Skip to main content

XSS

38830 CVEs technique

Monthly

CVE-2026-32139 MEDIUM This Month

Stored XSS in Dataease 2.10.19 and earlier allows authenticated users to upload malicious SVG files that bypass backend validation by lacking proper sanitization of event handlers and script-capable attributes. An attacker can exploit this vulnerability to execute arbitrary JavaScript in victims' browsers when they access the uploaded static resource, achieving persistent code execution. The vulnerability was patched in version 2.10.20.

XSS Dataease
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-31873 npm NONE PATCH Awaiting Data

The `link.href` check in `makeTagSafe` (safe.ts, line 68-71) uses `String.includes()`, which is case-sensitive: ```typescript if (key === 'href') { if (val.includes('javascript:') || val.includes('data:')) { return } next[key] = val } ``` Browsers treat URI schemes case-insensitively. `DATA:text/css,...` is the same as `data:text/css,...` to the browser, but `'DATA:...'.includes('data:')` returns `false`. ### PoC ```javascript useHeadSafe({ link: [{ rel: 'stylesheet', href: 'DATA:text/css,body{display:none}' }] }) ``` SSR output: ```html <link rel="stylesheet" href="DATA:text/css,body{display:none}"> ``` The browser loads this as a CSS stylesheet. An attacker can inject arbitrary CSS for UI redressing or data exfiltration via CSS attribute selectors with background-image callbacks. Any case variation works: `DATA:`, `Data:`, `dAtA:`, `JAVASCRIPT:`, etc. ## Suggested fix ```typescript if (key === 'href') { const lower = val.toLowerCase() if (lower.includes('javascript:') || lower.includes('data:')) { return } next[key] = val } ```

XSS Unhead
NVD GitHub
EPSS
0.0%
CVE-2026-31860 npm MEDIUM PATCH This Month

## Summary `useHeadSafe()` can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered `<head>` tags. This is the composable that Nuxt docs recommend for safely handling user-generated content. ## Details **XSS via `data-*` attribute name injection** The `acceptDataAttrs` function (safe.ts, line 16-20) allows any property key starting with `data-` through to the final HTML. It only checks the prefix, not whether the key contains spaces or other characters that break HTML attribute parsing. ```typescript function acceptDataAttrs(value: Record<string, string>) { return Object.fromEntries( Object.entries(value || {}).filter(([key]) => key === 'id' || key.startsWith('data-')), ) } ``` This result gets merged into every tag's props at line 114: ```typescript tag.props = { ...acceptDataAttrs(prev), ...next } ``` Then `propsToString` (propsToString.ts, line 26) interpolates property keys directly into the HTML string with no sanitization: ```typescript attrs += value === true ? ` ${key}` : ` ${key}="${encodeAttribute(value)}"` ``` A space in the key breaks out of the attribute name. Everything after the space becomes separate HTML attributes. ### PoC The most practical vector uses a `link` tag. `<link rel="stylesheet">` fires `onload` once the stylesheet loads, giving reliable script execution: ```javascript useHeadSafe({ link: [{ rel: 'stylesheet', href: '/valid-stylesheet.css', 'data-x onload=alert(document.domain) y': 'z' }] }) ``` SSR output: ```html <link data-x onload=alert(document.domain) y="z" rel="stylesheet" href="/valid-stylesheet.css"> ``` The browser parses `onload=alert(document.domain)` as its own attribute. Once the stylesheet loads, the handler fires. The same injection works on any tag type since `acceptDataAttrs` is applied to all of them at line 114. Here's the same thing on a `meta` tag (the injected attributes render, though `onclick` doesn't fire on non-interactive `<meta>` elements): ```javascript useHeadSafe({ meta: [{ name: 'description', content: 'legitimate content', 'data-x onclick=alert(document.domain) y': 'z' }] }) ``` ### Realistic scenario A Nuxt app accepts SEO metadata from a CMS or user profile. The developer uses `useHeadSafe()` as the docs recommend. An attacker puts a `data-*` key with spaces and an event handler into their input. The payload renders into the HTML on every page load. ## Suggested fix For vulnerability 1, validate that attribute names only contain characters legal in HTML attributes: ```typescript const SAFE_ATTR_RE = /^[a-zA-Z][a-zA-Z0-9\-]*$/ function acceptDataAttrs(value: Record<string, string>) { return Object.fromEntries( Object.entries(value || {}).filter( ([key]) => (key === 'id' || key.startsWith('data-')) && SAFE_ATTR_RE.test(key) ), ) } ```

XSS Unhead
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-25529 HIGH This Week

Postal SMTP server versions below 3.3.5 contain a stored cross-site scripting (XSS) vulnerability in the admin interface where the API's "send/raw" method fails to properly escape user-supplied data, allowing authenticated attackers to inject malicious HTML and JavaScript. An attacker with API access could manipulate the admin dashboard or execute unauthorized actions in the context of an administrator's session. No patch is currently available for affected versions.

XSS
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-2987 MEDIUM This Month

Unauthenticated attackers can inject malicious scripts into WordPress sites running the Simple Ajax Chat plugin (versions up to 20260217) through improper sanitization of the 'c' parameter, allowing arbitrary JavaScript execution in victim browsers. The vulnerability affects any user viewing an injected page and requires no user interaction beyond normal site access. No patch is currently available for this stored XSS vulnerability.

WordPress XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-2514 This Week

In Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, a vulnerability exists whereby an adversary with access to Flowmon monitoring ports may craft malicious network data that, when processed by Flowmon ADS and viewed by an authenticated user, could result in unintended actions being executed in the user's browser context.

XSS
NVD VulDB
EPSS
0.0%
CVE-2026-2513 This Week

This vulnerability allows attackers to trick administrators into performing unintended actions within Flowmon ADS by clicking malicious links while logged in. It affects Progress Flowmon ADS versions before 12.5.5 and 13.0.3. An attacker could exploit an administrator's authenticated session to make unauthorized changes to the system without the administrator's knowledge or consent.

XSS
NVD VulDB
EPSS
0.0%
CVE-2026-3993 LOW Monitor

Reflected cross-site scripting (XSS) in itsourcecode Payroll Management System 1.0 exists in the /manage_employee_deductions.php file via unsanitized ID parameters, allowing remote attackers to inject malicious scripts that execute in users' browsers. Public exploit code is available and the vulnerability remains unpatched. Successful exploitation requires user interaction but can lead to session hijacking, credential theft, or unauthorized payroll data manipulation.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3990 LOW Monitor

Stored cross-site scripting in CesiumJS up to version 1.137.0 allows unauthenticated remote attackers to inject malicious scripts through the parameter 'c' in Apps/Sandcastle/standalone.html, with public exploit code already available. While the vendor classifies this as demo code outside the core library product, the vulnerability affects users running vulnerable versions of the application. No patch is currently available.

XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3984 LOW Monitor

A weakness has been identified in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This vulnerability affects unknown code of the file save_up_athlete.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3983 LOW Monitor

A security flaw has been discovered in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This affects an unknown part of the file save-games.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2687 MEDIUM This Month

The Reading progressbar WordPress plugin fails to properly clean user inputs in its settings, allowing administrators to inject malicious code that gets stored and executed when other users view the site. This affects WordPress installations using this plugin before version 1.3.1, particularly multisite setups. An admin-level attacker could execute arbitrary JavaScript in visitors' browsers to steal data or compromise accounts.

WordPress XSS
NVD WPScan VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3982 LOW Monitor

Cross-site scripting (XSS) in the /view_result.php endpoint of PHP-based University Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts through the vr parameter. Public exploit code exists for this vulnerability, which requires user interaction to execute. The vulnerability has no available patch and affects the integrity of affected applications.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3962 LOW Monitor

Stored cross-site scripting (XSS) in Jcharis Machine-Learning-Web-Apps affects the Jinja2 template handler in Flask applications, allowing attackers to inject malicious scripts that execute in users' browsers. The vulnerability requires user interaction to trigger and can compromise data integrity through DOM manipulation. Public exploit code exists for this vulnerability, and the project maintainers have not yet released a patch.

XSS Python
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-32117 HIGH This Week

Grafana Cubism Panel versions 0.1.2 and earlier contain a stored cross-site scripting (XSS) vulnerability where dashboard editors can inject malicious javascript: URIs into zoom-link handlers that execute with Grafana origin privileges when viewers interact with the panel. An authenticated attacker with editor permissions can craft a malicious dashboard that executes arbitrary JavaScript in the context of any user who zooms on the affected panel, potentially compromising sensitive data or session tokens.

Grafana XSS Grafanacubism Panel
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-62328 LOW Monitor

HCL Nomad server on Domino did not configure the frame-ancestors directive in the Content-Security-Policy header by default which could allow an attacker to obtain sensitive information via unspecified vectors. [CVSS 3.7 LOW]

XSS
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-32125 MEDIUM This Month

Stored cross-site scripting in OpenEMR versions prior to 8.0.0.1 allows authenticated users with Track Anything feature access to inject malicious scripts into item names that execute in the browsers of all users viewing the corresponding Dygraph charts. An attacker with create or edit permissions can craft payloads that run in victims' sessions without their knowledge, potentially enabling session hijacking or unauthorized actions within the application. No patch is currently available for affected versions.

XSS Openemr
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32124 MEDIUM This Month

Stored cross-site scripting (XSS) in OpenEMR prior to 8.0.0.1 allows administrators or users with code management privileges to inject malicious scripts into code descriptions that execute in the browsers of all users accessing the dynamic code picker. All OpenEMR instances running affected versions are at risk, as any authenticated admin can inject payloads affecting the entire user base. No patch is currently available for this vulnerability.

XSS Openemr
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32121 HIGH This Week

Stored DOM-based cross-site scripting (XSS) in OpenEMR prior to version 8.0.0.1 allows authenticated attackers with low privileges to inject malicious scripts through unsanitized patient names in the portal signing component, which are rendered client-side via jQuery. Successful exploitation requires user interaction and could enable attackers to perform actions in the context of affected users or steal sensitive health information. A patch is available in OpenEMR 8.0.0.1 and later versions.

PHP XSS Openemr
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-32118 MEDIUM This Month

Stored XSS in OpenEMR's Pain Map form prior to version 8.0.0.1 allows authenticated users to inject malicious JavaScript into encounter records that executes when other clinicians view the affected form. Since session cookies lack HttpOnly protection, attackers can hijack sessions of other users including administrators. This vulnerability requires user interaction and network access but poses significant risk in multi-user healthcare environments.

XSS Openemr
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32112 PyPI MEDIUM PATCH This Month

Medium severity vulnerability in Home Assistant MCP. #

Python XSS Home Assistant Mcp Server
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-32109 PyPI LOW PATCH Monitor

If an attacker has been given both read- and write-permissions to the server, they can upload a malicious file with the filename `.prologue.html` and then craft a link to potentially execute arbitrary JavaScript in the victim's context. Note that it is intended behavior that the JavaScript would execute if the target clicks a link to the HTML file itself; "https://example.com/foo/.prologue.html". The vulnerability is that "https://example.com/foo/?b" would also evaluate the file, making the behavior unexpected. There are existing preventative measures (strict SameSite cookies) which makes it harder to leverage this vulnerability in an attack; in order to gain control of the target's authenticated session, the link must be clicked from a page served by the server itself -- most likely by editing an existing resource, which would require additional access permissions. Finally, for this attack to be successful, the attacker's target must click the specific crafted link given by the attacker. This vulnerability is not activated by normally browsing the web-UI on the server. ## Impact If successful, the malicious JavaScript could move or delete existing files on the server, or upload new files, using the account of the person who opens the link.

XSS Copyparty
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-3951 LOW Monitor

Reflected cross-site scripting in LockerProject Locker versions 0.0.0 through 0.1.0 allows unauthenticated remote attackers to inject malicious scripts through the ID parameter in the Error Response Handler component. Public exploit code exists for this vulnerability, and the vendor has not yet provided a patch despite early notification.

XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-32095 MEDIUM This Month

Plunk is an open-source email platform built on top of AWS SES. versions up to 0.7.1 is affected by cross-site scripting (xss) (CVSS 5.4).

XSS Plunk
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-31879 MEDIUM This Month

Frappe is a full-stack web application framework. versions up to 14.100.2 is affected by cross-site scripting (xss).

XSS Frappe
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-31876 MEDIUM This Month

Stored XSS in Notesnook Mobile and Desktop versions prior to 3.3.9 allows authenticated users to execute arbitrary JavaScript by injecting malicious code into Twitter/X embed URLs through the editor component. An attacker with user account access can craft a malicious note containing a specially crafted embed URL that executes when the note is viewed, potentially compromising user data or session tokens. No patch is currently available for affected versions.

XSS Notesnook Mobile Notesnook Desktop
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-31868 npm MEDIUM PATCH This Month

Stored XSS in Parse Server prior to versions 9.6.0-alpha.4 and 8.6.30 allows unauthenticated attackers to upload files with dangerous extensions (such as .svgz, .xht, .xml) that bypass default upload filters and execute malicious scripts in users' browsers within the Parse Server domain. Successful exploitation enables attackers to steal session tokens, hijack user accounts, or perform unauthorized actions on behalf of victims. User interaction is required to trigger the vulnerability when victims access the uploaded malicious files.

Node.js XSS Parse Server
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-31859 PHP MEDIUM PATCH This Month

Reflected XSS in Craft CMS versions before 5.9.7 and 4.17.3 allows remote attackers to execute arbitrary JavaScript in users' browsers via malicious return URLs that bypass insufficient sanitization. The vulnerability exists because the patch for a prior issue relied on strip_tags() to filter URLs, which fails to block dangerous URL schemes like javascript:. An attacker can craft a malicious link that, when clicked by an authenticated user, steals session cookies or performs actions on their behalf.

PHP XSS Craft Cms
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-30235 MEDIUM This Month

web-based project management software. versions up to 17.2.0 is affected by cross-site scripting (xss) (CVSS 6.5).

XSS Openproject
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-20162 MEDIUM This Month

Stored XSS via path traversal in Splunk Enterprise and Cloud Platform allows low-privileged users to inject malicious JavaScript into Views, compromising any user who visits the affected page. An attacker must socially engineer a victim into initiating the malicious request, but no special privileges or user interaction beyond initial page load is required. Affected versions include Splunk Enterprise below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, with no patch currently available.

XSS Path Traversal Splunk Splunk Cloud Platform
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-20117 MEDIUM This Month

Unauthenticated attackers can inject malicious scripts into Cisco Unified CCX's web management interface due to insufficient input validation, enabling XSS attacks against administrators and users. Successful exploitation allows arbitrary JavaScript execution within the browser context or theft of sensitive session information. No patch is currently available.

Cisco XSS Unified Contact Center Express
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-20116 MEDIUM This Month

Unauthenticated attackers can inject malicious scripts into the web management interfaces of multiple Cisco contact center products (Finesse, Packaged CCE, Unified CCE, Unified CCX, and Unified Intelligence Center) due to insufficient input validation. Successful exploitation allows arbitrary script execution in the victim's browser context, potentially enabling session hijacking or credential theft from administrators. No patch is currently available for this cross-site scripting vulnerability.

Cisco XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1090 HIGH This Week

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 versions up to 18.7.6 is affected by cross-site scripting (xss) (CVSS 8.7).

Gitlab XSS
NVD VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-3946 LOW Monitor

A vulnerability was detected in PHPEMS 11.0. The affected element is an unknown function of the file /index.php?ask=app-ask. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3178 HIGH This Week

Unauthenticated attackers can inject malicious scripts into the Name Directory WordPress plugin (versions up to 1.32.1) through the 'name_directory_name' parameter, which are then executed in users' browsers when they visit affected pages. The vulnerability stems from inadequate input sanitization and output escaping, allowing stored cross-site scripting attacks that impact all unauthenticated visitors. No patch is currently available, though partial mitigations were attempted in versions 1.30.3 and 1.32.1.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-3492 MEDIUM This Month

Stored XSS in Gravity Forms WordPress plugin through version 2.9.28.1 allows authenticated subscribers and above to inject malicious JavaScript via the form creation endpoint, which executes when administrators interact with the Form Switcher dropdown. The vulnerability stems from inadequate input sanitization and missing output escaping in the form title field. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3231 HIGH This Week

for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted versions up to 2.1.7. is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress PHP XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-1454 HIGH This Week

The Responsive Contact Form Builder & Lead Generation Plugin for WordPress through version 2.0.1 fails to properly sanitize form field submissions, allowing unauthenticated attackers to inject malicious scripts that execute in the administrator dashboard when viewing lead entries. The vulnerability stems from incomplete input validation in the sanitization function combined with overly permissive output filtering that permits onclick attributes on links. Attackers can exploit this to steal admin credentials, modify site content, or perform arbitrary actions within WordPress.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-2918 MEDIUM This Month

Authenticated contributors to WordPress sites running Happy Addons for Elementor up to version 3.21.0 can modify display conditions of published templates due to improper authorization checks in the `ha_condition_update` AJAX action and missing capability validation in `ha_get_current_condition`. The vulnerability allows attackers to alter template visibility rules and potentially inject unescaped content into HTML attributes, affecting site content delivery and potentially enabling stored XSS attacks.

WordPress XSS Authentication Bypass
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3825 MEDIUM This Month

Reflected XSS in the Organization Portal System's IFTOP module enables authenticated attackers to inject malicious JavaScript that executes in victims' browsers via social engineering or phishing links. This vulnerability requires user interaction to trigger and affects confidentiality and integrity with no current patch available.

XSS Organization Portal System
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-3534 MEDIUM This Month

Stored cross-site scripting in the Astra WordPress theme through versions 4.12.3 allows authenticated contributors and higher-privileged users to inject malicious scripts into post meta fields that execute when pages are viewed. The vulnerability stems from improper sanitization of background-related meta fields and missing output escaping in CSS property handling. Attackers with contributor-level access can compromise page content and redirect or manipulate user sessions.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3884 LOW Monitor

Spin.js versions before 3.0.0 allow attackers to execute arbitrary JavaScript through a combination of prototype pollution and XSS in the spin() function, requiring user interaction via a crafted URL. An attacker can exploit this to manipulate Object.prototype and trigger malicious code execution in affected users' browsers. No patch is currently available.

XSS Spin Js
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2707 MEDIUM This Month

Stored XSS in the weForms WordPress plugin allows authenticated users with Subscriber-level access to inject malicious scripts through REST API form submissions, bypassing the sanitization applied to frontend submissions. The vulnerability exists in versions up to 1.6.27 due to inconsistent input validation between the AJAX handler and REST API endpoint, enabling attackers to execute arbitrary JavaScript in the context of other users' browsers. No patch is currently available.

WordPress PHP XSS
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2466 HIGH This Week

DukaPress WordPress plugin versions up to 3.2.4 contain a reflected XSS vulnerability due to improper input sanitization and output encoding, allowing attackers to inject malicious scripts that execute in the browsers of high-privilege users like administrators. The vulnerability requires user interaction to exploit and can result in session hijacking, credential theft, or unauthorized administrative actions. No patch is currently available.

WordPress XSS
NVD WPScan
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-2358 MEDIUM This Month

Stored XSS in the WP ULike WordPress plugin up to version 5.0.1 allows authenticated users with Contributor access or higher to inject malicious scripts into pages through the shortcode template attribute, which executes when visitors view affected content. The vulnerability stems from improper use of html_entity_decode() that circumvents WordPress sanitization filters, requiring at least one like on a post to trigger payload execution. No patch is currently available.

WordPress XSS
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-21361 HIGH This Week

Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows high-privileged attackers to inject malicious scripts into form fields, which execute when victims visit the affected pages. Successful exploitation enables session hijacking and compromise of user confidentiality and integrity, though user interaction is required for the attack to succeed. No patch is currently available for this vulnerability.

Adobe XSS Commerce B2b Magento Commerce
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-21311 HIGH This Week

Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows privileged attackers to inject malicious scripts into form fields that execute in victims' browsers, enabling session hijacking and credential theft. Exploitation requires user interaction and a high-privileged attacker account, but successful attacks compromise both confidentiality and integrity. No patch is currently available for affected versions.

Adobe XSS Commerce Magento Commerce B2b
NVD
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-21292 MEDIUM This Month

Stored XSS in Adobe Commerce 2.4.4 through 2.4.9-alpha3 allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute when victims view the affected pages. The vulnerability requires user interaction and could lead to session hijacking, credential theft, or malware distribution within Commerce environments. No patch is currently available for affected versions.

Adobe XSS Magento Commerce Commerce B2b
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-21291 MEDIUM This Month

Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows high-privileged attackers to inject malicious scripts into form fields that execute when victims view the affected pages. The vulnerability requires attacker credentials and user interaction but could compromise session security and steal sensitive data across multiple Commerce deployments. No patch is currently available for affected versions.

Adobe XSS Magento Commerce B2b Commerce
NVD VulDB
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-21290 HIGH This Week

Stored XSS in Adobe Commerce and Magento versions 2.4.9-alpha3 through 2.4.4-p16 allows authenticated attackers to inject malicious scripts into form fields that execute in victims' browsers, enabling session hijacking and data theft. Exploitation requires user interaction when a victim visits a page containing the compromised field. No patch is currently available.

Adobe XSS Commerce Magento Commerce B2b
NVD VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-21284 HIGH This Week

Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 enables high-privileged attackers to inject malicious scripts into form fields, which execute in victim browsers during page visits. An attacker exploiting this vulnerability can achieve session hijacking and compromise both confidentiality and integrity, though successful exploitation requires user interaction and administrative privileges. No patch is currently available.

Adobe XSS Commerce Magento Commerce B2b
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-12473 MEDIUM This Month

The RTMKit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'themebuilder' parameter in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-27266 MEDIUM This Month

Adobe Experience Manager 6.5.23 and earlier contain a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts. When victims access pages containing the injected payload, the JavaScript executes in their browser context, potentially leading to session hijacking, credential theft, or other client-side attacks. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27265 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged users to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker can leverage this vulnerability to steal session tokens, credentials, or perform actions on behalf of victims within the AEM environment. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27264 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker with valid credentials can compromise other users' sessions and steal sensitive data by crafting specially crafted input. Currently no patch is available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27263 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker with valid credentials could leverage this vulnerability to steal session tokens, modify page content, or perform actions on behalf of victims who view the compromised forms. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27262 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in users' browsers when the page is viewed. An attacker with login credentials can craft payloads in vulnerable fields to steal session data or perform actions on behalf of victims. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27261 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in other users' browsers. An attacker can leverage this to steal session tokens, perform unauthorized actions, or redirect victims to malicious sites when they view compromised pages. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27260 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts through form fields that execute in other users' browsers. An attacker with valid credentials can craft payloads to steal session tokens, redirect users, or perform actions on their behalf when victims view affected pages. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27259 MEDIUM This Month

Adobe Experience Manager 6.5.23 and earlier contain a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts executed in other users' browsers. An attacker can exploit this to steal credentials, perform unauthorized actions, or deface content when victims access affected pages. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27257 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. This requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims within the application context. No patch is currently available.

Adobe XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27256 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. The vulnerability requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available.

Adobe XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27255 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when users view the compromised pages. The vulnerability requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available.

Adobe XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27254 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker can exploit this vulnerability to steal session tokens, perform unauthorized actions, or redirect users to malicious sites through script execution in victims' browsers. No patch is currently available.

Adobe XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27253 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with valid credentials can exploit this vulnerability to steal session tokens, perform actions on behalf of victims, or redirect users to malicious sites. No patch is currently available for this vulnerability.

Adobe XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27252 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in other users' browsers. An attacker can exploit this vulnerability to perform actions on behalf of victims or steal sensitive information when they visit pages containing the compromised fields. No patch is currently available for this vulnerability.

Adobe XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27251 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in victims' browsers. An attacker can exploit this vulnerability by injecting JavaScript that runs when other users access pages containing the compromised fields, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

Adobe XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27250 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker could exploit this to steal session tokens, redirect users, or perform actions on behalf of victims viewing affected pages. No patch is currently available.

Adobe XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27249 MEDIUM This Month

Adobe Experience Manager 6.5.23 and earlier contains a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts. When victims visit pages containing the injected payload, the attacker's JavaScript executes in their browser, potentially compromising user sessions or stealing sensitive data. No patch is currently available.

Adobe XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27248 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in other users' browsers. An attacker with low privileges can craft malicious input that persists in the application and compromises confidentiality and integrity for victims who access the affected pages. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27247 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in victims' browsers when the contaminated pages are viewed. An attacker with valid credentials can exploit this to steal session tokens, credentials, or perform actions on behalf of affected users. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27244 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when users view the affected pages. A low-privileged user can exploit this to perform actions in the context of other users' browsers, potentially compromising session integrity and enabling credential theft or data exfiltration. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27242 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged attackers to inject malicious scripts into form fields that execute when victims view affected pages. The vulnerability requires user interaction and can result in session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27241 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. The vulnerability requires low-level privileges and user interaction to exploit, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available for this medium-severity issue.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27240 MEDIUM This Month

Stored XSS in Adobe Experience Manager versions 6.5.23 and earlier enables low-privileged attackers to embed malicious scripts in form fields that execute when legitimate users view the affected pages. An attacker with basic authentication can inject JavaScript that runs in victims' browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27239 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with login credentials can compromise victim browsers and potentially steal sensitive information or perform unauthorized actions within the application context. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27237 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields, which execute in the browsers of users viewing those pages. The vulnerability requires user interaction and has limited scope of impact, affecting confidentiality and integrity but not availability. No patch is currently available for this medium-severity issue.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27236 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with low privileges and user interaction can compromise the confidentiality and integrity of victim sessions. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27235 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. A low-privileged user can exploit this to perform actions in victim browsers or steal sensitive information, though no patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27234 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in victims' browsers when the affected pages are viewed. The vulnerability requires user interaction and is limited to low-impact information disclosure and modification, though it can affect multiple users due to its stored nature. No patch is currently available for this issue.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27233 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields, which execute in victims' browsers when they access affected pages. The vulnerability requires user interaction and can result in session hijacking, credential theft, or malware distribution. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27232 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in victims' browsers, potentially leading to session hijacking or credential theft. The vulnerability requires user interaction and is currently unpatched, with no active exploitation reported.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27231 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in users' browsers when the affected pages are accessed. An attacker with login credentials can craft payloads that persist in the application and compromise victim sessions or steal sensitive data. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27230 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers when they access affected pages. An attacker can exploit this to steal session tokens, perform unauthorized actions, or deface content with minimal user interaction required. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27229 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields, which execute in victims' browsers when the affected pages are accessed. An attacker with login credentials can exploit this vulnerability to steal session tokens, credentials, or perform actions on behalf of users viewing the compromised forms. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27228 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with low privileges can exploit this vulnerability to steal session tokens, credentials, or perform actions on behalf of victims through their browsers. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27226 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts through form fields, which execute in victims' browsers when they view affected pages. The vulnerability requires user interaction and network access but can impact confidentiality and integrity across security domains. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27225 MEDIUM This Month

Adobe Experience Manager 6.5.23 and earlier contains a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts affecting other users who view the compromised pages. When a victim browses to a page containing the injected payload, the malicious JavaScript executes in their browser context, potentially enabling session hijacking or credential theft. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27224 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields, which execute in victims' browsers when they view affected pages. This requires user interaction and an authenticated attacker, but could compromise the confidentiality and integrity of user sessions. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27223 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier enables authenticated attackers to inject malicious scripts into form fields that execute when users view affected pages. An attacker with login credentials can compromise victim browsers and steal sensitive data or perform actions on their behalf. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Dataease 2.10.19 and earlier allows authenticated users to upload malicious SVG files that bypass backend validation by lacking proper sanitization of event handlers and script-capable attributes. An attacker can exploit this vulnerability to execute arbitrary JavaScript in victims' browsers when they access the uploaded static resource, achieving persistent code execution. The vulnerability was patched in version 2.10.20.

XSS Dataease
NVD GitHub VulDB
EPSS 0%
NONE PATCH Awaiting Data

The `link.href` check in `makeTagSafe` (safe.ts, line 68-71) uses `String.includes()`, which is case-sensitive: ```typescript if (key === 'href') { if (val.includes('javascript:') || val.includes('data:')) { return } next[key] = val } ``` Browsers treat URI schemes case-insensitively. `DATA:text/css,...` is the same as `data:text/css,...` to the browser, but `'DATA:...'.includes('data:')` returns `false`. ### PoC ```javascript useHeadSafe({ link: [{ rel: 'stylesheet', href: 'DATA:text/css,body{display:none}' }] }) ``` SSR output: ```html <link rel="stylesheet" href="DATA:text/css,body{display:none}"> ``` The browser loads this as a CSS stylesheet. An attacker can inject arbitrary CSS for UI redressing or data exfiltration via CSS attribute selectors with background-image callbacks. Any case variation works: `DATA:`, `Data:`, `dAtA:`, `JAVASCRIPT:`, etc. ## Suggested fix ```typescript if (key === 'href') { const lower = val.toLowerCase() if (lower.includes('javascript:') || lower.includes('data:')) { return } next[key] = val } ```

XSS Unhead
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

## Summary `useHeadSafe()` can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered `<head>` tags. This is the composable that Nuxt docs recommend for safely handling user-generated content. ## Details **XSS via `data-*` attribute name injection** The `acceptDataAttrs` function (safe.ts, line 16-20) allows any property key starting with `data-` through to the final HTML. It only checks the prefix, not whether the key contains spaces or other characters that break HTML attribute parsing. ```typescript function acceptDataAttrs(value: Record<string, string>) { return Object.fromEntries( Object.entries(value || {}).filter(([key]) => key === 'id' || key.startsWith('data-')), ) } ``` This result gets merged into every tag's props at line 114: ```typescript tag.props = { ...acceptDataAttrs(prev), ...next } ``` Then `propsToString` (propsToString.ts, line 26) interpolates property keys directly into the HTML string with no sanitization: ```typescript attrs += value === true ? ` ${key}` : ` ${key}="${encodeAttribute(value)}"` ``` A space in the key breaks out of the attribute name. Everything after the space becomes separate HTML attributes. ### PoC The most practical vector uses a `link` tag. `<link rel="stylesheet">` fires `onload` once the stylesheet loads, giving reliable script execution: ```javascript useHeadSafe({ link: [{ rel: 'stylesheet', href: '/valid-stylesheet.css', 'data-x onload=alert(document.domain) y': 'z' }] }) ``` SSR output: ```html <link data-x onload=alert(document.domain) y="z" rel="stylesheet" href="/valid-stylesheet.css"> ``` The browser parses `onload=alert(document.domain)` as its own attribute. Once the stylesheet loads, the handler fires. The same injection works on any tag type since `acceptDataAttrs` is applied to all of them at line 114. Here's the same thing on a `meta` tag (the injected attributes render, though `onclick` doesn't fire on non-interactive `<meta>` elements): ```javascript useHeadSafe({ meta: [{ name: 'description', content: 'legitimate content', 'data-x onclick=alert(document.domain) y': 'z' }] }) ``` ### Realistic scenario A Nuxt app accepts SEO metadata from a CMS or user profile. The developer uses `useHeadSafe()` as the docs recommend. An attacker puts a `data-*` key with spaces and an event handler into their input. The payload renders into the HTML on every page load. ## Suggested fix For vulnerability 1, validate that attribute names only contain characters legal in HTML attributes: ```typescript const SAFE_ATTR_RE = /^[a-zA-Z][a-zA-Z0-9\-]*$/ function acceptDataAttrs(value: Record<string, string>) { return Object.fromEntries( Object.entries(value || {}).filter( ([key]) => (key === 'id' || key.startsWith('data-')) && SAFE_ATTR_RE.test(key) ), ) } ```

XSS Unhead
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Postal SMTP server versions below 3.3.5 contain a stored cross-site scripting (XSS) vulnerability in the admin interface where the API's "send/raw" method fails to properly escape user-supplied data, allowing authenticated attackers to inject malicious HTML and JavaScript. An attacker with API access could manipulate the admin dashboard or execute unauthorized actions in the context of an administrator's session. No patch is currently available for affected versions.

XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauthenticated attackers can inject malicious scripts into WordPress sites running the Simple Ajax Chat plugin (versions up to 20260217) through improper sanitization of the 'c' parameter, allowing arbitrary JavaScript execution in victim browsers. The vulnerability affects any user viewing an injected page and requires no user interaction beyond normal site access. No patch is currently available for this stored XSS vulnerability.

WordPress XSS
NVD VulDB
EPSS 0%
This Week

In Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, a vulnerability exists whereby an adversary with access to Flowmon monitoring ports may craft malicious network data that, when processed by Flowmon ADS and viewed by an authenticated user, could result in unintended actions being executed in the user's browser context.

XSS
NVD VulDB
EPSS 0%
This Week

This vulnerability allows attackers to trick administrators into performing unintended actions within Flowmon ADS by clicking malicious links while logged in. It affects Progress Flowmon ADS versions before 12.5.5 and 13.0.3. An attacker could exploit an administrator's authenticated session to make unauthorized changes to the system without the administrator's knowledge or consent.

XSS
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Reflected cross-site scripting (XSS) in itsourcecode Payroll Management System 1.0 exists in the /manage_employee_deductions.php file via unsanitized ID parameters, allowing remote attackers to inject malicious scripts that execute in users' browsers. Public exploit code is available and the vulnerability remains unpatched. Successful exploitation requires user interaction but can lead to session hijacking, credential theft, or unauthorized payroll data manipulation.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Stored cross-site scripting in CesiumJS up to version 1.137.0 allows unauthenticated remote attackers to inject malicious scripts through the parameter 'c' in Apps/Sandcastle/standalone.html, with public exploit code already available. While the vendor classifies this as demo code outside the core library product, the vulnerability affects users running vulnerable versions of the application. No patch is currently available.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

A weakness has been identified in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This vulnerability affects unknown code of the file save_up_athlete.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

A security flaw has been discovered in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This affects an unknown part of the file save-games.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

The Reading progressbar WordPress plugin fails to properly clean user inputs in its settings, allowing administrators to inject malicious code that gets stored and executed when other users view the site. This affects WordPress installations using this plugin before version 1.3.1, particularly multisite setups. An admin-level attacker could execute arbitrary JavaScript in visitors' browsers to steal data or compromise accounts.

WordPress XSS
NVD WPScan VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Cross-site scripting (XSS) in the /view_result.php endpoint of PHP-based University Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts through the vr parameter. Public exploit code exists for this vulnerability, which requires user interaction to execute. The vulnerability has no available patch and affects the integrity of affected applications.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Stored cross-site scripting (XSS) in Jcharis Machine-Learning-Web-Apps affects the Jinja2 template handler in Flask applications, allowing attackers to inject malicious scripts that execute in users' browsers. The vulnerability requires user interaction to trigger and can compromise data integrity through DOM manipulation. Public exploit code exists for this vulnerability, and the project maintainers have not yet released a patch.

XSS Python
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Grafana Cubism Panel versions 0.1.2 and earlier contain a stored cross-site scripting (XSS) vulnerability where dashboard editors can inject malicious javascript: URIs into zoom-link handlers that execute with Grafana origin privileges when viewers interact with the panel. An authenticated attacker with editor permissions can craft a malicious dashboard that executes arbitrary JavaScript in the context of any user who zooms on the affected panel, potentially compromising sensitive data or session tokens.

Grafana XSS Grafanacubism Panel
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW Monitor

HCL Nomad server on Domino did not configure the frame-ancestors directive in the Content-Security-Policy header by default which could allow an attacker to obtain sensitive information via unspecified vectors. [CVSS 3.7 LOW]

XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in OpenEMR versions prior to 8.0.0.1 allows authenticated users with Track Anything feature access to inject malicious scripts into item names that execute in the browsers of all users viewing the corresponding Dygraph charts. An attacker with create or edit permissions can craft payloads that run in victims' sessions without their knowledge, potentially enabling session hijacking or unauthorized actions within the application. No patch is currently available for affected versions.

XSS Openemr
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting (XSS) in OpenEMR prior to 8.0.0.1 allows administrators or users with code management privileges to inject malicious scripts into code descriptions that execute in the browsers of all users accessing the dynamic code picker. All OpenEMR instances running affected versions are at risk, as any authenticated admin can inject payloads affecting the entire user base. No patch is currently available for this vulnerability.

XSS Openemr
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH This Week

Stored DOM-based cross-site scripting (XSS) in OpenEMR prior to version 8.0.0.1 allows authenticated attackers with low privileges to inject malicious scripts through unsanitized patient names in the portal signing component, which are rendered client-side via jQuery. Successful exploitation requires user interaction and could enable attackers to perform actions in the context of affected users or steal sensitive health information. A patch is available in OpenEMR 8.0.0.1 and later versions.

PHP XSS Openemr
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in OpenEMR's Pain Map form prior to version 8.0.0.1 allows authenticated users to inject malicious JavaScript into encounter records that executes when other clinicians view the affected form. Since session cookies lack HttpOnly protection, attackers can hijack sessions of other users including administrators. This vulnerability requires user interaction and network access but poses significant risk in multi-user healthcare environments.

XSS Openemr
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Medium severity vulnerability in Home Assistant MCP. #

Python XSS Home Assistant Mcp Server
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

If an attacker has been given both read- and write-permissions to the server, they can upload a malicious file with the filename `.prologue.html` and then craft a link to potentially execute arbitrary JavaScript in the victim's context. Note that it is intended behavior that the JavaScript would execute if the target clicks a link to the HTML file itself; "https://example.com/foo/.prologue.html". The vulnerability is that "https://example.com/foo/?b" would also evaluate the file, making the behavior unexpected. There are existing preventative measures (strict SameSite cookies) which makes it harder to leverage this vulnerability in an attack; in order to gain control of the target's authenticated session, the link must be clicked from a page served by the server itself -- most likely by editing an existing resource, which would require additional access permissions. Finally, for this attack to be successful, the attacker's target must click the specific crafted link given by the attacker. This vulnerability is not activated by normally browsing the web-UI on the server. ## Impact If successful, the malicious JavaScript could move or delete existing files on the server, or upload new files, using the account of the person who opens the link.

XSS Copyparty
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Reflected cross-site scripting in LockerProject Locker versions 0.0.0 through 0.1.0 allows unauthenticated remote attackers to inject malicious scripts through the ID parameter in the Error Response Handler component. Public exploit code exists for this vulnerability, and the vendor has not yet provided a patch despite early notification.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Plunk is an open-source email platform built on top of AWS SES. versions up to 0.7.1 is affected by cross-site scripting (xss) (CVSS 5.4).

XSS Plunk
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Frappe is a full-stack web application framework. versions up to 14.100.2 is affected by cross-site scripting (xss).

XSS Frappe
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Notesnook Mobile and Desktop versions prior to 3.3.9 allows authenticated users to execute arbitrary JavaScript by injecting malicious code into Twitter/X embed URLs through the editor component. An attacker with user account access can craft a malicious note containing a specially crafted embed URL that executes when the note is viewed, potentially compromising user data or session tokens. No patch is currently available for affected versions.

XSS Notesnook Mobile Notesnook Desktop
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored XSS in Parse Server prior to versions 9.6.0-alpha.4 and 8.6.30 allows unauthenticated attackers to upload files with dangerous extensions (such as .svgz, .xht, .xml) that bypass default upload filters and execute malicious scripts in users' browsers within the Parse Server domain. Successful exploitation enables attackers to steal session tokens, hijack user accounts, or perform unauthorized actions on behalf of victims. User interaction is required to trigger the vulnerability when victims access the uploaded malicious files.

Node.js XSS Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected XSS in Craft CMS versions before 5.9.7 and 4.17.3 allows remote attackers to execute arbitrary JavaScript in users' browsers via malicious return URLs that bypass insufficient sanitization. The vulnerability exists because the patch for a prior issue relied on strip_tags() to filter URLs, which fails to block dangerous URL schemes like javascript:. An attacker can craft a malicious link that, when clicked by an authenticated user, steals session cookies or performs actions on their behalf.

PHP XSS Craft Cms
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

web-based project management software. versions up to 17.2.0 is affected by cross-site scripting (xss) (CVSS 6.5).

XSS Openproject
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Stored XSS via path traversal in Splunk Enterprise and Cloud Platform allows low-privileged users to inject malicious JavaScript into Views, compromising any user who visits the affected page. An attacker must socially engineer a victim into initiating the malicious request, but no special privileges or user interaction beyond initial page load is required. Affected versions include Splunk Enterprise below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, with no patch currently available.

XSS Path Traversal Splunk +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauthenticated attackers can inject malicious scripts into Cisco Unified CCX's web management interface due to insufficient input validation, enabling XSS attacks against administrators and users. Successful exploitation allows arbitrary JavaScript execution within the browser context or theft of sensitive session information. No patch is currently available.

Cisco XSS Unified Contact Center Express
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauthenticated attackers can inject malicious scripts into the web management interfaces of multiple Cisco contact center products (Finesse, Packaged CCE, Unified CCE, Unified CCX, and Unified Intelligence Center) due to insufficient input validation. Successful exploitation allows arbitrary script execution in the victim's browser context, potentially enabling session hijacking or credential theft from administrators. No patch is currently available for this cross-site scripting vulnerability.

Cisco XSS
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 versions up to 18.7.6 is affected by cross-site scripting (xss) (CVSS 8.7).

Gitlab XSS
NVD VulDB
EPSS 0% CVSS 2.0
LOW Monitor

A vulnerability was detected in PHPEMS 11.0. The affected element is an unknown function of the file /index.php?ask=app-ask. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Unauthenticated attackers can inject malicious scripts into the Name Directory WordPress plugin (versions up to 1.32.1) through the 'name_directory_name' parameter, which are then executed in users' browsers when they visit affected pages. The vulnerability stems from inadequate input sanitization and output escaping, allowing stored cross-site scripting attacks that impact all unauthenticated visitors. No patch is currently available, though partial mitigations were attempted in versions 1.30.3 and 1.32.1.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in Gravity Forms WordPress plugin through version 2.9.28.1 allows authenticated subscribers and above to inject malicious JavaScript via the form creation endpoint, which executes when administrators interact with the Form Switcher dropdown. The vulnerability stems from inadequate input sanitization and missing output escaping in the form title field. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted versions up to 2.1.7. is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress PHP XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The Responsive Contact Form Builder & Lead Generation Plugin for WordPress through version 2.0.1 fails to properly sanitize form field submissions, allowing unauthenticated attackers to inject malicious scripts that execute in the administrator dashboard when viewing lead entries. The vulnerability stems from incomplete input validation in the sanitization function combined with overly permissive output filtering that permits onclick attributes on links. Attackers can exploit this to steal admin credentials, modify site content, or perform arbitrary actions within WordPress.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Authenticated contributors to WordPress sites running Happy Addons for Elementor up to version 3.21.0 can modify display conditions of published templates due to improper authorization checks in the `ha_condition_update` AJAX action and missing capability validation in `ha_get_current_condition`. The vulnerability allows attackers to alter template visibility rules and potentially inject unescaped content into HTML attributes, affecting site content delivery and potentially enabling stored XSS attacks.

WordPress XSS Authentication Bypass
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in the Organization Portal System's IFTOP module enables authenticated attackers to inject malicious JavaScript that executes in victims' browsers via social engineering or phishing links. This vulnerability requires user interaction to trigger and affects confidentiality and integrity with no current patch available.

XSS Organization Portal System
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Astra WordPress theme through versions 4.12.3 allows authenticated contributors and higher-privileged users to inject malicious scripts into post meta fields that execute when pages are viewed. The vulnerability stems from improper sanitization of background-related meta fields and missing output escaping in CSS property handling. Attackers with contributor-level access can compromise page content and redirect or manipulate user sessions.

WordPress XSS
NVD
EPSS 0% CVSS 2.0
LOW Monitor

Spin.js versions before 3.0.0 allow attackers to execute arbitrary JavaScript through a combination of prototype pollution and XSS in the spin() function, requiring user interaction via a crafted URL. An attacker can exploit this to manipulate Object.prototype and trigger malicious code execution in affected users' browsers. No patch is currently available.

XSS Spin Js
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the weForms WordPress plugin allows authenticated users with Subscriber-level access to inject malicious scripts through REST API form submissions, bypassing the sanitization applied to frontend submissions. The vulnerability exists in versions up to 1.6.27 due to inconsistent input validation between the AJAX handler and REST API endpoint, enabling attackers to execute arbitrary JavaScript in the context of other users' browsers. No patch is currently available.

WordPress PHP XSS
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

DukaPress WordPress plugin versions up to 3.2.4 contain a reflected XSS vulnerability due to improper input sanitization and output encoding, allowing attackers to inject malicious scripts that execute in the browsers of high-privilege users like administrators. The vulnerability requires user interaction to exploit and can result in session hijacking, credential theft, or unauthorized administrative actions. No patch is currently available.

WordPress XSS
NVD WPScan
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the WP ULike WordPress plugin up to version 5.0.1 allows authenticated users with Contributor access or higher to inject malicious scripts into pages through the shortcode template attribute, which executes when visitors view affected content. The vulnerability stems from improper use of html_entity_decode() that circumvents WordPress sanitization filters, requiring at least one like on a post to trigger payload execution. No patch is currently available.

WordPress XSS
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows high-privileged attackers to inject malicious scripts into form fields, which execute when victims visit the affected pages. Successful exploitation enables session hijacking and compromise of user confidentiality and integrity, though user interaction is required for the attack to succeed. No patch is currently available for this vulnerability.

Adobe XSS Commerce B2b +2
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows privileged attackers to inject malicious scripts into form fields that execute in victims' browsers, enabling session hijacking and credential theft. Exploitation requires user interaction and a high-privileged attacker account, but successful attacks compromise both confidentiality and integrity. No patch is currently available for affected versions.

Adobe XSS Commerce +2
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Commerce 2.4.4 through 2.4.9-alpha3 allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute when victims view the affected pages. The vulnerability requires user interaction and could lead to session hijacking, credential theft, or malware distribution within Commerce environments. No patch is currently available for affected versions.

Adobe XSS Magento +2
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows high-privileged attackers to inject malicious scripts into form fields that execute when victims view the affected pages. The vulnerability requires attacker credentials and user interaction but could compromise session security and steal sensitive data across multiple Commerce deployments. No patch is currently available for affected versions.

Adobe XSS Magento +2
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Stored XSS in Adobe Commerce and Magento versions 2.4.9-alpha3 through 2.4.4-p16 allows authenticated attackers to inject malicious scripts into form fields that execute in victims' browsers, enabling session hijacking and data theft. Exploitation requires user interaction when a victim visits a page containing the compromised field. No patch is currently available.

Adobe XSS Commerce +2
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 enables high-privileged attackers to inject malicious scripts into form fields, which execute in victim browsers during page visits. An attacker exploiting this vulnerability can achieve session hijacking and compromise both confidentiality and integrity, though successful exploitation requires user interaction and administrative privileges. No patch is currently available.

Adobe XSS Commerce +2
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

The RTMKit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'themebuilder' parameter in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager 6.5.23 and earlier contain a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts. When victims access pages containing the injected payload, the JavaScript executes in their browser context, potentially leading to session hijacking, credential theft, or other client-side attacks. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged users to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker can leverage this vulnerability to steal session tokens, credentials, or perform actions on behalf of victims within the AEM environment. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker with valid credentials can compromise other users' sessions and steal sensitive data by crafting specially crafted input. Currently no patch is available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker with valid credentials could leverage this vulnerability to steal session tokens, modify page content, or perform actions on behalf of victims who view the compromised forms. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in users' browsers when the page is viewed. An attacker with login credentials can craft payloads in vulnerable fields to steal session data or perform actions on behalf of victims. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in other users' browsers. An attacker can leverage this to steal session tokens, perform unauthorized actions, or redirect victims to malicious sites when they view compromised pages. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts through form fields that execute in other users' browsers. An attacker with valid credentials can craft payloads to steal session tokens, redirect users, or perform actions on their behalf when victims view affected pages. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager 6.5.23 and earlier contain a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts executed in other users' browsers. An attacker can exploit this to steal credentials, perform unauthorized actions, or deface content when victims access affected pages. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. This requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims within the application context. No patch is currently available.

Adobe XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. The vulnerability requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available.

Adobe XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when users view the compromised pages. The vulnerability requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available.

Adobe XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker can exploit this vulnerability to steal session tokens, perform unauthorized actions, or redirect users to malicious sites through script execution in victims' browsers. No patch is currently available.

Adobe XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with valid credentials can exploit this vulnerability to steal session tokens, perform actions on behalf of victims, or redirect users to malicious sites. No patch is currently available for this vulnerability.

Adobe XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in other users' browsers. An attacker can exploit this vulnerability to perform actions on behalf of victims or steal sensitive information when they visit pages containing the compromised fields. No patch is currently available for this vulnerability.

Adobe XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in victims' browsers. An attacker can exploit this vulnerability by injecting JavaScript that runs when other users access pages containing the compromised fields, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

Adobe XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker could exploit this to steal session tokens, redirect users, or perform actions on behalf of victims viewing affected pages. No patch is currently available.

Adobe XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager 6.5.23 and earlier contains a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts. When victims visit pages containing the injected payload, the attacker's JavaScript executes in their browser, potentially compromising user sessions or stealing sensitive data. No patch is currently available.

Adobe XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in other users' browsers. An attacker with low privileges can craft malicious input that persists in the application and compromises confidentiality and integrity for victims who access the affected pages. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in victims' browsers when the contaminated pages are viewed. An attacker with valid credentials can exploit this to steal session tokens, credentials, or perform actions on behalf of affected users. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when users view the affected pages. A low-privileged user can exploit this to perform actions in the context of other users' browsers, potentially compromising session integrity and enabling credential theft or data exfiltration. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged attackers to inject malicious scripts into form fields that execute when victims view affected pages. The vulnerability requires user interaction and can result in session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. The vulnerability requires low-level privileges and user interaction to exploit, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available for this medium-severity issue.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager versions 6.5.23 and earlier enables low-privileged attackers to embed malicious scripts in form fields that execute when legitimate users view the affected pages. An attacker with basic authentication can inject JavaScript that runs in victims' browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with login credentials can compromise victim browsers and potentially steal sensitive information or perform unauthorized actions within the application context. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields, which execute in the browsers of users viewing those pages. The vulnerability requires user interaction and has limited scope of impact, affecting confidentiality and integrity but not availability. No patch is currently available for this medium-severity issue.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with low privileges and user interaction can compromise the confidentiality and integrity of victim sessions. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. A low-privileged user can exploit this to perform actions in victim browsers or steal sensitive information, though no patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in victims' browsers when the affected pages are viewed. The vulnerability requires user interaction and is limited to low-impact information disclosure and modification, though it can affect multiple users due to its stored nature. No patch is currently available for this issue.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields, which execute in victims' browsers when they access affected pages. The vulnerability requires user interaction and can result in session hijacking, credential theft, or malware distribution. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in victims' browsers, potentially leading to session hijacking or credential theft. The vulnerability requires user interaction and is currently unpatched, with no active exploitation reported.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in users' browsers when the affected pages are accessed. An attacker with login credentials can craft payloads that persist in the application and compromise victim sessions or steal sensitive data. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers when they access affected pages. An attacker can exploit this to steal session tokens, perform unauthorized actions, or deface content with minimal user interaction required. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields, which execute in victims' browsers when the affected pages are accessed. An attacker with login credentials can exploit this vulnerability to steal session tokens, credentials, or perform actions on behalf of users viewing the compromised forms. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with low privileges can exploit this vulnerability to steal session tokens, credentials, or perform actions on behalf of victims through their browsers. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts through form fields, which execute in victims' browsers when they view affected pages. The vulnerability requires user interaction and network access but can impact confidentiality and integrity across security domains. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager 6.5.23 and earlier contains a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts affecting other users who view the compromised pages. When a victim browses to a page containing the injected payload, the malicious JavaScript executes in their browser context, potentially enabling session hijacking or credential theft. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields, which execute in victims' browsers when they view affected pages. This requires user interaction and an authenticated attacker, but could compromise the confidentiality and integrity of user sessions. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier enables authenticated attackers to inject malicious scripts into form fields that execute when users view affected pages. An attacker with login credentials can compromise victim browsers and steal sensitive data or perform actions on their behalf. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
Prev Page 34 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy