical Addons For Elementor, a WordPress plugin for the Elementor page builder, affecting versions up to and including 1.4.1. An authenticated attacker with low privileges can inject malicious JavaScript code that persists in the application and executes in the browsers of other users, potentially leading to session hijacking, credential theft, or defacement. This is a post-authentication vulnerability with user interaction required, making it moderately exploitable in real-world WordPress environments where multiple users collaborate on page design.

XSS Magical Addons For Elementor Elementor
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

BoldGrid Sprout Clients contains a Stored Cross-Site Scripting (XSS) vulnerability in web page generation that allows authenticated users to inject and execute arbitrary JavaScript. The vulnerability affects Sprout Clients version 3.2.2 and earlier, enabling attackers with login credentials to compromise other users viewing affected pages. While the CVSS score of 6.5 indicates medium severity with network accessibility and low attack complexity, the stored nature of the XSS and requirement for user interaction (UI:R) limits immediate widespread automated exploitation.

XSS Sprout Clients
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

The List category posts WordPress plugin (versions through 0.93.1) contains a DOM-based cross-site scripting (XSS) vulnerability that allows authenticated attackers with high privileges to inject malicious scripts into web pages viewed by other users. An attacker can exploit this through improper input neutralization during web page generation, potentially leading to session hijacking, credential theft, or defacement. With a CVSS score of 5.9 and requiring high privileges plus user interaction, this represents a moderate-severity risk primarily to WordPress sites using this specific plugin.

XSS List Category Posts
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Simpma Embed Calendly plugin (versions up to and including 4.4) that allows authenticated attackers to inject malicious scripts into web pages. An attacker with login privileges can craft malicious input that persists in the application and executes in the browsers of other users who view the affected content, potentially compromising session tokens, credentials, or sensitive data. While this vulnerability requires prior authentication (lowering immediate exposure), the stored nature means the payload affects multiple victims and persists across sessions.

XSS Embed Calendly
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in Toocheke Companion browser extension versions through 1.194, allowing authenticated attackers to inject malicious scripts that execute in the context of a user's web session. An attacker with login credentials can craft malicious input that bypasses input sanitization during web page generation, enabling session hijacking, credential theft, or malware distribution. While no active KEV exploitation or public proof-of-concept has been disclosed for this CVE, the CVSS 6.5 score reflects moderate severity due to the requirement for user interaction and authenticated access.

XSS Toocheke Companion
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Editorial Calendar through version 3.9.0 contains a DOM-based cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through improper input sanitization during web page generation. An attacker with user privileges can exploit this to execute arbitrary JavaScript in the context of other users' browsers, potentially leading to credential theft or unauthorized actions. No patch is currently available for this vulnerability.

XSS Editorial Calendar
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Rich Showcase for Google Reviews widget (richplugins plugin) affecting versions through 6.9.4.3, where improper input neutralization during web page generation allows authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers. An attacker with administrative or plugin configuration access can store XSS payloads that will be executed for any user viewing the affected widget, potentially leading to session hijacking, credential theft, or defacement. While the CVSS score of 5.9 indicates moderate severity and requires user interaction and high privileges to exploit, the stored nature of this vulnerability means the payload persists and affects multiple users passively.

XSS Google
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored XSS in bPlugins Icon List Block through version 1.2.3 allows authenticated attackers to inject malicious scripts that execute in other users' browsers. An attacker with user-level access can craft malicious input that persists in the application and compromises the confidentiality, integrity, and availability of affected systems. No patch is currently available for this vulnerability.

XSS Icon List Block
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in robosoft Robo Gallery through version 5.1.2, allowing authenticated attackers to inject malicious scripts into web pages generated by the application. An attacker with login credentials can craft malicious input that executes arbitrary JavaScript in the context of other users' browsers, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), which moderates but does not eliminate the threat.

XSS Robo Gallery
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in Elementor Website Builder through version 3.35.5, allowing authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. An attacker can exploit this via a crafted page or element to steal session cookies, redirect users, or perform actions on their behalf. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), but carries a moderate CVSS score of 6.5 with cross-site impact (S:C), indicating meaningful business risk despite not being unauthenticated.

XSS Elementor Website Builder Elementor
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored XSS in blubrry PowerPress Podcasting through version 11.15.13 permits authenticated administrators with high privileges to inject malicious scripts that persist in web pages and execute in other users' browsers. An attacker with admin credentials can inject arbitrary JavaScript to steal session tokens, modify content, or perform actions on behalf of victims. No patch is currently available for this vulnerability.

XSS Powerpress Podcasting
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in immonex Kickstart through version 1.13.0, allowing authenticated attackers to inject malicious scripts that persist in the application and execute in the browsers of other users who view the affected content. An attacker with login credentials can craft malicious input that bypasses input sanitization during web page generation, resulting in arbitrary JavaScript execution with access to session cookies, user data, and the ability to perform actions on behalf of victims. While no KEV or widespread exploitation data is available for this CVE, the vulnerability is exploitable with low attack complexity and requires only user interaction (UI click), making it a moderate-to-high priority for organizations running immonex Kickstart.

XSS Immonex Kickstart
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Medium severity vulnerability in WordPress plugin. The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form settings in all versions up to, and including, 5.4.5.0. This is due to insufficient capability checks on the form settings save handler and insufficient input sanitization of the `fcontent` field in `fhtml` field types. This makes it possible for authenticated attackers, with Contributor-le...

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Medium severity vulnerability in WordPress plugin. The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to update post metadata for arbitrary posts. Combined with a lack of input sanitization, this leads to S...

XSS Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

wpDiscuz before version 7.6.47 contains a stored cross-site scripting (XSS) vulnerability in the WpdiscuzHelperUpload class that fails to properly escape attachment URLs when rendering HTML output. Attackers with limited privileges (contributor level or higher) can inject malicious JavaScript through crafted attachment records or WordPress filter hooks, which executes in the browsers of any WordPress user viewing the affected comments. This vulnerability requires user interaction (victim must view the comment) and has moderate real-world impact due to the authentication requirement and user interaction factor, though successful exploitation could lead to session hijacking or credential theft from comment viewers.

XSS WordPress Wpdiscuz
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads like </style><script>alert(1)</script> in the custom CSS setting to execute arbitrary JavaScript in user browsers.

XSS Wpdiscuz
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by importing a crafted options file with unescaped customCss field values. Attackers can supply a malicious JSON import file containing script payloads in the customCss parameter that execute on every page when rendered through the options handler withou...

XSS Wpdiscuz
NVD VulDB GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in the inline comment preview functionality that allows authenticated users to inject malicious scripts by submitting comments with unescaped content. Attackers with unfiltered_html capabilities can inject JavaScript directly through comment content rendered in the AJAX response from the getLastInlineComments() function...

PHP XSS Wpdiscuz
NVD VulDB
Prev Page 33 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy