Skip to main content

XSS

38811 CVEs technique

Monthly

CVE-2026-58654 MEDIUM PATCH This Month

Unrestricted file upload in Grav API Plugin 1.0.0 allows authenticated users to store arbitrary content - including PHP scripts, SVG with embedded JavaScript, and polyglot payloads - via the avatar upload endpoint by supplying a forged client-declared MIME type beginning with 'image/'. The endpoint performs no server-side content inspection and imposes no extension restriction, so malicious files are written to user/accounts/avatars/ with predictable filenames. Immediate exploitation is partially mitigated by an .htaccess rule that returns HTTP 403 on direct access, but the files persist on disk and represent a latent RCE or stored XSS vector if a co-resident path traversal flaw or server misconfiguration bypasses that control. No public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal XSS PHP RCE File Upload
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-56359 npm MEDIUM PATCH This Month

Stored cross-site scripting in n8n before 2.8.0 allows authenticated low-privilege users to inject malicious JavaScript URLs into OAuth2 credential Authorization URL fields within the credential management flow. When a victim - potentially a higher-privileged user - clicks the OAuth authorization button on the crafted credential, arbitrary scripts execute in their browser session carrying the victim's privileges. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the stored nature of the payload means a single malicious credential can be surfaced to multiple targets in collaborative n8n environments.

XSS N8n
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-56283 MEDIUM PATCH This Month

HTML injection in Capgo's organization settings endpoint allows an authenticated attacker to embed malicious HTML into the organization name field, redirecting other users to attacker-controlled phishing sites. Affected versions are all Capgo releases prior to 12.128.2. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the attack path is low-complexity for any user with organization settings write access.

XSS
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-41122 HIGH PATCH This Week

Stored cross-site scripting in Dell PowerProtect Data Domain (DD OS 7.7.1.0 through 8.7, plus the LTS2026 8.6.1.x, LTS2025 8.3.1.x, and LTS2024 7.13.1.x branches) lets a remote attacker persist malicious script in the appliance management interface that executes in other users' browser sessions. Because the flaw is reachable without authentication and the injected payload runs in the victim's authenticated context, an attacker can achieve information disclosure, session/token theft, and client-side request forgery against operators of the backup appliance. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Dell has published advisory DSA-2026-278.

XSS Dell Information Disclosure Data Domain Operating System
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-6740 MEDIUM This Month

Stored cross-site scripting in the Nexter Blocks - Gutenberg Blocks, Page Builder & AI Website Builder WordPress plugin (versions through 4.7.4) enables authenticated contributors to persistently inject malicious JavaScript via the unsanitized 'commentIcon' parameter, executing in any visitor's browser on affected pages. The CVSS Scope:Changed metric reflects that attacker-controlled code crosses trust boundaries into the victim's browser session, enabling session hijacking, credential theft, or unauthorized actions on behalf of privileged users such as site administrators. No public exploit code or CISA KEV listing was identified at time of analysis.

WordPress XSS Nexter Blocks Gutenberg Blocks Page Builder Ai Website Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-6820 HIGH This Week

Stored cross-site scripting in the VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.8) lets unauthenticated remote attackers persist arbitrary JavaScript via the 'email' parameter, which then executes in the browser of any user - including hotel staff and admins - who later views the affected page. Because the injection point is reachable without authentication and the payload is stored server-side, it enables session hijacking, admin action forgery, and content defacement against booking-management back offices. This issue is not in CISA KEV and no public exploit has been identified at time of analysis.

WordPress XSS Vikbooking Hotel Booking Engine Pms
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-6459 MEDIUM This Month

Stored Cross-Site Scripting in Essential Addons for Elementor (versions up to and including 6.6.2) allows authenticated WordPress users with Author-level access or higher to inject persistent malicious JavaScript via event titles rendered through the Event Calendar widget. The injected payload executes in the browsers of any user who visits the affected page, with scope change confirmed by the CVSS:3.1 S:C designation. No public exploit code or CISA KEV listing has been identified at time of analysis, but the authentication barrier is low on sites that permit contributor or author registration.

WordPress XSS Essential Addons For Elementor Popular Elementor Templates Widgets
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-8315 MEDIUM This Month

Stored cross-site scripting in Mediküm Web (by Webbeyaz Web Design) enables authenticated low-privilege attackers to persist malicious scripts that execute in the browsers of other users who view the affected pages. All versions through 08072026 are affected per the CVE scope, with the CVSS scope-change metric (S:C) confirming cross-boundary execution into victim browser sessions. Critically, the vendor has confirmed the product is no longer supported, meaning no patch will be issued - organizations still running this software have no vendor remediation path. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Medik M Web
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-8310 MEDIUM This Month

Reflected XSS in Mediküm Web, a Turkish healthcare web application by Webbeyaz Web Design, enables unauthenticated remote attackers to inject and execute malicious scripts in victims' browsers by tricking them into visiting a crafted URL. All versions through 08072026 are affected with no patch available or forthcoming, as the vendor has confirmed the product is end-of-life and unsupported. No public exploit code or active exploitation has been identified at time of analysis, but the permanent unpatched status makes decommissioning the only definitive remediation.

XSS Medik M Web
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-6371 MEDIUM This Month

Stored cross-site scripting in Limatek System Inc.'s LimRAD NAC through version 08072026 allows an adjacent-network, low-privileged attacker to inject persistent malicious scripts that execute in victims' browsers when affected pages are loaded. The CVSS scope change (S:C) confirms that injected script execution crosses into the victim's browser security context, enabling potential session hijacking or credential theft targeting higher-privileged users such as administrators. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the vendor did not respond to TR-CERT's disclosure, leaving no patch available and remediation options limited to compensating controls.

XSS Limrad Nac
NVD
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-6742 MEDIUM This Month

Stored Cross-Site Scripting in the Advanced iFrame WordPress plugin (versions through 2026.1) allows authenticated contributors to permanently inject malicious scripts into WordPress pages via the unsanitized 'additional' parameter. Any site visitor loading an affected page will execute the attacker's payload in their browser, enabling session hijacking, credential theft, or defacement. No public exploit has been identified at time of analysis, and a fix has been committed to the WordPress plugin repository per Wordfence reporting.

WordPress XSS Advanced Iframe
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2025-14785 MEDIUM This Month

Stored Cross-Site Scripting in the SeedProd Website Builder WordPress plugin (all versions through 6.20.2) allows authenticated contributors to inject persistent malicious JavaScript via unsanitized attributes of the `seedprodnestedmenuwidget` shortcode. Any user-including administrators-who subsequently visits an affected page will execute the attacker's script in their browser, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing is identified at time of analysis, but the contributor-level access bar lowers the threshold for abuse on multi-author WordPress sites.

WordPress XSS Website Builder By Seedprod Theme Builder Landing Page Builder Coming Soon Page Maintenance Mode
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-6818 HIGH This Week

Stored cross-site scripting in the VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.8) lets unauthenticated attackers persist arbitrary JavaScript via the 'special_requests' booking field, which then executes when a hotel operator or user views the injected order in the admin back-end. Reported by Wordfence with a CVSS 7.2 (scope-changed) rating; no public exploit identified at time of analysis and it is not listed in CISA KEV. The fix landed in version 1.8.9, whose patched source is referenced in the advisory.

WordPress XSS Vikbooking Hotel Booking Engine Pms
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-10570 MEDIUM This Month

Stored cross-site scripting in the Sympl Repeater for ACF and Elementor WordPress plugin (all versions up to and including 2.3) allows authenticated attackers with Author-level access to inject persistent malicious scripts into pages via unsanitized ACF repeater field values. The root cause is the symp_arfe_replace_content() function using PHP str_replace() to insert raw get_field() output directly into Elementor-rendered HTML without any output encoding, causing the stored payload to execute in any subsequent visitor's browser. No public exploit code or CISA KEV listing has been identified at time of analysis, but the scope-changed CVSS vector (6.4 Medium) reflects real cross-user impact on WordPress sites where multiple Authors are active.

WordPress XSS Sympl Repeater For Acf And Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12041 MEDIUM This Month

Stored cross-site scripting in the Chatra Live Chat + ChatBot + Cart Saver WordPress plugin (all versions ≤ 1.0.12) enables authenticated attackers holding administrator-level credentials to persist arbitrary JavaScript payloads through admin settings fields that lack input sanitization and output escaping. Injected scripts execute silently in the browsers of any user who visits an affected page, enabling session hijacking, credential harvesting, or malicious redirection. Exploitation is gated behind two environmental preconditions - WordPress multisite mode or explicitly disabled unfiltered_html - and no public exploit code or active exploitation has been identified at time of analysis.

WordPress XSS Chatra Live Chat Chatbot Cart Saver
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-11798 MEDIUM This Month

Reflected Cross-Site Scripting in the Super Socializer WordPress plugin (versions up to and including 7.14.5) enables unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'heateor_mastodon_share' parameter, discovered and reported by Wordfence with source-level confirmation at helper.php lines 1243-1246. Successful exploitation requires social engineering a victim into clicking a crafted URL, after which the payload executes within the victim's browser session in the context of the target WordPress site. No public exploit code or active exploitation has been identified at time of analysis; the CVSS 6.1 (Medium) rating reflects the mandatory user-interaction requirement that constrains opportunistic mass exploitation.

WordPress XSS Social Share Social Login And Social Comments Plugin Super Socializer
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-55592 LOW POC PATCH Monitor

Reflected XSS in Dashy's workspace view allows a remote attacker to execute arbitrary JavaScript in the victim's browser within the Dashy origin by tricking an authenticated user into visiting a crafted URL containing a javascript: scheme in the url query parameter. All Dashy releases prior to 4.3.7 are affected. Successful exploitation enables reading same-origin browser data, DOM manipulation, and issuing authenticated requests on behalf of the victim. No public exploit identified at time of analysis.

XSS Dashy
NVD GitHub VulDB
CVSS 3.1
3.9
EPSS
0.3%
CVE-2026-55647 MEDIUM PATCH This Month

Stored XSS in DataEase dashboard text components allows any authenticated user with edit access to inject HTML containing executable event handlers that fire silently in the browser of every subsequent dashboard viewer, including unauthenticated shared-link recipients. All versions prior to 2.10.24 are affected due to the use of Vue's v-html directive to render stored component content without server-side sanitization. No public exploit or active exploitation has been confirmed at time of analysis; a vendor-released patch is available in version 2.10.24.

XSS Dataease
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-53512 npm CRITICAL PATCH GHSA Act Now

Confidential-client impersonation in better-auth below 1.6.11 lets an attacker who holds any leaked refresh_token and the public client_id mint fresh access tokens and rotated refresh tokens indefinitely. The deprecated oidcProvider() and mcp() plugins expose an OAuth 2.0 token endpoint whose refresh_token grant authenticates solely on the bound refresh-token row plus a matching client_id, never verifying the registered client_secret - a regression, since the same plugins' authorization_code grant does enforce the secret. No public exploit identified at time of analysis; the flaw was reported by @subhanUmer and fixed by the maintainers, with no CISA KEV listing or EPSS score supplied in the input.

Authentication Bypass XSS Canonical
NVD GitHub
CVSS 4.0
9.1
EPSS
0.3%
CVE-2026-48952 MEDIUM This Month

Cross-site scripting in Joomla! CMS's com_installer component exposes the administrator backend to script injection via the update list view, stemming from missing output escaping (CWE-79). The CVSS 4.0 vector (PR:H/UI:P/E:U) confirms exploitation is constrained to sessions where a high-privilege administrator views the maliciously influenced update list, substantially limiting the attack surface. No public exploit code or active exploitation has been identified at time of analysis.

XSS Joomla Cms
NVD VulDB
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-48950 MEDIUM This Month

Cross-site scripting in Joomla! CMS com_templates file management view allows a high-privileged attacker to inject unescaped malicious script that executes in the browser of any administrator who subsequently views the affected template file listing. Affected versions span Joomla! 4.0.0 through 5.4.6 and 6.0.0 through 6.1.1. No public exploit identified at time of analysis and the CVSS 4.0 supplemental metric E:U confirms no known active exploitation, but the wide install base and admin-targeting nature of the payload make this relevant to Joomla site operators.

XSS Joomla Cms
NVD VulDB
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-48951 MEDIUM This Month

Cross-site scripting in Joomla! CMS modalreturn layout components enables a high-privileged attacker to inject and execute arbitrary JavaScript in a victim administrator's browser session. The root cause is insufficient output escaping in multiple component layouts that handle modal return values. No public exploit code has been identified and CISA KEV does not list this vulnerability; the CVSS 4.0 exploitation likelihood metric (E:U) further indicates no observed active exploitation at time of analysis.

XSS Joomla Cms
NVD
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-48953 MEDIUM This Month

Cross-site scripting in Joomla! CMS's generic image output layout enables a high-privileged attacker to inject malicious script payloads that execute in the browsers of other authenticated users who view the affected content. The root cause is absent HTML output escaping in the image rendering component (CWE-79), allowing injected JavaScript to break out of the intended data context. No public exploit has been identified at time of analysis, and exploitation requires a pre-existing high-privileged Joomla account plus passive victim interaction, substantially limiting real-world exposure despite high impact scores on confidentiality and integrity.

XSS Joomla Cms
NVD
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-48949 MEDIUM This Month

Cross-site scripting in Joomla! CMS multi-factor authentication management views allows a high-privileged attacker to inject persistent malicious scripts that execute in the browser of any administrator who subsequently views the MFA management interface. Affected versions span two major release lines: 4.2.0-5.4.6 and 6.0.0-6.1.1, representing a broad surface across both legacy and current deployments. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, successful exploitation yields high confidentiality and integrity impact against the victim administrator's browser session.

XSS Joomla Cms
NVD VulDB
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-48954 MEDIUM This Month

Stored XSS in Joomla CMS's language override administrative feature allows a high-privileged attacker to inject malicious scripts that execute in the browser of any user who subsequently renders the affected language string. Rooted in CWE-79 (improper output neutralization), the vulnerability requires an administrative account to place the payload but can then target other admins or front-end users. No public exploit code has been identified at time of analysis (CVSS E:U), and the vulnerability is not listed in the CISA KEV catalog.

XSS Joomla Cms
NVD
CVSS 4.0
5.9
EPSS
0.3%
CVE-2025-12799 MEDIUM PATCH This Month

Cross-site scripting in Jastow - the JSP implementation layer embedded within Red Hat JBoss Enterprise Application Platform alongside Undertow - allows unauthenticated remote attackers to inject and execute malicious scripts when a specific combination of configurations permits unescaped characters to pass through URL processing. Affected deployments span JBoss EAP 7, EAP 8, the Expansion Pack, and linked products such as Red Hat Single Sign-On 7 that share this component. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS Red Hat Jboss Enterprise Application Platform 7 Red Hat Jboss Enterprise Application Platform 8 Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat Single Sign On 7 +1
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-12948 MEDIUM CISA This Month

Stored cross-site scripting in the web management interfaces of Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA serial device servers allows a remote, authenticated administrator to persist malicious script payloads in system configuration fields. The injected script executes in the browser of any user who subsequently views the affected configuration pages, enabling session hijacking, credential theft, or UI redress attacks against those users. No public exploit code or active exploitation has been identified at time of analysis; the CVSS 4.0 score of 4.8 reflects the high-privilege prerequisite that meaningfully constrains real-world risk.

XSS Digi Portserver Ts Digi One Sp Digi One Sp Ia Digi One Ia
NVD VulDB
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-8309 MEDIUM This Month

Reflected cross-site scripting in Armiya Information Technologies' Access Control System (GKS) before Version 2 allows authenticated remote attackers to inject malicious scripts into web responses. The vulnerability (CWE-79) results from improper neutralization of user-supplied input during web page generation, with scope change (S:C) indicating execution context escapes to the victim's browser. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Access Control System Gks
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-8306 MEDIUM This Month

Stored cross-site scripting in Armiya Information Technologies' Access Control System (GKS) versions before 2 allows an unauthenticated network attacker to persist malicious scripts in the application, which execute in the browser of any user who views the affected page. The scope change (S:C) in the CVSS vector indicates the injected payload breaks out of the application's security context and operates within the victim's browser environment, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Access Control System Gks
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-7380 MEDIUM This Month

Reflected XSS in Armiya Information Technologies' Access Control System (GKS) allows unauthenticated remote attackers to inject script-bearing HTML attributes into web pages served by the application, executing arbitrary JavaScript in the context of a victim's browser. All versions prior to Version 2 are affected, as reported by TR-CERT via Turkey's national cybersecurity authority. No public exploit code or confirmed active exploitation has been identified at time of analysis, but the low-complexity, no-privilege attack vector makes this straightforward to weaponize against authenticated users of the access control panel.

XSS Access Control System Gks
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-11328 MEDIUM This Month

Stored XSS in the Exclusive Addons for Elementor WordPress plugin (all versions up to and including 2.7.9.8) allows authenticated Contributor-level users to permanently inject arbitrary JavaScript via the post title parameter in the post-duplicator extension. The CVSS Scope:Changed metric reflects that injected payloads execute in the browser contexts of other users - including administrators - who visit affected pages, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

WordPress XSS Exclusive Addons For Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-36163 MEDIUM This Month

An HTML injection vulnerability in the file view endpoint of LiquidFiles v4.2.7 allows authenticated attackers to execute arbitrary JavaScript in the context of the victim's browser via the uploading of and user interaction with a crafted HTML file.

N A XSS
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-36162 MEDIUM This Month

Stored cross-site scripting in LiquidFiles v4.2.7 allows authenticated attackers to inject persistent malicious JavaScript or HTML via the Name parameter of the Upload File Shares API, executing in victims' browsers when they interact with the affected share. The scope-changed CVSS vector (S:C) confirms the payload executes outside the attacker's privilege context, enabling session hijacking, credential theft, or UI redress against other users. A security researcher published a write-up specifically documenting CSP bypass techniques to exploit this flaw, indicating the attack is non-trivial but achievable. No public exploit identified at time of analysis, and EPSS sits at 0.16% (5th percentile), suggesting low automated exploitation pressure.

XSS N A
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-53641 MEDIUM This Month

Stored XSS in FOSSBilling 0.6.0-0.7.2 allows an authenticated admin to inject persistent JavaScript payloads into email HTML content that execute in client browsers when victims view their email history. The root cause is use of the `|raw` Twig filter to embed `content_html` directly into a JavaScript template literal, bypassing all output escaping. No active exploitation or public proof-of-concept has been identified at time of analysis; EPSS data was not provided in source intelligence.

XSS Fossbilling
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-55630 PyPI LOW GHSA Monitor

Stored cross-site scripting in Kiwi TCMS versions prior to 16.1 allows authenticated users to inject arbitrary JavaScript into the `TestCase.extra_link` and `TestPlan.extra_link` fields, which are rendered verbatim to all subsequent viewers. Official Docker-based deployments are substantially protected by a `Content-Security-Policy` header that blocks inline script execution, but customized deployments that alter default middleware or security settings remain fully exploitable. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

XSS Docker
NVD GitHub
CVE-2026-59710 MEDIUM PATCH This Month

Stored cross-site scripting in the showdown JavaScript Markdown-to-HTML library allows an unauthenticated attacker to inject arbitrary HTML and script-executing SVG elements by placing double-quote characters inside Markdown table headers. The unescaped content is written directly into HTML id attributes by the parseHeaders function in src/subParsers/makehtml/tables.js, and the payload is stored and later executed in every victim's browser that views the rendered output. No active exploitation has been confirmed (not in CISA KEV) and no EPSS data was supplied, but the default github flavor configuration means most showdown deployments are affected without any non-default setup required.

XSS Showdown
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-55437 Go MEDIUM PATCH GHSA This Month

Stored cross-site scripting in Coder's AgentLogLine dashboard component allows any workspace owner to inject arbitrary HTML into agent log output, which renders as live markup in the browser session of any user - including administrators - who views the workspace page. The vulnerability stems from the ansi-to-html library being invoked without escapeXML: true, with output passed directly to React's dangerouslySetInnerHTML without server-side sanitization. While Coder's Content Security Policy blocks inline script execution, the attack surface still includes meta refresh redirects, CSS-based data exfiltration, UI redressing, and external image beacons; no public exploit is identified at time of analysis, and patched versions are available across all supported release lines.

XSS
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-59711 MEDIUM This Month

Cross-site scripting in Showdown (all versions ≤ 2.1.0) allows network-accessible injection of arbitrary HTML and JavaScript into rendered pages when the non-default `completeHTMLDocument` option is enabled. Unescaped `<` and `>` characters in Markdown frontmatter `title` metadata are written directly into the HTML `<title>` element, enabling title-context breakout and script execution in victim browsers. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the attack surface includes any web application that renders attacker-supplied Markdown with `completeHTMLDocument` enabled.

XSS Showdown
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-58402 Go MEDIUM PATCH This Month

Stored XSS in Hugo's default code-block renderer allows an attacker with Markdown contribution rights to inject arbitrary JavaScript into generated static pages. Hugo versions 0.60.0 through 0.163.2 write the code-fence info-string (language identifier) directly into HTML attribute values without escaping, so a crafted info-string containing a quote character and script payload breaks out of the attribute context. No public exploit or KEV listing exists at time of analysis; the CVSS 4.0 score of 5.1 reflects the requirement for prior write access and victim interaction.

XSS Hugo
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-12154 MEDIUM This Month

Stored Cross-Site Scripting in the Reviews Widgets for Google, Yelp & TripAdvisor WordPress plugin (versions up to and including 2.7.3) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages by abusing the 'page_id' attribute of the [fbrev] shortcode. The injected payload executes in the browsers of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or further exploitation within the victim's browser context. No public exploit code has been identified at time of analysis, and no KEV listing is present, but the contributor-level access bar is low in multi-author WordPress deployments.

WordPress XSS Google Reviews Widgets For Google Tripadvisor Yelp Recommendations
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2025-53831 HIGH PATCH This Week

Stored cross-site scripting in the DrawIO for ownCloud app (versions prior to 1.0.2, shipping with ownCloud 10 before 10.15.3) allows an authenticated user with access to the DrawIO app to persist a malicious payload that later executes in another user's browser session. Because the payload is stored and rendered to victims within the trusted ownCloud origin, it can hijack sessions or act on the victim's behalf. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

XSS Drawio For Owncloud Owncloud 10
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2025-8591 MEDIUM PATCH This Month

Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, API Control Plane, Traffic Manager, Universal Gateway, Open Banking AM/IAM, and Identity Server as Key Manager - allows unauthenticated remote attackers to inject arbitrary script via unsanitized URL parameters. An attacker who tricks an authenticated user into clicking a crafted link can redirect the victim to a malicious site, tamper with rendered page content, or exfiltrate non-session browser data; partial mitigation is provided by httpOnly flags on session cookies, which block direct session token theft. No public exploit identified at time of analysis; WSO2 self-reported the issue and published advisory WSO2-2025-4343.

XSS Wso2 Identity Server Wso2 Api Manager Wso2 Api Control Plane Wso2 Traffic Manager +4
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-14791 LOW POC Monitor

Cross-site scripting in Crater invoice application (up to v6.0.6) allows an authenticated attacker to inject malicious script payloads via the invoice notes field, executing in the browser of any user who subsequently views the crafted invoice. The vulnerable function getFormattedString in app/Http/Requests/InvoicesRequest.php performs insufficient neutralization of the notes argument, classified under CWE-79. A public proof-of-concept exploit exists; no vendor patch has been released as the project has not responded to the coordinated disclosure made via GitHub issue #1327.

XSS PHP Crater
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-54432 MEDIUM PATCH This Month

CVE-2026-54432 is a vulnerability reported by Ubuntu with no description, CVSS score, CWE classification, or technical detail available in the provided intelligence data. The affected product is inferred as Ubuntu Linux based solely on the vendor reporter tag. No impact, attack vector, or exploitability information can be determined from the current data set.

XSS
NVD VulDB
CVSS 3.1
4.7
EPSS
0.2%
CVE-2026-38979 MEDIUM This Month

Clickjacking in Ajenti's browser-facing login and administrative UI through v2.2.13 exposes authenticated administrators to UI redress attacks. The root cause is in ajenti-core/aj/http.py, where the core HTTP response pipeline finalizes responses via WSGI without injecting X-Frame-Options or a Content-Security-Policy frame-ancestors directive, allowing the Ajenti UI to be embedded in attacker-controlled iframes. No active exploitation has been identified - EPSS sits at 0.14% (4th percentile), SSVC exploitation is rated none, and no CISA KEV listing exists - placing this firmly in the low-urgency queue despite its medium CVSS score.

XSS N A
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-54433 HIGH PATCH This Week

Cross-site scripting in Roundcube Webmail allows remote attackers to inject arbitrary script into a victim's authenticated mail session, with the CVSS scope-change flag indicating the payload can affect resources beyond the vulnerable component (e.g. the surrounding webmail DOM/session). The flaw was fixed in releases 1.6.17 and 1.7.2 announced on 2026-07-05 and was reported through Ubuntu's security tracker; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is rated CVSS 7.2 driven largely by the scope change, though confidentiality and integrity impact are each only Low and availability is unaffected.

XSS Webmail
NVD VulDB
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-14752 LOW Monitor

Cross-site scripting in stumasy's dictionary notes feature allows a low-privileged, remote attacker to inject malicious JavaScript via the unsanitized `reference` argument of the `add_definition` function. The vulnerability affects the PHP web application at commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be and earlier, with exploit code publicly disclosed via VulDB submission 849495. Real-world impact is constrained by the requirement for prior authentication and victim interaction, but no vendor patch exists and the project maintainer has not responded to the responsible disclosure.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-14704 LOW POC Monitor

Cross-site scripting in stephen-kruger bluebox up to version 4.5.12 allows remote attackers to inject and execute arbitrary JavaScript in victims' browsers by manipulating the 'code' argument in an unspecified function. The attack requires user interaction (CVSS 4.0 UI:P), meaning a victim must be induced to click a crafted link or visit a malicious page. A public exploit exists via a GitHub issue report, though no CISA KEV listing confirms active widespread exploitation. The CVSS 4.0 score of 2.1 reflects the constrained integrity-only impact and passive user-interaction requirement.

XSS Bluebox
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-14656 LOW POC Monitor

Cross-site scripting in code-projects Assessment Management 1.0 allows remote unauthenticated attackers to inject malicious scripts via the unsanitized `ID` parameter in `/admin/remove-user.php`. A public proof-of-concept exploit is available on GitHub (E:P in the CVSS 4.0 supplemental metrics), lowering the bar for exploitation. The vulnerability is not listed in the CISA KEV catalog, so confirmed widespread active exploitation has not been established, though the admin-facing endpoint makes session hijacking of privileged users a realistic outcome.

XSS PHP Assessment Management
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-14655 LOW POC Monitor

Cross-site scripting (XSS) in code-projects Assessment Management 1.0 allows a remote attacker with administrative credentials to inject malicious scripts via the User parameter in admin/view-users.php, executing arbitrary JavaScript in the browser context of users who view the affected admin page. The CVSS 4.0 vector (PR:H, UI:P) confirms exploitation is gated behind high-privilege authentication and requires a victim to load the tampered page. A public proof-of-concept exploit exists on GitHub, though no active exploitation or CISA KEV listing has been identified at time of analysis.

XSS PHP Assessment Management
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.3%
CVE-2026-14633 LOW Monitor

Stored cross-site scripting in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap allows remote unauthenticated attackers to inject malicious scripts via the title or description arguments of the hidden REST API endpoint /index.php/api/product/set, executing arbitrary JavaScript in the browsers of users who subsequently view the affected product data. A public exploit has been disclosed (CVSS 4.0 E:P), though the low CVSS 4.0 score of 2.1 and the user-interaction requirement constrain practical impact. No active exploitation is confirmed by CISA KEV, and a patch commit is available in the project repository.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-14634 LOW POC PATCH Monitor

Reflected/stored cross-site scripting in the Subscribed Emails Admin Page of kirilkirkov's Ecommerce-CodeIgniter-Bootstrap allows an unauthenticated remote attacker to inject arbitrary JavaScript by crafting a malicious HTTP User-Agent header, which is rendered unencoded via the checkForPostRequests function in application/core/MY_Controller.php. When an administrator subsequently views the subscription management panel, the payload executes in their browser session. A public exploit exists (CVSS E:P); this is not listed in CISA KEV, indicating no confirmed widespread active exploitation at time of analysis.

XSS PHP Ecommerce Codeigniter Bootstrap
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-58524 MEDIUM PATCH This Month

Cross-site scripting in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based spoofing attacks against users who interact with attacker-controlled content. The flaw stems from improper input neutralization during web page generation (CWE-79), allowing injected scripts to execute within the browser's context and manipulate rendered content. No public exploit code or active exploitation has been identified at time of analysis, and Microsoft has released a patch addressing the issue.

XSS Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-58298 MEDIUM PATCH This Month

Cross-site scripting in Microsoft Edge (Chromium-based) before version 150.0.4078.48 lets a remote attacker trick a victim into rendering attacker-controlled script that spoofs UI or content over the network. Because the CVSS scope is changed (S:C) and user interaction is required (UI:R), a lured user visiting or interacting with a malicious page can be deceived into trusting forged content, undermining browser security-context integrity. Reported by Microsoft with a vendor patch available; EPSS is low (0.28%, 20th percentile) and no public exploit identified at time of analysis.

XSS Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-57977 HIGH PATCH This Week

Spoofing in Microsoft Edge (Chromium-based) arises from a cross-site scripting (CWE-79) flaw that lets a network-based, unauthenticated attacker inject script into a generated web page, producing a convincing spoofed browser context after the victim interacts with malicious content. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R, C:L/I:H) reflects a high-integrity spoofing impact gated only by user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Microsoft has released a patch through the MSRC update guide.

XSS Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.1
EPSS
0.4%
CVE-2026-4322 MEDIUM This Month

Reflected XSS in Destekz (all versions through 02062026) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in victim browsers by delivering crafted URLs containing unsanitized input. The CVSS scope change (S:C) confirms that successful exploitation can affect resources beyond the vulnerable application itself, such as the victim's browser session context. Critically, the vendor Raera has confirmed the product is end-of-life and unsupported, meaning no patch will ever be released and all deployed instances are permanently vulnerable. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Destekz
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-4804 MEDIUM This Month

Stored Cross-Site Scripting in the Zakra WordPress theme (versions up to and including 4.2.0) allows authenticated Contributors to inject arbitrary JavaScript into site pages via the REST API. The vulnerability stems from a sanitization bypass: while the classic editor code path correctly applies sanitize_hex_color() to three menu-color post meta fields, the REST API registration omits any sanitize_callback, permitting unfiltered values to be written. Those values are later concatenated unsanitized into inline CSS and rendered on every page load, triggering stored XSS against any site visitor. No active exploitation (CISA KEV) is confirmed; a vendor-released patch is available in version 4.2.1.

WordPress XSS Zakra
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-9756 MEDIUM This Month

Stored XSS in the GenerateBlocks WordPress plugin (all versions through 2.2.1) allows contributor-level authenticated attackers to inject arbitrary JavaScript via the Headline Block's `linkMetaFieldType` dynamic link attribute, executing in the browser of any user - including site administrators - who clicks the injected headline link. The attack chains a `get_safe_user_meta_keys()` allowlist bypass with insufficient URI scheme validation to construct a fully attacker-controlled `javascript:` href. No CISA KEV listing exists at time of analysis, but Wordfence reporting and direct source code references lower the barrier to independent exploitation.

WordPress XSS Generateblocks
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-9148 HIGH This Week

Stored cross-site scripting in the Comments - wpDiscuz WordPress plugin (versions up to and including 7.6.56) allows unauthenticated guest commenters to persist malicious script by injecting into the 'Website' field, which is later rendered unescaped by getCommentAuthor(). The stored comment_author_url is interpolated directly into single-quoted HTML attributes without esc_url() or esc_attr(), so any visitor viewing an affected comment thread executes the attacker's payload in their browser session. No public exploit identified at time of analysis, but exploitation requires no authentication and the source-level root cause is documented in the WordPress plugin trac.

WordPress XSS Comments Wpdiscuz
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-8351 MEDIUM This Month

Stored Cross-Site Scripting in RTMKit (rometheme-for-elementor) versions up to and including 2.0.7 allows authenticated contributors to persist arbitrary JavaScript in WordPress pages via the Advanced Heading widget's 'Background Text' field. The root cause is the direct concatenation of the user-controlled `background_text_heading` setting into an HTML attribute inside the widget's `render()` function without applying WordPress's `esc_attr()` sanitization, reported by Wordfence. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, but the contributor-level access prerequisite makes this realistically exploitable on multi-author or open-registration WordPress sites.

WordPress XSS Rtmkit
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-8892 MEDIUM This Month

Stored cross-site scripting in the CM Business Directory WordPress plugin (all versions ≤ 1.5.7) allows contributor-level authenticated users to persist arbitrary JavaScript in business listing address meta fields, executing against any visitor who loads the affected page. The vulnerability exploits a structural gap in WordPress's permission model: because the payload is written to post meta rather than post_content, the platform's native unfiltered_html capability check never fires, giving low-privilege contributors an injection vector that WordPress's architecture was designed to prevent. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, though Wordfence has published full technical details including exact vulnerable code line references and an upstream fix commit.

WordPress XSS Cm Business Directory Optimise And Showcase Local Business
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-9626 MEDIUM This Month

Stored Cross-Site Scripting in the JSON API User WordPress plugin (versions ≤ 4.1.0) allows authenticated attackers with subscriber-level or higher access to inject persistent JavaScript via the `content` parameter of the `post_comment` API endpoint. The plugin's `post_comment()` function passes attacker-controlled `comment_content` directly to WordPress's native `wp_insert_comment()` without any HTML sanitization, and a compounding design flaw permits callers to supply `comment_approved=1` to self-approve comments and entirely bypass the WordPress moderation queue. No public exploit code or CISA KEV listing is confirmed at time of analysis; however, the CVSS scope-change flag (S:C) and low authentication barrier make this a meaningful risk on any site permitting open user registration.

WordPress XSS Json Api User
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-13040 HIGH This Week

Stored cross-site scripting in the NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) lets unauthenticated attackers persist arbitrary JavaScript via the 'real_val__' form-submission parameter, which later executes in the browser of any user who views the affected page. The flaw is amplified by a design weakness: the submission handler is registered through wp_ajax_nopriv_submit_nex_form with no nonce/CSRF verification, so no authentication or valid session is required to reach the vulnerable sink. There is no public exploit identified at time of analysis and no CISA KEV listing, but the unauthenticated, network-reachable nature makes it a practical mass-exploitation candidate against exposed WordPress sites.

WordPress XSS CSRF Nex Forms Ultimate Forms Plugin For Wordpress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-8489 MEDIUM This Month

Stored Cross-Site Scripting in the Ultimate Member WordPress plugin (versions ≤ 2.11.4) permits any subscriber-level authenticated attacker to inject persistent malicious JavaScript via the 'about_me' profile field, which then executes in the browser of any user - including site administrators - who views the compromised profile page. The scope-changed CVSS vector (S:C, PR:L) reflects that the low barrier to obtaining a subscriber account combined with cross-origin script execution can escalate to full site compromise if an administrator's session is hijacked. No public exploit code or CISA KEV listing has been identified at time of analysis, though the attack is low-complexity once a subscriber account is obtained.

WordPress XSS Ultimate Member User Profile Registration Login Member Directory Content Restriction Membership Plugin
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12731 MEDIUM This Month

Stored Cross-Site Scripting in the weDocs WordPress plugin (versions through 2.3.0) allows authenticated contributors to persist malicious JavaScript in documentation pages by injecting arbitrary values into the 'sectionTitleTag' and 'articleTitleTag' Gutenberg block attributes, which are rendered without sanitization or output escaping in Sidebar block render.php. Any WordPress user who subsequently visits an injected documentation page will execute the attacker's script in their browser context, enabling session hijacking, credential harvesting, or defacement. No public exploit code or CISA KEV listing has been identified, but the low privilege bar (contributor) makes this accessible to a broad class of authenticated WordPress users.

WordPress XSS Wedocs
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12734 MEDIUM This Month

Stored Cross-Site Scripting in the weDocs WordPress plugin (all versions through 2.3.0) allows authenticated contributors to inject persistent malicious scripts via the unsanitized 'connectorWidth' block attribute in the Sidebar block renderer (render.php lines 138 and 161). Any site visitor loading an affected documentation page triggers the payload in their browser, enabling session hijacking, credential harvesting, or malicious redirects. No active exploitation is confirmed in CISA KEV and no public exploit has been identified at time of analysis, though the attack technique is low-complexity for anyone with block editor knowledge.

WordPress XSS Wedocs
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-54477 MEDIUM PATCH CISA This Month

Missing HTTP security headers in the Gardyn admin panel expose Gardyn Home Firmware, Gardyn Studio Firmware, and Gardyn Cloud API to clickjacking and cross-site scripting attacks against authenticated administrators. The absence of directives such as X-Frame-Options, Content-Security-Policy frame-ancestors, and script-source restrictions allows an attacker to embed the admin panel in a malicious iframe or inject client-side scripts into the admin session context. Reported by ICS-CERT under advisory ICSA-26-183-03, no public exploit or active exploitation has been confirmed at time of analysis.

XSS Gardyn Home Firmware Gardyn Studio Firmware Gardyn Cloud Api
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-13377 MEDIUM This Month

Stored XSS in WatchGuard Fireware OS's SIP Proxy module enables a high-privileged attacker to plant persistent malicious JavaScript that executes in the browsers of other privileged users who access affected management interface pages. Covering Fireware OS versions 12.0 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2, this CVE is explicitly disclosed as an additional, previously unmitigated attack path for CVE-2025-6947 - meaning organizations that applied the prior patch may incorrectly believe their exposure is closed. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.

XSS Watchguard Fireware Os
NVD VulDB
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-13376 MEDIUM This Month

Stored XSS in WatchGuard Fireware OS's spamBlocker module enables a high-privileged attacker to persist malicious JavaScript that executes in the browsers of other authenticated users viewing the affected management interface. This vulnerability is explicitly identified as an additional, unmitigated attack path bypassing the remediation applied for CVE-2025-1071, indicating the original fix was incomplete. The CVSS 4.0 vector scores this at 4.8 (Medium), with no confirmed active exploitation and no public exploit identified at time of analysis.

XSS Watchguard Fireware Os
NVD VulDB
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-13375 MEDIUM This Month

Stored cross-site scripting in WatchGuard Fireware OS's Autotask Technology Integration module allows a high-privileged attacker to inject persistent malicious scripts that execute in the browsers of other users who view the affected management interface pages. Affecting Fireware OS versions 12.4 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2, this flaw is explicitly described as an additional unmitigated attack path alongside the related CVE-2025-13938, suggesting prior remediation efforts were incomplete. No public exploit code or confirmed active exploitation has been identified at time of analysis.

XSS Watchguard Fireware Os
NVD VulDB
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-13374 MEDIUM This Month

Stored cross-site scripting in WatchGuard Fireware OS via the ConnectWise Technology Integration module allows a highly privileged attacker to inject persistent malicious scripts into the web management interface, which then execute in the browsers of other authenticated users who view the affected pages. This vulnerability is explicitly described as an additional, previously unmitigated attack path for CVE-2025-13937, indicating that the prior remediation was incomplete and a bypass exists. No public exploit code or CISA KEV listing has been identified at time of analysis, but the relationship to an earlier CVE suggests at least some organizational knowledge of the attack surface.

XSS Watchguard Fireware Os
NVD VulDB
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-13373 MEDIUM This Month

Stored XSS in WatchGuard Fireware OS's Tigerpaw Technology Integration module allows a high-privileged attacker to persist malicious scripts within the management interface, which then execute in the browsers of other authenticated users who visit the affected pages. Critically, this CVE is identified as an additional unmitigated attack path for CVE-2025-13936, indicating an incomplete remediation of a prior related XSS flaw in the same integration module. Affected versions span the 12.4, 12.5, and 2025.x/2026.x release trains; no public exploit or CISA KEV listing has been identified at time of analysis.

XSS Watchguard Fireware Os
NVD VulDB
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-49360 PyPI HIGH PATCH GHSA This Week

Unauthenticated arbitrary file read/write in Recce OSS server (DataRecce, PyPI package 'recce') affects DuckDB-backed deployments exposed to untrusted networks, where the query run API executes attacker-supplied SQL without authentication. By abusing DuckDB filesystem primitives an attacker can read and write files accessible to the server process, enabling local file disclosure, tampering with dbt/Recce artifacts, and injection of stored XSS into browser-served static files. No public exploit identified at time of analysis; the issue is fixed in Recce v1.50.0.

XSS
NVD GitHub
CVE-2026-59102 LOW POC PATCH Monitor

Stored XSS in Forgejo before 15.0.3 allows authenticated users to execute arbitrary JavaScript in other users' browsers by embedding an HTML payload in their display name and triggering a CI/CD Actions run. The vulnerability exists because the server-side run description assembles HTML by interpolating the user's full name through a translation function that performs no output encoding, and the frontend renders this server-generated markup via a Vue v-html binding - a classic sink for stored XSS. No public exploit identified at time of analysis as actively exploited in the wild, but a public proof-of-concept exists at the VulnCheck-referenced GitHub repository. The CVSS 4.0 score of 2.1 reflects the non-default configuration prerequisite and passive user interaction required, but the impact on subsequent systems (other users' browser sessions) is real.

XSS Forgejo
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-58579 MEDIUM POC PATCH This Month

Stored XSS in RAGFlow before 0.26.3 enables cross-user JavaScript execution through unsanitized agent pipeline node names rendered in a confirmation modal. An authenticated workspace member injects a payload into a DSL node name via the agent update endpoint; when a different workspace member opens the dataflow result and clicks 'Rerun from current step,' the payload executes in their browser, enabling session token theft and account takeover across the workspace trust boundary. No CISA KEV listing exists, but a public proof-of-concept is available and a vendor patch has been released as v0.26.3.

XSS Ragflow
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2025-71385 MEDIUM PATCH This Month

Reflected XSS in Netdata before 2.3.1 allows unauthenticated network attackers to inject and execute arbitrary JavaScript in a victim's browser within the Netdata origin by crafting a malicious URL targeting the `/api/v2/ilove.svg` or `/api/v3/ilove.svg` endpoints. The `love` query parameter is embedded verbatim into an SVG response served as `image/svg+xml`, a MIME type browsers treat as an active scripting context. These endpoints are explicitly registered with `HTTP_ACL_NOCHECK` and bearer-token protection is off by default, making this a zero-prerequisite server-side exposure requiring only victim interaction - no public exploit or CISA KEV listing exists at time of analysis, but the attack is trivially reproducible from the description alone.

XSS Netdata
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-49245 Go LOW PATCH GHSA Monitor

Stored XSS in SFTPGo's WebClient allows an attacker who can place files in a share or home directory to serve an HTML payload as live text/html within SFTPGo's own web origin by exploiting the inline query parameter on file download endpoints, which suppressed the Content-Disposition: attachment header. Affected versions prior to v2.7.3 expose both the browsable-share and authenticated-user file download paths. No public exploit is identified at time of analysis; exploitation requires file placement access plus social engineering to deliver a crafted URL the WebClient never generates natively.

XSS
NVD GitHub
CVSS 3.1
3.7
CVE-2026-50290 npm MEDIUM PATCH GHSA This Month

CSS injection sanitization bypass in SpecifyJS's server-side render-to-string function exposes applications to cross-site scripting when the library processes attacker-controlled CSS values. The sanitizer in core/src/server/render-to-string.ts (lines 307-311) used naive regex to block patterns like 'expression(' and 'url(javascript:' without first normalizing the input, allowing bypass via CSS unicode escapes (e.g., \65xpression()), null bytes, or CSS comments (e.g., exp/**/ression()). Critically, the XSS payload only executes in legacy browsers (IE6-IE10), which substantially limits real-world impact. No public exploit or CISA KEV listing has been identified at time of analysis.

XSS
NVD GitHub
CVE-2026-52854 PHP HIGH POC PATCH GHSA This Week

{{#display_map}} parser function when the leaflet service is used. Overlay names are passed unescaped into Leaflet, which renders them as raw HTML, so a crafted overlay value executes in the browser of every user who views the page. A working proof-of-concept is published in the advisory, though there is no public exploit identified beyond it and no evidence of active exploitation.

XSS
NVD GitHub
CVSS 3.1
8.6
CVE-2026-8699 HIGH PATCH This Week

Stored cross-site scripting in the TP-Link Archer C5 v6.8 router web management interface lets an authenticated administrator inject persistent HTML/JavaScript into a user-controlled field that later executes in another administrator's browser session. The flaw affects ISP-managed firmware variants and can be leveraged for session hijacking and unauthorized modification of router configuration. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation requires existing admin access, sharply limiting real-world impact.

Authentication Bypass XSS Information Disclosure
NVD
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-4772 MEDIUM This Month

Stored XSS in TR7 Cyber Defense Inc.'s WAF-ASP web application firewall permits authenticated low-privilege attackers to inject persistent malicious scripts that execute in the browsers of other users - including administrators - who later view the affected page. Versions from v1.0.324.900 up to but not including v1.4.0.117 are confirmed affected. No public exploit code or CISA KEV listing exists at time of analysis; exploitation nonetheless requires only low-privilege credentials and a single victim page-view.

XSS Waf Asp
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-4770 MEDIUM This Month

DOM-Based cross-site scripting in TR7 Cyber Defense Inc.'s WAF-ASP product allows an authenticated low-privilege attacker to inject malicious JavaScript that executes in the browser of any user who interacts with a crafted page within the WAF's web interface. Affected versions span v1.0.42.239 through versions prior to v1.4.0.117. No public exploit or active exploitation has been identified at time of analysis; the irony is notable in that this is a security control product with an XSS vulnerability in its own management interface.

XSS Waf Asp
NVD
CVSS 3.1
4.6
EPSS
0.1%
CVE-2026-57678 HIGH This Week

Reflected cross-site scripting in ThemePunch Slider Revolution (versions 7.0.0 through 7.0.16), a widely deployed premium WordPress slider/visual-builder plugin, lets a remote attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is marked Changed with low impact across confidentiality, integrity, and availability, successful exploitation can lead to session hijacking, defacement, or actions performed in the victim's authenticated context. There is no public exploit identified at time of analysis and the flaw is not on CISA KEV, but the reflected nature and no-authentication requirement make it a practical phishing-driven threat.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-14449 MEDIUM This Month

Reflected XSS in u5CMS through v12.8.8 allows unauthenticated remote attackers to inject arbitrary JavaScript into victim browsers via the unsanitized 'thanks' parameter exposed across multiple form components. When a victim user is socially engineered into visiting a crafted URL, injected scripts execute in the application's browser context, with the CVSS 4.0 vector indicating high subsequent-system impact (SC:H/SI:H/SA:H) - consistent with session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit identified at time of analysis; fix is available in v12.8.9.

XSS
NVD GitHub
CVSS 4.0
6.4
EPSS
0.3%
CVE-2026-57764 MEDIUM This Month

Stored Cross-Site Scripting in the Surbma Yoast SEO Breadcrumb Shortcode WordPress plugin (versions <= 1.2) allows contributor-level authenticated users to inject malicious JavaScript via the breadcrumb shortcode, which executes in the browser context of any victim who views the affected content - most critically a site administrator. The scope change (S:C) in the CVSS vector confirms the script escapes the plugin's own context and can hijack privileged sessions or perform unauthorized admin actions. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA KEV catalog.

XSS Surbma Yoast Seo Breadcrumb Shortcode
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-57763 MEDIUM This Month

Cross-site scripting in the Structured Content WordPress plugin (versions <= 1.7.0) allows a Contributor-level authenticated user to inject malicious JavaScript that executes in the browser of higher-privileged users who subsequently view the crafted content. The CVSS scope change (S:C) confirms the payload crosses into the victim's browser security context, enabling session hijacking, credential theft, or unauthorized administrative actions within a WordPress installation. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

XSS Structured Content
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-57762 MEDIUM This Month

Stored Cross-Site Scripting in the Simple URLs WordPress plugin (versions <= 151) allows authenticated author-level users to inject persistent malicious scripts into content rendered in the WordPress admin interface. The CVSS Scope:Changed metric indicates the injected payload executes in a security context beyond the attacker's own session - most likely the administrative dashboard viewed by higher-privileged users such as site administrators. No public exploit code or active exploitation confirmed at time of analysis, but the scope change introduces a realistic privilege escalation path from author to administrator via session hijacking.

XSS Simple Urls
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-57755 MEDIUM This Month

Stored or reflected Cross-Site Scripting in the Mosaic Gallery - Advanced Gallery WordPress plugin (versions <= 1.2.0) is exploitable by authenticated users holding a Contributor role. A Contributor-level attacker can inject malicious JavaScript into gallery content, which executes in the browsers of higher-privileged users - such as editors or administrators - who subsequently view the affected page, enabling session hijacking or unauthorized administrative action. No public exploit code or active exploitation has been confirmed at time of analysis.

XSS Mosaic Gallery 8211 Advanced Gallery
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-57754 MEDIUM This Month

Stored Cross-Site Scripting in Livemesh Addons for WPBakery Page Builder versions 3.9.4 and earlier allows authenticated Contributors to inject persistent malicious scripts into WordPress pages. When a higher-privileged user such as an Editor or Administrator views the affected content, the injected script executes in their browser session - enabling session hijacking, credential theft, or privilege escalation within the WordPress admin panel. No public exploit or CISA KEV listing has been identified at time of analysis, but the low-privilege entry point and Changed scope elevate real-world risk for multi-author WordPress installations.

XSS Livemesh Addons For Wpbakery Page Builder
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-57686 HIGH This Week

Reflected cross-site scripting in the WowAddons (Product Addons) WordPress plugin through version 1.6.14 lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser session. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates no authentication is needed but the victim must be lured into interacting with a crafted request/link, and the scope-change flag reflects script execution crossing into the browser security context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; EPSS was not provided.

XSS Wowaddons
NVD
CVSS 3.1
7.1
EPSS
0.2%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unrestricted file upload in Grav API Plugin 1.0.0 allows authenticated users to store arbitrary content - including PHP scripts, SVG with embedded JavaScript, and polyglot payloads - via the avatar upload endpoint by supplying a forged client-declared MIME type beginning with 'image/'. The endpoint performs no server-side content inspection and imposes no extension restriction, so malicious files are written to user/accounts/avatars/ with predictable filenames. Immediate exploitation is partially mitigated by an .htaccess rule that returns HTTP 403 on direct access, but the files persist on disk and represent a latent RCE or stored XSS vector if a co-resident path traversal flaw or server misconfiguration bypasses that control. No public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal XSS PHP +2
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored cross-site scripting in n8n before 2.8.0 allows authenticated low-privilege users to inject malicious JavaScript URLs into OAuth2 credential Authorization URL fields within the credential management flow. When a victim - potentially a higher-privileged user - clicks the OAuth authorization button on the crafted credential, arbitrary scripts execute in their browser session carrying the victim's privileges. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the stored nature of the payload means a single malicious credential can be surfaced to multiple targets in collaborative n8n environments.

XSS N8n
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

HTML injection in Capgo's organization settings endpoint allows an authenticated attacker to embed malicious HTML into the organization name field, redirecting other users to attacker-controlled phishing sites. Affected versions are all Capgo releases prior to 12.128.2. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the attack path is low-complexity for any user with organization settings write access.

XSS
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Stored cross-site scripting in Dell PowerProtect Data Domain (DD OS 7.7.1.0 through 8.7, plus the LTS2026 8.6.1.x, LTS2025 8.3.1.x, and LTS2024 7.13.1.x branches) lets a remote attacker persist malicious script in the appliance management interface that executes in other users' browser sessions. Because the flaw is reachable without authentication and the injected payload runs in the victim's authenticated context, an attacker can achieve information disclosure, session/token theft, and client-side request forgery against operators of the backup appliance. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Dell has published advisory DSA-2026-278.

XSS Dell Information Disclosure +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Nexter Blocks - Gutenberg Blocks, Page Builder & AI Website Builder WordPress plugin (versions through 4.7.4) enables authenticated contributors to persistently inject malicious JavaScript via the unsanitized 'commentIcon' parameter, executing in any visitor's browser on affected pages. The CVSS Scope:Changed metric reflects that attacker-controlled code crosses trust boundaries into the victim's browser session, enabling session hijacking, credential theft, or unauthorized actions on behalf of privileged users such as site administrators. No public exploit code or CISA KEV listing was identified at time of analysis.

WordPress XSS Nexter Blocks Gutenberg Blocks Page Builder Ai Website Builder
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.8) lets unauthenticated remote attackers persist arbitrary JavaScript via the 'email' parameter, which then executes in the browser of any user - including hotel staff and admins - who later views the affected page. Because the injection point is reachable without authentication and the payload is stored server-side, it enables session hijacking, admin action forgery, and content defacement against booking-management back offices. This issue is not in CISA KEV and no public exploit has been identified at time of analysis.

WordPress XSS Vikbooking Hotel Booking Engine Pms
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Essential Addons for Elementor (versions up to and including 6.6.2) allows authenticated WordPress users with Author-level access or higher to inject persistent malicious JavaScript via event titles rendered through the Event Calendar widget. The injected payload executes in the browsers of any user who visits the affected page, with scope change confirmed by the CVSS:3.1 S:C designation. No public exploit code or CISA KEV listing has been identified at time of analysis, but the authentication barrier is low on sites that permit contributor or author registration.

WordPress XSS Essential Addons For Elementor Popular Elementor Templates Widgets
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in Mediküm Web (by Webbeyaz Web Design) enables authenticated low-privilege attackers to persist malicious scripts that execute in the browsers of other users who view the affected pages. All versions through 08072026 are affected per the CVE scope, with the CVSS scope-change metric (S:C) confirming cross-boundary execution into victim browser sessions. Critically, the vendor has confirmed the product is no longer supported, meaning no patch will be issued - organizations still running this software have no vendor remediation path. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Medik M Web
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in Mediküm Web, a Turkish healthcare web application by Webbeyaz Web Design, enables unauthenticated remote attackers to inject and execute malicious scripts in victims' browsers by tricking them into visiting a crafted URL. All versions through 08072026 are affected with no patch available or forthcoming, as the vendor has confirmed the product is end-of-life and unsupported. No public exploit code or active exploitation has been identified at time of analysis, but the permanent unpatched status makes decommissioning the only definitive remediation.

XSS Medik M Web
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored cross-site scripting in Limatek System Inc.'s LimRAD NAC through version 08072026 allows an adjacent-network, low-privileged attacker to inject persistent malicious scripts that execute in victims' browsers when affected pages are loaded. The CVSS scope change (S:C) confirms that injected script execution crosses into the victim's browser security context, enabling potential session hijacking or credential theft targeting higher-privileged users such as administrators. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the vendor did not respond to TR-CERT's disclosure, leaving no patch available and remediation options limited to compensating controls.

XSS Limrad Nac
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Advanced iFrame WordPress plugin (versions through 2026.1) allows authenticated contributors to permanently inject malicious scripts into WordPress pages via the unsanitized 'additional' parameter. Any site visitor loading an affected page will execute the attacker's payload in their browser, enabling session hijacking, credential theft, or defacement. No public exploit has been identified at time of analysis, and a fix has been committed to the WordPress plugin repository per Wordfence reporting.

WordPress XSS Advanced Iframe
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the SeedProd Website Builder WordPress plugin (all versions through 6.20.2) allows authenticated contributors to inject persistent malicious JavaScript via unsanitized attributes of the `seedprodnestedmenuwidget` shortcode. Any user-including administrators-who subsequently visits an affected page will execute the attacker's script in their browser, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing is identified at time of analysis, but the contributor-level access bar lowers the threshold for abuse on multi-author WordPress sites.

WordPress XSS Website Builder By Seedprod Theme Builder Landing Page Builder Coming Soon Page Maintenance Mode
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.8) lets unauthenticated attackers persist arbitrary JavaScript via the 'special_requests' booking field, which then executes when a hotel operator or user views the injected order in the admin back-end. Reported by Wordfence with a CVSS 7.2 (scope-changed) rating; no public exploit identified at time of analysis and it is not listed in CISA KEV. The fix landed in version 1.8.9, whose patched source is referenced in the advisory.

WordPress XSS Vikbooking Hotel Booking Engine Pms
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Sympl Repeater for ACF and Elementor WordPress plugin (all versions up to and including 2.3) allows authenticated attackers with Author-level access to inject persistent malicious scripts into pages via unsanitized ACF repeater field values. The root cause is the symp_arfe_replace_content() function using PHP str_replace() to insert raw get_field() output directly into Elementor-rendered HTML without any output encoding, causing the stored payload to execute in any subsequent visitor's browser. No public exploit code or CISA KEV listing has been identified at time of analysis, but the scope-changed CVSS vector (6.4 Medium) reflects real cross-user impact on WordPress sites where multiple Authors are active.

WordPress XSS Sympl Repeater For Acf And Elementor
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored cross-site scripting in the Chatra Live Chat + ChatBot + Cart Saver WordPress plugin (all versions ≤ 1.0.12) enables authenticated attackers holding administrator-level credentials to persist arbitrary JavaScript payloads through admin settings fields that lack input sanitization and output escaping. Injected scripts execute silently in the browsers of any user who visits an affected page, enabling session hijacking, credential harvesting, or malicious redirection. Exploitation is gated behind two environmental preconditions - WordPress multisite mode or explicitly disabled unfiltered_html - and no public exploit code or active exploitation has been identified at time of analysis.

WordPress XSS Chatra Live Chat Chatbot Cart Saver
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the Super Socializer WordPress plugin (versions up to and including 7.14.5) enables unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'heateor_mastodon_share' parameter, discovered and reported by Wordfence with source-level confirmation at helper.php lines 1243-1246. Successful exploitation requires social engineering a victim into clicking a crafted URL, after which the payload executes within the victim's browser session in the context of the target WordPress site. No public exploit code or active exploitation has been identified at time of analysis; the CVSS 6.1 (Medium) rating reflects the mandatory user-interaction requirement that constrains opportunistic mass exploitation.

WordPress XSS Social Share Social Login And Social Comments Plugin Super Socializer
NVD VulDB
EPSS 0% CVSS 3.9
LOW POC PATCH Monitor

Reflected XSS in Dashy's workspace view allows a remote attacker to execute arbitrary JavaScript in the victim's browser within the Dashy origin by tricking an authenticated user into visiting a crafted URL containing a javascript: scheme in the url query parameter. All Dashy releases prior to 4.3.7 are affected. Successful exploitation enables reading same-origin browser data, DOM manipulation, and issuing authenticated requests on behalf of the victim. No public exploit identified at time of analysis.

XSS Dashy
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored XSS in DataEase dashboard text components allows any authenticated user with edit access to inject HTML containing executable event handlers that fire silently in the browser of every subsequent dashboard viewer, including unauthenticated shared-link recipients. All versions prior to 2.10.24 are affected due to the use of Vue's v-html directive to render stored component content without server-side sanitization. No public exploit or active exploitation has been confirmed at time of analysis; a vendor-released patch is available in version 2.10.24.

XSS Dataease
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Confidential-client impersonation in better-auth below 1.6.11 lets an attacker who holds any leaked refresh_token and the public client_id mint fresh access tokens and rotated refresh tokens indefinitely. The deprecated oidcProvider() and mcp() plugins expose an OAuth 2.0 token endpoint whose refresh_token grant authenticates solely on the bound refresh-token row plus a matching client_id, never verifying the registered client_secret - a regression, since the same plugins' authorization_code grant does enforce the secret. No public exploit identified at time of analysis; the flaw was reported by @subhanUmer and fixed by the maintainers, with no CISA KEV listing or EPSS score supplied in the input.

Authentication Bypass XSS Canonical
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

Cross-site scripting in Joomla! CMS's com_installer component exposes the administrator backend to script injection via the update list view, stemming from missing output escaping (CWE-79). The CVSS 4.0 vector (PR:H/UI:P/E:U) confirms exploitation is constrained to sessions where a high-privilege administrator views the maliciously influenced update list, substantially limiting the attack surface. No public exploit code or active exploitation has been identified at time of analysis.

XSS Joomla Cms
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Cross-site scripting in Joomla! CMS com_templates file management view allows a high-privileged attacker to inject unescaped malicious script that executes in the browser of any administrator who subsequently views the affected template file listing. Affected versions span Joomla! 4.0.0 through 5.4.6 and 6.0.0 through 6.1.1. No public exploit identified at time of analysis and the CVSS 4.0 supplemental metric E:U confirms no known active exploitation, but the wide install base and admin-targeting nature of the payload make this relevant to Joomla site operators.

XSS Joomla Cms
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Cross-site scripting in Joomla! CMS modalreturn layout components enables a high-privileged attacker to inject and execute arbitrary JavaScript in a victim administrator's browser session. The root cause is insufficient output escaping in multiple component layouts that handle modal return values. No public exploit code has been identified and CISA KEV does not list this vulnerability; the CVSS 4.0 exploitation likelihood metric (E:U) further indicates no observed active exploitation at time of analysis.

XSS Joomla Cms
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Cross-site scripting in Joomla! CMS's generic image output layout enables a high-privileged attacker to inject malicious script payloads that execute in the browsers of other authenticated users who view the affected content. The root cause is absent HTML output escaping in the image rendering component (CWE-79), allowing injected JavaScript to break out of the intended data context. No public exploit has been identified at time of analysis, and exploitation requires a pre-existing high-privileged Joomla account plus passive victim interaction, substantially limiting real-world exposure despite high impact scores on confidentiality and integrity.

XSS Joomla Cms
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Cross-site scripting in Joomla! CMS multi-factor authentication management views allows a high-privileged attacker to inject persistent malicious scripts that execute in the browser of any administrator who subsequently views the MFA management interface. Affected versions span two major release lines: 4.2.0-5.4.6 and 6.0.0-6.1.1, representing a broad surface across both legacy and current deployments. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, successful exploitation yields high confidentiality and integrity impact against the victim administrator's browser session.

XSS Joomla Cms
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored XSS in Joomla CMS's language override administrative feature allows a high-privileged attacker to inject malicious scripts that execute in the browser of any user who subsequently renders the affected language string. Rooted in CWE-79 (improper output neutralization), the vulnerability requires an administrative account to place the payload but can then target other admins or front-end users. No public exploit code has been identified at time of analysis (CVSS E:U), and the vulnerability is not listed in the CISA KEV catalog.

XSS Joomla Cms
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-site scripting in Jastow - the JSP implementation layer embedded within Red Hat JBoss Enterprise Application Platform alongside Undertow - allows unauthenticated remote attackers to inject and execute malicious scripts when a specific combination of configurations permits unescaped characters to pass through URL processing. Affected deployments span JBoss EAP 7, EAP 8, the Expansion Pack, and linked products such as Red Hat Single Sign-On 7 that share this component. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS Red Hat Jboss Enterprise Application Platform 7 Red Hat Jboss Enterprise Application Platform 8 +3
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored cross-site scripting in the web management interfaces of Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA serial device servers allows a remote, authenticated administrator to persist malicious script payloads in system configuration fields. The injected script executes in the browser of any user who subsequently views the affected configuration pages, enabling session hijacking, credential theft, or UI redress attacks against those users. No public exploit code or active exploitation has been identified at time of analysis; the CVSS 4.0 score of 4.8 reflects the high-privilege prerequisite that meaningfully constrains real-world risk.

XSS Digi Portserver Ts Digi One Sp +2
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Reflected cross-site scripting in Armiya Information Technologies' Access Control System (GKS) before Version 2 allows authenticated remote attackers to inject malicious scripts into web responses. The vulnerability (CWE-79) results from improper neutralization of user-supplied input during web page generation, with scope change (S:C) indicating execution context escapes to the victim's browser. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Access Control System Gks
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Stored cross-site scripting in Armiya Information Technologies' Access Control System (GKS) versions before 2 allows an unauthenticated network attacker to persist malicious scripts in the application, which execute in the browser of any user who views the affected page. The scope change (S:C) in the CVSS vector indicates the injected payload breaks out of the application's security context and operates within the victim's browser environment, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Access Control System Gks
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in Armiya Information Technologies' Access Control System (GKS) allows unauthenticated remote attackers to inject script-bearing HTML attributes into web pages served by the application, executing arbitrary JavaScript in the context of a victim's browser. All versions prior to Version 2 are affected, as reported by TR-CERT via Turkey's national cybersecurity authority. No public exploit code or confirmed active exploitation has been identified at time of analysis, but the low-complexity, no-privilege attack vector makes this straightforward to weaponize against authenticated users of the access control panel.

XSS Access Control System Gks
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Exclusive Addons for Elementor WordPress plugin (all versions up to and including 2.7.9.8) allows authenticated Contributor-level users to permanently inject arbitrary JavaScript via the post title parameter in the post-duplicator extension. The CVSS Scope:Changed metric reflects that injected payloads execute in the browser contexts of other users - including administrators - who visit affected pages, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

WordPress XSS Exclusive Addons For Elementor
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

An HTML injection vulnerability in the file view endpoint of LiquidFiles v4.2.7 allows authenticated attackers to execute arbitrary JavaScript in the context of the victim's browser via the uploading of and user interaction with a crafted HTML file.

N A XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in LiquidFiles v4.2.7 allows authenticated attackers to inject persistent malicious JavaScript or HTML via the Name parameter of the Upload File Shares API, executing in victims' browsers when they interact with the affected share. The scope-changed CVSS vector (S:C) confirms the payload executes outside the attacker's privilege context, enabling session hijacking, credential theft, or UI redress against other users. A security researcher published a write-up specifically documenting CSP bypass techniques to exploit this flaw, indicating the attack is non-trivial but achievable. No public exploit identified at time of analysis, and EPSS sits at 0.16% (5th percentile), suggesting low automated exploitation pressure.

XSS N A
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in FOSSBilling 0.6.0-0.7.2 allows an authenticated admin to inject persistent JavaScript payloads into email HTML content that execute in client browsers when victims view their email history. The root cause is use of the `|raw` Twig filter to embed `content_html` directly into a JavaScript template literal, bypassing all output escaping. No active exploitation or public proof-of-concept has been identified at time of analysis; EPSS data was not provided in source intelligence.

XSS Fossbilling
NVD GitHub VulDB
LOW Monitor

Stored cross-site scripting in Kiwi TCMS versions prior to 16.1 allows authenticated users to inject arbitrary JavaScript into the `TestCase.extra_link` and `TestPlan.extra_link` fields, which are rendered verbatim to all subsequent viewers. Official Docker-based deployments are substantially protected by a `Content-Security-Policy` header that blocks inline script execution, but customized deployments that alter default middleware or security settings remain fully exploitable. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

XSS Docker
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Stored cross-site scripting in the showdown JavaScript Markdown-to-HTML library allows an unauthenticated attacker to inject arbitrary HTML and script-executing SVG elements by placing double-quote characters inside Markdown table headers. The unescaped content is written directly into HTML id attributes by the parseHeaders function in src/subParsers/makehtml/tables.js, and the payload is stored and later executed in every victim's browser that views the rendered output. No active exploitation has been confirmed (not in CISA KEV) and no EPSS data was supplied, but the default github flavor configuration means most showdown deployments are affected without any non-default setup required.

XSS Showdown
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in Coder's AgentLogLine dashboard component allows any workspace owner to inject arbitrary HTML into agent log output, which renders as live markup in the browser session of any user - including administrators - who views the workspace page. The vulnerability stems from the ansi-to-html library being invoked without escapeXML: true, with output passed directly to React's dangerouslySetInnerHTML without server-side sanitization. While Coder's Content Security Policy blocks inline script execution, the attack surface still includes meta refresh redirects, CSS-based data exfiltration, UI redressing, and external image beacons; no public exploit is identified at time of analysis, and patched versions are available across all supported release lines.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Cross-site scripting in Showdown (all versions ≤ 2.1.0) allows network-accessible injection of arbitrary HTML and JavaScript into rendered pages when the non-default `completeHTMLDocument` option is enabled. Unescaped `<` and `>` characters in Markdown frontmatter `title` metadata are written directly into the HTML `<title>` element, enabling title-context breakout and script execution in victim browsers. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the attack surface includes any web application that renders attacker-supplied Markdown with `completeHTMLDocument` enabled.

XSS Showdown
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored XSS in Hugo's default code-block renderer allows an attacker with Markdown contribution rights to inject arbitrary JavaScript into generated static pages. Hugo versions 0.60.0 through 0.163.2 write the code-fence info-string (language identifier) directly into HTML attribute values without escaping, so a crafted info-string containing a quote character and script payload breaks out of the attribute context. No public exploit or KEV listing exists at time of analysis; the CVSS 4.0 score of 5.1 reflects the requirement for prior write access and victim interaction.

XSS Hugo
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Reviews Widgets for Google, Yelp & TripAdvisor WordPress plugin (versions up to and including 2.7.3) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages by abusing the 'page_id' attribute of the [fbrev] shortcode. The injected payload executes in the browsers of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or further exploitation within the victim's browser context. No public exploit code has been identified at time of analysis, and no KEV listing is present, but the contributor-level access bar is low in multi-author WordPress deployments.

WordPress XSS Google +1
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Stored cross-site scripting in the DrawIO for ownCloud app (versions prior to 1.0.2, shipping with ownCloud 10 before 10.15.3) allows an authenticated user with access to the DrawIO app to persist a malicious payload that later executes in another user's browser session. Because the payload is stored and rendered to victims within the trusted ownCloud origin, it can hijack sessions or act on the victim's behalf. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

XSS Drawio For Owncloud Owncloud 10
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, API Control Plane, Traffic Manager, Universal Gateway, Open Banking AM/IAM, and Identity Server as Key Manager - allows unauthenticated remote attackers to inject arbitrary script via unsanitized URL parameters. An attacker who tricks an authenticated user into clicking a crafted link can redirect the victim to a malicious site, tamper with rendered page content, or exfiltrate non-session browser data; partial mitigation is provided by httpOnly flags on session cookies, which block direct session token theft. No public exploit identified at time of analysis; WSO2 self-reported the issue and published advisory WSO2-2025-4343.

XSS Wso2 Identity Server Wso2 Api Manager +6
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Cross-site scripting in Crater invoice application (up to v6.0.6) allows an authenticated attacker to inject malicious script payloads via the invoice notes field, executing in the browser of any user who subsequently views the crafted invoice. The vulnerable function getFormattedString in app/Http/Requests/InvoicesRequest.php performs insufficient neutralization of the notes argument, classified under CWE-79. A public proof-of-concept exploit exists; no vendor patch has been released as the project has not responded to the coordinated disclosure made via GitHub issue #1327.

XSS PHP Crater
NVD VulDB GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

CVE-2026-54432 is a vulnerability reported by Ubuntu with no description, CVSS score, CWE classification, or technical detail available in the provided intelligence data. The affected product is inferred as Ubuntu Linux based solely on the vendor reporter tag. No impact, attack vector, or exploitability information can be determined from the current data set.

XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Clickjacking in Ajenti's browser-facing login and administrative UI through v2.2.13 exposes authenticated administrators to UI redress attacks. The root cause is in ajenti-core/aj/http.py, where the core HTTP response pipeline finalizes responses via WSGI without injecting X-Frame-Options or a Content-Security-Policy frame-ancestors directive, allowing the Ajenti UI to be embedded in attacker-controlled iframes. No active exploitation has been identified - EPSS sits at 0.14% (4th percentile), SSVC exploitation is rated none, and no CISA KEV listing exists - placing this firmly in the low-urgency queue despite its medium CVSS score.

XSS N A
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Cross-site scripting in Roundcube Webmail allows remote attackers to inject arbitrary script into a victim's authenticated mail session, with the CVSS scope-change flag indicating the payload can affect resources beyond the vulnerable component (e.g. the surrounding webmail DOM/session). The flaw was fixed in releases 1.6.17 and 1.7.2 announced on 2026-07-05 and was reported through Ubuntu's security tracker; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is rated CVSS 7.2 driven largely by the scope change, though confidentiality and integrity impact are each only Low and availability is unaffected.

XSS Webmail
NVD VulDB
EPSS 0% CVSS 2.0
LOW Monitor

Cross-site scripting in stumasy's dictionary notes feature allows a low-privileged, remote attacker to inject malicious JavaScript via the unsanitized `reference` argument of the `add_definition` function. The vulnerability affects the PHP web application at commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be and earlier, with exploit code publicly disclosed via VulDB submission 849495. Real-world impact is constrained by the requirement for prior authentication and victim interaction, but no vendor patch exists and the project maintainer has not responded to the responsible disclosure.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting in stephen-kruger bluebox up to version 4.5.12 allows remote attackers to inject and execute arbitrary JavaScript in victims' browsers by manipulating the 'code' argument in an unspecified function. The attack requires user interaction (CVSS 4.0 UI:P), meaning a victim must be induced to click a crafted link or visit a malicious page. A public exploit exists via a GitHub issue report, though no CISA KEV listing confirms active widespread exploitation. The CVSS 4.0 score of 2.1 reflects the constrained integrity-only impact and passive user-interaction requirement.

XSS Bluebox
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting in code-projects Assessment Management 1.0 allows remote unauthenticated attackers to inject malicious scripts via the unsanitized `ID` parameter in `/admin/remove-user.php`. A public proof-of-concept exploit is available on GitHub (E:P in the CVSS 4.0 supplemental metrics), lowering the bar for exploitation. The vulnerability is not listed in the CISA KEV catalog, so confirmed widespread active exploitation has not been established, though the admin-facing endpoint makes session hijacking of privileged users a realistic outcome.

XSS PHP Assessment Management
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

Cross-site scripting (XSS) in code-projects Assessment Management 1.0 allows a remote attacker with administrative credentials to inject malicious scripts via the User parameter in admin/view-users.php, executing arbitrary JavaScript in the browser context of users who view the affected admin page. The CVSS 4.0 vector (PR:H, UI:P) confirms exploitation is gated behind high-privilege authentication and requires a victim to load the tampered page. A public proof-of-concept exploit exists on GitHub, though no active exploitation or CISA KEV listing has been identified at time of analysis.

XSS PHP Assessment Management
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Stored cross-site scripting in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap allows remote unauthenticated attackers to inject malicious scripts via the title or description arguments of the hidden REST API endpoint /index.php/api/product/set, executing arbitrary JavaScript in the browsers of users who subsequently view the affected product data. A public exploit has been disclosed (CVSS 4.0 E:P), though the low CVSS 4.0 score of 2.1 and the user-interaction requirement constrain practical impact. No active exploitation is confirmed by CISA KEV, and a patch commit is available in the project repository.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Reflected/stored cross-site scripting in the Subscribed Emails Admin Page of kirilkirkov's Ecommerce-CodeIgniter-Bootstrap allows an unauthenticated remote attacker to inject arbitrary JavaScript by crafting a malicious HTTP User-Agent header, which is rendered unencoded via the checkForPostRequests function in application/core/MY_Controller.php. When an administrator subsequently views the subscription management panel, the payload executes in their browser session. A public exploit exists (CVSS E:P); this is not listed in CISA KEV, indicating no confirmed widespread active exploitation at time of analysis.

XSS PHP Ecommerce Codeigniter Bootstrap
NVD VulDB GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based spoofing attacks against users who interact with attacker-controlled content. The flaw stems from improper input neutralization during web page generation (CWE-79), allowing injected scripts to execute within the browser's context and manipulate rendered content. No public exploit code or active exploitation has been identified at time of analysis, and Microsoft has released a patch addressing the issue.

XSS Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Microsoft Edge (Chromium-based) before version 150.0.4078.48 lets a remote attacker trick a victim into rendering attacker-controlled script that spoofs UI or content over the network. Because the CVSS scope is changed (S:C) and user interaction is required (UI:R), a lured user visiting or interacting with a malicious page can be deceived into trusting forged content, undermining browser security-context integrity. Reported by Microsoft with a vendor patch available; EPSS is low (0.28%, 20th percentile) and no public exploit identified at time of analysis.

XSS Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Spoofing in Microsoft Edge (Chromium-based) arises from a cross-site scripting (CWE-79) flaw that lets a network-based, unauthenticated attacker inject script into a generated web page, producing a convincing spoofed browser context after the victim interacts with malicious content. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R, C:L/I:H) reflects a high-integrity spoofing impact gated only by user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Microsoft has released a patch through the MSRC update guide.

XSS Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in Destekz (all versions through 02062026) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in victim browsers by delivering crafted URLs containing unsanitized input. The CVSS scope change (S:C) confirms that successful exploitation can affect resources beyond the vulnerable application itself, such as the victim's browser session context. Critically, the vendor Raera has confirmed the product is end-of-life and unsupported, meaning no patch will ever be released and all deployed instances are permanently vulnerable. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Destekz
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Zakra WordPress theme (versions up to and including 4.2.0) allows authenticated Contributors to inject arbitrary JavaScript into site pages via the REST API. The vulnerability stems from a sanitization bypass: while the classic editor code path correctly applies sanitize_hex_color() to three menu-color post meta fields, the REST API registration omits any sanitize_callback, permitting unfiltered values to be written. Those values are later concatenated unsanitized into inline CSS and rendered on every page load, triggering stored XSS against any site visitor. No active exploitation (CISA KEV) is confirmed; a vendor-released patch is available in version 4.2.1.

WordPress XSS Zakra
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the GenerateBlocks WordPress plugin (all versions through 2.2.1) allows contributor-level authenticated attackers to inject arbitrary JavaScript via the Headline Block's `linkMetaFieldType` dynamic link attribute, executing in the browser of any user - including site administrators - who clicks the injected headline link. The attack chains a `get_safe_user_meta_keys()` allowlist bypass with insufficient URI scheme validation to construct a fully attacker-controlled `javascript:` href. No CISA KEV listing exists at time of analysis, but Wordfence reporting and direct source code references lower the barrier to independent exploitation.

WordPress XSS Generateblocks
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Comments - wpDiscuz WordPress plugin (versions up to and including 7.6.56) allows unauthenticated guest commenters to persist malicious script by injecting into the 'Website' field, which is later rendered unescaped by getCommentAuthor(). The stored comment_author_url is interpolated directly into single-quoted HTML attributes without esc_url() or esc_attr(), so any visitor viewing an affected comment thread executes the attacker's payload in their browser session. No public exploit identified at time of analysis, but exploitation requires no authentication and the source-level root cause is documented in the WordPress plugin trac.

WordPress XSS Comments Wpdiscuz
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in RTMKit (rometheme-for-elementor) versions up to and including 2.0.7 allows authenticated contributors to persist arbitrary JavaScript in WordPress pages via the Advanced Heading widget's 'Background Text' field. The root cause is the direct concatenation of the user-controlled `background_text_heading` setting into an HTML attribute inside the widget's `render()` function without applying WordPress's `esc_attr()` sanitization, reported by Wordfence. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, but the contributor-level access prerequisite makes this realistically exploitable on multi-author or open-registration WordPress sites.

WordPress XSS Rtmkit
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the CM Business Directory WordPress plugin (all versions ≤ 1.5.7) allows contributor-level authenticated users to persist arbitrary JavaScript in business listing address meta fields, executing against any visitor who loads the affected page. The vulnerability exploits a structural gap in WordPress's permission model: because the payload is written to post meta rather than post_content, the platform's native unfiltered_html capability check never fires, giving low-privilege contributors an injection vector that WordPress's architecture was designed to prevent. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, though Wordfence has published full technical details including exact vulnerable code line references and an upstream fix commit.

WordPress XSS Cm Business Directory Optimise And Showcase Local Business
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the JSON API User WordPress plugin (versions ≤ 4.1.0) allows authenticated attackers with subscriber-level or higher access to inject persistent JavaScript via the `content` parameter of the `post_comment` API endpoint. The plugin's `post_comment()` function passes attacker-controlled `comment_content` directly to WordPress's native `wp_insert_comment()` without any HTML sanitization, and a compounding design flaw permits callers to supply `comment_approved=1` to self-approve comments and entirely bypass the WordPress moderation queue. No public exploit code or CISA KEV listing is confirmed at time of analysis; however, the CVSS scope-change flag (S:C) and low authentication barrier make this a meaningful risk on any site permitting open user registration.

WordPress XSS Json Api User
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) lets unauthenticated attackers persist arbitrary JavaScript via the 'real_val__' form-submission parameter, which later executes in the browser of any user who views the affected page. The flaw is amplified by a design weakness: the submission handler is registered through wp_ajax_nopriv_submit_nex_form with no nonce/CSRF verification, so no authentication or valid session is required to reach the vulnerable sink. There is no public exploit identified at time of analysis and no CISA KEV listing, but the unauthenticated, network-reachable nature makes it a practical mass-exploitation candidate against exposed WordPress sites.

WordPress XSS CSRF +1
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Ultimate Member WordPress plugin (versions ≤ 2.11.4) permits any subscriber-level authenticated attacker to inject persistent malicious JavaScript via the 'about_me' profile field, which then executes in the browser of any user - including site administrators - who views the compromised profile page. The scope-changed CVSS vector (S:C, PR:L) reflects that the low barrier to obtaining a subscriber account combined with cross-origin script execution can escalate to full site compromise if an administrator's session is hijacked. No public exploit code or CISA KEV listing has been identified at time of analysis, though the attack is low-complexity once a subscriber account is obtained.

WordPress XSS Ultimate Member User Profile Registration Login Member Directory Content Restriction Membership Plugin
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the weDocs WordPress plugin (versions through 2.3.0) allows authenticated contributors to persist malicious JavaScript in documentation pages by injecting arbitrary values into the 'sectionTitleTag' and 'articleTitleTag' Gutenberg block attributes, which are rendered without sanitization or output escaping in Sidebar block render.php. Any WordPress user who subsequently visits an injected documentation page will execute the attacker's script in their browser context, enabling session hijacking, credential harvesting, or defacement. No public exploit code or CISA KEV listing has been identified, but the low privilege bar (contributor) makes this accessible to a broad class of authenticated WordPress users.

WordPress XSS Wedocs
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the weDocs WordPress plugin (all versions through 2.3.0) allows authenticated contributors to inject persistent malicious scripts via the unsanitized 'connectorWidth' block attribute in the Sidebar block renderer (render.php lines 138 and 161). Any site visitor loading an affected documentation page triggers the payload in their browser, enabling session hijacking, credential harvesting, or malicious redirects. No active exploitation is confirmed in CISA KEV and no public exploit has been identified at time of analysis, though the attack technique is low-complexity for anyone with block editor knowledge.

WordPress XSS Wedocs
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Missing HTTP security headers in the Gardyn admin panel expose Gardyn Home Firmware, Gardyn Studio Firmware, and Gardyn Cloud API to clickjacking and cross-site scripting attacks against authenticated administrators. The absence of directives such as X-Frame-Options, Content-Security-Policy frame-ancestors, and script-source restrictions allows an attacker to embed the admin panel in a malicious iframe or inject client-side scripts into the admin session context. Reported by ICS-CERT under advisory ICSA-26-183-03, no public exploit or active exploitation has been confirmed at time of analysis.

XSS Gardyn Home Firmware Gardyn Studio Firmware +1
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in WatchGuard Fireware OS's SIP Proxy module enables a high-privileged attacker to plant persistent malicious JavaScript that executes in the browsers of other privileged users who access affected management interface pages. Covering Fireware OS versions 12.0 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2, this CVE is explicitly disclosed as an additional, previously unmitigated attack path for CVE-2025-6947 - meaning organizations that applied the prior patch may incorrectly believe their exposure is closed. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.

XSS Watchguard Fireware Os
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in WatchGuard Fireware OS's spamBlocker module enables a high-privileged attacker to persist malicious JavaScript that executes in the browsers of other authenticated users viewing the affected management interface. This vulnerability is explicitly identified as an additional, unmitigated attack path bypassing the remediation applied for CVE-2025-1071, indicating the original fix was incomplete. The CVSS 4.0 vector scores this at 4.8 (Medium), with no confirmed active exploitation and no public exploit identified at time of analysis.

XSS Watchguard Fireware Os
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored cross-site scripting in WatchGuard Fireware OS's Autotask Technology Integration module allows a high-privileged attacker to inject persistent malicious scripts that execute in the browsers of other users who view the affected management interface pages. Affecting Fireware OS versions 12.4 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2, this flaw is explicitly described as an additional unmitigated attack path alongside the related CVE-2025-13938, suggesting prior remediation efforts were incomplete. No public exploit code or confirmed active exploitation has been identified at time of analysis.

XSS Watchguard Fireware Os
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored cross-site scripting in WatchGuard Fireware OS via the ConnectWise Technology Integration module allows a highly privileged attacker to inject persistent malicious scripts into the web management interface, which then execute in the browsers of other authenticated users who view the affected pages. This vulnerability is explicitly described as an additional, previously unmitigated attack path for CVE-2025-13937, indicating that the prior remediation was incomplete and a bypass exists. No public exploit code or CISA KEV listing has been identified at time of analysis, but the relationship to an earlier CVE suggests at least some organizational knowledge of the attack surface.

XSS Watchguard Fireware Os
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in WatchGuard Fireware OS's Tigerpaw Technology Integration module allows a high-privileged attacker to persist malicious scripts within the management interface, which then execute in the browsers of other authenticated users who visit the affected pages. Critically, this CVE is identified as an additional unmitigated attack path for CVE-2025-13936, indicating an incomplete remediation of a prior related XSS flaw in the same integration module. Affected versions span the 12.4, 12.5, and 2025.x/2026.x release trains; no public exploit or CISA KEV listing has been identified at time of analysis.

XSS Watchguard Fireware Os
NVD VulDB
HIGH PATCH This Week

Unauthenticated arbitrary file read/write in Recce OSS server (DataRecce, PyPI package 'recce') affects DuckDB-backed deployments exposed to untrusted networks, where the query run API executes attacker-supplied SQL without authentication. By abusing DuckDB filesystem primitives an attacker can read and write files accessible to the server process, enabling local file disclosure, tampering with dbt/Recce artifacts, and injection of stored XSS into browser-served static files. No public exploit identified at time of analysis; the issue is fixed in Recce v1.50.0.

XSS
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Stored XSS in Forgejo before 15.0.3 allows authenticated users to execute arbitrary JavaScript in other users' browsers by embedding an HTML payload in their display name and triggering a CI/CD Actions run. The vulnerability exists because the server-side run description assembles HTML by interpolating the user's full name through a translation function that performs no output encoding, and the frontend renders this server-generated markup via a Vue v-html binding - a classic sink for stored XSS. No public exploit identified at time of analysis as actively exploited in the wild, but a public proof-of-concept exists at the VulnCheck-referenced GitHub repository. The CVSS 4.0 score of 2.1 reflects the non-default configuration prerequisite and passive user interaction required, but the impact on subsequent systems (other users' browser sessions) is real.

XSS Forgejo
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM POC PATCH This Month

Stored XSS in RAGFlow before 0.26.3 enables cross-user JavaScript execution through unsanitized agent pipeline node names rendered in a confirmation modal. An authenticated workspace member injects a payload into a DSL node name via the agent update endpoint; when a different workspace member opens the dataflow result and clicks 'Rerun from current step,' the payload executes in their browser, enabling session token theft and account takeover across the workspace trust boundary. No CISA KEV listing exists, but a public proof-of-concept is available and a vendor patch has been released as v0.26.3.

XSS Ragflow
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Netdata before 2.3.1 allows unauthenticated network attackers to inject and execute arbitrary JavaScript in a victim's browser within the Netdata origin by crafting a malicious URL targeting the `/api/v2/ilove.svg` or `/api/v3/ilove.svg` endpoints. The `love` query parameter is embedded verbatim into an SVG response served as `image/svg+xml`, a MIME type browsers treat as an active scripting context. These endpoints are explicitly registered with `HTTP_ACL_NOCHECK` and bearer-token protection is off by default, making this a zero-prerequisite server-side exposure requiring only victim interaction - no public exploit or CISA KEV listing exists at time of analysis, but the attack is trivially reproducible from the description alone.

XSS Netdata
NVD GitHub VulDB
CVSS 3.7
LOW PATCH Monitor

Stored XSS in SFTPGo's WebClient allows an attacker who can place files in a share or home directory to serve an HTML payload as live text/html within SFTPGo's own web origin by exploiting the inline query parameter on file download endpoints, which suppressed the Content-Disposition: attachment header. Affected versions prior to v2.7.3 expose both the browsable-share and authenticated-user file download paths. No public exploit is identified at time of analysis; exploitation requires file placement access plus social engineering to deliver a crafted URL the WebClient never generates natively.

XSS
NVD GitHub
MEDIUM PATCH This Month

CSS injection sanitization bypass in SpecifyJS's server-side render-to-string function exposes applications to cross-site scripting when the library processes attacker-controlled CSS values. The sanitizer in core/src/server/render-to-string.ts (lines 307-311) used naive regex to block patterns like 'expression(' and 'url(javascript:' without first normalizing the input, allowing bypass via CSS unicode escapes (e.g., \65xpression()), null bytes, or CSS comments (e.g., exp/**/ression()). Critically, the XSS payload only executes in legacy browsers (IE6-IE10), which substantially limits real-world impact. No public exploit or CISA KEV listing has been identified at time of analysis.

XSS
NVD GitHub
CVSS 8.6
HIGH POC PATCH This Week

{{#display_map}} parser function when the leaflet service is used. Overlay names are passed unescaped into Leaflet, which renders them as raw HTML, so a crafted overlay value executes in the browser of every user who views the page. A working proof-of-concept is published in the advisory, though there is no public exploit identified beyond it and no evidence of active exploitation.

XSS
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Stored cross-site scripting in the TP-Link Archer C5 v6.8 router web management interface lets an authenticated administrator inject persistent HTML/JavaScript into a user-controlled field that later executes in another administrator's browser session. The flaw affects ISP-managed firmware variants and can be leveraged for session hijacking and unauthorized modification of router configuration. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation requires existing admin access, sharply limiting real-world impact.

Authentication Bypass XSS Information Disclosure
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in TR7 Cyber Defense Inc.'s WAF-ASP web application firewall permits authenticated low-privilege attackers to inject persistent malicious scripts that execute in the browsers of other users - including administrators - who later view the affected page. Versions from v1.0.324.900 up to but not including v1.4.0.117 are confirmed affected. No public exploit code or CISA KEV listing exists at time of analysis; exploitation nonetheless requires only low-privilege credentials and a single victim page-view.

XSS Waf Asp
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

DOM-Based cross-site scripting in TR7 Cyber Defense Inc.'s WAF-ASP product allows an authenticated low-privilege attacker to inject malicious JavaScript that executes in the browser of any user who interacts with a crafted page within the WAF's web interface. Affected versions span v1.0.42.239 through versions prior to v1.4.0.117. No public exploit or active exploitation has been identified at time of analysis; the irony is notable in that this is a security control product with an XSS vulnerability in its own management interface.

XSS Waf Asp
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in ThemePunch Slider Revolution (versions 7.0.0 through 7.0.16), a widely deployed premium WordPress slider/visual-builder plugin, lets a remote attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is marked Changed with low impact across confidentiality, integrity, and availability, successful exploitation can lead to session hijacking, defacement, or actions performed in the victim's authenticated context. There is no public exploit identified at time of analysis and the flaw is not on CISA KEV, but the reflected nature and no-authentication requirement make it a practical phishing-driven threat.

XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Reflected XSS in u5CMS through v12.8.8 allows unauthenticated remote attackers to inject arbitrary JavaScript into victim browsers via the unsanitized 'thanks' parameter exposed across multiple form components. When a victim user is socially engineered into visiting a crafted URL, injected scripts execute in the application's browser context, with the CVSS 4.0 vector indicating high subsequent-system impact (SC:H/SI:H/SA:H) - consistent with session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit identified at time of analysis; fix is available in v12.8.9.

XSS
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in the Surbma Yoast SEO Breadcrumb Shortcode WordPress plugin (versions <= 1.2) allows contributor-level authenticated users to inject malicious JavaScript via the breadcrumb shortcode, which executes in the browser context of any victim who views the affected content - most critically a site administrator. The scope change (S:C) in the CVSS vector confirms the script escapes the plugin's own context and can hijack privileged sessions or perform unauthorized admin actions. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA KEV catalog.

XSS Surbma Yoast Seo Breadcrumb Shortcode
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-site scripting in the Structured Content WordPress plugin (versions <= 1.7.0) allows a Contributor-level authenticated user to inject malicious JavaScript that executes in the browser of higher-privileged users who subsequently view the crafted content. The CVSS scope change (S:C) confirms the payload crosses into the victim's browser security context, enabling session hijacking, credential theft, or unauthorized administrative actions within a WordPress installation. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

XSS Structured Content
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored Cross-Site Scripting in the Simple URLs WordPress plugin (versions <= 151) allows authenticated author-level users to inject persistent malicious scripts into content rendered in the WordPress admin interface. The CVSS Scope:Changed metric indicates the injected payload executes in a security context beyond the attacker's own session - most likely the administrative dashboard viewed by higher-privileged users such as site administrators. No public exploit code or active exploitation confirmed at time of analysis, but the scope change introduces a realistic privilege escalation path from author to administrator via session hijacking.

XSS Simple Urls
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored or reflected Cross-Site Scripting in the Mosaic Gallery - Advanced Gallery WordPress plugin (versions <= 1.2.0) is exploitable by authenticated users holding a Contributor role. A Contributor-level attacker can inject malicious JavaScript into gallery content, which executes in the browsers of higher-privileged users - such as editors or administrators - who subsequently view the affected page, enabling session hijacking or unauthorized administrative action. No public exploit code or active exploitation has been confirmed at time of analysis.

XSS Mosaic Gallery 8211 Advanced Gallery
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in Livemesh Addons for WPBakery Page Builder versions 3.9.4 and earlier allows authenticated Contributors to inject persistent malicious scripts into WordPress pages. When a higher-privileged user such as an Editor or Administrator views the affected content, the injected script executes in their browser session - enabling session hijacking, credential theft, or privilege escalation within the WordPress admin panel. No public exploit or CISA KEV listing has been identified at time of analysis, but the low-privilege entry point and Changed scope elevate real-world risk for multi-author WordPress installations.

XSS Livemesh Addons For Wpbakery Page Builder
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the WowAddons (Product Addons) WordPress plugin through version 1.6.14 lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser session. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates no authentication is needed but the victim must be lured into interacting with a crafted request/link, and the scope-change flag reflects script execution crossing into the browser security context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; EPSS was not provided.

XSS Wowaddons
NVD
Prev Page 4 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy