Skip to main content

XSS

38830 CVEs technique

Monthly

CVE-2025-67491 MEDIUM POC PATCH This Month

OpenEMR is a free and open source electronic health records and medical practice management application. Versions 5.0.0.5 through 7.0.3.4 have a stored cross-site scripting vulnerability in the ub04 helper of the billing interface. [CVSS 5.4 MEDIUM]

XSS Openemr
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-26351 MEDIUM This Month

Stored XSS in GetSimpleCMS Community Edition 3.3.16 allows authenticated administrators to inject malicious JavaScript through the component slug field, which persists in XML storage and executes when other users access the Components page. An attacker with admin privileges can exploit this to hijack sessions, perform unauthorized administrative actions, and persistently compromise the CMS interface for all authenticated users. The vulnerability affects PHP-based GetSimpleCMS installations and currently has no available patch.

PHP XSS Getsimple Cms
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2025-46320 MEDIUM This Month

A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homepage could lead to unauthorized access and remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4 and FileMaker Server 21.1.7. [CVSS 6.1 MEDIUM]

RCE XSS Filemaker Server
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-23858 MEDIUM PATCH This Month

Dell Wyse Management Suite versions before 5.5 contain a cross-site scripting (XSS) vulnerability that allows authenticated remote attackers to inject malicious scripts into web pages. An attacker with low privileges and user interaction can exploit this to execute arbitrary JavaScript in the context of other users' sessions. A patch is available to remediate this vulnerability.

XSS Wyse Management Suite
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27517 MEDIUM This Month

Stored cross-site scripting in Binardat 10G08-0800GSM network switch firmware through version V300SP10260209 enables attackers to execute arbitrary JavaScript within authenticated user sessions via the web interface. An attacker with network access can inject malicious scripts that execute in the context of legitimate users, potentially leading to session hijacking, credential theft, or unauthorized configuration changes. No patch is currently available.

RCE XSS 10g08 0800gsm Firmware
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-3070 LOW POC Monitor

Reflected XSS in SourceCodester Modern Image Gallery App 1.0 allows unauthenticated remote attackers to inject malicious scripts through the filename parameter in upload.php. Public exploit code exists for this vulnerability, though it requires user interaction to succeed. No patch is currently available.

PHP XSS File Upload
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3054 LOW PATCH Monitor

Cross-site scripting (XSS) via the hint parameter in Alinto SOGo 5.12.3/5.12.4 allows unauthenticated remote attackers to inject malicious scripts through a user-interactive attack vector. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or responded to disclosure efforts. The impact is limited to integrity compromise with no confidentiality or availability impact.

XSS Sogo
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-27126 PHP MEDIUM PATCH This Month

Stored XSS in Craft CMS 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22 allows high-privileged administrators to inject malicious scripts into HTML-type table columns that execute in other users' browsers. Exploitation requires admin-level access and the `allowAdminChanges` setting enabled in production, limiting the risk to environments with already-compromised administrative accounts. Patches are available in versions 4.16.19 and 5.8.23.

XSS Craft Cms
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-3050 LOW POC PATCH Monitor

A flaw has been found in horilla-opensource horilla up to 1.0.2. Impacted is an unknown function of the file static/assets/js/global.js of the component Leads Module. [CVSS 3.5 LOW]

XSS Horilla
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-25802 Go HIGH POC PATCH This Week

New API LLM gateway versions before 0.10.8-alpha.9 are vulnerable to stored cross-site scripting through the MarkdownRenderer component, which fails to sanitize script tags in model outputs. An authenticated attacker with user interaction can inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. Public exploit code exists for this vulnerability, though a patch is available.

XSS AI / ML New Api Suse
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-3043 LOW POC Monitor

Reflected cross-site scripting in itsourcecode Event Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the page parameter in /admin/navbar.php. Public exploit code exists for this vulnerability, enabling attackers to steal session tokens or perform actions on behalf of administrators. No patch is currently available.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3041 LOW Monitor

A security vulnerability has been detected in xingfuggz BaykeShop up to 1.3.20. Impacted is an unknown function of the file src/baykeshop/contrib/article/templates/baykeshop/sidebar/custom.html of the component Article Sidebar Module. Such manipulation of the argument sidebar.content leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and ...

XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-3028 LOW POC Monitor

Cross-site scripting (XSS) in the doAdd function of Jeewms up to version 3.7 allows unauthenticated remote attackers to inject malicious scripts through the Name parameter. Public exploit code exists for this vulnerability, and the vendor has not released patches or responded to disclosure attempts. An attacker can exploit this via a user interaction to perform actions in the context of the affected application.

Java XSS
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-27742 MEDIUM POC This Month

Stored XSS in Bludit 3.16.2 allows authenticated users to inject malicious JavaScript into post content that executes when viewed by other users, enabling session hijacking and credential theft. The vulnerability exists because the application relies solely on client-side input validation while failing to sanitize or encode content server-side. Public exploit code is available, though no patch has been released yet.

XSS Bludit
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-3027 LOW POC Monitor

Reflected cross-site scripting in Jeewms up to version 3.7 exists in the UEditor component's getContent.jsp file through unsanitized input in the myEditor parameter, allowing remote attackers to inject malicious scripts. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification.

XSS Jeewms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-25648 HIGH POC This Week

Traccar versions 6.11.1 and later allow authenticated users to inject malicious JavaScript into other users' browsers by uploading unsanitized SVG files as device images, exploiting improper Content-Type handling. Public exploit code exists for this reflected cross-site scripting vulnerability, which could enable session hijacking or credential theft with no patch currently available.

File Upload RCE XSS Traccar
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-26464 MEDIUM POC This Month

Society Management System Portal versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 6.1).

PHP XSS Society Management System Portal
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-27512 MEDIUM This Month

Tenda F3 Wireless Router firmware V12.01.01.55_multi is vulnerable to reflected cross-site scripting (XSS) in its administrative interface due to missing MIME-sniffing protections and insufficient input validation. An unauthenticated attacker can inject malicious scripts that execute in the context of the admin interface when a user visits a crafted link, potentially leading to administrative account compromise. No patch is currently available for this vulnerability.

XSS F3 Firmware
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-27511 MEDIUM POC This Month

Tenda F3 Wireless Router firmware V12.01.01.55_multi lacks clickjacking protections in its web administrative interface, enabling attackers to embed configuration pages in iframes and manipulate authenticated administrators into making unauthorized changes. Public exploit code exists for this vulnerability, affecting administrators who access the router's management interface. While the impact is limited to configuration tampering rather than direct compromise, the lack of available patches leaves affected devices vulnerable.

XSS F3 Firmware
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-40986 This Week

Reflected Cross-Site Scripting (XSS) vulnerability in PideTuCita. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL using the endpoint 'cookies/indes.php/<XSS>'.

PHP XSS
NVD
EPSS
0.0%
CVE-2025-40701 This Week

Reflected Cross-Site Scripting vulnerability in SOTESHOP, version 8.3.4. THis vulnerability allows an attacker execute JavaScript code in the victim's browser when a malicious URL with the 'id' parameter in '/adsTracker/checkAds' is sent to the victim.

XSS
NVD
EPSS
0.0%
CVE-2026-2972 LOW POC Monitor

A vulnerability was determined in a466350665 Smart-SSO up to 2.1.1. This affects the function Save of the file smart-sso-server/src/main/java/openjoe/smart/sso/server/controller/admin/UserController.java of the component Role Edit Page. [CVSS 2.4 LOW]

Java XSS
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2971 LOW POC Monitor

Smart SSO up to version 2.1.1 contains a reflected cross-site scripting vulnerability in the login page's redirectUri parameter that allows unauthenticated remote attackers to execute arbitrary JavaScript in users' browsers. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early disclosure notification.

XSS Smart Sso
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2965 LOW Monitor

A security flaw has been discovered in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.9. The affected element is an unknown function of the file /admin/SysModule/edit.html of the component System Extension Module. [CVSS 2.4 LOW]

XSS
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2947 LOW POC Monitor

A vulnerability was detected in rymcu forest up to 0.0.5. This affects the function updateUserInfo of the file - src/main/java/com/rymcu/forest/web/api/user/UserInfoController.java of the component User Profile Handler. [CVSS 3.5 LOW]

Java XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2946 LOW POC Monitor

A security vulnerability has been detected in rymcu forest up to 0.0.5. Affected by this issue is the function XssUtils.replaceHtmlCode of the file src/main/java/com/rymcu/forest/util/XssUtils.java of the component Article Content/Comments/Portfolio. [CVSS 3.5 LOW]

Java XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2943 LOW Monitor

Cross-site scripting in SapneshNaik Student Management System allows remote attackers to inject malicious scripts through the Error parameter in index.php, with public exploit code available. The vulnerability requires user interaction to trigger and has a low CVSS score of 4.3, but no patch is currently available from the unresponsive vendor.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2939 LOW POC Monitor

A vulnerability was found in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /add_student/ of the component Add Student Module. [CVSS 2.4 LOW]

XSS Student Management System
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2934 LOW POC Monitor

A security vulnerability has been detected in YiFang CMS up to 2.0.5. This impacts the function update of the file app/db/admin/D_friendLinkGroup.php of the component Extended Management Module. [CVSS 2.4 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2933 LOW POC Monitor

A weakness has been identified in YiFang CMS up to 2.0.5. This affects the function update of the file app/db/admin/D_adManage.php of the component Extended Management Module. [CVSS 2.4 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2932 LOW POC Monitor

A security flaw has been discovered in YiFang CMS up to 2.0.5. The impacted element is the function update of the file app/db/admin/D_adPosition.php of the component Extended Management Module. [CVSS 2.4 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2897 PHP LOW POC Monitor

A security vulnerability has been detected in funadmin up to 7.1.0-rc4. This vulnerability affects unknown code of the file app/backend/view/index/index.html of the component Backend Interface. [CVSS 2.4 LOW]

XSS Funadmin
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-27469 PyPI MEDIUM PATCH This Month

Stored cross-site scripting in Isso's comment server allows unauthenticated attackers to inject malicious JavaScript through improperly escaped website and comment fields, enabling session hijacking or credential theft when victims interact with affected comments. The vulnerability stems from insufficient HTML escaping that leaves quotes unescaped in href attributes and comment edit endpoints, permitting arbitrary event handler injection. No patch is currently available for Python deployments.

Python XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-27458 MEDIUM POC PATCH This Month

Stored XSS in LinkAce 2.4.2 and below allows authenticated users to inject malicious JavaScript through improperly sanitized list descriptions in the Atom feed endpoint, which executes in browsers via native SVG elements without requiring an RSS reader. An attacker can exploit this to perform actions on behalf of victims visiting the feed URL, with public exploit code already available. A patch is available to remediate this cross-site scripting vulnerability affecting the self-hosted link archiving application.

XSS Linkace
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27210 npm MEDIUM PATCH This Month

Pannellum 2.5.0 through 2.5.6 allows arbitrary JavaScript execution through improperly sanitized hotspot configuration attributes in JSON files, enabling stored XSS attacks against users viewing panorama viewers with malicious configurations. An attacker can craft a malicious config file that executes code automatically upon page load without user interaction, potentially allowing page defacement or credential theft. A patch is available to address this vulnerability.

XSS Pannellum
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-27196 PHP HIGH PATCH This Week

Versions 5.73.8 and below in addition to 6.0.0-alpha.1 versions up to 6.3.1 is affected by cross-site scripting (xss) (CVSS 8.1).

XSS Statamic
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-27169 HIGH This Week

Stored cross-site scripting in OpenSift versions 1.1.2-alpha and below allows authenticated attackers to execute arbitrary JavaScript in victims' browsers by injecting malicious content into study materials, quizzes, or flashcards that render without proper HTML sanitization. An attacker with the ability to create or modify stored content could perform unauthorized actions within authenticated user sessions. No patch is currently available for this vulnerability.

XSS AI / ML Opensift
NVD GitHub
CVSS 3.1
8.9
EPSS
0.0%
CVE-2026-27147 MEDIUM POC This Month

GetSimple CMS allows authenticated users to upload SVG files containing malicious JavaScript through the administrative interface, which executes in browsers when the files are accessed due to insufficient sanitization. Public exploit code exists for this stored XSS vulnerability, and no patch is currently available, leaving all GetSimple CMS versions at risk.

XSS Getsimple Cms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27122 npm MEDIUM PATCH This Month

HTML injection in Svelte's server-side rendering occurs when the `<svelte:element>` tag parameter fails to sanitize user-supplied tag names, allowing attackers to inject malicious HTML into rendered output. This affects Svelte versions prior to 5.51.5 and requires user interaction to exploit, with client-side rendering remaining unaffected. An authenticated attacker can achieve limited information disclosure or modify page content for affected users.

XSS Svelte Red Hat
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27121 npm MEDIUM PATCH This Month

Server-side rendering in Svelte versions before 5.51.5 fails to sanitize event handler properties when spreading untrusted data as HTML attributes, enabling stored or reflected XSS attacks. An attacker can inject malicious event handlers into rendered pages if an application spreads user-controlled or external data as element attributes, causing arbitrary JavaScript execution in victim browsers. No patch is currently available.

XSS Svelte Red Hat
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27119 npm MEDIUM PATCH This Month

Improper HTML escaping in Svelte versions 5.39.3 through 5.51.4 allows HTML injection attacks through unescaped option element content during server-side rendering, enabling attackers to inject malicious HTML into SSR output. Client-side rendering is unaffected, and the vulnerability is limited to applications using vulnerable Svelte versions on the server. This medium-severity flaw requires upgrading to version 5.51.5 or later, as no patch is currently available for affected versions.

XSS Svelte Red Hat
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2019-25454 MEDIUM POC This Month

phpMoAdmin 1.1.5 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the collection parameter. [CVSS 6.1 MEDIUM]

PHP XSS Phpmoadmin
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2019-25453 MEDIUM POC This Month

phpMoAdmin 1.1.5 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the newdb parameter. [CVSS 6.1 MEDIUM]

PHP XSS Phpmoadmin
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2019-25449 MEDIUM POC This Month

OrientDB 3.0.17 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted JSON payloads to the document endpoint. [CVSS 6.1 MEDIUM]

XSS Orientdb
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25448 MEDIUM POC This Month

OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. [CVSS 6.4 MEDIUM]

XSS Orientdb
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2019-25447 MEDIUM POC This Month

OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /document/. [CVSS 4.3 MEDIUM]

XSS CSRF Orientdb
NVD Exploit-DB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-27120 MEDIUM POC PATCH This Month

Leafkit versions up to 1.4.1 contains a vulnerability that allows attackers to XSS if there is a leaf variable in the attribute that is user controlled (CVSS 6.1).

XSS Leafkit
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-27020 This Week

Photobooth prior to 1.0.1 has a cross-site scripting (XSS) vulnerability in user input fields. Malicious users could inject scripts through unvalidated form inputs.

XSS
NVD GitHub
EPSS
0.1%
CVE-2026-25896 npm CRITICAL POC PATCH Act Now

ReDoS in fast-xml-parser before fix via crafted XML. PoC and patch available.

XSS Fast Xml Parser
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-2472 PyPI HIGH PATCH This Week

Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment via injecting script escape sequences into model evaluation results or dataset JSON data.

Google XSS
NVD GitHub
CVSS 4.0
8.6
EPSS
0.2%
CVE-2025-62326 MEDIUM This Month

HCL Digital Experience is susceptible to stored cross-site scripting (XSS) in the administrative user interface which would require elevated privileges to exploit. [CVSS 6.1 MEDIUM]

XSS Digital Experience
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25445 MEDIUM POC This Month

Fiverr Clone Script 1.2.2 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the keyword parameter. [CVSS 6.1 MEDIUM]

PHP XSS Fiverr Clone Script
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-27506 MEDIUM This Month

SVXportal 2.5 and earlier allows authenticated users to inject malicious scripts into user profile fields (firstname, lastname, email, image_url) that execute in administrators' browsers when viewing user management pages. An attacker with a valid account can exploit this stored XSS vulnerability to perform administrative actions or steal session credentials by targeting users with higher privileges. No patch is currently available for this vulnerability.

PHP XSS Svxportal
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-27505 MEDIUM This Month

SVXportal version 2.5 and earlier allow unauthenticated attackers to perform stored cross-site scripting attacks through the user registration form, where unencoded user inputs are persisted and executed in administrator browsers. An attacker can inject malicious JavaScript via registration fields like firstname, lastname, or email that will trigger when administrators access the users management interface. No patch is currently available for this vulnerability.

PHP XSS Svxportal
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-27504 MEDIUM This Month

SVXportal 2.5 and earlier allows authenticated attackers to inject arbitrary scripts through an unsanitized stationid parameter in radiomobile_front.php, which executes in an administrator's browser context when they visit a crafted URL. This reflected XSS vulnerability enables attackers to hijack admin sessions or execute unauthorized actions with administrative privileges. No patch is currently available.

PHP XSS Svxportal
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-27503 MEDIUM This Month

Reflected XSS in SVXportal 2.5 and earlier allows attackers to inject malicious JavaScript through the search parameter in admin/log.php, which executes in administrators' browsers when they visit a crafted URL. An authenticated attacker could exploit this to steal admin sessions, forge administrative actions, or perform other browser-based attacks with elevated privileges. No patch is currently available.

PHP XSS Svxportal
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-27502 MEDIUM This Month

Reflected XSS in SVXportal 2.5 and earlier allows unauthenticated attackers to inject malicious JavaScript through an unsanitized search parameter in log.php, enabling session hijacking or unauthorized actions when victims click a crafted link. The vulnerability requires user interaction but has no authentication requirement and affects all users of the vulnerable versions.

PHP XSS Svxportal
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-26724 HIGH POC This Week

Global Facilities Management Software versions up to 20230721a is affected by cross-site scripting (xss) (CVSS 7.6).

XSS Global Facilities Management Software
NVD GitHub
CVSS 3.1
7.6
EPSS
0.1%
CVE-2026-26723 HIGH POC This Week

Global Facilities Management Software versions up to 20230721a is affected by cross-site scripting (xss) (CVSS 8.2).

XSS Global Facilities Management Software
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-15583 LOW POC Monitor

A weakness has been identified in detronetdip E-commerce 1.0.0. This affects the function get_safe_value of the file utility/function.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-27072 HIGH This Week

PixelYourSite plugin versions up to 11.2.0.1 contain a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into web pages without authentication. An attacker can exploit this to execute arbitrary JavaScript in the browsers of site visitors, potentially stealing session data or performing unauthorized actions on behalf of users. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-24955 HIGH This Week

Reflected cross-site scripting in fox-themes Whizz Plugins version 1.9 and earlier allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by victims, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction to trigger and can affect all visitors to a compromised site due to its cross-site impact. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-24949 HIGH This Week

DOM-based cross-site scripting in ThemeGoods PhotoMe through version 5.7.1 enables attackers to inject malicious scripts that execute in users' browsers without authentication. An attacker can exploit this vulnerability to steal sensitive data, hijack user sessions, or perform unauthorized actions on behalf of affected users. No patch is currently available, and exploitation requires user interaction to trigger the payload.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-24948 HIGH This Week

Reflected XSS in fox-themes Reflector plugin versions up to 1.2.2 enables attackers to inject malicious scripts into web pages viewed by victims, potentially allowing theft of session cookies, credentials, or sensitive data through user interaction. The vulnerability requires no authentication and can spread across security boundaries, affecting all users who click malicious links. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-24943 HIGH This Week

Reflected cross-site scripting in ThemeGoods Grand Conference up to version 5.3.4 enables attackers to inject malicious scripts into web pages viewed by users, potentially stealing session data or performing actions on their behalf. The vulnerability requires user interaction to trigger but can be exploited remotely without authentication. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-22357 HIGH This Week

Reflected cross-site scripting in Link Whisper Free through version 0.9.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. Exploitation requires user interaction (clicking a malicious link) but can lead to session hijacking, credential theft, and unauthorized actions performed on behalf of victims. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-22352 HIGH This Week

PersianScript Persian Woocommerce SMS persian-woocommerce-sms is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69392 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itex iMoney imoney allows Reflected XSS.This issue affects iMoney: from n/a through <= 0.36. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69391 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes Diamond diamond allows Reflected XSS.This issue affects Diamond: from n/a through <= 2.4.8. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69390 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themebon Business Template Blocks for WPBakery (Visual Composer) Page Builder templates-and-addons-for-wpbakery-page-builder allows Reflected XSS.This issue affects Business Template Blocks for WPBakery (Visual Composer) Page Builder: from n/a through <= 1.3.2. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69389 HIGH This Week

Hugh Mungus Visitor Maps Extended Referer Field visitor-maps-extended-referer-field is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69386 HIGH This Week

realvirtualmx RVCFDI para Woocommerce rvcfdi-para-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69384 HIGH This Week

wpdiscover Timeline Event History timeline-event-history is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69368 HIGH This Week

GT3themes SOHO - Photography WordPress Theme soho is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69367 HIGH This Week

GT3themes Oyster - Photography WordPress Theme oyster is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69330 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes Prestige prestige allows Reflected XSS.This issue affects Prestige: from n/a through < 1.4.1. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69326 HIGH This Week

Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69324 HIGH This Week

Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69323 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs Slimstat Analytics wp-slimstat allows Reflected XSS.This issue affects Slimstat Analytics: from n/a through <= 5.3.2. [CVSS 7.1 HIGH]

WordPress Industrial XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69302 HIGH This Week

designthemes DesignThemes Core Features designthemes-core-features is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69296 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GhostPool Aardvark aardvark allows Reflected XSS.This issue affects Aardvark: from n/a through <= 4.6.3. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69011 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPKube Cool Tag Cloud cool-tag-cloud allows Stored XSS.This issue affects Cool Tag Cloud: from n/a through <= 2.29. [CVSS 6.5 MEDIUM]

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68880 HIGH This Week

peterwsterling Simple Archive Generator simple-archive-generator is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68863 HIGH This Week

Zack Katz iContact for Gravity Forms gravity-forms-icontact is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68856 HIGH This Week

keeswolters Mopinion Feedback Form mopinion-feedback-form is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68854 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in harman79 ID Arrays id-arrays allows DOM-Based XSS.This issue affects ID Arrays: from n/a through <= 2.1.2. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68852 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webmuehle Court Reservation court-reservation allows Reflected XSS.This issue affects Court Reservation: from n/a through <= 1.10.9. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68848 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anmari amr cron manager amr-cron-manager allows Reflected XSS.This issue affects amr cron manager: from n/a through <= 2.3. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68847 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itex iSape isape allows Reflected XSS.This issue affects iSape: from n/a through <= 0.72. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68846 HIGH This Week

Paris Holley Asynchronous Javascript asynchronous-javascript is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

OpenEMR is a free and open source electronic health records and medical practice management application. Versions 5.0.0.5 through 7.0.3.4 have a stored cross-site scripting vulnerability in the ub04 helper of the billing interface. [CVSS 5.4 MEDIUM]

XSS Openemr
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in GetSimpleCMS Community Edition 3.3.16 allows authenticated administrators to inject malicious JavaScript through the component slug field, which persists in XML storage and executes when other users access the Components page. An attacker with admin privileges can exploit this to hijack sessions, perform unauthorized administrative actions, and persistently compromise the CMS interface for all authenticated users. The vulnerability affects PHP-based GetSimpleCMS installations and currently has no available patch.

PHP XSS Getsimple Cms
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homepage could lead to unauthorized access and remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4 and FileMaker Server 21.1.7. [CVSS 6.1 MEDIUM]

RCE XSS Filemaker Server
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Dell Wyse Management Suite versions before 5.5 contain a cross-site scripting (XSS) vulnerability that allows authenticated remote attackers to inject malicious scripts into web pages. An attacker with low privileges and user interaction can exploit this to execute arbitrary JavaScript in the context of other users' sessions. A patch is available to remediate this vulnerability.

XSS Wyse Management Suite
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Stored cross-site scripting in Binardat 10G08-0800GSM network switch firmware through version V300SP10260209 enables attackers to execute arbitrary JavaScript within authenticated user sessions via the web interface. An attacker with network access can inject malicious scripts that execute in the context of legitimate users, potentially leading to session hijacking, credential theft, or unauthorized configuration changes. No patch is currently available.

RCE XSS 10g08 0800gsm Firmware
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected XSS in SourceCodester Modern Image Gallery App 1.0 allows unauthenticated remote attackers to inject malicious scripts through the filename parameter in upload.php. Public exploit code exists for this vulnerability, though it requires user interaction to succeed. No patch is currently available.

PHP XSS File Upload
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Cross-site scripting (XSS) via the hint parameter in Alinto SOGo 5.12.3/5.12.4 allows unauthenticated remote attackers to inject malicious scripts through a user-interactive attack vector. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or responded to disclosure efforts. The impact is limited to integrity compromise with no confidentiality or availability impact.

XSS Sogo
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored XSS in Craft CMS 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22 allows high-privileged administrators to inject malicious scripts into HTML-type table columns that execute in other users' browsers. Exploitation requires admin-level access and the `allowAdminChanges` setting enabled in production, limiting the risk to environments with already-compromised administrative accounts. Patches are available in versions 4.16.19 and 5.8.23.

XSS Craft Cms
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC PATCH Monitor

A flaw has been found in horilla-opensource horilla up to 1.0.2. Impacted is an unknown function of the file static/assets/js/global.js of the component Leads Module. [CVSS 3.5 LOW]

XSS Horilla
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH POC PATCH This Week

New API LLM gateway versions before 0.10.8-alpha.9 are vulnerable to stored cross-site scripting through the MarkdownRenderer component, which fails to sanitize script tags in model outputs. An authenticated attacker with user interaction can inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. Public exploit code exists for this vulnerability, though a patch is available.

XSS AI / ML New Api +1
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting in itsourcecode Event Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the page parameter in /admin/navbar.php. Public exploit code exists for this vulnerability, enabling attackers to steal session tokens or perform actions on behalf of administrators. No patch is currently available.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW Monitor

A security vulnerability has been detected in xingfuggz BaykeShop up to 1.3.20. Impacted is an unknown function of the file src/baykeshop/contrib/article/templates/baykeshop/sidebar/custom.html of the component Article Sidebar Module. Such manipulation of the argument sidebar.content leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and ...

XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting (XSS) in the doAdd function of Jeewms up to version 3.7 allows unauthenticated remote attackers to inject malicious scripts through the Name parameter. Public exploit code exists for this vulnerability, and the vendor has not released patches or responded to disclosure attempts. An attacker can exploit this via a user interaction to perform actions in the context of the affected application.

Java XSS
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Stored XSS in Bludit 3.16.2 allows authenticated users to inject malicious JavaScript into post content that executes when viewed by other users, enabling session hijacking and credential theft. The vulnerability exists because the application relies solely on client-side input validation while failing to sanitize or encode content server-side. Public exploit code is available, though no patch has been released yet.

XSS Bludit
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting in Jeewms up to version 3.7 exists in the UEditor component's getContent.jsp file through unsanitized input in the myEditor parameter, allowing remote attackers to inject malicious scripts. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification.

XSS Jeewms
NVD VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

Traccar versions 6.11.1 and later allow authenticated users to inject malicious JavaScript into other users' browsers by uploading unsanitized SVG files as device images, exploiting improper Content-Type handling. Public exploit code exists for this reflected cross-site scripting vulnerability, which could enable session hijacking or credential theft with no patch currently available.

File Upload RCE XSS +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Society Management System Portal versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 6.1).

PHP XSS Society Management System Portal
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Tenda F3 Wireless Router firmware V12.01.01.55_multi is vulnerable to reflected cross-site scripting (XSS) in its administrative interface due to missing MIME-sniffing protections and insufficient input validation. An unauthenticated attacker can inject malicious scripts that execute in the context of the admin interface when a user visits a crafted link, potentially leading to administrative account compromise. No patch is currently available for this vulnerability.

XSS F3 Firmware
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Tenda F3 Wireless Router firmware V12.01.01.55_multi lacks clickjacking protections in its web administrative interface, enabling attackers to embed configuration pages in iframes and manipulate authenticated administrators into making unauthorized changes. Public exploit code exists for this vulnerability, affecting administrators who access the router's management interface. While the impact is limited to configuration tampering rather than direct compromise, the lack of available patches leaves affected devices vulnerable.

XSS F3 Firmware
NVD
EPSS 0%
This Week

Reflected Cross-Site Scripting (XSS) vulnerability in PideTuCita. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL using the endpoint 'cookies/indes.php/<XSS>'.

PHP XSS
NVD
EPSS 0%
This Week

Reflected Cross-Site Scripting vulnerability in SOTESHOP, version 8.3.4. THis vulnerability allows an attacker execute JavaScript code in the victim's browser when a malicious URL with the 'id' parameter in '/adsTracker/checkAds' is sent to the victim.

XSS
NVD
EPSS 0% CVSS 1.9
LOW POC Monitor

A vulnerability was determined in a466350665 Smart-SSO up to 2.1.1. This affects the function Save of the file smart-sso-server/src/main/java/openjoe/smart/sso/server/controller/admin/UserController.java of the component Role Edit Page. [CVSS 2.4 LOW]

Java XSS
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Smart SSO up to version 2.1.1 contains a reflected cross-site scripting vulnerability in the login page's redirectUri parameter that allows unauthenticated remote attackers to execute arbitrary JavaScript in users' browsers. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early disclosure notification.

XSS Smart Sso
NVD VulDB
EPSS 0% CVSS 1.9
LOW Monitor

A security flaw has been discovered in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.9. The affected element is an unknown function of the file /admin/SysModule/edit.html of the component System Extension Module. [CVSS 2.4 LOW]

XSS
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was detected in rymcu forest up to 0.0.5. This affects the function updateUserInfo of the file - src/main/java/com/rymcu/forest/web/api/user/UserInfoController.java of the component User Profile Handler. [CVSS 3.5 LOW]

Java XSS
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A security vulnerability has been detected in rymcu forest up to 0.0.5. Affected by this issue is the function XssUtils.replaceHtmlCode of the file src/main/java/com/rymcu/forest/util/XssUtils.java of the component Article Content/Comments/Portfolio. [CVSS 3.5 LOW]

Java XSS
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Cross-site scripting in SapneshNaik Student Management System allows remote attackers to inject malicious scripts through the Error parameter in index.php, with public exploit code available. The vulnerability requires user interaction to trigger and has a low CVSS score of 4.3, but no patch is currently available from the unresponsive vendor.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

A vulnerability was found in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /add_student/ of the component Add Student Module. [CVSS 2.4 LOW]

XSS Student Management System
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

A security vulnerability has been detected in YiFang CMS up to 2.0.5. This impacts the function update of the file app/db/admin/D_friendLinkGroup.php of the component Extended Management Module. [CVSS 2.4 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

A weakness has been identified in YiFang CMS up to 2.0.5. This affects the function update of the file app/db/admin/D_adManage.php of the component Extended Management Module. [CVSS 2.4 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

A security flaw has been discovered in YiFang CMS up to 2.0.5. The impacted element is the function update of the file app/db/admin/D_adPosition.php of the component Extended Management Module. [CVSS 2.4 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

A security vulnerability has been detected in funadmin up to 7.1.0-rc4. This vulnerability affects unknown code of the file app/backend/view/index/index.html of the component Backend Interface. [CVSS 2.4 LOW]

XSS Funadmin
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored cross-site scripting in Isso's comment server allows unauthenticated attackers to inject malicious JavaScript through improperly escaped website and comment fields, enabling session hijacking or credential theft when victims interact with affected comments. The vulnerability stems from insufficient HTML escaping that leaves quotes unescaped in href attributes and comment edit endpoints, permitting arbitrary event handler injection. No patch is currently available for Python deployments.

Python XSS
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Stored XSS in LinkAce 2.4.2 and below allows authenticated users to inject malicious JavaScript through improperly sanitized list descriptions in the Atom feed endpoint, which executes in browsers via native SVG elements without requiring an RSS reader. An attacker can exploit this to perform actions on behalf of victims visiting the feed URL, with public exploit code already available. A patch is available to remediate this cross-site scripting vulnerability affecting the self-hosted link archiving application.

XSS Linkace
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Pannellum 2.5.0 through 2.5.6 allows arbitrary JavaScript execution through improperly sanitized hotspot configuration attributes in JSON files, enabling stored XSS attacks against users viewing panorama viewers with malicious configurations. An attacker can craft a malicious config file that executes code automatically upon page load without user interaction, potentially allowing page defacement or credential theft. A patch is available to address this vulnerability.

XSS Pannellum
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Versions 5.73.8 and below in addition to 6.0.0-alpha.1 versions up to 6.3.1 is affected by cross-site scripting (xss) (CVSS 8.1).

XSS Statamic
NVD GitHub VulDB
EPSS 0% CVSS 8.9
HIGH This Week

Stored cross-site scripting in OpenSift versions 1.1.2-alpha and below allows authenticated attackers to execute arbitrary JavaScript in victims' browsers by injecting malicious content into study materials, quizzes, or flashcards that render without proper HTML sanitization. An attacker with the ability to create or modify stored content could perform unauthorized actions within authenticated user sessions. No patch is currently available for this vulnerability.

XSS AI / ML Opensift
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

GetSimple CMS allows authenticated users to upload SVG files containing malicious JavaScript through the administrative interface, which executes in browsers when the files are accessed due to insufficient sanitization. Public exploit code exists for this stored XSS vulnerability, and no patch is currently available, leaving all GetSimple CMS versions at risk.

XSS Getsimple Cms
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

HTML injection in Svelte's server-side rendering occurs when the `<svelte:element>` tag parameter fails to sanitize user-supplied tag names, allowing attackers to inject malicious HTML into rendered output. This affects Svelte versions prior to 5.51.5 and requires user interaction to exploit, with client-side rendering remaining unaffected. An authenticated attacker can achieve limited information disclosure or modify page content for affected users.

XSS Svelte Red Hat
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Server-side rendering in Svelte versions before 5.51.5 fails to sanitize event handler properties when spreading untrusted data as HTML attributes, enabling stored or reflected XSS attacks. An attacker can inject malicious event handlers into rendered pages if an application spreads user-controlled or external data as element attributes, causing arbitrary JavaScript execution in victim browsers. No patch is currently available.

XSS Svelte Red Hat
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Improper HTML escaping in Svelte versions 5.39.3 through 5.51.4 allows HTML injection attacks through unescaped option element content during server-side rendering, enabling attackers to inject malicious HTML into SSR output. Client-side rendering is unaffected, and the vulnerability is limited to applications using vulnerable Svelte versions on the server. This medium-severity flaw requires upgrading to version 5.51.5 or later, as no patch is currently available for affected versions.

XSS Svelte Red Hat
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

phpMoAdmin 1.1.5 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the collection parameter. [CVSS 6.1 MEDIUM]

PHP XSS Phpmoadmin
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

phpMoAdmin 1.1.5 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the newdb parameter. [CVSS 6.1 MEDIUM]

PHP XSS Phpmoadmin
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

OrientDB 3.0.17 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted JSON payloads to the document endpoint. [CVSS 6.1 MEDIUM]

XSS Orientdb
NVD Exploit-DB
EPSS 0% CVSS 6.4
MEDIUM POC This Month

OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. [CVSS 6.4 MEDIUM]

XSS Orientdb
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM POC This Month

OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /document/. [CVSS 4.3 MEDIUM]

XSS CSRF Orientdb
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Leafkit versions up to 1.4.1 contains a vulnerability that allows attackers to XSS if there is a leaf variable in the attribute that is user controlled (CVSS 6.1).

XSS Leafkit
NVD GitHub
EPSS 0%
This Week

Photobooth prior to 1.0.1 has a cross-site scripting (XSS) vulnerability in user input fields. Malicious users could inject scripts through unvalidated form inputs.

XSS
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

ReDoS in fast-xml-parser before fix via crafted XML. PoC and patch available.

XSS Fast Xml Parser
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment via injecting script escape sequences into model evaluation results or dataset JSON data.

Google XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

HCL Digital Experience is susceptible to stored cross-site scripting (XSS) in the administrative user interface which would require elevated privileges to exploit. [CVSS 6.1 MEDIUM]

XSS Digital Experience
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Fiverr Clone Script 1.2.2 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the keyword parameter. [CVSS 6.1 MEDIUM]

PHP XSS Fiverr Clone Script
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM This Month

SVXportal 2.5 and earlier allows authenticated users to inject malicious scripts into user profile fields (firstname, lastname, email, image_url) that execute in administrators' browsers when viewing user management pages. An attacker with a valid account can exploit this stored XSS vulnerability to perform administrative actions or steal session credentials by targeting users with higher privileges. No patch is currently available for this vulnerability.

PHP XSS Svxportal
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

SVXportal version 2.5 and earlier allow unauthenticated attackers to perform stored cross-site scripting attacks through the user registration form, where unencoded user inputs are persisted and executed in administrator browsers. An attacker can inject malicious JavaScript via registration fields like firstname, lastname, or email that will trigger when administrators access the users management interface. No patch is currently available for this vulnerability.

PHP XSS Svxportal
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

SVXportal 2.5 and earlier allows authenticated attackers to inject arbitrary scripts through an unsanitized stationid parameter in radiomobile_front.php, which executes in an administrator's browser context when they visit a crafted URL. This reflected XSS vulnerability enables attackers to hijack admin sessions or execute unauthorized actions with administrative privileges. No patch is currently available.

PHP XSS Svxportal
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected XSS in SVXportal 2.5 and earlier allows attackers to inject malicious JavaScript through the search parameter in admin/log.php, which executes in administrators' browsers when they visit a crafted URL. An authenticated attacker could exploit this to steal admin sessions, forge administrative actions, or perform other browser-based attacks with elevated privileges. No patch is currently available.

PHP XSS Svxportal
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected XSS in SVXportal 2.5 and earlier allows unauthenticated attackers to inject malicious JavaScript through an unsanitized search parameter in log.php, enabling session hijacking or unauthorized actions when victims click a crafted link. The vulnerability requires user interaction but has no authentication requirement and affects all users of the vulnerable versions.

PHP XSS Svxportal
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH POC This Week

Global Facilities Management Software versions up to 20230721a is affected by cross-site scripting (xss) (CVSS 7.6).

XSS Global Facilities Management Software
NVD GitHub
EPSS 0% CVSS 8.2
HIGH POC This Week

Global Facilities Management Software versions up to 20230721a is affected by cross-site scripting (xss) (CVSS 8.2).

XSS Global Facilities Management Software
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

A weakness has been identified in detronetdip E-commerce 1.0.0. This affects the function get_safe_value of the file utility/function.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

PixelYourSite plugin versions up to 11.2.0.1 contain a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into web pages without authentication. An attacker can exploit this to execute arbitrary JavaScript in the browsers of site visitors, potentially stealing session data or performing unauthorized actions on behalf of users. No patch is currently available for this vulnerability.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in fox-themes Whizz Plugins version 1.9 and earlier allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by victims, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction to trigger and can affect all visitors to a compromised site due to its cross-site impact. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

DOM-based cross-site scripting in ThemeGoods PhotoMe through version 5.7.1 enables attackers to inject malicious scripts that execute in users' browsers without authentication. An attacker can exploit this vulnerability to steal sensitive data, hijack user sessions, or perform unauthorized actions on behalf of affected users. No patch is currently available, and exploitation requires user interaction to trigger the payload.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected XSS in fox-themes Reflector plugin versions up to 1.2.2 enables attackers to inject malicious scripts into web pages viewed by victims, potentially allowing theft of session cookies, credentials, or sensitive data through user interaction. The vulnerability requires no authentication and can spread across security boundaries, affecting all users who click malicious links. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in ThemeGoods Grand Conference up to version 5.3.4 enables attackers to inject malicious scripts into web pages viewed by users, potentially stealing session data or performing actions on their behalf. The vulnerability requires user interaction to trigger but can be exploited remotely without authentication. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in Link Whisper Free through version 0.9.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. Exploitation requires user interaction (clicking a malicious link) but can lead to session hijacking, credential theft, and unauthorized actions performed on behalf of victims. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

PersianScript Persian Woocommerce SMS persian-woocommerce-sms is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itex iMoney imoney allows Reflected XSS.This issue affects iMoney: from n/a through <= 0.36. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes Diamond diamond allows Reflected XSS.This issue affects Diamond: from n/a through <= 2.4.8. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themebon Business Template Blocks for WPBakery (Visual Composer) Page Builder templates-and-addons-for-wpbakery-page-builder allows Reflected XSS.This issue affects Business Template Blocks for WPBakery (Visual Composer) Page Builder: from n/a through <= 1.3.2. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Hugh Mungus Visitor Maps Extended Referer Field visitor-maps-extended-referer-field is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

realvirtualmx RVCFDI para Woocommerce rvcfdi-para-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

wpdiscover Timeline Event History timeline-event-history is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

GT3themes SOHO - Photography WordPress Theme soho is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

GT3themes Oyster - Photography WordPress Theme oyster is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes Prestige prestige allows Reflected XSS.This issue affects Prestige: from n/a through < 1.4.1. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs Slimstat Analytics wp-slimstat allows Reflected XSS.This issue affects Slimstat Analytics: from n/a through <= 5.3.2. [CVSS 7.1 HIGH]

WordPress Industrial XSS +1
NVD
EPSS 0% CVSS 7.1
HIGH This Week

designthemes DesignThemes Core Features designthemes-core-features is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GhostPool Aardvark aardvark allows Reflected XSS.This issue affects Aardvark: from n/a through <= 4.6.3. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPKube Cool Tag Cloud cool-tag-cloud allows Stored XSS.This issue affects Cool Tag Cloud: from n/a through <= 2.29. [CVSS 6.5 MEDIUM]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

peterwsterling Simple Archive Generator simple-archive-generator is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Zack Katz iContact for Gravity Forms gravity-forms-icontact is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

keeswolters Mopinion Feedback Form mopinion-feedback-form is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in harman79 ID Arrays id-arrays allows DOM-Based XSS.This issue affects ID Arrays: from n/a through <= 2.1.2. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webmuehle Court Reservation court-reservation allows Reflected XSS.This issue affects Court Reservation: from n/a through <= 1.10.9. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anmari amr cron manager amr-cron-manager allows Reflected XSS.This issue affects amr cron manager: from n/a through <= 2.3. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itex iSape isape allows Reflected XSS.This issue affects iSape: from n/a through <= 0.72. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Paris Holley Asynchronous Javascript asynchronous-javascript is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
Prev Page 38 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy