Skip to main content

XSS

38830 CVEs technique

Monthly

CVE-2026-3610 LOW Monitor

Reflected cross-site scripting in HSC Cybersecurity Mailinspector through version 5.3.2-3 allows remote attackers to inject malicious scripts via the error_description parameter in the URL handler component. Public exploit code exists for this vulnerability, which could enable attackers to steal session cookies or perform actions on behalf of authenticated users. Users should upgrade to version 5.4.0 or apply the available hotfix immediately.

PHP XSS
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2593 MEDIUM This Month

Stored Cross-Site Scripting in the Greenshift page builder plugin for WordPress (versions up to 12.8.5) allows authenticated users with Contributor privileges or higher to inject malicious scripts through the `_gspb_post_css` post meta and `dynamicAttributes` block attributes due to inadequate input sanitization. When other users access affected pages, the injected scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-28436 LOW Monitor

Stored cross-site scripting in Frappe versions prior to 16.11.0 and 15.102.0 allows unauthenticated attackers to execute arbitrary JavaScript in users' browsers through malicious image URLs in avatar fields and website comments. The vulnerability affects any user viewing a page containing the compromised avatar, enabling session hijacking, credential theft, or malware distribution without user interaction.

XSS Frappe
NVD GitHub
CVSS 4.0
1.3
EPSS
0.0%
CVE-2026-28405 HIGH PATCH This Week

MarkUs prior to version 2.9.1 fails to sanitize user-submitted file contents in the HTML rendering endpoint, allowing authenticated users with UI interaction to inject malicious scripts that execute in other users' browsers. An attacker can exploit this reflected cross-site scripting vulnerability to steal session tokens, modify grades, or perform actions on behalf of affected students and instructors. The vulnerability has been patched in version 2.9.1.

XSS Markus
NVD GitHub
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-55208 CRITICAL Act Now

Stored XSS in Chamilo LMS before 1.11.34 via file uploads in Social Networks. Leads to account takeover.

XSS Chamilo Lms
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-28350 PyPI MEDIUM POC PATCH This Month

lxml_html_clean versions prior to 0.4.4 fail to sanitize <base> HTML tags, allowing attackers to inject malicious base tags and redirect relative links to attacker-controlled domains. Public exploit code exists for this vulnerability. The issue affects applications using the default Cleaner configuration and has been remediated in version 0.4.4.

XSS Lxml Html Clean Suse
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-28348 PyPI MEDIUM POC PATCH This Month

lxml_html_clean versions before 0.4.4 fail to properly sanitize CSS Unicode escape sequences in the _has_sneaky_javascript() method, allowing attackers to bypass filters and inject malicious @import statements or XSS payloads. Public exploit code exists for this vulnerability, which affects applications using the library for HTML sanitization. A patch is available in version 0.4.4 and should be applied immediately to prevent CSS-based injection attacks.

XSS Lxml Html Clean Suse
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-28343 npm MEDIUM PATCH This Month

CKEditor 5 versions before 47.6.0 contain a stored XSS vulnerability in the General HTML Support feature that allows attackers to execute arbitrary JavaScript by injecting malicious markup into documents processed by vulnerable editor instances. This vulnerability affects users relying on unsafe General HTML Support configurations, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for affected deployments.

XSS RCE Ckeditor5
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-28223 PyPI MEDIUM PATCH This Month

Stored XSS in Wagtail's simple_translation module allows authenticated admin users to inject malicious JavaScript through specially-crafted page titles that executes when other admins perform translation actions, potentially compromising their credentials. The vulnerability affects Wagtail versions prior to 6.3.8, 7.0.6, 7.2.3, and 7.3.1, and requires admin-level access to exploit, limiting exposure to internal threats. Patches are available for all affected versions.

Django XSS Wagtail
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-28222 PyPI MEDIUM PATCH This Month

Stored XSS in Wagtail's TableBlock allows authenticated users with page editing permissions to inject malicious class attributes that execute arbitrary JavaScript when pages are viewed by other users. An attacker could exploit this to perform administrative actions or steal credentials from higher-privileged users viewing the compromised content. The vulnerability affects Wagtail versions prior to 6.3.8, 7.0.6, 7.2.3, and 7.3.1, with patches now available.

Django XSS Wagtail
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-26276 Go HIGH This Week

Gogs versions prior to 0.14.2 contain a DOM-based XSS vulnerability in the Issue creation page where attackers can inject malicious scripts through milestone names that execute when other users interact with those milestones. An authenticated attacker can craft a repository with a malicious milestone name containing JavaScript payloads that trigger in victim browsers, potentially compromising user sessions or sensitive data. No patch is currently available for affected versions.

XSS Gogs Suse
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-26195 Go MEDIUM PATCH This Month

Stored cross-site scripting in Gogs prior to version 0.14.2 allows unauthenticated attackers to inject malicious scripts through template rendering of user-controlled data, potentially affecting all users viewing compromised content. The vulnerability exploits unsafe handling of data URLs combined with permissive sanitization, enabling attackers to steal session cookies, deface pages, or perform actions on behalf of victims. A patch is available in version 0.14.2 and later.

XSS Gogs Suse
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-26022 Go HIGH POC PATCH This Week

Stored XSS in Gogs prior to version 0.14.2 allows authenticated users to execute arbitrary JavaScript in comments and issue descriptions by exploiting the HTML sanitizer's allowance of data: URI schemes. This affects all users viewing malicious content within the same Gogs instance and could enable session hijacking or credential theft. Public exploit code exists for this vulnerability, though a patch is available in version 0.14.2 and later.

XSS Gogs Suse
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-26377 MEDIUM POC This Month

Koha versions 25.11 and earlier contain a stored cross-site scripting vulnerability in the News function that allows authenticated users to inject malicious scripts affecting other users who view the compromised content. Public exploit code exists for this vulnerability, and attackers can leverage it to steal session data or perform actions on behalf of victims. A patch is not currently available for affected deployments.

XSS Koha
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-29052 MEDIUM This Month

HumHub Calendar module versions prior to 1.8.11 contain a stored XSS vulnerability in Event Types that allows attackers to inject malicious scripts viewed by users accessing events created by administrative accounts. An attacker with event creation privileges can execute arbitrary JavaScript in the browsers of users viewing affected events, potentially compromising session tokens or sensitive information. No patch is currently available for affected installations.

XSS Calendar
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-28137 HIGH This Week

QuanticaLabs MediCenter - Health Medical Clinic medicenter is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28130 HIGH This Week

Reflected cross-site scripting in AndonDesign UDesign versions up to 4.14.0 enables attackers to inject malicious scripts into web pages viewed by users, potentially allowing session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction to click a malicious link but can affect any organization using the affected UDesign versions. No patch is currently available to remediate this issue.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28127 HIGH This Week

The e-plugins Lawyer Directory plugin through version 1.3.2 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can exploit this to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. No patch is currently available for affected installations.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28126 HIGH This Week

Reflected cross-site scripting in sizam RH Frontend Publishing Pro through version 4.3.2 enables attackers to inject malicious scripts that execute in users' browsers when they click a crafted link. The vulnerability requires user interaction but can compromise session integrity and steal sensitive data across affected sites. No patch is currently available.

XSS
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28122 HIGH This Week

The ListingPro plugin for CridioStudio through version 2.9.8 contains a reflected cross-site scripting vulnerability that allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. Successful exploitation requires user interaction but can compromise confidentiality, integrity, and availability across security domains. No patch is currently available for affected installations.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28113 HIGH This Week

Reflected cross-site scripting (XSS) in Ultimate Learning Pro WordPress plugin versions 3.9.1 and earlier allows unauthenticated remote attackers to inject malicious scripts into web pages via crafted URLs. Successful exploitation requires tricking a victim user into clicking a malicious link (UI:R in CVSS vector). EPSS probability is low at 0.04% (10th percentile), and no active exploitation or public POC has been identified at time of analysis, making this a lower-priority remediation despite the 7.1 CVSS score.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28112 HIGH This Week

Reflected cross-site scripting in AllInOne Banner Rotator WordPress plugin allows remote attackers to execute arbitrary JavaScript in victim browsers when users click malicious links. Affects versions up to and including 3.8. EPSS score of 0.04% (10th percentile) indicates low probability of widespread exploitation. No active exploitation confirmed via CISA KEV, though vulnerability discovered and reported by Patchstack security audit team.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28110 HIGH This Week

Reflected cross-site scripting in the LambertGroup AllInOne Banner with Playlist WordPress plugin (versions ≤3.8) allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. With EPSS exploitation probability at 0.04% (10th percentile), this represents a low likelihood of automated or widespread exploitation despite the network attack vector. No active exploitation or public POC has been identified at time of analysis. Impact requires user interaction (clicking malicious link), limiting autonomous exploitation scenarios.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28109 HIGH This Week

Reflected cross-site scripting (XSS) in LambertGroup AllInOne Content Slider WordPress plugin through version 3.8 enables remote attackers to execute arbitrary JavaScript in victim browsers by tricking users into clicking malicious links. The vulnerability allows content injection with low-level impacts across confidentiality, integrity, and availability due to scope change (S:C in CVSS vector). Reported by Patchstack security researchers, EPSS exploitation probability is very low (0.04%, 10th percentile), indicating minimal observed real-world targeting despite no authentication requirement.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28108 HIGH This Week

Reflected cross-site scripting (XSS) in LambertGroup AllInOne Banner with Thumbnails WordPress plugin through version 3.8 allows unauthenticated remote attackers to inject malicious scripts via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but needs no authentication. Exploitation probability is low (EPSS 0.04%, 10th percentile), with no confirmed active exploitation or public POC at time of analysis. Changed scope (S:C) in CVSS vector indicates potential to impact resources beyond the vulnerable component.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28103 HIGH This Week

Reflected cross-site scripting in LBG Zoominoutslider WordPress plugin versions through 5.4.5 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. EPSS exploitation probability is very low (0.04%, 10th percentile), and no active exploitation is confirmed. A Patchstack database entry documents the vulnerability, but no vendor-released patch version is identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28102 HIGH This Week

Reflected cross-site scripting in UberSlider Classic WordPress plugin through version 2.5 allows remote attackers to execute malicious JavaScript in victim browsers via crafted URLs. Exploitation requires user interaction (clicking malicious link). EPSS score of 0.04% (10th percentile) indicates minimal observed exploitation activity. No CISA KEV listing confirms this is not being actively exploited in widespread campaigns, though the low attack complexity and network vector make exploitation straightforward once a victim is socially engineered.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28101 HIGH This Week

Reflected cross-site scripting in UberSlider MouseInteraction WordPress plugin versions ≤2.3 allows remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs requiring user interaction. Reported by Patchstack audit team. EPSS score of 0.04% (10th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public proof-of-concept identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28100 HIGH This Week

Reflected cross-site scripting in UberSlider PerpetuumMobile WordPress plugin versions ≤2.3 allows remote attackers to inject malicious scripts that execute in victim browsers when users click crafted links. The vulnerability requires user interaction but no authentication, with CVSS 7.1 (High) severity due to scope change enabling attacks across security boundaries. EPSS score of 0.04% (10th percentile) indicates low current exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis. Patchstack vulnerability database confirms the flaw affects default plugin configurations.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28099 HIGH This Week

Reflected cross-site scripting in UberSlider Ultra WordPress plugin (versions ≤2.3) enables remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but needs no authentication. EPSS exploitation probability is low (0.04%, 10th percentile), and no active exploitation or public proof-of-concept has been identified at time of analysis. The changed scope (S:C) in the CVSS vector indicates potential impact beyond the vulnerable component itself.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28075 HIGH This Week

Reflected cross-site scripting (XSS) in Porto WordPress theme versions through 7.6.2 allows remote attackers to inject malicious JavaScript into web pages viewed by victims. Exploitation requires user interaction (clicking a malicious link). EPSS probability is low (0.04%, 10th percentile), indicating minimal observed exploitation activity. No active exploitation confirmed by CISA KEV. Patchstack has documented this vulnerability, suggesting detection capabilities exist.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28072 HIGH This Week

Reflected cross-site scripting (XSS) in pixfort Core WordPress plugin versions up to 3.2.22 enables remote attackers to inject malicious scripts into web pages viewed by victims. The attack requires user interaction (clicking a malicious link) but no authentication, allowing attackers to steal session tokens, perform actions as the victim, or redirect users to phishing sites. EPSS score of 0.04% (10th percentile) indicates low probability of mass exploitation, and no active exploitation or public proof-of-concept has been identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28042 HIGH This Week

Reflected cross-site scripting (XSS) in Listify WordPress theme versions through 3.2.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs. The vulnerability exists due to improper input sanitization during web page generation, requiring user interaction to trigger. EPSS exploitation probability is very low (0.04%, 10th percentile), and no active exploitation or public exploit code has been identified. Moderate CVSS score reflects changed scope (S:C) allowing potential session token theft across origins.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28037 HIGH This Week

Reflected cross-site scripting in EventON WordPress plugin versions up to 4.9.12 enables remote attackers to execute arbitrary JavaScript in victim browsers via malicious links. The vulnerability requires victim interaction (CVSS UI:R) and changes execution scope (S:C), allowing session hijacking, credential theft, or malicious actions within the WordPress admin interface. With EPSS exploitation probability at 0.04% (10th percentile) and no CISA KEV listing, this represents a lower-priority XSS requiring social engineering rather than mass exploitation.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27385 HIGH This Week

designthemes DesignThemes Portfolio designthemes-portfolio is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27382 HIGH This Week

DOM-based cross-site scripting in RadiusTheme Metro versions 2.13 and earlier allows unauthenticated attackers to inject malicious scripts that execute in users' browsers with no interaction required beyond viewing a crafted page. Successful exploitation enables attackers to steal session tokens, perform unauthorized actions, or deface content for affected users. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27376 HIGH This Week

The Claue WordPress theme through version 2.2.7 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can exploit this by crafting a malicious URL to steal sensitive information, perform unauthorized actions, or compromise user sessions without requiring any special privileges or interaction with the application itself.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27375 HIGH This Week

JanStudio Gecko version 1.9.8 and earlier contain a reflected cross-site scripting (XSS) vulnerability that allows unauthenticated remote attackers to inject malicious scripts through improper input validation during web page generation. Successful exploitation requires user interaction and can lead to unauthorized access to sensitive information, data modification, or service disruption. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27367 HIGH This Week

Reflected cross-site scripting in ThemeGoods Musico through version 3.2.4 enables attackers to inject malicious scripts into web pages viewed by users, potentially compromising session data and user credentials. The vulnerability requires user interaction to trigger and affects all installations of the affected Musico versions, with no patch currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27363 HIGH This Week

kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27359 HIGH This Week

Reflected XSS in Awa Plugins through version 1.4.4 enables unauthenticated attackers to inject malicious scripts into web pages viewed by users, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction via a crafted link and has cross-site impact, affecting all installations of the affected plugin versions. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27358 HIGH This Week

Reflected cross-site scripting in ThemeGoods Architecturer versions up to 3.8.8 enables attackers to inject malicious scripts that execute in victims' browsers when they click a crafted link, potentially allowing session hijacking or credential theft. The vulnerability requires user interaction and affects all users of the vulnerable plugin versions. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27354 MEDIUM This Month

WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product is affected by cross-site scripting (xss) (CVSS 6.5).

WordPress XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27353 HIGH This Week

Reflected cross-site scripting in ThemeGoods Grand News version 3.4.3 and earlier enables attackers to inject malicious scripts into web pages viewed by users, potentially allowing credential theft or session hijacking. The vulnerability requires user interaction to trigger but can be exploited remotely without authentication. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27352 HIGH This Week

ThemeGoods Starto versions 2.1.9 and earlier are vulnerable to reflected cross-site scripting (XSS) that can be exploited remotely without authentication, allowing attackers to inject malicious scripts into web pages viewed by users. An attacker can trick users into clicking a malicious link to steal session cookies, redirect to phishing sites, or perform actions on behalf of the victim. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27348 HIGH This Week

DOM-based cross-site scripting in ThemeGoods Photography plugin version 7.6.1 and earlier enables attackers to inject malicious scripts that execute in users' browsers without authentication, potentially compromising sensitive data or session tokens. The vulnerability requires user interaction to trigger and has network-wide impact, affecting any website running the affected Photography plugin version.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27332 HIGH This Week

Skygroup Agrofood versions 1.3.0 and earlier are vulnerable to reflected cross-site scripting (XSS) attacks that allow unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. An attacker can exploit this vulnerability to steal session cookies, redirect users to malicious sites, or perform actions on behalf of victims. No patch is currently available.

XSS
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-22467 HIGH This Week

DeepDigital versions 1.0.2 and earlier are vulnerable to reflected cross-site scripting (XSS) attacks due to insufficient input validation during web page generation, allowing unauthenticated remote attackers to inject malicious scripts that execute in users' browsers. Exploitation requires user interaction (clicking a malicious link) but can affect the entire application context, enabling attackers to steal sensitive data or perform actions on behalf of victims. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-22465 HIGH This Week

SeventhQueen BuddyApp through version 1.9.2 is vulnerable to reflected cross-site scripting (XSS) due to improper input validation during web page generation, allowing attackers to inject malicious scripts that execute in users' browsers when they click malicious links. An unauthenticated attacker can exploit this to steal session cookies, perform actions on behalf of users, or redirect them to phishing sites. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-22455 HIGH This Week

Reflected XSS in Thebe up to version 1.3.0 enables attackers to inject malicious scripts into web pages viewed by users, potentially compromising session data and user interactions across different sites. The vulnerability requires user interaction through a crafted link but has no authentication requirement, making it accessible to unauthenticated attackers. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-22440 HIGH This Week

Reflected cross-site scripting in Thecs through version 1.4.7 enables attackers to inject malicious scripts that execute in users' browsers when they click specially crafted links, potentially compromising session data and user credentials. The vulnerability requires user interaction and affects all versions up to 1.4.7, with no patch currently available. An attacker can exploit this to steal sensitive information or perform actions on behalf of affected users.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-22438 HIGH This Week

Reflected cross-site scripting in TheBi through version 1.0.5 enables attackers to inject malicious scripts that execute in users' browsers when they click on specially crafted links. This vulnerability requires user interaction but can lead to session hijacking, credential theft, or malware distribution across trusted domains. No patch is currently available for affected installations.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69343 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress theatre allows Stored XSS.This issue affects Theater for WordPress: from n/a through <= 0.19. [CVSS 6.5 MEDIUM]

WordPress XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3034 MEDIUM This Month

OoohBoi Steroids for Elementor (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2365 HIGH This Week

Stored XSS in Fluent Forms Pro for WordPress through version 6.1.17 allows unauthenticated attackers to inject malicious scripts into draft form submissions due to missing authentication and insufficient input sanitization on the fluentform_step_form_save_data AJAX action. The injected scripts execute when site administrators access partial form entries, potentially compromising administrator accounts and site integrity. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-66024 Maven HIGH PATCH GHSA This Week

The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Versions prior to 9.15.7 are vulnerable to Stored Cross-Site Scripting (XSS) via the Blog Post Title. The vulnerability arises because the post title is injected directly into the HTML <title> tag without proper escaping. An attacker with permissions to create or edit blog posts can inject malicious J...

XSS Privilege Escalation Blog Application
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-20149 MEDIUM This Month

Cisco Webex is vulnerable to reflected cross-site scripting (XSS) attacks due to insufficient input validation, allowing unauthenticated attackers to inject malicious scripts by tricking users into clicking crafted links. Successful exploitation could enable attackers to steal session tokens, redirect users, or perform actions on behalf of targeted victims. Although Cisco has released a fix, no patch is currently available for this MEDIUM severity vulnerability.

Cisco XSS Webex
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-20102 MEDIUM This Month

Reflected XSS in Cisco Secure Firewall ASA and FTD SAML 2.0 authentication allows unauthenticated attackers to steal sensitive browser-based information by tricking users into clicking malicious links. The vulnerability stems from inadequate input validation of HTTP parameters in the SSO feature and requires user interaction to exploit. No patch is currently available.

Cisco XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-20070 MEDIUM This Month

Cross-site scripting (XSS) in the VPN web services component of Cisco Secure Firewall ASA and FTD allows unauthenticated remote attackers to inject malicious scripts that execute in a user's browser when visiting a crafted link. An attacker can exploit this through improper input validation to execute arbitrary HTML or JavaScript in the context of the VPN web server. No patch is currently available for this medium-severity vulnerability.

Cisco XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-20069 MEDIUM This Month

Cisco Secure Firewall ASA and FTD devices with VPN web services enabled are vulnerable to cross-site request forgery (CSRF) attacks due to insufficient HTTP request validation. An attacker can trick users into visiting a malicious website that sends crafted requests to the affected appliance, potentially allowing injection of malicious content reflected back to the victim's browser. No patch is currently available for this vulnerability.

Cisco XSS Request Smuggling
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2019-25502 MEDIUM POC This Month

Simple Job Script contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the job_type_value parameter in the jobs endpoint. [CVSS 6.1 MEDIUM]

XSS Simplejobscript
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-40895 MEDIUM This Month

A Stored HTML Injection vulnerability was discovered in the CMC's Sensor Map functionality due to improper validation on connected Guardians' properties. [CVSS 4.8 MEDIUM]

XSS Information Disclosure Open Redirect Cmc
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-40894 LOW Monitor

A Stored HTML Injection vulnerability was discovered in the Alerted Nodes Dashboard functionality due to improper validation on an input parameter. A malicious authenticated user with the required privileges could edit a node label to inject HTML tags. [CVSS 4.4 MEDIUM]

XSS Information Disclosure Open Redirect
NVD
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2355 MEDIUM This Month

Stored XSS in My Calendar WordPress plugin (versions up to 3.7.3) allows authenticated contributors to inject malicious scripts via the template shortcode attribute, which bypasses sanitization through improper use of stripcslashes() at render time. When users access pages containing the injected shortcode, the malicious scripts execute in their browsers. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1706 MEDIUM This Month

Reflected XSS in the All-in-One Video Gallery WordPress plugin through version 4.7.1 allows unauthenticated attackers to inject malicious scripts via the 'vi' parameter due to improper input validation. An attacker can craft a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1236 MEDIUM This Month

Envira Gallery for WordPress (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-28772 MEDIUM POC This Month

Reflected XSS in IDC SFX2100 Firmware's logging interface allows remote attackers to inject malicious scripts through the submitType parameter without authentication or user interaction. Public exploit code exists for this vulnerability, enabling attackers to execute arbitrary JavaScript in users' browsers and potentially steal sensitive data or perform unauthorized actions. No patch is currently available.

XSS Sfx2100 Firmware
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-28771 MEDIUM POC This Month

The SFX2100 web management interface fails to sanitize the `cat` parameter in /index.cgi, enabling reflected XSS attacks that allow remote attackers to execute arbitrary JavaScript in a victim's browser without authentication. Public exploit code exists for this vulnerability, and currently no patch is available. An attacker could exploit this to steal session cookies, perform unauthorized actions, or redirect users to malicious content.

XSS Sfx2100 Firmware
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-28770 HIGH POC This Week

XML injection in the IDC SFX2100 satellite receiver web interface allows authenticated attackers to inject arbitrary XML elements and execute reflected cross-site scripting attacks through unsanitized input in the checkifdone.cgi script. Public exploit code exists for this vulnerability, and potential for more severe attacks such as XXE exploitation has not been ruled out. No patch is currently available for affected firmware versions.

XSS XXE Sfx2100 Firmware
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3242 PHP MEDIUM POC PATCH This Month

Stored XSS in Concrete CMS versions before 9.4.8 allows authenticated administrators to inject malicious scripts through the Switch Language block, affecting any site where a rogue admin account exists. Public exploit code is available for this vulnerability. A patch is available in version 9.4.8 and later.

XSS Concrete Cms
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-3241 PHP MEDIUM POC PATCH This Month

Stored XSS in Concrete CMS Legacy Form block below version 9.4.8 allows authenticated users with form creation permissions to inject malicious JavaScript into multiple-choice question options, which executes for all users viewing the affected form. Public exploit code exists for this vulnerability. Administrators should upgrade to version 9.4.8 or later to remediate the risk of session hijacking and data theft.

XSS Concrete Cms
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-3240 PHP MEDIUM POC PATCH This Month

Stored XSS in Concrete CMS versions before 9.4.8 allows authenticated users with page editing permissions to inject malicious scripts through the Legacy form Question field, targeting high-privilege accounts. Public exploit code exists for this vulnerability, which requires user interaction to execute. A patch is available in version 9.4.8 and later.

XSS Concrete Cms
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-3244 PHP MEDIUM POC PATCH This Month

Concrete CMS versions below 9.4.8 contain a stored XSS vulnerability in the search block where unencoded page names and content are rendered in search results, allowing authenticated administrators to inject malicious JavaScript that executes for other users. Public exploit code exists for this vulnerability, which requires high privileges and user interaction to exploit. The vulnerability affects confidentiality and integrity but not availability.

XSS Concrete Cms
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-2292 MEDIUM This Month

Stored XSS in the Morkva UA Shipping WordPress plugin through version 1.7.9 allows authenticated administrators to inject malicious scripts into plugin settings that execute for all site visitors, affecting multi-site installations and sites with unfiltered_html disabled. The vulnerability stems from inadequate input sanitization and output escaping in the admin interface. Exploitation requires high-privilege administrator access and no patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2289 MEDIUM This Month

Stored XSS in WordPress Taskbuilder plugin versions up to 5.0.3 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users, affecting multi-site installations or those with unfiltered_html disabled. The vulnerability stems from inadequate input sanitization and output escaping in the plugin's administrative interface. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1945 HIGH This Week

Stored XSS in WPBookit plugin through version 1.0.8 allows unauthenticated attackers to inject malicious scripts via user name and email fields due to improper input validation. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially compromising user sessions and data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-26272 MEDIUM PATCH This Month

Stored XSS in Homebox prior to 0.24.0-rc.1 allows authenticated users to upload malicious HTML or SVG files containing executable JavaScript that runs in the application's security context when accessed by other users. An attacker with valid credentials can exploit improper file type validation in the attachment upload feature to execute arbitrary scripts against victims viewing the malicious files. The vulnerability has been patched in version 0.24.0-rc.1.

XSS Homebox
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-26266 CRITICAL PATCH Act Now

Stored XSS in AliasVault password manager. Patch available.

XSS Aliasvault
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-25590 MEDIUM This Month

GLPI Inventory Plugin versions prior to 1.6.6 contain a reflected cross-site scripting vulnerability in task jobs that allows authenticated attackers with high privileges to execute malicious scripts in users' browsers. An attacker can exploit this by crafting a malicious link to inject arbitrary HTML or JavaScript when a user clicks it, potentially leading to session hijacking or credential theft. No patch is currently available for affected installations.

XSS Glpi Inventory
NVD GitHub
CVSS 3.1
4.5
EPSS
0.0%
CVE-2026-24415 PHP MEDIUM POC PATCH This Month

Reflected cross-site scripting in OpenSTAManager v2.9.8 and earlier allows unauthenticated attackers to inject malicious scripts through unsanitized GET parameters in invoice/order/contract modification interfaces. Public exploit code exists for this vulnerability, affecting all users of the software. An attacker can steal session tokens, perform unauthorized actions, or compromise user browsers when victims interact with crafted malicious links.

XSS Openstamanager
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-21866 MEDIUM POC PATCH This Month

Dify versions prior to 1.11.2 contain a stored cross-site scripting vulnerability in Mermaid diagram rendering due to insecure default security configurations, allowing authenticated attackers with user interaction to inject and execute malicious scripts with cross-site impact. Public exploit code exists for this vulnerability, affecting users and developers of the Dify LLM application development platform. A patch is available in version 1.11.2 and later.

XSS AI / ML Dify
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-0540 npm MEDIUM PATCH This Month

DOMPurify versions 2.5.3-2.5.8 and 3.1.3-3.3.1 fail to sanitize attribute values within certain rawtext HTML elements (noscript, xmp, noembed, noframes, iframe), allowing attackers to inject malicious scripts that execute when sanitized content is rendered in these contexts. An attacker can exploit this by embedding JavaScript payloads in HTML attributes, bypassing DOMPurify's sanitization to achieve cross-site scripting. A patch is available in commit 729097f.

XSS Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-15599 npm MEDIUM PATCH This Month

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. [CVSS 6.1 MEDIUM]

XSS Dompurify Red Hat
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2021-35483 MEDIUM This Month

Impact versions up to 19.11.2.10-20210118042150283 is affected by cross-site scripting (xss) (CVSS 4.1).

XSS Impact
NVD
CVSS 3.1
4.1
EPSS
0.0%
CVE-2026-3343 MEDIUM This Month

Fireware OS Web UI contains a reflected XSS vulnerability that allows attackers to execute arbitrary JavaScript in authenticated administrators' browsers through crafted links, affecting versions 12.7-12.11.7 and 2025.1-2026.1.1. An attacker can leverage this to perform administrative actions or steal session credentials from targeted management users who click malicious links. No patch is currently available.

XSS Fireware
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-2568 HIGH This Week

Stored cross-site scripting in WP Zendesk for Contact Form 7 and related WordPress plugins through version 1.1.5 allows unauthenticated attackers to inject malicious scripts into form submissions that execute in other users' browsers. The vulnerability stems from inadequate input sanitization and output escaping on submitted form data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-3455 npm LOW PATCH Monitor

Versions of the package mailparser versions up to 3.9.3 is affected by cross-site scripting (xss) (CVSS 6.1).

XSS Mailparser
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2583 MEDIUM This Month

Stored cross-site scripting in Blocksy WordPress theme versions up to 2.1.30 allows authenticated contributors and above to inject malicious scripts through insufficiently sanitized metadata fields. When users access pages containing injected payloads, the scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-28401 npm MEDIUM PATCH This Month

NocoDB versions before 0.301.3 allow authenticated attackers to inject malicious JavaScript through rich text cell content that is rendered without sanitization, enabling stored cross-site scripting attacks. An attacker with user access can craft malicious payloads that execute in the browsers of other users viewing affected cells, potentially compromising session data or performing unauthorized actions. No patch is currently available for affected deployments.

XSS Nocodb
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-28398 npm MEDIUM PATCH This Month

Stored cross-site scripting in NocoDB versions before 0.301.3 allows authenticated users to inject malicious scripts through comments and rich text cells that execute in other users' browsers due to unsanitized HTML rendering. An attacker with login credentials can exploit this to steal session tokens, perform unauthorized actions, or compromise other database users accessing the same NocoDB instance. No patch is currently available for affected deployments.

XSS Nocodb
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
EPSS 0% CVSS 2.1
LOW Monitor

Reflected cross-site scripting in HSC Cybersecurity Mailinspector through version 5.3.2-3 allows remote attackers to inject malicious scripts via the error_description parameter in the URL handler component. Public exploit code exists for this vulnerability, which could enable attackers to steal session cookies or perform actions on behalf of authenticated users. Users should upgrade to version 5.4.0 or apply the available hotfix immediately.

PHP XSS
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Greenshift page builder plugin for WordPress (versions up to 12.8.5) allows authenticated users with Contributor privileges or higher to inject malicious scripts through the `_gspb_post_css` post meta and `dynamicAttributes` block attributes due to inadequate input sanitization. When other users access affected pages, the injected scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 1.3
LOW Monitor

Stored cross-site scripting in Frappe versions prior to 16.11.0 and 15.102.0 allows unauthenticated attackers to execute arbitrary JavaScript in users' browsers through malicious image URLs in avatar fields and website comments. The vulnerability affects any user viewing a page containing the compromised avatar, enabling session hijacking, credential theft, or malware distribution without user interaction.

XSS Frappe
NVD GitHub
EPSS 0% CVSS 8.0
HIGH PATCH This Week

MarkUs prior to version 2.9.1 fails to sanitize user-submitted file contents in the HTML rendering endpoint, allowing authenticated users with UI interaction to inject malicious scripts that execute in other users' browsers. An attacker can exploit this reflected cross-site scripting vulnerability to steal session tokens, modify grades, or perform actions on behalf of affected students and instructors. The vulnerability has been patched in version 2.9.1.

XSS Markus
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL Act Now

Stored XSS in Chamilo LMS before 1.11.34 via file uploads in Social Networks. Leads to account takeover.

XSS Chamilo Lms
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

lxml_html_clean versions prior to 0.4.4 fail to sanitize <base> HTML tags, allowing attackers to inject malicious base tags and redirect relative links to attacker-controlled domains. Public exploit code exists for this vulnerability. The issue affects applications using the default Cleaner configuration and has been remediated in version 0.4.4.

XSS Lxml Html Clean Suse
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

lxml_html_clean versions before 0.4.4 fail to properly sanitize CSS Unicode escape sequences in the _has_sneaky_javascript() method, allowing attackers to bypass filters and inject malicious @import statements or XSS payloads. Public exploit code exists for this vulnerability, which affects applications using the library for HTML sanitization. A patch is available in version 0.4.4 and should be applied immediately to prevent CSS-based injection attacks.

XSS Lxml Html Clean Suse
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

CKEditor 5 versions before 47.6.0 contain a stored XSS vulnerability in the General HTML Support feature that allows attackers to execute arbitrary JavaScript by injecting malicious markup into documents processed by vulnerable editor instances. This vulnerability affects users relying on unsafe General HTML Support configurations, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for affected deployments.

XSS RCE Ckeditor5
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored XSS in Wagtail's simple_translation module allows authenticated admin users to inject malicious JavaScript through specially-crafted page titles that executes when other admins perform translation actions, potentially compromising their credentials. The vulnerability affects Wagtail versions prior to 6.3.8, 7.0.6, 7.2.3, and 7.3.1, and requires admin-level access to exploit, limiting exposure to internal threats. Patches are available for all affected versions.

Django XSS Wagtail
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored XSS in Wagtail's TableBlock allows authenticated users with page editing permissions to inject malicious class attributes that execute arbitrary JavaScript when pages are viewed by other users. An attacker could exploit this to perform administrative actions or steal credentials from higher-privileged users viewing the compromised content. The vulnerability affects Wagtail versions prior to 6.3.8, 7.0.6, 7.2.3, and 7.3.1, with patches now available.

Django XSS Wagtail
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Gogs versions prior to 0.14.2 contain a DOM-based XSS vulnerability in the Issue creation page where attackers can inject malicious scripts through milestone names that execute when other users interact with those milestones. An authenticated attacker can craft a repository with a malicious milestone name containing JavaScript payloads that trigger in victim browsers, potentially compromising user sessions or sensitive data. No patch is currently available for affected versions.

XSS Gogs Suse
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored cross-site scripting in Gogs prior to version 0.14.2 allows unauthenticated attackers to inject malicious scripts through template rendering of user-controlled data, potentially affecting all users viewing compromised content. The vulnerability exploits unsafe handling of data URLs combined with permissive sanitization, enabling attackers to steal session cookies, deface pages, or perform actions on behalf of victims. A patch is available in version 0.14.2 and later.

XSS Gogs Suse
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Stored XSS in Gogs prior to version 0.14.2 allows authenticated users to execute arbitrary JavaScript in comments and issue descriptions by exploiting the HTML sanitizer's allowance of data: URI schemes. This affects all users viewing malicious content within the same Gogs instance and could enable session hijacking or credential theft. Public exploit code exists for this vulnerability, though a patch is available in version 0.14.2 and later.

XSS Gogs Suse
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

Koha versions 25.11 and earlier contain a stored cross-site scripting vulnerability in the News function that allows authenticated users to inject malicious scripts affecting other users who view the compromised content. Public exploit code exists for this vulnerability, and attackers can leverage it to steal session data or perform actions on behalf of victims. A patch is not currently available for affected deployments.

XSS Koha
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

HumHub Calendar module versions prior to 1.8.11 contain a stored XSS vulnerability in Event Types that allows attackers to inject malicious scripts viewed by users accessing events created by administrative accounts. An attacker with event creation privileges can execute arbitrary JavaScript in the browsers of users viewing affected events, potentially compromising session tokens or sensitive information. No patch is currently available for affected installations.

XSS Calendar
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

QuanticaLabs MediCenter - Health Medical Clinic medicenter is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in AndonDesign UDesign versions up to 4.14.0 enables attackers to inject malicious scripts into web pages viewed by users, potentially allowing session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction to click a malicious link but can affect any organization using the affected UDesign versions. No patch is currently available to remediate this issue.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

The e-plugins Lawyer Directory plugin through version 1.3.2 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can exploit this to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. No patch is currently available for affected installations.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in sizam RH Frontend Publishing Pro through version 4.3.2 enables attackers to inject malicious scripts that execute in users' browsers when they click a crafted link. The vulnerability requires user interaction but can compromise session integrity and steal sensitive data across affected sites. No patch is currently available.

XSS
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

The ListingPro plugin for CridioStudio through version 2.9.8 contains a reflected cross-site scripting vulnerability that allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. Successful exploitation requires user interaction but can compromise confidentiality, integrity, and availability across security domains. No patch is currently available for affected installations.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting (XSS) in Ultimate Learning Pro WordPress plugin versions 3.9.1 and earlier allows unauthenticated remote attackers to inject malicious scripts into web pages via crafted URLs. Successful exploitation requires tricking a victim user into clicking a malicious link (UI:R in CVSS vector). EPSS probability is low at 0.04% (10th percentile), and no active exploitation or public POC has been identified at time of analysis, making this a lower-priority remediation despite the 7.1 CVSS score.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in AllInOne Banner Rotator WordPress plugin allows remote attackers to execute arbitrary JavaScript in victim browsers when users click malicious links. Affects versions up to and including 3.8. EPSS score of 0.04% (10th percentile) indicates low probability of widespread exploitation. No active exploitation confirmed via CISA KEV, though vulnerability discovered and reported by Patchstack security audit team.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the LambertGroup AllInOne Banner with Playlist WordPress plugin (versions ≤3.8) allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. With EPSS exploitation probability at 0.04% (10th percentile), this represents a low likelihood of automated or widespread exploitation despite the network attack vector. No active exploitation or public POC has been identified at time of analysis. Impact requires user interaction (clicking malicious link), limiting autonomous exploitation scenarios.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting (XSS) in LambertGroup AllInOne Content Slider WordPress plugin through version 3.8 enables remote attackers to execute arbitrary JavaScript in victim browsers by tricking users into clicking malicious links. The vulnerability allows content injection with low-level impacts across confidentiality, integrity, and availability due to scope change (S:C in CVSS vector). Reported by Patchstack security researchers, EPSS exploitation probability is very low (0.04%, 10th percentile), indicating minimal observed real-world targeting despite no authentication requirement.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting (XSS) in LambertGroup AllInOne Banner with Thumbnails WordPress plugin through version 3.8 allows unauthenticated remote attackers to inject malicious scripts via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but needs no authentication. Exploitation probability is low (EPSS 0.04%, 10th percentile), with no confirmed active exploitation or public POC at time of analysis. Changed scope (S:C) in CVSS vector indicates potential to impact resources beyond the vulnerable component.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in LBG Zoominoutslider WordPress plugin versions through 5.4.5 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. EPSS exploitation probability is very low (0.04%, 10th percentile), and no active exploitation is confirmed. A Patchstack database entry documents the vulnerability, but no vendor-released patch version is identified at time of analysis.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in UberSlider Classic WordPress plugin through version 2.5 allows remote attackers to execute malicious JavaScript in victim browsers via crafted URLs. Exploitation requires user interaction (clicking malicious link). EPSS score of 0.04% (10th percentile) indicates minimal observed exploitation activity. No CISA KEV listing confirms this is not being actively exploited in widespread campaigns, though the low attack complexity and network vector make exploitation straightforward once a victim is socially engineered.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in UberSlider MouseInteraction WordPress plugin versions ≤2.3 allows remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs requiring user interaction. Reported by Patchstack audit team. EPSS score of 0.04% (10th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public proof-of-concept identified at time of analysis.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in UberSlider PerpetuumMobile WordPress plugin versions ≤2.3 allows remote attackers to inject malicious scripts that execute in victim browsers when users click crafted links. The vulnerability requires user interaction but no authentication, with CVSS 7.1 (High) severity due to scope change enabling attacks across security boundaries. EPSS score of 0.04% (10th percentile) indicates low current exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis. Patchstack vulnerability database confirms the flaw affects default plugin configurations.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in UberSlider Ultra WordPress plugin (versions ≤2.3) enables remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but needs no authentication. EPSS exploitation probability is low (0.04%, 10th percentile), and no active exploitation or public proof-of-concept has been identified at time of analysis. The changed scope (S:C) in the CVSS vector indicates potential impact beyond the vulnerable component itself.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting (XSS) in Porto WordPress theme versions through 7.6.2 allows remote attackers to inject malicious JavaScript into web pages viewed by victims. Exploitation requires user interaction (clicking a malicious link). EPSS probability is low (0.04%, 10th percentile), indicating minimal observed exploitation activity. No active exploitation confirmed by CISA KEV. Patchstack has documented this vulnerability, suggesting detection capabilities exist.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting (XSS) in pixfort Core WordPress plugin versions up to 3.2.22 enables remote attackers to inject malicious scripts into web pages viewed by victims. The attack requires user interaction (clicking a malicious link) but no authentication, allowing attackers to steal session tokens, perform actions as the victim, or redirect users to phishing sites. EPSS score of 0.04% (10th percentile) indicates low probability of mass exploitation, and no active exploitation or public proof-of-concept has been identified at time of analysis.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting (XSS) in Listify WordPress theme versions through 3.2.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs. The vulnerability exists due to improper input sanitization during web page generation, requiring user interaction to trigger. EPSS exploitation probability is very low (0.04%, 10th percentile), and no active exploitation or public exploit code has been identified. Moderate CVSS score reflects changed scope (S:C) allowing potential session token theft across origins.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in EventON WordPress plugin versions up to 4.9.12 enables remote attackers to execute arbitrary JavaScript in victim browsers via malicious links. The vulnerability requires victim interaction (CVSS UI:R) and changes execution scope (S:C), allowing session hijacking, credential theft, or malicious actions within the WordPress admin interface. With EPSS exploitation probability at 0.04% (10th percentile) and no CISA KEV listing, this represents a lower-priority XSS requiring social engineering rather than mass exploitation.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

designthemes DesignThemes Portfolio designthemes-portfolio is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

DOM-based cross-site scripting in RadiusTheme Metro versions 2.13 and earlier allows unauthenticated attackers to inject malicious scripts that execute in users' browsers with no interaction required beyond viewing a crafted page. Successful exploitation enables attackers to steal session tokens, perform unauthorized actions, or deface content for affected users. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

The Claue WordPress theme through version 2.2.7 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can exploit this by crafting a malicious URL to steal sensitive information, perform unauthorized actions, or compromise user sessions without requiring any special privileges or interaction with the application itself.

WordPress XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

JanStudio Gecko version 1.9.8 and earlier contain a reflected cross-site scripting (XSS) vulnerability that allows unauthenticated remote attackers to inject malicious scripts through improper input validation during web page generation. Successful exploitation requires user interaction and can lead to unauthorized access to sensitive information, data modification, or service disruption. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in ThemeGoods Musico through version 3.2.4 enables attackers to inject malicious scripts into web pages viewed by users, potentially compromising session data and user credentials. The vulnerability requires user interaction to trigger and affects all installations of the affected Musico versions, with no patch currently available.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected XSS in Awa Plugins through version 1.4.4 enables unauthenticated attackers to inject malicious scripts into web pages viewed by users, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction via a crafted link and has cross-site impact, affecting all installations of the affected plugin versions. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in ThemeGoods Architecturer versions up to 3.8.8 enables attackers to inject malicious scripts that execute in victims' browsers when they click a crafted link, potentially allowing session hijacking or credential theft. The vulnerability requires user interaction and affects all users of the vulnerable plugin versions. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product is affected by cross-site scripting (xss) (CVSS 6.5).

WordPress XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in ThemeGoods Grand News version 3.4.3 and earlier enables attackers to inject malicious scripts into web pages viewed by users, potentially allowing credential theft or session hijacking. The vulnerability requires user interaction to trigger but can be exploited remotely without authentication. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

ThemeGoods Starto versions 2.1.9 and earlier are vulnerable to reflected cross-site scripting (XSS) that can be exploited remotely without authentication, allowing attackers to inject malicious scripts into web pages viewed by users. An attacker can trick users into clicking a malicious link to steal session cookies, redirect to phishing sites, or perform actions on behalf of the victim. No patch is currently available for this vulnerability.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

DOM-based cross-site scripting in ThemeGoods Photography plugin version 7.6.1 and earlier enables attackers to inject malicious scripts that execute in users' browsers without authentication, potentially compromising sensitive data or session tokens. The vulnerability requires user interaction to trigger and has network-wide impact, affecting any website running the affected Photography plugin version.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Skygroup Agrofood versions 1.3.0 and earlier are vulnerable to reflected cross-site scripting (XSS) attacks that allow unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. An attacker can exploit this vulnerability to steal session cookies, redirect users to malicious sites, or perform actions on behalf of victims. No patch is currently available.

XSS
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

DeepDigital versions 1.0.2 and earlier are vulnerable to reflected cross-site scripting (XSS) attacks due to insufficient input validation during web page generation, allowing unauthenticated remote attackers to inject malicious scripts that execute in users' browsers. Exploitation requires user interaction (clicking a malicious link) but can affect the entire application context, enabling attackers to steal sensitive data or perform actions on behalf of victims. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SeventhQueen BuddyApp through version 1.9.2 is vulnerable to reflected cross-site scripting (XSS) due to improper input validation during web page generation, allowing attackers to inject malicious scripts that execute in users' browsers when they click malicious links. An unauthenticated attacker can exploit this to steal session cookies, perform actions on behalf of users, or redirect them to phishing sites. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected XSS in Thebe up to version 1.3.0 enables attackers to inject malicious scripts into web pages viewed by users, potentially compromising session data and user interactions across different sites. The vulnerability requires user interaction through a crafted link but has no authentication requirement, making it accessible to unauthenticated attackers. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in Thecs through version 1.4.7 enables attackers to inject malicious scripts that execute in users' browsers when they click specially crafted links, potentially compromising session data and user credentials. The vulnerability requires user interaction and affects all versions up to 1.4.7, with no patch currently available. An attacker can exploit this to steal sensitive information or perform actions on behalf of affected users.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in TheBi through version 1.0.5 enables attackers to inject malicious scripts that execute in users' browsers when they click on specially crafted links. This vulnerability requires user interaction but can lead to session hijacking, credential theft, or malware distribution across trusted domains. No patch is currently available for affected installations.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress theatre allows Stored XSS.This issue affects Theater for WordPress: from n/a through <= 0.19. [CVSS 6.5 MEDIUM]

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

OoohBoi Steroids for Elementor (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored XSS in Fluent Forms Pro for WordPress through version 6.1.17 allows unauthenticated attackers to inject malicious scripts into draft form submissions due to missing authentication and insufficient input sanitization on the fluentform_step_form_save_data AJAX action. The injected scripts execute when site administrators access partial form entries, potentially compromising administrator accounts and site integrity. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Versions prior to 9.15.7 are vulnerable to Stored Cross-Site Scripting (XSS) via the Blog Post Title. The vulnerability arises because the post title is injected directly into the HTML <title> tag without proper escaping. An attacker with permissions to create or edit blog posts can inject malicious J...

XSS Privilege Escalation Blog Application
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Cisco Webex is vulnerable to reflected cross-site scripting (XSS) attacks due to insufficient input validation, allowing unauthenticated attackers to inject malicious scripts by tricking users into clicking crafted links. Successful exploitation could enable attackers to steal session tokens, redirect users, or perform actions on behalf of targeted victims. Although Cisco has released a fix, no patch is currently available for this MEDIUM severity vulnerability.

Cisco XSS Webex
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in Cisco Secure Firewall ASA and FTD SAML 2.0 authentication allows unauthenticated attackers to steal sensitive browser-based information by tricking users into clicking malicious links. The vulnerability stems from inadequate input validation of HTTP parameters in the SSO feature and requires user interaction to exploit. No patch is currently available.

Cisco XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-site scripting (XSS) in the VPN web services component of Cisco Secure Firewall ASA and FTD allows unauthenticated remote attackers to inject malicious scripts that execute in a user's browser when visiting a crafted link. An attacker can exploit this through improper input validation to execute arbitrary HTML or JavaScript in the context of the VPN web server. No patch is currently available for this medium-severity vulnerability.

Cisco XSS
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cisco Secure Firewall ASA and FTD devices with VPN web services enabled are vulnerable to cross-site request forgery (CSRF) attacks due to insufficient HTTP request validation. An attacker can trick users into visiting a malicious website that sends crafted requests to the affected appliance, potentially allowing injection of malicious content reflected back to the victim's browser. No patch is currently available for this vulnerability.

Cisco XSS Request Smuggling
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Simple Job Script contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the job_type_value parameter in the jobs endpoint. [CVSS 6.1 MEDIUM]

XSS Simplejobscript
NVD Exploit-DB
EPSS 0% CVSS 4.8
MEDIUM This Month

A Stored HTML Injection vulnerability was discovered in the CMC's Sensor Map functionality due to improper validation on connected Guardians' properties. [CVSS 4.8 MEDIUM]

XSS Information Disclosure Open Redirect +1
NVD
EPSS 0% CVSS 2.1
LOW Monitor

A Stored HTML Injection vulnerability was discovered in the Alerted Nodes Dashboard functionality due to improper validation on an input parameter. A malicious authenticated user with the required privileges could edit a node label to inject HTML tags. [CVSS 4.4 MEDIUM]

XSS Information Disclosure Open Redirect
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in My Calendar WordPress plugin (versions up to 3.7.3) allows authenticated contributors to inject malicious scripts via the template shortcode attribute, which bypasses sanitization through improper use of stripcslashes() at render time. When users access pages containing the injected shortcode, the malicious scripts execute in their browsers. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in the All-in-One Video Gallery WordPress plugin through version 4.7.1 allows unauthenticated attackers to inject malicious scripts via the 'vi' parameter due to improper input validation. An attacker can craft a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Envira Gallery for WordPress (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Reflected XSS in IDC SFX2100 Firmware's logging interface allows remote attackers to inject malicious scripts through the submitType parameter without authentication or user interaction. Public exploit code exists for this vulnerability, enabling attackers to execute arbitrary JavaScript in users' browsers and potentially steal sensitive data or perform unauthorized actions. No patch is currently available.

XSS Sfx2100 Firmware
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The SFX2100 web management interface fails to sanitize the `cat` parameter in /index.cgi, enabling reflected XSS attacks that allow remote attackers to execute arbitrary JavaScript in a victim's browser without authentication. Public exploit code exists for this vulnerability, and currently no patch is available. An attacker could exploit this to steal session cookies, perform unauthorized actions, or redirect users to malicious content.

XSS Sfx2100 Firmware
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

XML injection in the IDC SFX2100 satellite receiver web interface allows authenticated attackers to inject arbitrary XML elements and execute reflected cross-site scripting attacks through unsanitized input in the checkifdone.cgi script. Public exploit code exists for this vulnerability, and potential for more severe attacks such as XXE exploitation has not been ruled out. No patch is currently available for affected firmware versions.

XSS XXE Sfx2100 Firmware
NVD
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Stored XSS in Concrete CMS versions before 9.4.8 allows authenticated administrators to inject malicious scripts through the Switch Language block, affecting any site where a rogue admin account exists. Public exploit code is available for this vulnerability. A patch is available in version 9.4.8 and later.

XSS Concrete Cms
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Stored XSS in Concrete CMS Legacy Form block below version 9.4.8 allows authenticated users with form creation permissions to inject malicious JavaScript into multiple-choice question options, which executes for all users viewing the affected form. Public exploit code exists for this vulnerability. Administrators should upgrade to version 9.4.8 or later to remediate the risk of session hijacking and data theft.

XSS Concrete Cms
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Stored XSS in Concrete CMS versions before 9.4.8 allows authenticated users with page editing permissions to inject malicious scripts through the Legacy form Question field, targeting high-privilege accounts. Public exploit code exists for this vulnerability, which requires user interaction to execute. A patch is available in version 9.4.8 and later.

XSS Concrete Cms
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Concrete CMS versions below 9.4.8 contain a stored XSS vulnerability in the search block where unencoded page names and content are rendered in search results, allowing authenticated administrators to inject malicious JavaScript that executes for other users. Public exploit code exists for this vulnerability, which requires high privileges and user interaction to exploit. The vulnerability affects confidentiality and integrity but not availability.

XSS Concrete Cms
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in the Morkva UA Shipping WordPress plugin through version 1.7.9 allows authenticated administrators to inject malicious scripts into plugin settings that execute for all site visitors, affecting multi-site installations and sites with unfiltered_html disabled. The vulnerability stems from inadequate input sanitization and output escaping in the admin interface. Exploitation requires high-privilege administrator access and no patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in WordPress Taskbuilder plugin versions up to 5.0.3 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users, affecting multi-site installations or those with unfiltered_html disabled. The vulnerability stems from inadequate input sanitization and output escaping in the plugin's administrative interface. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored XSS in WPBookit plugin through version 1.0.8 allows unauthenticated attackers to inject malicious scripts via user name and email fields due to improper input validation. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially compromising user sessions and data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Stored XSS in Homebox prior to 0.24.0-rc.1 allows authenticated users to upload malicious HTML or SVG files containing executable JavaScript that runs in the application's security context when accessed by other users. An attacker with valid credentials can exploit improper file type validation in the attachment upload feature to execute arbitrary scripts against victims viewing the malicious files. The vulnerability has been patched in version 0.24.0-rc.1.

XSS Homebox
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Stored XSS in AliasVault password manager. Patch available.

XSS Aliasvault
NVD GitHub
EPSS 0% CVSS 4.5
MEDIUM This Month

GLPI Inventory Plugin versions prior to 1.6.6 contain a reflected cross-site scripting vulnerability in task jobs that allows authenticated attackers with high privileges to execute malicious scripts in users' browsers. An attacker can exploit this by crafting a malicious link to inject arbitrary HTML or JavaScript when a user clicks it, potentially leading to session hijacking or credential theft. No patch is currently available for affected installations.

XSS Glpi Inventory
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Reflected cross-site scripting in OpenSTAManager v2.9.8 and earlier allows unauthenticated attackers to inject malicious scripts through unsanitized GET parameters in invoice/order/contract modification interfaces. Public exploit code exists for this vulnerability, affecting all users of the software. An attacker can steal session tokens, perform unauthorized actions, or compromise user browsers when victims interact with crafted malicious links.

XSS Openstamanager
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Dify versions prior to 1.11.2 contain a stored cross-site scripting vulnerability in Mermaid diagram rendering due to insecure default security configurations, allowing authenticated attackers with user interaction to inject and execute malicious scripts with cross-site impact. Public exploit code exists for this vulnerability, affecting users and developers of the Dify LLM application development platform. A patch is available in version 1.11.2 and later.

XSS AI / ML Dify
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

DOMPurify versions 2.5.3-2.5.8 and 3.1.3-3.3.1 fail to sanitize attribute values within certain rawtext HTML elements (noscript, xmp, noembed, noframes, iframe), allowing attackers to inject malicious scripts that execute when sanitized content is rendered in these contexts. An attacker can exploit this by embedding JavaScript payloads in HTML attributes, bypassing DOMPurify's sanitization to achieve cross-site scripting. A patch is available in commit 729097f.

XSS Red Hat Suse
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. [CVSS 6.1 MEDIUM]

XSS Dompurify Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 4.1
MEDIUM This Month

Impact versions up to 19.11.2.10-20210118042150283 is affected by cross-site scripting (xss) (CVSS 4.1).

XSS Impact
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Fireware OS Web UI contains a reflected XSS vulnerability that allows attackers to execute arbitrary JavaScript in authenticated administrators' browsers through crafted links, affecting versions 12.7-12.11.7 and 2025.1-2026.1.1. An attacker can leverage this to perform administrative actions or steal session credentials from targeted management users who click malicious links. No patch is currently available.

XSS Fireware
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in WP Zendesk for Contact Form 7 and related WordPress plugins through version 1.1.5 allows unauthenticated attackers to inject malicious scripts into form submissions that execute in other users' browsers. The vulnerability stems from inadequate input sanitization and output escaping on submitted form data. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 2.0
LOW PATCH Monitor

Versions of the package mailparser versions up to 3.9.3 is affected by cross-site scripting (xss) (CVSS 6.1).

XSS Mailparser
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Blocksy WordPress theme versions up to 2.1.30 allows authenticated contributors and above to inject malicious scripts through insufficiently sanitized metadata fields. When users access pages containing injected payloads, the scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

NocoDB versions before 0.301.3 allow authenticated attackers to inject malicious JavaScript through rich text cell content that is rendered without sanitization, enabling stored cross-site scripting attacks. An attacker with user access can craft malicious payloads that execute in the browsers of other users viewing affected cells, potentially compromising session data or performing unauthorized actions. No patch is currently available for affected deployments.

XSS Nocodb
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in NocoDB versions before 0.301.3 allows authenticated users to inject malicious scripts through comments and rich text cells that execute in other users' browsers due to unsanitized HTML rendering. An attacker with login credentials can exploit this to steal session tokens, perform unauthorized actions, or compromise other database users accessing the same NocoDB instance. No patch is currently available for affected deployments.

XSS Nocodb
NVD GitHub
Prev Page 36 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy