Skip to main content

XSS

38830 CVEs technique

Monthly

CVE-2026-2569 MEDIUM This Month

Stored XSS in Dear Flipbook WordPress plugin through version 2.4.20 allows authenticated users with Author privileges or higher to inject malicious scripts via PDF page labels due to inadequate input sanitization. These injected scripts execute in the browsers of any user viewing the affected pages. No patch is currently available for this vulnerability.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-31833 NuGet MEDIUM PATCH This Month

Umbraco is an ASP.NET CMS. From 16.2.0 to versions up to 16.5.1 is affected by cross-site scripting (xss) (CVSS 6.7).

XSS Umbraco Cms
NVD GitHub VulDB
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-31823 PHP MEDIUM PATCH This Month

Stored XSS vulnerabilities in Sylius allow authenticated attackers with high privileges to inject malicious scripts through unsanitized entity names (taxons, products) that are rendered as raw HTML in breadcrumbs and admin interfaces. An attacker could craft malicious product or category names to execute arbitrary JavaScript in the browsers of shop visitors and administrators, potentially leading to session hijacking or credential theft. No patch is currently available for this medium-severity vulnerability.

XSS Sylius
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-31822 PHP MEDIUM PATCH This Month

Stored XSS in Sylius checkout login form allows unauthenticated attackers to inject malicious scripts through authentication error messages that are unsafely rendered via innerHTML. An attacker can craft a failed login attempt containing JavaScript payload that executes in the browser of any user viewing the checkout page, potentially stealing session tokens or credentials. The vulnerability affects Sylius versions prior to 2.0.16, 2.1.12, and 2.2.3, with no current patch available for older releases.

XSS Sylius
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-31809 Go MEDIUM POC PATCH This Month

SiYuan's SVG sanitizer fails to properly filter malicious href attributes when whitespace characters are inserted into javascript: URLs, allowing reflected cross-site scripting on the unauthenticated /api/icon/getDynamicIcon endpoint. Public exploit code exists for this vulnerability, which bypasses the previous fix for CVE-2026-29183. Attackers can inject executable JavaScript to target unauthenticated users of SiYuan versions prior to 3.5.10.

XSS Siyuan Suse
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-31807 Go MEDIUM POC PATCH This Month

Reflected XSS in SiYuan's /api/icon/getDynamicIcon endpoint allows unauthenticated attackers to inject malicious JavaScript through SVG animation elements that bypass the sanitizer's static filters. The vulnerability exists because the SVG sanitizer blocks script tags and event handlers but fails to restrict <animate> and <set> elements, which can dynamically modify attributes at runtime to execute code. Public exploit code exists and patches are not yet available for affected versions prior to 3.5.10.

XSS Siyuan Suse
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-30948 npm MEDIUM PATCH This Month

Parse Server versions prior to 9.5.2-alpha.4 and 8.6.17 allow authenticated users to upload SVG files containing malicious JavaScript that executes in the server's origin context due to missing content security headers, enabling attackers to steal session tokens and compromise user accounts. All deployments with file upload enabled for authenticated users are vulnerable by default, as the file extension filter blocks HTML but not SVG files. A patch is available in the specified versions.

Node.js XSS Parse Server
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-13213 MEDIUM This Month

Aspera Orchestrator versions up to 4.1.2 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 5.4).

IBM XSS Aspera Orchestrator
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-2266 MEDIUM This Month

DOM-based XSS in GitHub Enterprise Server prior to version 3.20 allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by injecting malicious HTML through task list content in issues and pull requests. The vulnerability stems from improper input neutralization in the task list rendering logic, which fails to re-encode user-supplied content before display. An attacker with repository access could exploit this to steal session tokens or perform actions on behalf of other users.

Github XSS Enterprise Server
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-29177 PHP MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce Order details allows authenticated users to inject malicious scripts through Shipping Method Name, Order Reference, or Site Name fields that execute when administrators view order information. Public exploit code exists for this vulnerability affecting versions before 4.10.2 and 5.5.3. Patches are available to remediate the issue.

XSS Craft Commerce
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-29176 PHP MEDIUM PATCH This Month

Stored XSS in Craft Commerce versions before 5.5.3 allows authenticated users with product editing permissions to inject malicious JavaScript through the Inventory Locations Name field, which executes when administrators view affected product variants. An attacker with these privileges can steal session tokens, modify product data, or perform other administrative actions within the application. A patch is available in version 5.5.3.

XSS Craft Commerce
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-29175 PHP MEDIUM POC PATCH This Month

Craft Commerce versions before 5.5.3 contain stored cross-site scripting (XSS) vulnerabilities in the inventory management interface where product and variant fields lack proper HTML escaping. An attacker can inject malicious JavaScript through these fields that executes in the browsers of any user viewing the inventory page, including administrators, with public exploit code currently available. The vulnerability requires authenticated access and user interaction to exploit but can compromise sensitive administrative functions.

XSS Craft Commerce
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-29173 PHP MEDIUM POC PATCH This Month

Stored cross-site scripting in Craft Commerce versions before 4.10.2 and 5.5.3 allows authenticated users with high privileges to inject malicious scripts through unescaped Order Status Name fields. Public exploit code exists for this vulnerability, which can be leveraged to execute arbitrary JavaScript in the browser context of other administrators. The vulnerability is restricted by high privilege requirements and user interaction, but affects the integrity and confidentiality of the Commerce Orders management interface.

XSS Craft Commerce
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-70128 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. [CVSS 6.1 MEDIUM]

PHP XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-36227 MEDIUM This Month

Aspera Faspex versions up to 5.0.14.3 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 5.4).

IBM XSS Aspera Faspex
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-36226 MEDIUM This Month

IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.4 MEDIUM]

IBM XSS Aspera Faspex
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-3862 MEDIUM This Month

Cross-site Scripting (XSS) allows an attacker to submit specially crafted data to the application which is returned unaltered in the resulting web page.

XSS Symantec Siteminder
NVD VulDB
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-3228 MEDIUM This Month

Stored XSS in NextScripts Social Networks Auto-Poster plugin for WordPress (versions up to 4.4.6) allows authenticated Contributor-level users to inject malicious scripts through the `[nxs_fbembed]` shortcode due to insufficient input sanitization. Attackers can embed arbitrary JavaScript that executes when other users access the affected pages. A patch is not currently available.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-30977 LOW Monitor

RenderBlocking is a MediaWiki extension that allows interface administrators to specify render-blocking CSS and JavaScript. versions up to 0.1.1 is affected by cross-site scripting (xss).

XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-30974 PyPI MEDIUM PATCH This Month

Copyparty versions before 1.20.11 fail to apply the nohtml security restriction to SVG files, allowing authenticated users with write permissions to upload SVG images containing malicious JavaScript that executes when opened by other users. This cross-site scripting vulnerability bypasses the intended protection against JavaScript execution in user-uploaded content. The vulnerability has been patched in version 1.20.11.

XSS Copyparty
NVD GitHub VulDB
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-30934 Go HIGH PATCH This Week

Stored cross-site scripting in FileBrowser versions prior to 1.3.1-beta and 1.2.2-stable allows authenticated attackers to inject malicious scripts through share metadata fields that are improperly rendered without HTML escaping. When victims visit affected share URLs, the injected scripts execute in their browsers with full privileges, potentially leading to session hijacking, credential theft, or further compromise. A patch is available in the fixed versions, though exploitation currently shows 0% adoption likelihood.

XSS Filebrowser Suse
NVD GitHub VulDB
CVSS 3.1
8.9
EPSS
0.0%
CVE-2026-2724 HIGH This Week

Unlimited Elements for Elementor (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-26144 HIGH PATCH This Week

Information disclosure in Microsoft 365 Apps Excel allows unauthenticated remote attackers to extract sensitive data through stored cross-site scripting attacks in generated web content. The vulnerability requires no user interaction and affects all Excel users who process untrusted documents. No patch is currently available, leaving users dependent on mitigation strategies until Microsoft releases a fix.

Microsoft XSS 365 Apps
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26105 HIGH PATCH This Week

Microsoft SharePoint Server contains a reflected cross-site scripting vulnerability that allows remote attackers to execute arbitrary scripts in users' browsers through malicious links, enabling spoofing attacks and credential theft. The vulnerability requires user interaction to trigger and affects all SharePoint deployments with no available patch. With a CVSS score of 8.1, this poses a significant risk to organizations relying on SharePoint for collaboration.

Microsoft XSS Sharepoint Server
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-25972 MEDIUM This Month

FortiSIEM 7.3.0-7.3.4 and 7.4.0 are vulnerable to reflected cross-site scripting that allows unauthenticated remote attackers to inject malicious scripts through URL parameters, enabling social engineering attacks against users who click malicious links. The vulnerability requires user interaction to trigger but has no authentication requirements, making it practical for phishing campaigns that redirect victims to spoofed pages.

Fortinet XSS Fortisiem
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1261 HIGH This Week

Stored XSS in MetForm Pro's Quiz feature allows unauthenticated attackers to inject malicious scripts through insufficient input sanitization in WordPress versions up to 3.9.6. When users access affected pages, the injected scripts execute in their browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available.

WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-70025 MEDIUM This Month

An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in benkeen generatedata 4.0.14. [CVSS 6.1 MEDIUM]

XSS Generatedata
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-53608 MEDIUM This Month

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated privileged attacker to execute code via crafted requests. [CVSS 4.8 MEDIUM]

Fortinet XSS Fortisandbox
NVD VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-40943 CRITICAL CISA Emergency

Siemens devices have a stored XSS in trace file handling (CVSS 9.6) enabling code execution when administrators view diagnostic data.

XSS
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-13902 MEDIUM CISA This Month

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause condition where authenticated attackers can have a victim’s browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload.

XSS Modicon M258 Firmware Modicon Lmc058 Firmware Modicon M251 Firmware Modicon M241 Firmware
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-30919 HIGH This Week

facileManager is a modular suite of web apps built with the sysadmin in mind. versions up to 6.0.4 is affected by cross-site scripting (xss) (CVSS 7.6).

XSS Facilemanager
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-30918 HIGH This Week

FacileManager versions prior to 6.0.4 contain a reflected cross-site scripting vulnerability in the fmDNS module's log_search_query parameter that allows authenticated attackers to inject malicious JavaScript through crafted URLs. An attacker with login credentials can exploit this to execute arbitrary scripts in users' browsers, potentially compromising sensitive administrative data or session tokens. No patch is currently available for affected deployments.

XSS Facilemanager
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-30917 HIGH This Week

Bucket is a MediaWiki extension to store and retrieve structured data on articles. versions up to 2.1.1 is affected by cross-site scripting (xss).

XSS
NVD GitHub
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-30913 PHP MEDIUM PATCH This Month

Flarum's nicknames extension allows authenticated users to inject email-like hyperlinks into their nicknames, which are rendered verbatim in plain-text notification emails sent to other users. An attacker can exploit this to craft malicious nicknames that email clients interpret as clickable links, potentially redirecting recipients to attacker-controlled domains for phishing or credential harvesting. No patch is currently available for this vulnerability.

XSS
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-30862 CRITICAL Act Now

Appsmith platform prior to version 1.96 has a critical stored XSS enabling account takeover through crafted admin panel content.

XSS Appsmith
NVD GitHub VulDB
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-0489 MEDIUM This Month

DOM-based XSS in SAP Business One Job Service allows unauthenticated attackers to inject malicious code through unvalidated URL query parameters, compromising user sessions when victims interact with crafted links. Successful exploitation could leak sensitive data or modify application content, though availability is not affected. No patch is currently available.

SAP XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-36173 MEDIUM This Month

Affected Product(s)Version(s)InfoSphere Data Architect9.2.1 [CVSS 6.1 MEDIUM]

XSS Infosphere Data Architect
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-70038 HIGH This Week

An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in linagora Twake v2023.Q1.1223. This allows attackers to execute arbitrary code. [CVSS 8.8 HIGH]

RCE XSS Twake
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-70033 MEDIUM This Month

An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4. [CVSS 5.4 MEDIUM]

XSS Sunbirded Portal
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-70060 MEDIUM This Month

An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in YMFE yapi v1.12.0. [CVSS 5.4 MEDIUM]

XSS Yapi
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-3819 LOW POC Monitor

A vulnerability has been found in SourceCodester Resort Reservation System 1.0. The affected element is an unknown function of the file /?page=manage_reservation of the component Reservation Management Module. [CVSS 3.5 LOW]

XSS Resort Reservation System
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-40638 MEDIUM This Month

A reflected Cross-Site Scripting (XSS) vulnerability has been found in Eventobot. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL using the 'name' parameter in '/search-results'. [CVSS 6.1 MEDIUM]

XSS Eventobot
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-3812 LOW POC Monitor

Stored cross-site scripting in itsourcecode Payroll Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the ID parameter in /manage_employee_allowances.php. Public exploit code exists for this vulnerability, though no patch is currently available. Successful exploitation could enable credential theft or unauthorized actions within the payroll system.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3766 LOW POC Monitor

Web-Based Pharmacy Product Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 3.5).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3763 LOW POC Monitor

Simple Flight Ticket Booking System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3743 LOW POC Monitor

A flaw has been found in YiFang CMS 2.0.5. This affects the function update of the file app/db/admin/D_singlePageGroup.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3742 LOW POC Monitor

A vulnerability was detected in YiFang CMS 2.0.5. The impacted element is the function update of the file app/db/admin/D_singlePage.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3741 LOW POC Monitor

A security vulnerability has been detected in YiFang CMS 2.0.5. The affected element is the function update of the file app/db/admin/D_friendLink.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3721 LOW Monitor

A weakness has been identified in 1024-lab/lab1024 SmartAdmin versions up to 3.29. is affected by cross-site scripting (xss) (CVSS 3.5).

Java XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3720 LOW Monitor

A security flaw has been discovered in 1024-lab/lab1024 SmartAdmin up to 3.29. Impacted is an unknown function of the file smart-admin-web-javascript/src/views/business/oa/notice/components/notice-form-drawer.vue of the component Notice Module. The manipulation results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for a...

XSS Smartadmin
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3716 LOW POC Monitor

A vulnerability was determined in Wavlink WL-WN579X3-C 231124. This vulnerability affects the function sub_401AD4 of the file /cgi-bin/adm.cgi. [CVSS 2.4 LOW]

XSS Wl Wn579x3 C Firmware
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-3702 LOW POC Monitor

Reflected cross-site scripting (XSS) in SourceCodester Loan Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the page parameter in /index.php. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The vulnerability enables attackers to perform actions on behalf of victims or steal sensitive information, though no patch is currently available.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-30838 PHP MEDIUM PATCH This Month

The DisallowedRawHtml extension in PHP Commonmark (league/commonmark) versions prior to 2.8.1 can be bypassed by injecting whitespace characters between HTML tag names and closing brackets, allowing malicious scripts to pass sanitization filters and execute in user browsers. Applications relying solely on this extension to sanitize untrusted markdown input are vulnerable to cross-site scripting attacks, though those using additional HTML sanitizers are unaffected. No patch is currently available for affected versions.

PHP XSS Commonmark
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-29192 Go HIGH PATCH This Week

Account takeover in Zitadel versions 4.0.0 through 4.11.1 is possible through improper redirect URI validation in the login V2 interface, allowing attackers with high privileges to compromise user accounts. This cross-site scripting vulnerability affects organizations using the vulnerable Zitadel identity management platform and has been resolved in version 4.12.0.

XSS Zitadel Suse
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-29191 Go CRITICAL PATCH Act Now

Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject persistent scripts through the login flow. Patch available.

XSS Zitadel Suse
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-2433 MEDIUM This Month

DOM-based XSS in the RSS Aggregator plugin for WordPress (versions up to 5.0.11) allows unauthenticated attackers to execute arbitrary JavaScript in an administrator's browser session by exploiting missing origin validation in postMessage handlers. An attacker can craft a malicious website that tricks an admin into visiting it, sending crafted payloads that bypass the plugin's unsafe URL handling in admin-shell.js. This affects all WordPress installations running the vulnerable plugin versions without authentication requirements.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-2420 MEDIUM This Month

Stored XSS in LotekMedia Popup Form plugin for WordPress through version 1.0.6 allows administrators to inject malicious scripts into popup settings due to improper input sanitization. When site visitors view pages containing the affected popup, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. A patch is not currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1825 MEDIUM This Month

Stored XSS in the Show YouTube video WordPress plugin through improper sanitization of the 'syv' shortcode attributes allows authenticated users with contributor-level permissions to inject malicious scripts into pages. When other users view affected pages, the injected scripts execute in their browsers, potentially compromising sessions or stealing sensitive data. No patch is currently available for versions up to 1.1.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1824 MEDIUM This Month

Infomaniak Connect for OpenID (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1823 MEDIUM This Month

Stored XSS in the WordPress Consensus Embed plugin through version 1.6 allows authenticated contributors and above to inject malicious scripts into pages via insufficiently sanitized shortcode attributes. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1820 MEDIUM This Month

Media Library Alt Text Editor (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1805 MEDIUM This Month

The DA Media GigList WordPress plugin up to version 1.9.0 contains stored cross-site scripting (XSS) in its shortcode functionality due to improper input validation, allowing authenticated contributors and above to inject malicious scripts that execute for all users viewing affected pages. This vulnerability requires valid WordPress account credentials but no user interaction to exploit, enabling persistent code injection across the site.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1574 MEDIUM This Month

The MyQtip WordPress plugin through version 2.0.5 contains a stored cross-site scripting vulnerability in its shortcode handler that fails to properly sanitize user-supplied attributes. Authenticated users with contributor-level permissions or higher can inject malicious scripts that execute in the browsers of visitors viewing affected pages. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1569 MEDIUM This Month

Stored cross-site scripting in the WordPress Wueen plugin through version 0.2.0 allows authenticated users with contributor-level permissions to inject malicious scripts via the wueen-blocket shortcode due to inadequate input validation. Injected scripts execute in the browsers of any user viewing affected pages, potentially enabling session hijacking, credential theft, or defacement. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1074 HIGH This Week

Unauthenticated attackers can inject malicious scripts into WordPress sites running the WP App Bar plugin (versions up to 1.5) through the 'app-bar-features' parameter due to missing input validation and authorization checks. When site administrators access the plugin's settings page, the stored payload executes in their browser, enabling credential theft or unauthorized actions. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-1071 MEDIUM This Month

Stored XSS in the Carta Online WordPress plugin through version 2.13.0 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users accessing affected pages. The vulnerability requires administrator privileges and only impacts WordPress multisite installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-30841 MEDIUM POC PATCH This Month

Reflected cross-site scripting (XSS) in Wallos password reset functionality before version 4.6.2 allows unauthenticated attackers to inject malicious scripts by manipulating token and email parameters that are output without sanitization. Public exploit code exists for this vulnerability, affecting self-hosted instances of Wallos. A patch is available in version 4.6.2 and later.

PHP XSS Wallos
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-30830 npm MEDIUM POC PATCH This Month

Defuddle versions prior to 0.9.0 fail to properly escape image attributes in HTML processing, allowing attackers to inject malicious event handlers through specially crafted alt text containing quote characters. Public exploit code exists for this cross-site scripting vulnerability. The vulnerability affects all users of Defuddle before version 0.9.0, and a patch is available.

XSS Defuddle
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-2722 MEDIUM This Month

Stored XSS in WordPress Stock Ticker plugin through version 3.26.1 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users viewing affected pages. The vulnerability requires administrator privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-2721 MEDIUM This Month

Stored XSS in MailArchiver plugin for WordPress versions up to 4.4.0 allows authenticated administrators to inject malicious scripts through insufficiently sanitized admin settings, affecting multi-site installations and those with disabled unfiltered_html. Attackers with admin privileges can execute arbitrary JavaScript that persists and triggers when other users access affected pages. No patch is currently available.

WordPress XSS
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-2431 MEDIUM This Month

Reflected XSS in CM Custom Reports plugin for WordPress (versions up to 1.2.7) allows unauthenticated attackers to inject malicious scripts through inadequately sanitized 'date_from' and 'date_to' parameters. An attacker can exploit this by tricking users into clicking malicious links, causing arbitrary scripts to execute in their browsers with access to sensitive data or session information. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1902 MEDIUM This Month

Stored XSS in the Hammas Calendar WordPress plugin through version 1.5.11 allows authenticated contributors and above to inject malicious scripts via the 'apix' parameter in the 'hp-calendar-manage-redirect' shortcode due to inadequate input sanitization. When users access pages containing the injected payload, the scripts execute in their browsers, potentially leading to session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS HP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-25073 MEDIUM This Month

Stored cross-site scripting in Zikestor SKS8310-8X firmware versions 1.04.B07 and earlier allows authenticated users to inject malicious scripts via the System Name field, which execute when other administrators view the configuration. The lack of proper output encoding enables attackers with login credentials to compromise the security of administrative sessions viewing the affected switch settings.

XSS Zikestor Sks8310 8x Firmware
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-30238 MEDIUM POC This Month

Reflected cross-site scripting in GroupOffice versions before 6.8.155, 25.0.88, and 26.0.10 allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the Base64-encoded f parameter. The vulnerability exists in the external/index flow where user input is decoded and inserted into inline JavaScript without proper sanitization. Public exploit code exists for this vulnerability.

XSS Group Office
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-30237 MEDIUM POC This Month

Reflected cross-site scripting in GroupOffice installer versions prior to 6.8.155, 25.0.88, and 26.0.10 allows unauthenticated attackers to inject arbitrary scripts through the license parameter in install/license.php. Public exploit code exists for this vulnerability, enabling attackers to execute malicious JavaScript in users' browsers with moderate impact to confidentiality and integrity. The vulnerability requires user interaction and affects the web-accessible installation endpoint.

PHP XSS Group Office
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-27142 Go MEDIUM PATCH This Month

HTML meta tags with http-equiv="refresh" attributes fail to properly escape URLs inserted through certain actions, enabling cross-site scripting (XSS) attacks against applications using this functionality. An unauthenticated attacker can exploit this to execute arbitrary JavaScript in users' browsers by crafting malicious URLs. No patch is currently available, though a GODEBUG setting (htmlmetacontenturlescape=0) can be configured as a temporary mitigation.

XSS Go
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-29082 HIGH POC This Week

Kestra versions 1.1.10 and earlier allow authenticated users to perform cross-site scripting (XSS) attacks through the execution-file preview feature, which renders unsanitized Markdown as HTML. An attacker with login credentials can inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking or credential theft. Public exploit code exists and no patch is currently available.

XSS Kestra
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2024-35644 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Pascal Birchler Preferred Languages allows DOM-Based XSS.This issue affects Preferred Languages: from n/a through 2.2.2. [CVSS 5.9 MEDIUM]

XSS
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-2830 MEDIUM This Month

Reflected cross-site scripting in WP All Import plugin versions up to 4.0.0 allows unauthenticated attackers to inject malicious scripts through the 'filepath' parameter due to improper input validation and output encoding. Successful exploitation requires tricking users into clicking a specially crafted link, after which arbitrary JavaScript executes in their browser session. A patch is not currently available.

WordPress XSS Code Injection Google RCE
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-29183 Go CRITICAL POC PATCH Act Now

Reflected XSS in SiYuan knowledge management before 3.5.9.

XSS Siyuan Suse
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-29048 MEDIUM PATCH This Month

Cross-site scripting in HumHub 1.18.0's Button component allows unauthenticated attackers to inject and execute malicious scripts in users' browsers through inconsistent output encoding. Affected users could have their sessions compromised or be redirected to malicious content without any user interaction beyond visiting a crafted page. A patch is available in version 1.18.1.

XSS Humhub
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-29038 PyPI MEDIUM POC PATCH This Month

Reflected XSS in changedetection.io versions prior to 0.54.4 allows unauthenticated remote attackers to inject malicious JavaScript through the /rss/tag/ endpoint via an unescaped tag_uuid parameter, enabling session hijacking or credential theft when victims visit crafted links. The vulnerability requires user interaction to trigger and affects the Flask-based application with public exploit code available. Users should upgrade to version 0.54.4 or later immediately.

Flask XSS Changedetection
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-28787 npm HIGH POC This Week

OneUptime versions 10.0.11 and earlier contain an improper WebAuthn implementation where server-side challenge validation is missing, allowing attackers with a captured assertion to replay valid authentication tokens indefinitely and bypass multi-factor authentication. The vulnerability affects authenticated users and requires only low privileges to exploit, with public exploit code already available. No patches are currently available for this high-severity flaw.

Authentication Bypass XSS Oneuptime
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-28683 Go HIGH PATCH This Week

Stored XSS in Gokapi through malicious SVG file uploads enables authenticated attackers to execute arbitrary JavaScript in users' browsers via hotlinked files. An attacker with valid credentials can craft SVG payloads that persist in the application and compromise other users accessing the shared links. No patch is currently available for versions prior to 2.2.3.

XSS Gokapi Suse
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-28509 MEDIUM This Month

LangBot is a global IM bot platform designed for LLMs. versions up to 4.8.7 is affected by cross-site scripting (xss) (CVSS 6.3).

XSS AI / ML Langbot
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-27605 MEDIUM POC This Month

Chartbrew versions prior to 4.8.4 allow authenticated users to upload arbitrary files by bypassing file type validation, enabling stored XSS attacks through malicious HTML files served from the uploads directory. An attacker can exploit this to steal authentication tokens stored in localStorage and achieve account takeover. Public exploit code exists for this vulnerability, and no patch is currently available.

XSS Chartbrew
NVD GitHub
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-59543 CRITICAL Act Now

Second stored XSS in Chamilo LMS before 1.11.34.

XSS Chamilo Lms
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2025-59542 CRITICAL Act Now

Stored XSS in Chamilo LMS before 1.11.34.

XSS Chamilo Lms
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2025-59540 MEDIUM This Month

Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. [CVSS 5.4 MEDIUM]

XSS Chamilo Lms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-55289 HIGH This Week

Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS (Verison 1.11.32) allows an attacker to inject arbitrary JavaScript into the platform’s social network and internal messaging features. [CVSS 8.8 HIGH]

XSS Chamilo Lms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in Dear Flipbook WordPress plugin through version 2.4.20 allows authenticated users with Author privileges or higher to inject malicious scripts via PDF page labels due to inadequate input sanitization. These injected scripts execute in the browsers of any user viewing the affected pages. No patch is currently available for this vulnerability.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Umbraco is an ASP.NET CMS. From 16.2.0 to versions up to 16.5.1 is affected by cross-site scripting (xss) (CVSS 6.7).

XSS Umbraco Cms
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored XSS vulnerabilities in Sylius allow authenticated attackers with high privileges to inject malicious scripts through unsanitized entity names (taxons, products) that are rendered as raw HTML in breadcrumbs and admin interfaces. An attacker could craft malicious product or category names to execute arbitrary JavaScript in the browsers of shop visitors and administrators, potentially leading to session hijacking or credential theft. No patch is currently available for this medium-severity vulnerability.

XSS Sylius
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored XSS in Sylius checkout login form allows unauthenticated attackers to inject malicious scripts through authentication error messages that are unsafely rendered via innerHTML. An attacker can craft a failed login attempt containing JavaScript payload that executes in the browser of any user viewing the checkout page, potentially stealing session tokens or credentials. The vulnerability affects Sylius versions prior to 2.0.16, 2.1.12, and 2.2.3, with no current patch available for older releases.

XSS Sylius
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

SiYuan's SVG sanitizer fails to properly filter malicious href attributes when whitespace characters are inserted into javascript: URLs, allowing reflected cross-site scripting on the unauthenticated /api/icon/getDynamicIcon endpoint. Public exploit code exists for this vulnerability, which bypasses the previous fix for CVE-2026-29183. Attackers can inject executable JavaScript to target unauthenticated users of SiYuan versions prior to 3.5.10.

XSS Siyuan Suse
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Reflected XSS in SiYuan's /api/icon/getDynamicIcon endpoint allows unauthenticated attackers to inject malicious JavaScript through SVG animation elements that bypass the sanitizer's static filters. The vulnerability exists because the SVG sanitizer blocks script tags and event handlers but fails to restrict <animate> and <set> elements, which can dynamically modify attributes at runtime to execute code. Public exploit code exists and patches are not yet available for affected versions prior to 3.5.10.

XSS Siyuan Suse
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Parse Server versions prior to 9.5.2-alpha.4 and 8.6.17 allow authenticated users to upload SVG files containing malicious JavaScript that executes in the server's origin context due to missing content security headers, enabling attackers to steal session tokens and compromise user accounts. All deployments with file upload enabled for authenticated users are vulnerable by default, as the file extension filter blocks HTML but not SVG files. A patch is available in the specified versions.

Node.js XSS Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Aspera Orchestrator versions up to 4.1.2 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 5.4).

IBM XSS Aspera Orchestrator
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

DOM-based XSS in GitHub Enterprise Server prior to version 3.20 allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by injecting malicious HTML through task list content in issues and pull requests. The vulnerability stems from improper input neutralization in the task list rendering logic, which fails to re-encode user-supplied content before display. An attacker with repository access could exploit this to steal session tokens or perform actions on behalf of other users.

Github XSS Enterprise Server
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce Order details allows authenticated users to inject malicious scripts through Shipping Method Name, Order Reference, or Site Name fields that execute when administrators view order information. Public exploit code exists for this vulnerability affecting versions before 4.10.2 and 5.5.3. Patches are available to remediate the issue.

XSS Craft Commerce
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored XSS in Craft Commerce versions before 5.5.3 allows authenticated users with product editing permissions to inject malicious JavaScript through the Inventory Locations Name field, which executes when administrators view affected product variants. An attacker with these privileges can steal session tokens, modify product data, or perform other administrative actions within the application. A patch is available in version 5.5.3.

XSS Craft Commerce
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Craft Commerce versions before 5.5.3 contain stored cross-site scripting (XSS) vulnerabilities in the inventory management interface where product and variant fields lack proper HTML escaping. An attacker can inject malicious JavaScript through these fields that executes in the browsers of any user viewing the inventory page, including administrators, with public exploit code currently available. The vulnerability requires authenticated access and user interaction to exploit but can compromise sensitive administrative functions.

XSS Craft Commerce
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Stored cross-site scripting in Craft Commerce versions before 4.10.2 and 5.5.3 allows authenticated users with high privileges to inject malicious scripts through unescaped Order Status Name fields. Public exploit code exists for this vulnerability, which can be leveraged to execute arbitrary JavaScript in the browser context of other administrators. The vulnerability is restricted by high privilege requirements and user interaction, but affects the integrity and confidentiality of the Commerce Orders management interface.

XSS Craft Commerce
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. [CVSS 6.1 MEDIUM]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Aspera Faspex versions up to 5.0.14.3 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 5.4).

IBM XSS Aspera Faspex
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.4 MEDIUM]

IBM XSS Aspera Faspex
NVD VulDB
EPSS 0% CVSS 4.6
MEDIUM This Month

Cross-site Scripting (XSS) allows an attacker to submit specially crafted data to the application which is returned unaltered in the resulting web page.

XSS Symantec Siteminder
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in NextScripts Social Networks Auto-Poster plugin for WordPress (versions up to 4.4.6) allows authenticated Contributor-level users to inject malicious scripts through the `[nxs_fbembed]` shortcode due to insufficient input sanitization. Attackers can embed arbitrary JavaScript that executes when other users access the affected pages. A patch is not currently available.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 2.0
LOW Monitor

RenderBlocking is a MediaWiki extension that allows interface administrators to specify render-blocking CSS and JavaScript. versions up to 0.1.1 is affected by cross-site scripting (xss).

XSS
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Copyparty versions before 1.20.11 fail to apply the nohtml security restriction to SVG files, allowing authenticated users with write permissions to upload SVG images containing malicious JavaScript that executes when opened by other users. This cross-site scripting vulnerability bypasses the intended protection against JavaScript execution in user-uploaded content. The vulnerability has been patched in version 1.20.11.

XSS Copyparty
NVD GitHub VulDB
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Stored cross-site scripting in FileBrowser versions prior to 1.3.1-beta and 1.2.2-stable allows authenticated attackers to inject malicious scripts through share metadata fields that are improperly rendered without HTML escaping. When victims visit affected share URLs, the injected scripts execute in their browsers with full privileges, potentially leading to session hijacking, credential theft, or further compromise. A patch is available in the fixed versions, though exploitation currently shows 0% adoption likelihood.

XSS Filebrowser Suse
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Unlimited Elements for Elementor (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress XSS
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Information disclosure in Microsoft 365 Apps Excel allows unauthenticated remote attackers to extract sensitive data through stored cross-site scripting attacks in generated web content. The vulnerability requires no user interaction and affects all Excel users who process untrusted documents. No patch is currently available, leaving users dependent on mitigation strategies until Microsoft releases a fix.

Microsoft XSS 365 Apps
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Microsoft SharePoint Server contains a reflected cross-site scripting vulnerability that allows remote attackers to execute arbitrary scripts in users' browsers through malicious links, enabling spoofing attacks and credential theft. The vulnerability requires user interaction to trigger and affects all SharePoint deployments with no available patch. With a CVSS score of 8.1, this poses a significant risk to organizations relying on SharePoint for collaboration.

Microsoft XSS Sharepoint Server
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

FortiSIEM 7.3.0-7.3.4 and 7.4.0 are vulnerable to reflected cross-site scripting that allows unauthenticated remote attackers to inject malicious scripts through URL parameters, enabling social engineering attacks against users who click malicious links. The vulnerability requires user interaction to trigger but has no authentication requirements, making it practical for phishing campaigns that redirect victims to spoofed pages.

Fortinet XSS Fortisiem
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored XSS in MetForm Pro's Quiz feature allows unauthenticated attackers to inject malicious scripts through insufficient input sanitization in WordPress versions up to 3.9.6. When users access affected pages, the injected scripts execute in their browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in benkeen generatedata 4.0.14. [CVSS 6.1 MEDIUM]

XSS Generatedata
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated privileged attacker to execute code via crafted requests. [CVSS 4.8 MEDIUM]

Fortinet XSS Fortisandbox
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL Emergency

Siemens devices have a stored XSS in trace file handling (CVSS 9.6) enabling code execution when administrators view diagnostic data.

XSS
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause condition where authenticated attackers can have a victim’s browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload.

XSS Modicon M258 Firmware Modicon Lmc058 Firmware +2
NVD VulDB
EPSS 0% CVSS 7.6
HIGH This Week

facileManager is a modular suite of web apps built with the sysadmin in mind. versions up to 6.0.4 is affected by cross-site scripting (xss) (CVSS 7.6).

XSS Facilemanager
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH This Week

FacileManager versions prior to 6.0.4 contain a reflected cross-site scripting vulnerability in the fmDNS module's log_search_query parameter that allows authenticated attackers to inject malicious JavaScript through crafted URLs. An attacker with login credentials can exploit this to execute arbitrary scripts in users' browsers, potentially compromising sensitive administrative data or session tokens. No patch is currently available for affected deployments.

XSS Facilemanager
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Bucket is a MediaWiki extension to store and retrieve structured data on articles. versions up to 2.1.1 is affected by cross-site scripting (xss).

XSS
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Flarum's nicknames extension allows authenticated users to inject email-like hyperlinks into their nicknames, which are rendered verbatim in plain-text notification emails sent to other users. An attacker can exploit this to craft malicious nicknames that email clients interpret as clickable links, potentially redirecting recipients to attacker-controlled domains for phishing or credential harvesting. No patch is currently available for this vulnerability.

XSS
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL Act Now

Appsmith platform prior to version 1.96 has a critical stored XSS enabling account takeover through crafted admin panel content.

XSS Appsmith
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

DOM-based XSS in SAP Business One Job Service allows unauthenticated attackers to inject malicious code through unvalidated URL query parameters, compromising user sessions when victims interact with crafted links. Successful exploitation could leak sensitive data or modify application content, though availability is not affected. No patch is currently available.

SAP XSS
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Affected Product(s)Version(s)InfoSphere Data Architect9.2.1 [CVSS 6.1 MEDIUM]

XSS Infosphere Data Architect
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in linagora Twake v2023.Q1.1223. This allows attackers to execute arbitrary code. [CVSS 8.8 HIGH]

RCE XSS Twake
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4. [CVSS 5.4 MEDIUM]

XSS Sunbirded Portal
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in YMFE yapi v1.12.0. [CVSS 5.4 MEDIUM]

XSS Yapi
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability has been found in SourceCodester Resort Reservation System 1.0. The affected element is an unknown function of the file /?page=manage_reservation of the component Reservation Management Module. [CVSS 3.5 LOW]

XSS Resort Reservation System
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

A reflected Cross-Site Scripting (XSS) vulnerability has been found in Eventobot. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL using the 'name' parameter in '/search-results'. [CVSS 6.1 MEDIUM]

XSS Eventobot
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Stored cross-site scripting in itsourcecode Payroll Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the ID parameter in /manage_employee_allowances.php. Public exploit code exists for this vulnerability, though no patch is currently available. Successful exploitation could enable credential theft or unauthorized actions within the payroll system.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Web-Based Pharmacy Product Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 3.5).

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Simple Flight Ticket Booking System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A flaw has been found in YiFang CMS 2.0.5. This affects the function update of the file app/db/admin/D_singlePageGroup.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was detected in YiFang CMS 2.0.5. The impacted element is the function update of the file app/db/admin/D_singlePage.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A security vulnerability has been detected in YiFang CMS 2.0.5. The affected element is the function update of the file app/db/admin/D_friendLink.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

A weakness has been identified in 1024-lab/lab1024 SmartAdmin versions up to 3.29. is affected by cross-site scripting (xss) (CVSS 3.5).

Java XSS
NVD VulDB
EPSS 0% CVSS 2.0
LOW Monitor

A security flaw has been discovered in 1024-lab/lab1024 SmartAdmin up to 3.29. Impacted is an unknown function of the file smart-admin-web-javascript/src/views/business/oa/notice/components/notice-form-drawer.vue of the component Notice Module. The manipulation results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for a...

XSS Smartadmin
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

A vulnerability was determined in Wavlink WL-WN579X3-C 231124. This vulnerability affects the function sub_401AD4 of the file /cgi-bin/adm.cgi. [CVSS 2.4 LOW]

XSS Wl Wn579x3 C Firmware
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting (XSS) in SourceCodester Loan Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the page parameter in /index.php. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The vulnerability enables attackers to perform actions on behalf of victims or steal sensitive information, though no patch is currently available.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

The DisallowedRawHtml extension in PHP Commonmark (league/commonmark) versions prior to 2.8.1 can be bypassed by injecting whitespace characters between HTML tag names and closing brackets, allowing malicious scripts to pass sanitization filters and execute in user browsers. Applications relying solely on this extension to sanitize untrusted markdown input are vulnerable to cross-site scripting attacks, though those using additional HTML sanitizers are unaffected. No patch is currently available for affected versions.

PHP XSS Commonmark
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Account takeover in Zitadel versions 4.0.0 through 4.11.1 is possible through improper redirect URI validation in the login V2 interface, allowing attackers with high privileges to compromise user accounts. This cross-site scripting vulnerability affects organizations using the vulnerable Zitadel identity management platform and has been resolved in version 4.12.0.

XSS Zitadel Suse
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject persistent scripts through the login flow. Patch available.

XSS Zitadel Suse
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

DOM-based XSS in the RSS Aggregator plugin for WordPress (versions up to 5.0.11) allows unauthenticated attackers to execute arbitrary JavaScript in an administrator's browser session by exploiting missing origin validation in postMessage handlers. An attacker can craft a malicious website that tricks an admin into visiting it, sending crafted payloads that bypass the plugin's unsafe URL handling in admin-shell.js. This affects all WordPress installations running the vulnerable plugin versions without authentication requirements.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in LotekMedia Popup Form plugin for WordPress through version 1.0.6 allows administrators to inject malicious scripts into popup settings due to improper input sanitization. When site visitors view pages containing the affected popup, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. A patch is not currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Show YouTube video WordPress plugin through improper sanitization of the 'syv' shortcode attributes allows authenticated users with contributor-level permissions to inject malicious scripts into pages. When other users view affected pages, the injected scripts execute in their browsers, potentially compromising sessions or stealing sensitive data. No patch is currently available for versions up to 1.1.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Infomaniak Connect for OpenID (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the WordPress Consensus Embed plugin through version 1.6 allows authenticated contributors and above to inject malicious scripts into pages via insufficiently sanitized shortcode attributes. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Media Library Alt Text Editor (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The DA Media GigList WordPress plugin up to version 1.9.0 contains stored cross-site scripting (XSS) in its shortcode functionality due to improper input validation, allowing authenticated contributors and above to inject malicious scripts that execute for all users viewing affected pages. This vulnerability requires valid WordPress account credentials but no user interaction to exploit, enabling persistent code injection across the site.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The MyQtip WordPress plugin through version 2.0.5 contains a stored cross-site scripting vulnerability in its shortcode handler that fails to properly sanitize user-supplied attributes. Authenticated users with contributor-level permissions or higher can inject malicious scripts that execute in the browsers of visitors viewing affected pages. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the WordPress Wueen plugin through version 0.2.0 allows authenticated users with contributor-level permissions to inject malicious scripts via the wueen-blocket shortcode due to inadequate input validation. Injected scripts execute in the browsers of any user viewing affected pages, potentially enabling session hijacking, credential theft, or defacement. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Unauthenticated attackers can inject malicious scripts into WordPress sites running the WP App Bar plugin (versions up to 1.5) through the 'app-bar-features' parameter due to missing input validation and authorization checks. When site administrators access the plugin's settings page, the stored payload executes in their browser, enabling credential theft or unauthorized actions. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in the Carta Online WordPress plugin through version 2.13.0 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users accessing affected pages. The vulnerability requires administrator privileges and only impacts WordPress multisite installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Reflected cross-site scripting (XSS) in Wallos password reset functionality before version 4.6.2 allows unauthenticated attackers to inject malicious scripts by manipulating token and email parameters that are output without sanitization. Public exploit code exists for this vulnerability, affecting self-hosted instances of Wallos. A patch is available in version 4.6.2 and later.

PHP XSS Wallos
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Defuddle versions prior to 0.9.0 fail to properly escape image attributes in HTML processing, allowing attackers to inject malicious event handlers through specially crafted alt text containing quote characters. Public exploit code exists for this cross-site scripting vulnerability. The vulnerability affects all users of Defuddle before version 0.9.0, and a patch is available.

XSS Defuddle
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in WordPress Stock Ticker plugin through version 3.26.1 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users viewing affected pages. The vulnerability requires administrator privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in MailArchiver plugin for WordPress versions up to 4.4.0 allows authenticated administrators to inject malicious scripts through insufficiently sanitized admin settings, affecting multi-site installations and those with disabled unfiltered_html. Attackers with admin privileges can execute arbitrary JavaScript that persists and triggers when other users access affected pages. No patch is currently available.

WordPress XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in CM Custom Reports plugin for WordPress (versions up to 1.2.7) allows unauthenticated attackers to inject malicious scripts through inadequately sanitized 'date_from' and 'date_to' parameters. An attacker can exploit this by tricking users into clicking malicious links, causing arbitrary scripts to execute in their browsers with access to sensitive data or session information. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Hammas Calendar WordPress plugin through version 1.5.11 allows authenticated contributors and above to inject malicious scripts via the 'apix' parameter in the 'hp-calendar-manage-redirect' shortcode due to inadequate input sanitization. When users access pages containing the injected payload, the scripts execute in their browsers, potentially leading to session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS HP
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in Zikestor SKS8310-8X firmware versions 1.04.B07 and earlier allows authenticated users to inject malicious scripts via the System Name field, which execute when other administrators view the configuration. The lack of proper output encoding enables attackers with login credentials to compromise the security of administrative sessions viewing the affected switch settings.

XSS Zikestor Sks8310 8x Firmware
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Reflected cross-site scripting in GroupOffice versions before 6.8.155, 25.0.88, and 26.0.10 allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the Base64-encoded f parameter. The vulnerability exists in the external/index flow where user input is decoded and inserted into inline JavaScript without proper sanitization. Public exploit code exists for this vulnerability.

XSS Group Office
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Reflected cross-site scripting in GroupOffice installer versions prior to 6.8.155, 25.0.88, and 26.0.10 allows unauthenticated attackers to inject arbitrary scripts through the license parameter in install/license.php. Public exploit code exists for this vulnerability, enabling attackers to execute malicious JavaScript in users' browsers with moderate impact to confidentiality and integrity. The vulnerability requires user interaction and affects the web-accessible installation endpoint.

PHP XSS Group Office
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

HTML meta tags with http-equiv="refresh" attributes fail to properly escape URLs inserted through certain actions, enabling cross-site scripting (XSS) attacks against applications using this functionality. An unauthenticated attacker can exploit this to execute arbitrary JavaScript in users' browsers by crafting malicious URLs. No patch is currently available, though a GODEBUG setting (htmlmetacontenturlescape=0) can be configured as a temporary mitigation.

XSS Go
NVD VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

Kestra versions 1.1.10 and earlier allow authenticated users to perform cross-site scripting (XSS) attacks through the execution-file preview feature, which renders unsanitized Markdown as HTML. An attacker with login credentials can inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking or credential theft. Public exploit code exists and no patch is currently available.

XSS Kestra
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Pascal Birchler Preferred Languages allows DOM-Based XSS.This issue affects Preferred Languages: from n/a through 2.2.2. [CVSS 5.9 MEDIUM]

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting in WP All Import plugin versions up to 4.0.0 allows unauthenticated attackers to inject malicious scripts through the 'filepath' parameter due to improper input validation and output encoding. Successful exploitation requires tricking users into clicking a specially crafted link, after which arbitrary JavaScript executes in their browser session. A patch is not currently available.

WordPress XSS Code Injection +2
NVD
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Reflected XSS in SiYuan knowledge management before 3.5.9.

XSS Siyuan Suse
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in HumHub 1.18.0's Button component allows unauthenticated attackers to inject and execute malicious scripts in users' browsers through inconsistent output encoding. Affected users could have their sessions compromised or be redirected to malicious content without any user interaction beyond visiting a crafted page. A patch is available in version 1.18.1.

XSS Humhub
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Reflected XSS in changedetection.io versions prior to 0.54.4 allows unauthenticated remote attackers to inject malicious JavaScript through the /rss/tag/ endpoint via an unescaped tag_uuid parameter, enabling session hijacking or credential theft when victims visit crafted links. The vulnerability requires user interaction to trigger and affects the Flask-based application with public exploit code available. Users should upgrade to version 0.54.4 or later immediately.

Flask XSS Changedetection
NVD GitHub
EPSS 0% CVSS 8.2
HIGH POC This Week

OneUptime versions 10.0.11 and earlier contain an improper WebAuthn implementation where server-side challenge validation is missing, allowing attackers with a captured assertion to replay valid authentication tokens indefinitely and bypass multi-factor authentication. The vulnerability affects authenticated users and requires only low privileges to exploit, with public exploit code already available. No patches are currently available for this high-severity flaw.

Authentication Bypass XSS Oneuptime
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored XSS in Gokapi through malicious SVG file uploads enables authenticated attackers to execute arbitrary JavaScript in users' browsers via hotlinked files. An attacker with valid credentials can craft SVG payloads that persist in the application and compromise other users accessing the shared links. No patch is currently available for versions prior to 2.2.3.

XSS Gokapi Suse
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

LangBot is a global IM bot platform designed for LLMs. versions up to 4.8.7 is affected by cross-site scripting (xss) (CVSS 6.3).

XSS AI / ML Langbot
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

Chartbrew versions prior to 4.8.4 allow authenticated users to upload arbitrary files by bypassing file type validation, enabling stored XSS attacks through malicious HTML files served from the uploads directory. An attacker can exploit this to steal authentication tokens stored in localStorage and achieve account takeover. Public exploit code exists for this vulnerability, and no patch is currently available.

XSS Chartbrew
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL Act Now

Second stored XSS in Chamilo LMS before 1.11.34.

XSS Chamilo Lms
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL Act Now

Stored XSS in Chamilo LMS before 1.11.34.

XSS Chamilo Lms
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. [CVSS 5.4 MEDIUM]

XSS Chamilo Lms
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS (Verison 1.11.32) allows an attacker to inject arbitrary JavaScript into the platform’s social network and internal messaging features. [CVSS 8.8 HIGH]

XSS Chamilo Lms
NVD GitHub
Prev Page 35 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy