XSS
Monthly
NocoDB versions prior to 0.301.3 are vulnerable to stored cross-site scripting (XSS) through improperly sanitized comment rendering via v-html, allowing authenticated users to inject malicious scripts that execute in other users' browsers. An attacker with login access could craft malicious comments to steal session tokens, perform unauthorized actions, or deface the application interface for other users. A patch is available in version 0.301.3 and later.
NocoDB versions prior to 0.301.3 allow authenticated Editor-role users to inject arbitrary HTML into Rich Text cells by bypassing client-side validation and sending malicious payloads directly through the API. This stored XSS vulnerability affects any NocoDB instance where untrusted users have Editor access, potentially enabling malicious script execution in the browsers of users viewing affected cells. No patch is currently available for this vulnerability.
Stored XSS in NocoDB versions before 0.301.3 allows authenticated users to execute arbitrary JavaScript in other users' browsers through malicious formulas in virtual cells. The vulnerability exploits unsanitized rendering of URI patterns in formula results, enabling attackers to steal session tokens, manipulate data, or perform actions on behalf of victims. No patch is currently available for affected deployments.
Cross Site Scripting vulnerability in Wethink Technology Inc 720yun pano-sdk 0.5.877 allows a remote attacker to execute arbitrary code via the LoginComp (Module 2093) and SignupComp (Module 2094) modules. [CVSS 6.1 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability due to insufficient sanitization of the page parameter in the session/add_users_to_session.php endpoint. [CVSS 6.1 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability due to improper sanitization of the keyword_active parameter in admin/user_list.php. [CVSS 6.1 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability in the admin/user_list.php endpoint. [CVSS 6.1 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists in the session_category_add.php script. [CVSS 4.8 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. [CVSS 8.8 HIGH]
A reflected Cross-Site Scripting (XSS) vulnerability in the RaiseError function of Skrol29 TbsZip version 2.17 and earlier allows remote attackers to execute arbitrary web script or HTML via a crafted payload in a filename parameter (e.g., to the FileRead function). [CVSS 6.1 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, a Stored XSS vulnerability exists in the glossary function, enabling all users with the Teachers role to inject JavaScript malicious code against the administrator. [CVSS 8.3 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists due to insufficient sanitization of CSV filenames. [CVSS 4.8 MEDIUM]
University Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).
A vulnerability was detected in PHPGurukul Student Record Management System 1.0. This issue affects some unknown processing of the file /edit-subject.php. [CVSS 2.4 LOW]
A security vulnerability has been detected in PHPGurukul Student Record Management System up to 1.0. This vulnerability affects unknown code of the file /edit-course.php. [CVSS 2.4 LOW]
wpForo Forum 2.4.14 fails to properly sanitize forum description fields, enabling authenticated administrators to store malicious JavaScript that executes in the browsers of all users viewing forum listings. On multisite installations or when admin credentials are compromised, attackers can leverage this stored XSS to conduct persistent attacks against forum users. No patch is currently available for this vulnerability.
Stored XSS in wpForo Forum 2.4.14 allows authenticated administrators to inject malicious scripts into forum slugs that execute in all visitors' browsers due to improper JSON encoding. An attacker with high-level privileges can craft a forum URL containing unescaped characters to break out of JavaScript context and achieve arbitrary script execution. No patch is currently available for this vulnerability.
Stored XSS in wpForo Forum 2.4.14 allows authenticated users to inject malicious code through SVG profile avatars, which executes when other users view the attacker's profile. An authenticated attacker can leverage this to steal session tokens, redirect victims, or perform actions on their behalf with no user interaction required. No patch is currently available for this vulnerability.
Microchip TimePictra versions 11.0 through 11.3 SP2 contain a reflected cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts through query parameters. Successful exploitation requires user interaction and can result in session hijacking, credential theft, or unauthorized information disclosure. No patch is currently available.
Statmatic is a Laravel and Git powered content management system (CMS). [CVSS 8.7 HIGH]
Canarytokens help track activity and actions on a network. Versions prior to `sha-7ff0e12` have a Self Cross-Site Scripting vulnerability in the "PWA" Canarytoken, whereby the Canarytoken's creator can attack themselves or someone they share the link with.
Cross-site scripting (XSS) in PMD's legacy vbhtml and yahtml report formats allows arbitrary JavaScript execution when HTML reports are opened in a browser, triggered by analyzing malicious source code containing crafted string literals. Public exploit code exists for this vulnerability affecting PMD versions prior to 7.22.0. The impact is limited since these legacy formats are rarely used and the default html format is properly escaped.
Kiteworks Email Protection Gateway prior to version 9.2.0 contains a stored cross-site scripting vulnerability in its configuration interface that allows authenticated administrators to inject malicious scripts executed against other users. An admin with high privileges can exploit this to compromise user sessions and data through the affected UI. No patch is currently available for this vulnerability.
Stored cross-site scripting in ClipBucket v5 prior to version 5.5.3 #59 allows authenticated users to inject malicious scripts that execute when viewed by administrators, enabling session hijacking or credential theft. Public exploit code exists for this vulnerability, which affects the open-source video sharing platform and has been patched in the latest release.
Sl902-Swtgw124As Firmware versions up to 200.1.20 is affected by cross-site scripting (xss) (CVSS 6.1).
CleverTap Web SDK versions 1.15.2 and earlier contain a DOM-based XSS vulnerability in the Visual Builder module due to improper origin validation of postMessage events, allowing attackers to inject malicious scripts through crafted subdomains. Public exploit code exists for this vulnerability, which affects all users of the affected SDK versions. An attacker can execute arbitrary JavaScript in the context of a victim's browser session to steal sensitive data or perform unauthorized actions.
CleverTap Web SDK through version 1.15.2 contains a cross-site scripting vulnerability in its postMessage handler that fails to properly validate message origins, allowing attackers to inject malicious scripts by exploiting subdomain bypass techniques. Public exploit code exists for this vulnerability, and affected applications can be compromised through user interaction. A patch is available to address the insufficient origin validation in the nativeDisplay.js component.
PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. [CVSS 8.7 HIGH]
Authenticated Iframe Injection in Dato CMS Web Previews plugin. This vulnerability permits a malicious authenticated user to circumvent the restriction enforced on the configured frontend URL, enabling the loading of arbitrary external resources or origins.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KNOWHY Advanced Technology Trading Ltd. Co. [CVSS 6.3 MEDIUM]
PluXml CMS versions 5.8.21 and 5.9.0-rc7 contain a stored cross-site scripting vulnerability in the static pages editor that allows authenticated users with editing privileges to inject malicious JavaScript and HTML into pages. When other users visit the compromised pages, the injected code executes in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available from the vendor.
Stored XSS in PluXml CMS file upload functionality allows authenticated attackers to embed malicious payloads in SVG files that execute when victims directly access the uploaded files. The vulnerability affects at least versions 5.8.21 and 5.9.0-rc7, with other versions untested. No patch is currently available from the vendor.
Omega Psir contains a reflected cross-site scripting (XSS) vulnerability in the lang parameter that allows attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. The vulnerability affects unauthenticated users who click on attacker-controlled links, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this MEDIUM severity flaw.
The Electric Enquiries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button' parameter of the electric-enquiry shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
Stored XSS in Simple Download Monitor plugin for WordPress through version 4.0.5 allows authenticated users with Contributor privileges or higher to inject malicious scripts via custom fields that execute in other users' browsers. The vulnerability stems from inadequate input sanitization and output encoding, enabling attackers to compromise page integrity and steal user data. No patch is currently available.
Stored DOM-based XSS in WordPress WP Accessibility plugin (versions up to 2.3.1) allows authenticated contributors and above to inject malicious scripts via image alt attributes when the Long Description UI feature is enabled and configured as a link. The injected scripts execute in the browsers of any user accessing affected pages. No patch is currently available and exploitation requires specific plugin settings to be enabled.
Cross-site scripting (XSS) in SourceCodester Doctor Appointment System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the Email parameter in the /register.php Sign Up Page. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The lack of an available patch leaves affected systems vulnerable to session hijacking and credential theft.
The Xpro Addons - 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Scroller widget box link attribute in all versions up to, and including, 1.4.24 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. [CVSS 6.4 MEDIUM]
Stored XSS in osctrl-admin prior to version 0.5.0 allows low-privileged users with query permissions to inject malicious JavaScript into the on-demand query list, affecting all users who view the page. An attacker can exploit this vulnerability to steal CSRF tokens and impersonate other users, potentially compromising the entire platform if an administrator is compromised. A patch is available in version 0.5.0.
Stored XSS in Initiative project management platform versions before 0.32.4 allows authenticated users with upload permissions to execute arbitrary JavaScript by uploading malicious HTML files that are served without sandboxing under the application's origin. An attacker can exploit this to steal authentication tokens, session cookies, and other sensitive data from other users, or trick them into executing malicious scripts by sharing direct file links. Public exploit code exists and no patch is currently available.
Stored cross-site scripting in Discourse allows attackers to inject malicious HTML through user full names when specific display settings are enabled, which executes in the browsers of users viewing or editing affected posts. The vulnerability requires the `display_name_on_posts` setting to be true and `prioritize_username_in_ux` to be false, potentially affecting installations with these configurations. No patch is currently available, and users should disable the vulnerable display settings or upgrade to patched versions 2025.12.2, 2026.1.1, or 2026.2.0.
A reflected Cross-Site Scripting (XSS) vulnerability exists in the register.php backend script of PuneethReddyHC Event Management System 1.0. [CVSS 5.4 MEDIUM]
A3factura's sales delivery notes endpoint is vulnerable to reflected XSS through the customerVATNumber parameter, enabling attackers to execute arbitrary JavaScript in users' browsers via malicious links. The vulnerability requires user interaction and affects the confidentiality and integrity of victim sessions, with no patch currently available. The attack has low complexity and can impact multiple users if the vulnerable parameter is exploited in phishing or watering hole scenarios.
A3factura's sales invoice endpoint is vulnerable to reflected XSS through the customerName parameter, enabling attackers to execute arbitrary JavaScript in users' browsers via a crafted link. This requires user interaction to trigger but affects all A3factura users on the vulnerable platform. No patch is currently available.
Reflected XSS in the A3factura customer management interface allows unauthenticated attackers to inject malicious scripts through the name parameter, potentially enabling session hijacking or credential theft when victims click a crafted link. The vulnerability requires user interaction and affects the web application at wolterskluwer.es, with no patch currently available.
A3factura's representatives management endpoint contains a reflected XSS vulnerability in the 'name' parameter that enables attackers to inject and execute arbitrary JavaScript in users' browsers through a crafted URL. An attacker can exploit this via social engineering to steal session tokens, manipulate account data, or perform unauthorized actions on behalf of the victim. Currently no patch is available for this medium-severity vulnerability affecting the Wolters Kluwer A3factura platform.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dokuzsoft Technology Ltd. E-Commerce Product allows Reflected XSS.This issue affects E-Commerce Product: through 10122025. [CVSS 7.6 HIGH]
Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link. [CVSS 5.4 MEDIUM]
The WooCommerce Photo Reviews plugin for WordPress versions up to 1.4.4 fails to properly sanitize user input in HTML contexts, enabling attackers to inject malicious scripts that execute in victims' browsers. This stored cross-site scripting vulnerability allows unauthenticated attackers to deface content or steal sensitive information from site visitors. No patch is currently available for this vulnerability.
Stored cross-site scripting in UX-themes Flatsome version 3.20.1 and earlier enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. The vulnerability requires user interaction to trigger the stored payload, and no patch is currently available.
Pcvue's web server fails to set proper HTTP security headers in its responses, enabling cross-site scripting (XSS) attacks against users who interact with the application. An unauthenticated attacker can exploit this through a user interaction to execute malicious scripts, potentially compromising confidentiality and integrity. No patch is currently available.
Cross-site scripting (XSS) in PcVue's OAuth error page (versions 12.0.0-16.3.3) allows remote attackers to inject malicious scripts by tricking users into authenticating with a crafted client ID, potentially compromising the WebVue, WebScheduler, TouchVue, and SnapVue components. An attacker can exploit this to steal session tokens or perform actions on behalf of affected users. No patch is currently available.
Audiobookshelf Mobile App versions up to 0.12.0 is affected by cross-site scripting (xss) (CVSS 4.8).
Stored XSS in Audiobookshelf prior to version 2.32.0 enables privileged users to inject malicious code into library metadata that executes in other users' browsers, potentially compromising sessions and enabling data theft. Public exploit code exists for this vulnerability. A patch is available in version 2.32.0 and later.
Stored cross-site scripting in the EM Cost Calculator WordPress plugin up to version 2.3.1 allows unauthenticated attackers to inject malicious scripts through the customer name field, which execute when administrators access the customer list. An attacker can exploit this to steal admin credentials or perform unauthorized actions within the WordPress environment. No patch is currently available for this vulnerability.
Stored XSS in the WordPress Custom Logo plugin through version 2.2 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users. This affects multi-site WordPress installations and single-site setups where unfiltered_html is disabled, requiring high-privilege attacker access but enabling persistent script injection across affected pages.
Stored XSS in WP Social Meta plugin through 1.0.1 allows authenticated administrators to inject malicious scripts into WordPress admin settings that execute for all users viewing affected pages, impacting multi-site installations and configurations with disabled unfiltered_html. The vulnerability requires high administrative privileges and complex exploitation conditions, making practical attacks unlikely despite network accessibility.
The TP2WP Importer plugin for WordPress contains a stored cross-site scripting vulnerability in the attachment importer settings that allows authenticated administrators to inject malicious scripts through the 'Watched domains' textarea due to inadequate input sanitization and output escaping. When other users access the affected settings page, the injected scripts execute in their browsers, potentially allowing administrators to perform unauthorized actions or steal sensitive data. The vulnerability affects all versions up to and including 1.1 with no patch currently available.
Livemesh Addons for Beaver Builder (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Stored XSS in Audiobookshelf Mobile App prior to version 0.12.0-beta allows authenticated users with library modification privileges to inject malicious JavaScript through metadata, enabling arbitrary code execution within victim users' browsers and WebViews. Successful exploitation could lead to session hijacking, data theft, and unauthorized access to native device APIs. A patch is available in version 0.12.0-beta and later.
Cross-site scripting in Angular's internationalization (i18n) pipeline allows attacker-controlled JavaScript to execute in the application origin when a poisoned translation file is merged into an app. The flaw affects Angular versions before 21.2.0, 21.1.16, 20.3.17, and 19.2.19, where HTML inside ICU (International Components for Unicode) messages from translated content was not sanitized before rendering. Exploitation is not open to arbitrary users - it requires first compromising a translation file (xliff, xtb, etc.), so this is effectively a supply-chain/third-party-translation risk; EPSS is very low (0.04%, 13th percentile) and there is no public exploit identified at time of analysis.
Reflected XSS in Copyparty before version 1.20.9 allows unauthenticated attackers to inject malicious scripts through the setck URL parameter, potentially enabling session hijacking or credential theft from affected users. The vulnerability requires user interaction to click a crafted link but can be exploited remotely without authentication. A patch is available in version 1.20.9 and later.
Improper output encoding in Svelte versions prior to 5.53.5 allows attackers to inject malicious HTML and execute arbitrary JavaScript in user browsers through unescaped error messages returned by the transformError function. An attacker who can control error content can exploit this XSS vulnerability to compromise application security and user data. A patch is available in version 5.53.5 and later.
Svelte versions prior to 5.53.5 fail to properly escape text bindings on contenteditable elements, allowing attackers to inject malicious HTML and execute arbitrary scripts when the application renders untrusted data as initial binding values during server-side rendering. This affects applications that use `bind:innerText` or `bind:textContent` with user-controlled input. A patch is available in version 5.53.5.
Improper output encoding in Sub2API AI API gateway allows injection attacks. The platform distributes AI API quotas without properly encoding output.
n8n is an open source workflow automation platform. [CVSS 5.4 MEDIUM]
Stored cross-site scripting (XSS) in Vikunja prior to version 2.0.0 allows authenticated attackers to steal authentication tokens by uploading malicious SVG files containing JavaScript that executes when accessed directly. The vulnerability exists because the application fails to sanitize SVG content before storage and renders it inline under the application origin, enabling token theft from localStorage. Public exploit code exists for this vulnerability and no patch is currently available for affected versions.
Cross-site WebSocket hijacking leading to persistent XSS and Remote Code Execution affects Storybook's dev server prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10. Because the dev server's story create/save WebSocket handlers fail to validate the connection origin and do not sanitize the componentFilePath field, a malicious website silently injects WebSocket messages into a developer's locally running instance to plant XSS or execute code; publicly exposed dev servers can be hit directly by any unauthenticated attacker. No public exploit identified at time of analysis, and EPSS is low at 0.17% (38th percentile), but the high CVSS 4.0 score of 8.9 and confirmed RCE impact make this a meaningful developer-workstation risk.
Vikunja is an open-source self-hosted task management platform. [CVSS 6.1 MEDIUM]
Stored XSS in Rucio's WebUI Custom RSE Attribute field allows authenticated attackers to inject malicious JavaScript that persists in the backend and executes for any user viewing affected pages, potentially leading to session hijacking or unauthorized actions. Public exploit code exists for this vulnerability, which affects Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1. No patch is currently available for all affected versions.
Stored XSS in Rucio's WebUI Identity Name field allows authenticated attackers to inject malicious scripts that execute in users' browsers, enabling session hijacking or unauthorized actions. The vulnerability affects versions prior to 35.8.3, 38.5.4, and 39.3.1, and public exploit code exists. Administrators should upgrade immediately as no patch availability timeline has been announced for unpatched versions.
Stored XSS in Rucio's WebUI RSE metadata allows authenticated attackers to inject malicious scripts that execute in users' browsers when viewing affected pages, potentially leading to session hijacking or unauthorized actions. The vulnerability affects Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1, and public exploit code exists. A security update is available in the patched versions listed above.
Stored XSS in Rucio's WebUI Custom Rules function allows authenticated attackers to inject malicious JavaScript that persists in the backend and executes when other users view affected pages, enabling session hijacking or unauthorized actions. Versions prior to 35.8.3, 38.5.4, and 39.3.1 are vulnerable, and public exploit code exists. Patches are available in the affected version branches.
Session hijacking in Rucio's WebUI error page allows unauthenticated attackers to steal user login tokens via reflected cross-site scripting in specially crafted URLs, affecting versions prior to 35.8.3, 38.5.4, and 39.3.1. Public exploit code exists for this vulnerability. Users should upgrade to patched versions immediately as no workarounds are available.
Stored XSS in VMware Aria Operations allows authenticated users with benchmark creation privileges to inject malicious scripts and execute arbitrary administrative actions within the platform. This vulnerability affects VMware, Broadcom, and Telco Cloud Infrastructure products with a CVSS score of 8.0, requiring user interaction to trigger the attack. Patches are available through VMSA-2026-0001.
Stored XSS in OpenEMR prior to version 8.0.0 allows authenticated users with "Forms administration" role to inject malicious JavaScript into patient encounter forms, which executes when other users with the same role view the affected data. Public exploit code exists for this vulnerability. The issue is resolved in version 8.0.0.
web-based management interface of Cisco FXOS Software and Cisco UCS Manager Software is affected by cross-site scripting (xss) (CVSS 4.8).
Secure Copy Content Protection and Content Locking (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 3.5).
Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 2.4).
Stored XSS in Rise Blocks WordPress plugin versions up to 3.7 allows authenticated contributors and above to inject malicious scripts into pages through the logoTag Site Identity block attribute due to inadequate input sanitization. The injected scripts execute in the browsers of all users who access the compromised pages, potentially leading to credential theft, session hijacking, or malware distribution. No patch is currently available.
Reflected XSS in SPIP jeux plugin before version 4.1.1 allows unauthenticated remote attackers to inject malicious scripts through unencoded request parameters in the pre_propre pipeline. An attacker can craft a malicious URL that, when visited by a victim, executes arbitrary JavaScript in the victim's browser with access to the page's context. A patch is available for affected installations.
Stored XSS in Mercator prior to version 2026.02.22 allows authenticated users to execute arbitrary JavaScript in other users' browsers by injecting malicious payloads into entity fields like contact points. The vulnerability exploits improperly escaped Blade template directives, enabling attackers to compromise administrator accounts and perform actions with their privileges. A patch is available in version 2026.02.22.
Stored cross-site scripting in Karakeep 0.30.0 allows remote attackers to execute arbitrary JavaScript in users' browsers by injecting malicious HTML through the Reddit metascraper plugin, which bypasses sanitization that is applied to other content sources. The vulnerability exists because the Reddit plugin's HTML output is rendered directly via dangerouslySetInnerHTML without DOMPurify filtering, and public exploit code is available. Version 0.31.0 contains the patch.
Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored objects and executes when accessed. PoC available.
Stored XSS in TypiCMS prior to version 16.1.7 allows authenticated users to upload malicious SVG files that execute JavaScript in administrators' browsers, compromising their sessions through unsanitized file content. Public exploit code exists for this vulnerability affecting Laravel-based TypiCMS installations. The flaw stems from insufficient validation of SVG file contents despite MIME type checks being present.
Reflected XSS in Repostat's RepoCard React component prior to version 1.0.1 allows attackers to execute arbitrary JavaScript in users' browsers when developers pass unsanitized input from URL parameters or other sources to the repo prop. The vulnerability stems from unsafe use of dangerouslySetInnerHTML without input validation, and public exploit code exists. Upgrading to version 1.0.1 or later eliminates the risk by removing dangerouslySetInnerHTML in favor of safe JSX data binding.
Cross-site scripting (XSS) in OpenEMR prior to version 8.0.0 allows unauthenticated attackers to inject malicious scripts through the translation database, as the `xl()` function returns unescaped strings that are used directly in the application without proper context-specific escaping. An attacker with database access could exploit this to execute arbitrary JavaScript in users' browsers and compromise sensitive patient data or application functionality. The vulnerability is resolved in OpenEMR 8.0.0 and later versions.
OpenEMR is a free and open source electronic health records and medical practice management application. [CVSS 8.7 HIGH]
NocoDB versions prior to 0.301.3 are vulnerable to stored cross-site scripting (XSS) through improperly sanitized comment rendering via v-html, allowing authenticated users to inject malicious scripts that execute in other users' browsers. An attacker with login access could craft malicious comments to steal session tokens, perform unauthorized actions, or deface the application interface for other users. A patch is available in version 0.301.3 and later.
NocoDB versions prior to 0.301.3 allow authenticated Editor-role users to inject arbitrary HTML into Rich Text cells by bypassing client-side validation and sending malicious payloads directly through the API. This stored XSS vulnerability affects any NocoDB instance where untrusted users have Editor access, potentially enabling malicious script execution in the browsers of users viewing affected cells. No patch is currently available for this vulnerability.
Stored XSS in NocoDB versions before 0.301.3 allows authenticated users to execute arbitrary JavaScript in other users' browsers through malicious formulas in virtual cells. The vulnerability exploits unsanitized rendering of URI patterns in formula results, enabling attackers to steal session tokens, manipulate data, or perform actions on behalf of victims. No patch is currently available for affected deployments.
Cross Site Scripting vulnerability in Wethink Technology Inc 720yun pano-sdk 0.5.877 allows a remote attacker to execute arbitrary code via the LoginComp (Module 2093) and SignupComp (Module 2094) modules. [CVSS 6.1 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability due to insufficient sanitization of the page parameter in the session/add_users_to_session.php endpoint. [CVSS 6.1 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability due to improper sanitization of the keyword_active parameter in admin/user_list.php. [CVSS 6.1 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability in the admin/user_list.php endpoint. [CVSS 6.1 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists in the session_category_add.php script. [CVSS 4.8 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. [CVSS 8.8 HIGH]
A reflected Cross-Site Scripting (XSS) vulnerability in the RaiseError function of Skrol29 TbsZip version 2.17 and earlier allows remote attackers to execute arbitrary web script or HTML via a crafted payload in a filename parameter (e.g., to the FileRead function). [CVSS 6.1 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, a Stored XSS vulnerability exists in the glossary function, enabling all users with the Teachers role to inject JavaScript malicious code against the administrator. [CVSS 8.3 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists due to insufficient sanitization of CSV filenames. [CVSS 4.8 MEDIUM]
University Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).
A vulnerability was detected in PHPGurukul Student Record Management System 1.0. This issue affects some unknown processing of the file /edit-subject.php. [CVSS 2.4 LOW]
A security vulnerability has been detected in PHPGurukul Student Record Management System up to 1.0. This vulnerability affects unknown code of the file /edit-course.php. [CVSS 2.4 LOW]
wpForo Forum 2.4.14 fails to properly sanitize forum description fields, enabling authenticated administrators to store malicious JavaScript that executes in the browsers of all users viewing forum listings. On multisite installations or when admin credentials are compromised, attackers can leverage this stored XSS to conduct persistent attacks against forum users. No patch is currently available for this vulnerability.
Stored XSS in wpForo Forum 2.4.14 allows authenticated administrators to inject malicious scripts into forum slugs that execute in all visitors' browsers due to improper JSON encoding. An attacker with high-level privileges can craft a forum URL containing unescaped characters to break out of JavaScript context and achieve arbitrary script execution. No patch is currently available for this vulnerability.
Stored XSS in wpForo Forum 2.4.14 allows authenticated users to inject malicious code through SVG profile avatars, which executes when other users view the attacker's profile. An authenticated attacker can leverage this to steal session tokens, redirect victims, or perform actions on their behalf with no user interaction required. No patch is currently available for this vulnerability.
Microchip TimePictra versions 11.0 through 11.3 SP2 contain a reflected cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts through query parameters. Successful exploitation requires user interaction and can result in session hijacking, credential theft, or unauthorized information disclosure. No patch is currently available.
Statmatic is a Laravel and Git powered content management system (CMS). [CVSS 8.7 HIGH]
Canarytokens help track activity and actions on a network. Versions prior to `sha-7ff0e12` have a Self Cross-Site Scripting vulnerability in the "PWA" Canarytoken, whereby the Canarytoken's creator can attack themselves or someone they share the link with.
Cross-site scripting (XSS) in PMD's legacy vbhtml and yahtml report formats allows arbitrary JavaScript execution when HTML reports are opened in a browser, triggered by analyzing malicious source code containing crafted string literals. Public exploit code exists for this vulnerability affecting PMD versions prior to 7.22.0. The impact is limited since these legacy formats are rarely used and the default html format is properly escaped.
Kiteworks Email Protection Gateway prior to version 9.2.0 contains a stored cross-site scripting vulnerability in its configuration interface that allows authenticated administrators to inject malicious scripts executed against other users. An admin with high privileges can exploit this to compromise user sessions and data through the affected UI. No patch is currently available for this vulnerability.
Stored cross-site scripting in ClipBucket v5 prior to version 5.5.3 #59 allows authenticated users to inject malicious scripts that execute when viewed by administrators, enabling session hijacking or credential theft. Public exploit code exists for this vulnerability, which affects the open-source video sharing platform and has been patched in the latest release.
Sl902-Swtgw124As Firmware versions up to 200.1.20 is affected by cross-site scripting (xss) (CVSS 6.1).
CleverTap Web SDK versions 1.15.2 and earlier contain a DOM-based XSS vulnerability in the Visual Builder module due to improper origin validation of postMessage events, allowing attackers to inject malicious scripts through crafted subdomains. Public exploit code exists for this vulnerability, which affects all users of the affected SDK versions. An attacker can execute arbitrary JavaScript in the context of a victim's browser session to steal sensitive data or perform unauthorized actions.
CleverTap Web SDK through version 1.15.2 contains a cross-site scripting vulnerability in its postMessage handler that fails to properly validate message origins, allowing attackers to inject malicious scripts by exploiting subdomain bypass techniques. Public exploit code exists for this vulnerability, and affected applications can be compromised through user interaction. A patch is available to address the insufficient origin validation in the nativeDisplay.js component.
PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. [CVSS 8.7 HIGH]
Authenticated Iframe Injection in Dato CMS Web Previews plugin. This vulnerability permits a malicious authenticated user to circumvent the restriction enforced on the configured frontend URL, enabling the loading of arbitrary external resources or origins.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KNOWHY Advanced Technology Trading Ltd. Co. [CVSS 6.3 MEDIUM]
PluXml CMS versions 5.8.21 and 5.9.0-rc7 contain a stored cross-site scripting vulnerability in the static pages editor that allows authenticated users with editing privileges to inject malicious JavaScript and HTML into pages. When other users visit the compromised pages, the injected code executes in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available from the vendor.
Stored XSS in PluXml CMS file upload functionality allows authenticated attackers to embed malicious payloads in SVG files that execute when victims directly access the uploaded files. The vulnerability affects at least versions 5.8.21 and 5.9.0-rc7, with other versions untested. No patch is currently available from the vendor.
Omega Psir contains a reflected cross-site scripting (XSS) vulnerability in the lang parameter that allows attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. The vulnerability affects unauthenticated users who click on attacker-controlled links, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this MEDIUM severity flaw.
The Electric Enquiries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button' parameter of the electric-enquiry shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
Stored XSS in Simple Download Monitor plugin for WordPress through version 4.0.5 allows authenticated users with Contributor privileges or higher to inject malicious scripts via custom fields that execute in other users' browsers. The vulnerability stems from inadequate input sanitization and output encoding, enabling attackers to compromise page integrity and steal user data. No patch is currently available.
Stored DOM-based XSS in WordPress WP Accessibility plugin (versions up to 2.3.1) allows authenticated contributors and above to inject malicious scripts via image alt attributes when the Long Description UI feature is enabled and configured as a link. The injected scripts execute in the browsers of any user accessing affected pages. No patch is currently available and exploitation requires specific plugin settings to be enabled.
Cross-site scripting (XSS) in SourceCodester Doctor Appointment System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the Email parameter in the /register.php Sign Up Page. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The lack of an available patch leaves affected systems vulnerable to session hijacking and credential theft.
The Xpro Addons - 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Scroller widget box link attribute in all versions up to, and including, 1.4.24 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. [CVSS 6.4 MEDIUM]
Stored XSS in osctrl-admin prior to version 0.5.0 allows low-privileged users with query permissions to inject malicious JavaScript into the on-demand query list, affecting all users who view the page. An attacker can exploit this vulnerability to steal CSRF tokens and impersonate other users, potentially compromising the entire platform if an administrator is compromised. A patch is available in version 0.5.0.
Stored XSS in Initiative project management platform versions before 0.32.4 allows authenticated users with upload permissions to execute arbitrary JavaScript by uploading malicious HTML files that are served without sandboxing under the application's origin. An attacker can exploit this to steal authentication tokens, session cookies, and other sensitive data from other users, or trick them into executing malicious scripts by sharing direct file links. Public exploit code exists and no patch is currently available.
Stored cross-site scripting in Discourse allows attackers to inject malicious HTML through user full names when specific display settings are enabled, which executes in the browsers of users viewing or editing affected posts. The vulnerability requires the `display_name_on_posts` setting to be true and `prioritize_username_in_ux` to be false, potentially affecting installations with these configurations. No patch is currently available, and users should disable the vulnerable display settings or upgrade to patched versions 2025.12.2, 2026.1.1, or 2026.2.0.
A reflected Cross-Site Scripting (XSS) vulnerability exists in the register.php backend script of PuneethReddyHC Event Management System 1.0. [CVSS 5.4 MEDIUM]
A3factura's sales delivery notes endpoint is vulnerable to reflected XSS through the customerVATNumber parameter, enabling attackers to execute arbitrary JavaScript in users' browsers via malicious links. The vulnerability requires user interaction and affects the confidentiality and integrity of victim sessions, with no patch currently available. The attack has low complexity and can impact multiple users if the vulnerable parameter is exploited in phishing or watering hole scenarios.
A3factura's sales invoice endpoint is vulnerable to reflected XSS through the customerName parameter, enabling attackers to execute arbitrary JavaScript in users' browsers via a crafted link. This requires user interaction to trigger but affects all A3factura users on the vulnerable platform. No patch is currently available.
Reflected XSS in the A3factura customer management interface allows unauthenticated attackers to inject malicious scripts through the name parameter, potentially enabling session hijacking or credential theft when victims click a crafted link. The vulnerability requires user interaction and affects the web application at wolterskluwer.es, with no patch currently available.
A3factura's representatives management endpoint contains a reflected XSS vulnerability in the 'name' parameter that enables attackers to inject and execute arbitrary JavaScript in users' browsers through a crafted URL. An attacker can exploit this via social engineering to steal session tokens, manipulate account data, or perform unauthorized actions on behalf of the victim. Currently no patch is available for this medium-severity vulnerability affecting the Wolters Kluwer A3factura platform.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dokuzsoft Technology Ltd. E-Commerce Product allows Reflected XSS.This issue affects E-Commerce Product: through 10122025. [CVSS 7.6 HIGH]
Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link. [CVSS 5.4 MEDIUM]
The WooCommerce Photo Reviews plugin for WordPress versions up to 1.4.4 fails to properly sanitize user input in HTML contexts, enabling attackers to inject malicious scripts that execute in victims' browsers. This stored cross-site scripting vulnerability allows unauthenticated attackers to deface content or steal sensitive information from site visitors. No patch is currently available for this vulnerability.
Stored cross-site scripting in UX-themes Flatsome version 3.20.1 and earlier enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. The vulnerability requires user interaction to trigger the stored payload, and no patch is currently available.
Pcvue's web server fails to set proper HTTP security headers in its responses, enabling cross-site scripting (XSS) attacks against users who interact with the application. An unauthenticated attacker can exploit this through a user interaction to execute malicious scripts, potentially compromising confidentiality and integrity. No patch is currently available.
Cross-site scripting (XSS) in PcVue's OAuth error page (versions 12.0.0-16.3.3) allows remote attackers to inject malicious scripts by tricking users into authenticating with a crafted client ID, potentially compromising the WebVue, WebScheduler, TouchVue, and SnapVue components. An attacker can exploit this to steal session tokens or perform actions on behalf of affected users. No patch is currently available.
Audiobookshelf Mobile App versions up to 0.12.0 is affected by cross-site scripting (xss) (CVSS 4.8).
Stored XSS in Audiobookshelf prior to version 2.32.0 enables privileged users to inject malicious code into library metadata that executes in other users' browsers, potentially compromising sessions and enabling data theft. Public exploit code exists for this vulnerability. A patch is available in version 2.32.0 and later.
Stored cross-site scripting in the EM Cost Calculator WordPress plugin up to version 2.3.1 allows unauthenticated attackers to inject malicious scripts through the customer name field, which execute when administrators access the customer list. An attacker can exploit this to steal admin credentials or perform unauthorized actions within the WordPress environment. No patch is currently available for this vulnerability.
Stored XSS in the WordPress Custom Logo plugin through version 2.2 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users. This affects multi-site WordPress installations and single-site setups where unfiltered_html is disabled, requiring high-privilege attacker access but enabling persistent script injection across affected pages.
Stored XSS in WP Social Meta plugin through 1.0.1 allows authenticated administrators to inject malicious scripts into WordPress admin settings that execute for all users viewing affected pages, impacting multi-site installations and configurations with disabled unfiltered_html. The vulnerability requires high administrative privileges and complex exploitation conditions, making practical attacks unlikely despite network accessibility.
The TP2WP Importer plugin for WordPress contains a stored cross-site scripting vulnerability in the attachment importer settings that allows authenticated administrators to inject malicious scripts through the 'Watched domains' textarea due to inadequate input sanitization and output escaping. When other users access the affected settings page, the injected scripts execute in their browsers, potentially allowing administrators to perform unauthorized actions or steal sensitive data. The vulnerability affects all versions up to and including 1.1 with no patch currently available.
Livemesh Addons for Beaver Builder (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Stored XSS in Audiobookshelf Mobile App prior to version 0.12.0-beta allows authenticated users with library modification privileges to inject malicious JavaScript through metadata, enabling arbitrary code execution within victim users' browsers and WebViews. Successful exploitation could lead to session hijacking, data theft, and unauthorized access to native device APIs. A patch is available in version 0.12.0-beta and later.
Cross-site scripting in Angular's internationalization (i18n) pipeline allows attacker-controlled JavaScript to execute in the application origin when a poisoned translation file is merged into an app. The flaw affects Angular versions before 21.2.0, 21.1.16, 20.3.17, and 19.2.19, where HTML inside ICU (International Components for Unicode) messages from translated content was not sanitized before rendering. Exploitation is not open to arbitrary users - it requires first compromising a translation file (xliff, xtb, etc.), so this is effectively a supply-chain/third-party-translation risk; EPSS is very low (0.04%, 13th percentile) and there is no public exploit identified at time of analysis.
Reflected XSS in Copyparty before version 1.20.9 allows unauthenticated attackers to inject malicious scripts through the setck URL parameter, potentially enabling session hijacking or credential theft from affected users. The vulnerability requires user interaction to click a crafted link but can be exploited remotely without authentication. A patch is available in version 1.20.9 and later.
Improper output encoding in Svelte versions prior to 5.53.5 allows attackers to inject malicious HTML and execute arbitrary JavaScript in user browsers through unescaped error messages returned by the transformError function. An attacker who can control error content can exploit this XSS vulnerability to compromise application security and user data. A patch is available in version 5.53.5 and later.
Svelte versions prior to 5.53.5 fail to properly escape text bindings on contenteditable elements, allowing attackers to inject malicious HTML and execute arbitrary scripts when the application renders untrusted data as initial binding values during server-side rendering. This affects applications that use `bind:innerText` or `bind:textContent` with user-controlled input. A patch is available in version 5.53.5.
Improper output encoding in Sub2API AI API gateway allows injection attacks. The platform distributes AI API quotas without properly encoding output.
n8n is an open source workflow automation platform. [CVSS 5.4 MEDIUM]
Stored cross-site scripting (XSS) in Vikunja prior to version 2.0.0 allows authenticated attackers to steal authentication tokens by uploading malicious SVG files containing JavaScript that executes when accessed directly. The vulnerability exists because the application fails to sanitize SVG content before storage and renders it inline under the application origin, enabling token theft from localStorage. Public exploit code exists for this vulnerability and no patch is currently available for affected versions.
Cross-site WebSocket hijacking leading to persistent XSS and Remote Code Execution affects Storybook's dev server prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10. Because the dev server's story create/save WebSocket handlers fail to validate the connection origin and do not sanitize the componentFilePath field, a malicious website silently injects WebSocket messages into a developer's locally running instance to plant XSS or execute code; publicly exposed dev servers can be hit directly by any unauthenticated attacker. No public exploit identified at time of analysis, and EPSS is low at 0.17% (38th percentile), but the high CVSS 4.0 score of 8.9 and confirmed RCE impact make this a meaningful developer-workstation risk.
Vikunja is an open-source self-hosted task management platform. [CVSS 6.1 MEDIUM]
Stored XSS in Rucio's WebUI Custom RSE Attribute field allows authenticated attackers to inject malicious JavaScript that persists in the backend and executes for any user viewing affected pages, potentially leading to session hijacking or unauthorized actions. Public exploit code exists for this vulnerability, which affects Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1. No patch is currently available for all affected versions.
Stored XSS in Rucio's WebUI Identity Name field allows authenticated attackers to inject malicious scripts that execute in users' browsers, enabling session hijacking or unauthorized actions. The vulnerability affects versions prior to 35.8.3, 38.5.4, and 39.3.1, and public exploit code exists. Administrators should upgrade immediately as no patch availability timeline has been announced for unpatched versions.
Stored XSS in Rucio's WebUI RSE metadata allows authenticated attackers to inject malicious scripts that execute in users' browsers when viewing affected pages, potentially leading to session hijacking or unauthorized actions. The vulnerability affects Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1, and public exploit code exists. A security update is available in the patched versions listed above.
Stored XSS in Rucio's WebUI Custom Rules function allows authenticated attackers to inject malicious JavaScript that persists in the backend and executes when other users view affected pages, enabling session hijacking or unauthorized actions. Versions prior to 35.8.3, 38.5.4, and 39.3.1 are vulnerable, and public exploit code exists. Patches are available in the affected version branches.
Session hijacking in Rucio's WebUI error page allows unauthenticated attackers to steal user login tokens via reflected cross-site scripting in specially crafted URLs, affecting versions prior to 35.8.3, 38.5.4, and 39.3.1. Public exploit code exists for this vulnerability. Users should upgrade to patched versions immediately as no workarounds are available.
Stored XSS in VMware Aria Operations allows authenticated users with benchmark creation privileges to inject malicious scripts and execute arbitrary administrative actions within the platform. This vulnerability affects VMware, Broadcom, and Telco Cloud Infrastructure products with a CVSS score of 8.0, requiring user interaction to trigger the attack. Patches are available through VMSA-2026-0001.
Stored XSS in OpenEMR prior to version 8.0.0 allows authenticated users with "Forms administration" role to inject malicious JavaScript into patient encounter forms, which executes when other users with the same role view the affected data. Public exploit code exists for this vulnerability. The issue is resolved in version 8.0.0.
web-based management interface of Cisco FXOS Software and Cisco UCS Manager Software is affected by cross-site scripting (xss) (CVSS 4.8).
Secure Copy Content Protection and Content Locking (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 3.5).
Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 2.4).
Stored XSS in Rise Blocks WordPress plugin versions up to 3.7 allows authenticated contributors and above to inject malicious scripts into pages through the logoTag Site Identity block attribute due to inadequate input sanitization. The injected scripts execute in the browsers of all users who access the compromised pages, potentially leading to credential theft, session hijacking, or malware distribution. No patch is currently available.
Reflected XSS in SPIP jeux plugin before version 4.1.1 allows unauthenticated remote attackers to inject malicious scripts through unencoded request parameters in the pre_propre pipeline. An attacker can craft a malicious URL that, when visited by a victim, executes arbitrary JavaScript in the victim's browser with access to the page's context. A patch is available for affected installations.
Stored XSS in Mercator prior to version 2026.02.22 allows authenticated users to execute arbitrary JavaScript in other users' browsers by injecting malicious payloads into entity fields like contact points. The vulnerability exploits improperly escaped Blade template directives, enabling attackers to compromise administrator accounts and perform actions with their privileges. A patch is available in version 2026.02.22.
Stored cross-site scripting in Karakeep 0.30.0 allows remote attackers to execute arbitrary JavaScript in users' browsers by injecting malicious HTML through the Reddit metascraper plugin, which bypasses sanitization that is applied to other content sources. The vulnerability exists because the Reddit plugin's HTML output is rendered directly via dangerouslySetInnerHTML without DOMPurify filtering, and public exploit code is available. Version 0.31.0 contains the patch.
Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored objects and executes when accessed. PoC available.
Stored XSS in TypiCMS prior to version 16.1.7 allows authenticated users to upload malicious SVG files that execute JavaScript in administrators' browsers, compromising their sessions through unsanitized file content. Public exploit code exists for this vulnerability affecting Laravel-based TypiCMS installations. The flaw stems from insufficient validation of SVG file contents despite MIME type checks being present.
Reflected XSS in Repostat's RepoCard React component prior to version 1.0.1 allows attackers to execute arbitrary JavaScript in users' browsers when developers pass unsanitized input from URL parameters or other sources to the repo prop. The vulnerability stems from unsafe use of dangerouslySetInnerHTML without input validation, and public exploit code exists. Upgrading to version 1.0.1 or later eliminates the risk by removing dangerouslySetInnerHTML in favor of safe JSX data binding.
Cross-site scripting (XSS) in OpenEMR prior to version 8.0.0 allows unauthenticated attackers to inject malicious scripts through the translation database, as the `xl()` function returns unescaped strings that are used directly in the application without proper context-specific escaping. An attacker with database access could exploit this to execute arbitrary JavaScript in users' browsers and compromise sensitive patient data or application functionality. The vulnerability is resolved in OpenEMR 8.0.0 and later versions.
OpenEMR is a free and open source electronic health records and medical practice management application. [CVSS 8.7 HIGH]