Skip to main content

XSS

38836 CVEs technique

Monthly

CVE-2026-1754 MEDIUM This Month

The personal-authors-category WordPress plugin through version 0.3 contains a reflected XSS vulnerability in the URL path due to inadequate input validation and output encoding. Unauthenticated attackers can exploit this by crafting malicious links that, when clicked by victims, execute arbitrary JavaScript in their browsers. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1164 MEDIUM This Month

Stored XSS in the Easy Voice Mail WordPress plugin through version 1.2.5 allows authenticated administrators to inject malicious scripts via the message parameter due to inadequate input validation. An attacker with admin privileges can exploit this to execute arbitrary JavaScript in the browsers of users who access affected pages. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1844 HIGH This Week

Stored XSS in WordPress PixelYourSite PRO plugin versions up to 12.4.0.2 allows unauthenticated attackers to inject malicious scripts through the 'pysTrafficSource' and 'pys_landing_page' parameters due to insufficient input validation and output encoding. When site visitors access pages containing injected payloads, the malicious scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-1841 HIGH This Week

Stored XSS in the PixelYourSite WordPress plugin through versions 11.2.0 allows unauthenticated attackers to inject malicious scripts via the 'pysTrafficSource' and 'pys_landing_page' parameters due to inadequate input sanitization and output escaping. When users visit pages containing injected payloads, the scripts execute in their browsers, potentially compromising sessions and stealing sensitive data. No patch is currently available, leaving all affected installations vulnerable.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-26226 npm MEDIUM PATCH This Month

beautiful-mermaid versions prior to 0.1.3 contain an SVG attribute injection issue that can lead to cross-site scripting (XSS) when rendering attacker-controlled Mermaid diagrams.

XSS
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-70095 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in the item management and sales invoice function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. [CVSS 6.5 MEDIUM]

XSS Open Source Point Of Sale
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-70094 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in the Generate Item Barcode function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Category parameter. [CVSS 6.5 MEDIUM]

XSS Open Source Point Of Sale
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-70091 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in the Customers function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Phone Number parameter. [CVSS 6.5 MEDIUM]

XSS Open Source Point Of Sale
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1578 This Week

HP App for Android is potentially vulnerable to cross-site scripting (XSS) when using an outdated version of the application via mobile devices. HP is releasing updates to mitigate these potential vulnerabilities.

Android XSS
NVD
EPSS
0.0%
CVE-2026-1721 npm PATCH This Week

Summary A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the AI Playground's OAuth callback handler.

Github XSS
NVD GitHub
EPSS
0.0%
CVE-2026-26188 PHP MEDIUM POC PATCH This Month

Stored XSS in Solspace Freeform for Craft CMS 5.x allows authenticated users with form creation privileges to inject malicious JavaScript into form labels and integration metadata, which executes in the Control Panel when administrators view the builder or integrations. Public exploit code exists for this vulnerability. The vulnerability is resolved in version 5.14.7.

XSS Freeform
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-70092 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in the Item Kits function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Name parameter. [CVSS 5.5 MEDIUM]

XSS Open Source Point Of Sale
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2019-25324 MEDIUM POC This Month

RICOH Web Image Monitor 1.09 contains an HTML injection vulnerability in the address configuration CGI script that allows attackers to inject malicious HTML code. [CVSS 6.1 MEDIUM]

XSS
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25323 MEDIUM POC This Month

Heatmiser Netmonitor v3.03 contains an HTML injection vulnerability in the outputSetup.htm page that allows attackers to inject malicious HTML code through the outputtitle parameter. [CVSS 6.1 MEDIUM]

RCE XSS
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-70845 MEDIUM This Month

lty628 aidigu v1.9.1 is vulnerable to Cross Site Scripting (XSS) exists in the /setting/ page where the "intro" field is not properly sanitized or escaped. [CVSS 6.1 MEDIUM]

XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-26000 Maven MEDIUM PATCH This Month

Xwiki versions up to 17.9.0 is affected by improper restriction of rendered ui layers or frames (CVSS 6.1).

XSS Xwiki
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1320 HIGH This Week

Secure Copy Content Protection and Content Locking (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-13002 HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Cross-Site Scripting (XSS).This issue affects E-Commerce Package: through 27112025. [CVSS 8.2 HIGH]

XSS E Commerce Package
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-1316 HIGH This Week

Customer Reviews for WooCommerce (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-2276 This Week

Reflected Cross-Site Scripting (XSS) vulnerability in the Wix web application, where the endpoint ' https://manage.wix.com/account/account-settings ', responsible for uploading SVG images, does not properly sanitize the content.

XSS
NVD
EPSS
0.0%
CVE-2026-20645 MEDIUM This Month

Information disclosure on locked iOS and iPadOS devices stems from improper UI state management, allowing an attacker with physical device access to view sensitive user data. The vulnerability affects multiple Apple mobile OS versions and currently lacks a public patch, though fixes are available in iOS 26.3, iPadOS 26.3, iOS 18.7.5, and iPadOS 18.7.5.

Apple XSS
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-26023 MEDIUM POC PATCH This Month

Dify versions prior to 1.13.0 contain a stored cross-site scripting vulnerability in the chat frontend's echarts integration that executes malicious JavaScript payloads embedded in user or LLM-generated inputs. An attacker can exploit this to perform actions in the context of other users' browsers, potentially stealing session tokens or conducting phishing attacks. Public exploit code exists for this vulnerability, though a patch is available in version 1.13.0 and later.

XSS AI / ML Dify
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-25935 Go MEDIUM PATCH This Month

Cross-site scripting (XSS) in Vikunja prior to version 1.1.0 allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by injecting malicious code into task descriptions that are rendered without sanitization in hover tooltips. An attacker can exploit this by sharing a project and creating a specially crafted task that triggers the vulnerability when other users hover over it. A patch is available in version 1.1.0 and later.

XSS Vikunja Suse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25759 PHP HIGH PATCH This Week

Authenticated users with content creation permissions in Statamic CMS versions 6.0.0 through 6.2.2 can inject persistent JavaScript through content titles that executes in the browsers of higher-privileged users, potentially allowing attackers to create unauthorized super admin accounts. The vulnerability affects users with control panel access and requires user interaction to trigger. A patch is available in version 6.2.3.

Laravel XSS Statamic
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2020-37153 CRITICAL POC Act Now

Multiple vulnerabilities in ASTPP 4.0.1 including XSS and command injection in SIP device configuration and plugin management. PoC available.

AWS XSS Command Injection Astpp
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-70297 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim s browser. [CVSS 6.1 MEDIUM]

XSS Mealie
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-25868 MEDIUM This Month

Reflected XSS in MiniGal Nano 0.3.5 and earlier allows unauthenticated remote attackers to inject malicious scripts through the dir parameter in index.php, enabling arbitrary JavaScript execution in victim browsers. The vulnerability stems from insufficient output encoding when constructing error messages with user-supplied input. No patch is currently available for affected installations.

PHP XSS Minigal Nano
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-2344 This Week

A vulnerability in Plunet Plunet BusinessManager allows unauthorized actions being performed on behalf of privileged users.This issue affects Plunet BusinessManager: 10.15.1

XSS
NVD
EPSS
0.1%
CVE-2019-25317 PHP MEDIUM POC PATCH This Month

Kimai 2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into timesheet descriptions. Attackers can insert SVG-based XSS payloads in the description field to execute arbitrary JavaScript when the page is loaded and viewed by other users. [CVSS 6.4 MEDIUM]

XSS Kimai
NVD GitHub Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2019-25316 MEDIUM POC This Month

GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the event title parameter. [CVSS 6.4 MEDIUM]

PHP XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2019-25315 MEDIUM POC This Month

WordPress Server Log Viewer 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unfiltered log file paths. Attackers can add log files with embedded XSS payloads that will execute when viewed in the WordPress admin interface. [CVSS 6.4 MEDIUM]

WordPress XSS
NVD GitHub Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2019-25314 MEDIUM POC This Month

Yoast Duplicate-Post WordPress Plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces. [CVSS 5.5 MEDIUM]

WordPress XSS
NVD Exploit-DB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2019-25312 MEDIUM POC This Month

InoERP 0.7.2 contains a persistent cross-site scripting vulnerability in the comment section that allows unauthenticated attackers to inject malicious scripts. [CVSS 5.4 MEDIUM]

XSS Inoerp
NVD GitHub Exploit-DB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2019-25311 MEDIUM POC This Month

thesystem version 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through multiple server data input fields. [CVSS 6.4 MEDIUM]

XSS Thesystem
NVD GitHub Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2018-25157 PHP MEDIUM POC This Month

Phraseanet 4.0.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through crafted file names during document uploads. [CVSS 6.4 MEDIUM]

XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2337 This Week

A vulnerability in Plunet Plunet BusinessManager allows session hijacking, data theft, unauthorized actions on behalf of the user.This issue affects Plunet BusinessManager: 10.15.1.

XSS
NVD
EPSS
0.1%
CVE-2025-8668 CRITICAL Act Now

Critical XSS vulnerability in E-Kalite software allows remote attackers to execute arbitrary code.

XSS
NVD VulDB
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-1885 MEDIUM This Month

Stored XSS in WordPress Slideshow WP plugin through version 1.1 allows authenticated users with contributor-level access to inject malicious scripts via the 'sswpid' shortcode attribute due to insufficient input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, enabling attackers to steal session data or perform unauthorized actions. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1853 MEDIUM This Month

Stored XSS in BuddyHolis ListSearch plugin for WordPress through version 1.1 allows authenticated contributors and above to inject malicious scripts into pages via inadequately sanitized shortcode attributes. When site visitors access compromised pages, the injected scripts execute in their browsers, potentially enabling account hijacking, session theft, or malicious redirects. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1827 MEDIUM This Month

The Flask Micro code-editor plugin for WordPress through version 1.0.0 contains a stored cross-site scripting vulnerability in its codeflask shortcode due to inadequate input validation and output encoding. Authenticated users with contributor-level permissions or higher can inject malicious scripts that execute for all visitors accessing affected pages. No patch is currently available.

WordPress Flask XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1826 MEDIUM This Month

Stored XSS in OpenPOS Lite for WooCommerce plugin (versions up to 3.0) allows authenticated contributors and above to inject malicious scripts via the order_qrcode shortcode's width parameter, which execute when other users view affected pages. The vulnerability stems from inadequate input sanitization and output escaping, enabling attackers to compromise page content without user interaction. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1821 MEDIUM This Month

Stored cross-site scripting in the WordPress Microtango plugin through version 0.9.29 allows authenticated contributors and higher-privileged users to inject malicious scripts via the 'restkey' parameter that execute when other users view affected pages. The vulnerability stems from inadequate input sanitization and output escaping in the mt_reservation shortcode. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1809 MEDIUM This Month

Stored cross-site scripting in the HTML Tag Shortcodes WordPress plugin through version 1.1 allows authenticated contributors and above to execute arbitrary scripts on site pages through inadequately sanitized shortcode attributes. Affected users will run attacker-injected code whenever they visit compromised pages, potentially leading to session hijacking or malicious content injection.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1804 MEDIUM This Month

Stored XSS in the WDES Responsive Popup WordPress plugin through version 1.3.6 allows authenticated contributors and higher-privileged users to inject malicious scripts via the 'wdes-popup-title' shortcode due to inadequate input sanitization. When victims visit affected pages containing the injected payload, the scripts execute in their browsers, potentially compromising site integrity and user data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0815 MEDIUM This Month

Stored XSS in WordPress Category Image plugin through version 2.0 allows authenticated users with Editor access or higher to inject malicious scripts via the tag-image parameter due to insufficient input validation. When other users view affected pages, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or site defacement. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0724 MEDIUM This Month

The WPlyr Media Block plugin for WordPress through version 1.3.0 contains a stored cross-site scripting vulnerability in the '_wplyr_accent_color' parameter due to inadequate input sanitization, allowing authenticated administrators to inject malicious scripts that execute in other users' browsers. This requires high-privilege access and manual user interaction but impacts site integrity and user security across affected pages.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-15440 HIGH This Week

The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-13650 MEDIUM This Month

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is not necessary, but the action must be performed) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Surname’ parameter of the ‘Create Account’ operation at the URL:  https://zeus.microcom.es:4040/index.html?zeus6=true .

XSS Zeusweb
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-13649 MEDIUM This Month

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is not necessary, but the action must be performed) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Email’ parameters within the ‘Recover password’ section at the URL: https://zeus.microcom.es:4040/index.html?zeus6=true .

XSS Zeusweb
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-13648 MEDIUM This Month

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is required) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Name’ and “Surname” parameters within the ‘My Account’ section at the URL: https://zeus.microcom.es:4040/administracion-estaciones.html  resulting in a stored XSS.

XSS Zeusweb
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-10913 HIGH This Week

Saastech Cleaning and Internet Services Inc. TemizlikYolda is affected by cross-site scripting (xss) (CVSS 8.3).

XSS
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-1893 MEDIUM This Month

Orbisius Random Name Generator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1231 MEDIUM This Month

Stored cross-site scripting in Beaver Builder Page Builder plugin for WordPress through version 2.10.0.5 allows authenticated users with Custom-level access or higher to inject malicious scripts into global settings that execute for all site visitors. The vulnerability stems from missing capability checks and insufficient input sanitization in the save_global_settings() function. Attackers can exploit this to deface pages, steal credentials, or perform actions on behalf of other users viewing affected content.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12699 MEDIUM This Month

The ZOLL ePCR IOS application reflects unsanitized user input into a WebView. Attacker-controlled strings placed into PCR fields (run number, incident, call sign, notes) are interpreted as HTML/JS when the app prints or renders that content. [CVSS 5.5 MEDIUM]

XSS iOS
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-24045 HIGH POC PATCH This Week

Stored XSS in Docmost before version 0.25.0 allows authenticated attackers to inject malicious scripts into public share page titles that execute when victims visit shared links, compromising user sessions and data. The vulnerability stems from improper HTML escaping of page titles in meta and title tags, and public exploit code is available. Upgrade to version 0.25.0 or later to remediate.

XSS Docmost
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-21529 MEDIUM PATCH This Month

Azure HDInsight contains a cross-site scripting (XSS) vulnerability in web page generation that allows authenticated attackers to conduct spoofing attacks over the network. An attacker with valid credentials and user interaction can exploit this weakness to manipulate web content and deceive users. No patch is currently available for this issue.

Azure XSS Azure Hdinsight
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-52436 HIGH This Week

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an unauthenticated attacker to execute commands via crafted requests. [CVSS 8.8 HIGH]

Fortinet XSS Fortisandbox
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-11004 This Week

The Simplicity Device Manager Tool has a Reflected XSS (Cross-site-scripting) vulnerability in several API endpoints. The attacker needs to be on the same network to execute this attack.

XSS
NVD
EPSS
0.1%
CVE-2026-1922 MEDIUM This Month

Stored cross-site scripting in The Events Calendar Shortcode & Block plugin for WordPress up to version 3.1.2 allows authenticated users with contributor-level access to inject malicious scripts through the `ecs-list-events` shortcode's `message` attribute due to inadequate input sanitization. When injected pages are accessed by other users, the malicious scripts execute in their browsers, potentially compromising session data or performing unauthorized actions. A patch is not currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1866 HIGH This Week

The Name Directory WordPress plugin through version 1.32.0 contains a stored cross-site scripting vulnerability in its sanitization logic that allows unauthenticated attackers to inject malicious scripts through the public submission form. Attackers can exploit this by submitting content with double-encoded HTML entities that bypass security filters, and the injected scripts will execute when administrators or users view the affected pages if the submission is approved or auto-publish is enabled. This affects all installations of the vulnerable plugin versions with no patch currently available.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-40587 HIGH This Week

A vulnerability has been identified in Polarion V2404 (All versions < V2404.5), Polarion V2410 (All versions < V2410.2). The affected application allows arbitrary JavaScript code be included in document titles. [CVSS 7.6 HIGH]

XSS
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-2099 MEDIUM This Month

Authenticated attackers can inject malicious JavaScript into Flowring's AgentFlow platform that persists and executes in other users' browsers when they load affected pages, potentially compromising user sessions and data. This stored cross-site scripting vulnerability affects the AI/ML and Agentflow products and requires user interaction to trigger, though no patch is currently available.

XSS AI / ML Agentflow
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-2098 MEDIUM This Month

Reflected XSS in AgentFlow enables unauthenticated attackers to inject malicious JavaScript that executes in victims' browsers during phishing campaigns, potentially compromising user sessions and data. The vulnerability affects the AI/ML platform with no patch currently available, requiring users to rely on defensive measures such as email filtering and user awareness training.

XSS AI / ML Agentflow
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-0996 MEDIUM This Month

Stored cross-site scripting in the Fluent Forms WordPress plugin's AI Form Builder module (versions up to 6.1.14) enables authenticated subscribers to inject malicious scripts that execute for all users viewing affected forms through missing authorization checks, leaked nonces, and insufficient input sanitization of AI-generated content. An attacker with subscriber-level access can exploit this to perform actions on behalf of administrators or steal sensitive information from form viewers. The vulnerability affects WordPress installations using this plugin and has no patch currently available.

WordPress XSS AI / ML
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-24325 MEDIUM This Month

Stored XSS in SAP BusinessObjects Enterprise results from insufficient input encoding, allowing high-privileged administrators to inject malicious JavaScript that executes in other users' browsers. This vulnerability affects confidentiality and integrity with medium severity, though no patch is currently available. Exploitation requires administrative access and user interaction to trigger the malicious payload.

SAP XSS Businessobjects Enterprise
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-0505 MEDIUM This Month

Unauthenticated attackers can manipulate unvalidated URL parameters in S4core, Document Management System, and ERP applications to redirect users to malicious websites, potentially compromising user credentials or distributing malware. The vulnerability requires user interaction to exploit and has limited impact on confidentiality and integrity, with no availability impact. No patch is currently available.

XSS S4core Document Management System Erp
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-25889 Go MEDIUM POC PATCH This Month

Filebrowser versions prior to 2.57.1 allow authenticated users to reset passwords without verifying the current password due to case-sensitive validation logic that can be bypassed using mixed-case field names in API requests. An attacker with a valid JWT token obtained through XSS, session hijacking, or similar means could exploit this to perform account takeover. Public exploit code exists for this vulnerability, and a patch is available.

XSS Filebrowser Suse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25496 PHP MEDIUM POC PATCH This Month

Stored XSS in Craft CMS Number field settings (versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21) allows authenticated users with high privileges to inject malicious scripts via the Prefix or Suffix fields, which execute when the field is viewed on user profiles. Public exploit code exists for this vulnerability. Updates to versions 4.16.18 and 5.8.22 are available to remediate the issue.

XSS Craft Cms
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25491 PHP MEDIUM POC PATCH This Month

Stored cross-site scripting in Craft CMS versions 5.0.0-RC1 through 5.8.21 allows authenticated users with high privileges to inject malicious scripts through Entry Type names that are not sanitized when displayed in the Entry Types list. An attacker exploiting this vulnerability can execute arbitrary JavaScript in the browsers of other users viewing the affected list, potentially compromising session data or performing unauthorized actions. Public exploit code exists for this vulnerability, though a patch is available in version 5.8.22 and later.

XSS Craft Cms
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25230 MEDIUM POC This Month

FileRise versions before 3.3.0 contain an HTML injection vulnerability that allows authenticated users to manipulate the DOM and inject malicious form or link elements to redirect users or trigger unauthorized actions. Public exploit code exists for this medium-severity flaw, and no patch is currently available. The vulnerability requires user interaction and valid credentials to exploit, limiting its immediate impact but creating risk for organizations running affected FileRise instances.

XSS Filerise
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-63354 MEDIUM This Month

Hitron HI3120 v7.2.4.5.2b1 allows stored XSS via the Parental Control option when creating a new filter. The device fails to properly handle inputs, allowing an attacker to inject and execute JavaScript. [CVSS 4.8 MEDIUM]

XSS Hi3120 Firmware
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-1960 This Week

Stored Cross-Site Scripting (XSS) vulnerability in Loggro Pymes, via the 'Facebook' parameter in '/loggrodemo/jbrain/ConsultaTerceros' endpoint.

XSS
NVD
EPSS
0.0%
CVE-2026-1959 This Week

Stored Cross-Site Scripting (XSS) vulnerability in Loggro Pymes, via the 'descripción' parameter in the '/loggrodemo/jbrain/MaestraCuentasBancarias' endpoint.

XSS
NVD
EPSS
0.0%
CVE-2026-25847 HIGH This Week

In JetBrains PyCharm before 2025.3.2 a DOM-based XSS on Jupyter viewer page was possible [CVSS 8.2 HIGH]

XSS Pycharm
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-2224 LOW POC Monitor

A vulnerability was detected in code-projects Online Reviewer System 1.0. This affects an unknown part of the file /system/system/admins/manage/users/btn_functions.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-7799 HIGH This Week

Zirve Information Technologies Inc. E-Taxpayer Accounting Website is affected by cross-site scripting (xss) (CVSS 8.6).

XSS
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-2222 LOW POC Monitor

A weakness has been identified in code-projects Online Reviewer System 1.0. Affected by this vulnerability is an unknown functionality of the file /system/system/admins/manage/users/btn_functions.php. [CVSS 2.4 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2214 LOW POC Monitor

A weakness has been identified in code-projects for Plugin 1.0. This affects an unknown part of the file /Administrator/PHP/AdminAddAlbum.php. [CVSS 2.4 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-1615 npm HIGH PATCH This Week

Remote code execution in the jsonpath npm package (versions <1.2.0) allows unauthenticated attackers to execute arbitrary JavaScript code by injecting malicious JSON Path expressions. The vulnerability stems from unsafe evaluation through the static-eval module, which processes user-supplied JSON Path input without proper sanitization. All query methods (.query, .nodes, .paths, .value, .parent, .apply) are affected. While EPSS scoring indicates relatively low widespread exploitation probability (0.09%, 26th percentile), multiple vendor patches from Red Hat and SUSE confirm the severity, and publicly available exploit code exists (CVSS E:P). This represents critical risk for Node.js applications processing untrusted JSON Path expressions, with potential for both server-side RCE and browser-based XSS depending on execution context.

Node.js RCE XSS Code Injection
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-2201 LOW POC Monitor

A security vulnerability has been detected in ZeroWdd studentmanager up to 2151560fc0a50ec00426785ec1e01a3763b380d9. This impacts the function addLeave of the file src/main/java/com/wdd/studentmanager/controller/LeaveController.java. [CVSS 2.4 LOW]

Java XSS
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2200 LOW POC Monitor

A weakness has been identified in heyewei JFinalCMS 5.0.0. This affects an unknown function of the file /admin/admin/save of the component API Endpoint. [CVSS 2.4 LOW]

XSS Jfinalcms
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2160 LOW POC Monitor

Simple Responsive Tourism Website versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2159 LOW POC Monitor

Simple Responsive Tourism Website versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2156 LOW POC Monitor

Online Student Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 2.4).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2154 LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2150 LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2149 LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2145 LOW POC Monitor

A vulnerability was identified in cym1102 nginxWebUI up to 4.3.7. The impacted element is an unknown function of the file /adminPage/conf/check of the component Web Management Interface. [CVSS 3.5 LOW]

XSS Nginxwebui
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-1643 MEDIUM This Month

Reflected XSS in the WordPress MP-Ukagaka plugin through version 1.5.2 allows unauthenticated attackers to inject malicious scripts into web pages due to insufficient input sanitization and output escaping. An attacker can exploit this by tricking users into clicking a malicious link, causing arbitrary JavaScript to execute in their browsers. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1634 MEDIUM This Month

The Subitem AL Slider plugin for WordPress through version 1.0.0 fails to properly sanitize the PHP_SELF parameter, allowing unauthenticated attackers to inject malicious scripts through a crafted link. An attacker can trick users into clicking a malicious URL to execute arbitrary JavaScript in their browser sessions. No patch is currently available for this reflected XSS vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
EPSS 0% CVSS 6.1
MEDIUM This Month

The personal-authors-category WordPress plugin through version 0.3 contains a reflected XSS vulnerability in the URL path due to inadequate input validation and output encoding. Unauthenticated attackers can exploit this by crafting malicious links that, when clicked by victims, execute arbitrary JavaScript in their browsers. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Stored XSS in the Easy Voice Mail WordPress plugin through version 1.2.5 allows authenticated administrators to inject malicious scripts via the message parameter due to inadequate input validation. An attacker with admin privileges can exploit this to execute arbitrary JavaScript in the browsers of users who access affected pages. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored XSS in WordPress PixelYourSite PRO plugin versions up to 12.4.0.2 allows unauthenticated attackers to inject malicious scripts through the 'pysTrafficSource' and 'pys_landing_page' parameters due to insufficient input validation and output encoding. When site visitors access pages containing injected payloads, the malicious scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored XSS in the PixelYourSite WordPress plugin through versions 11.2.0 allows unauthenticated attackers to inject malicious scripts via the 'pysTrafficSource' and 'pys_landing_page' parameters due to inadequate input sanitization and output escaping. When users visit pages containing injected payloads, the scripts execute in their browsers, potentially compromising sessions and stealing sensitive data. No patch is currently available, leaving all affected installations vulnerable.

WordPress XSS
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

beautiful-mermaid versions prior to 0.1.3 contain an SVG attribute injection issue that can lead to cross-site scripting (XSS) when rendering attacker-controlled Mermaid diagrams.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in the item management and sales invoice function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. [CVSS 6.5 MEDIUM]

XSS Open Source Point Of Sale
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in the Generate Item Barcode function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Category parameter. [CVSS 6.5 MEDIUM]

XSS Open Source Point Of Sale
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in the Customers function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Phone Number parameter. [CVSS 6.5 MEDIUM]

XSS Open Source Point Of Sale
NVD GitHub
EPSS 0%
This Week

HP App for Android is potentially vulnerable to cross-site scripting (XSS) when using an outdated version of the application via mobile devices. HP is releasing updates to mitigate these potential vulnerabilities.

Android XSS
NVD
EPSS 0%
PATCH This Week

Summary A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the AI Playground's OAuth callback handler.

Github XSS
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Stored XSS in Solspace Freeform for Craft CMS 5.x allows authenticated users with form creation privileges to inject malicious JavaScript into form labels and integration metadata, which executes in the Control Panel when administrators view the builder or integrations. Public exploit code exists for this vulnerability. The vulnerability is resolved in version 5.14.7.

XSS Freeform
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in the Item Kits function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Name parameter. [CVSS 5.5 MEDIUM]

XSS Open Source Point Of Sale
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

RICOH Web Image Monitor 1.09 contains an HTML injection vulnerability in the address configuration CGI script that allows attackers to inject malicious HTML code. [CVSS 6.1 MEDIUM]

XSS
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Heatmiser Netmonitor v3.03 contains an HTML injection vulnerability in the outputSetup.htm page that allows attackers to inject malicious HTML code through the outputtitle parameter. [CVSS 6.1 MEDIUM]

RCE XSS
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM This Month

lty628 aidigu v1.9.1 is vulnerable to Cross Site Scripting (XSS) exists in the /setting/ page where the "intro" field is not properly sanitized or escaped. [CVSS 6.1 MEDIUM]

XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Xwiki versions up to 17.9.0 is affected by improper restriction of rendered ui layers or frames (CVSS 6.1).

XSS Xwiki
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Secure Copy Content Protection and Content Locking (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress XSS
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Cross-Site Scripting (XSS).This issue affects E-Commerce Package: through 27112025. [CVSS 8.2 HIGH]

XSS E Commerce Package
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Customer Reviews for WooCommerce (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress XSS
NVD
EPSS 0%
This Week

Reflected Cross-Site Scripting (XSS) vulnerability in the Wix web application, where the endpoint ' https://manage.wix.com/account/account-settings ', responsible for uploading SVG images, does not properly sanitize the content.

XSS
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

Information disclosure on locked iOS and iPadOS devices stems from improper UI state management, allowing an attacker with physical device access to view sensitive user data. The vulnerability affects multiple Apple mobile OS versions and currently lacks a public patch, though fixes are available in iOS 26.3, iPadOS 26.3, iOS 18.7.5, and iPadOS 18.7.5.

Apple XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Dify versions prior to 1.13.0 contain a stored cross-site scripting vulnerability in the chat frontend's echarts integration that executes malicious JavaScript payloads embedded in user or LLM-generated inputs. An attacker can exploit this to perform actions in the context of other users' browsers, potentially stealing session tokens or conducting phishing attacks. Public exploit code exists for this vulnerability, though a patch is available in version 1.13.0 and later.

XSS AI / ML Dify
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting (XSS) in Vikunja prior to version 1.1.0 allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by injecting malicious code into task descriptions that are rendered without sanitization in hover tooltips. An attacker can exploit this by sharing a project and creating a specially crafted task that triggers the vulnerability when other users hover over it. A patch is available in version 1.1.0 and later.

XSS Vikunja Suse
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authenticated users with content creation permissions in Statamic CMS versions 6.0.0 through 6.2.2 can inject persistent JavaScript through content titles that executes in the browsers of higher-privileged users, potentially allowing attackers to create unauthorized super admin accounts. The vulnerability affects users with control panel access and requires user interaction to trigger. A patch is available in version 6.2.3.

Laravel XSS Statamic
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Multiple vulnerabilities in ASTPP 4.0.1 including XSS and command injection in SIP device configuration and plugin management. PoC available.

AWS XSS Command Injection +1
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim s browser. [CVSS 6.1 MEDIUM]

XSS Mealie
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected XSS in MiniGal Nano 0.3.5 and earlier allows unauthenticated remote attackers to inject malicious scripts through the dir parameter in index.php, enabling arbitrary JavaScript execution in victim browsers. The vulnerability stems from insufficient output encoding when constructing error messages with user-supplied input. No patch is currently available for affected installations.

PHP XSS Minigal Nano
NVD VulDB
EPSS 0%
This Week

A vulnerability in Plunet Plunet BusinessManager allows unauthorized actions being performed on behalf of privileged users.This issue affects Plunet BusinessManager: 10.15.1

XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

Kimai 2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into timesheet descriptions. Attackers can insert SVG-based XSS payloads in the description field to execute arbitrary JavaScript when the page is loaded and viewed by other users. [CVSS 6.4 MEDIUM]

XSS Kimai
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.4
MEDIUM POC This Month

GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the event title parameter. [CVSS 6.4 MEDIUM]

PHP XSS
NVD Exploit-DB
EPSS 0% CVSS 6.4
MEDIUM POC This Month

WordPress Server Log Viewer 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unfiltered log file paths. Attackers can add log files with embedded XSS payloads that will execute when viewed in the WordPress admin interface. [CVSS 6.4 MEDIUM]

WordPress XSS
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Yoast Duplicate-Post WordPress Plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces. [CVSS 5.5 MEDIUM]

WordPress XSS
NVD Exploit-DB
EPSS 0% CVSS 5.4
MEDIUM POC This Month

InoERP 0.7.2 contains a persistent cross-site scripting vulnerability in the comment section that allows unauthenticated attackers to inject malicious scripts. [CVSS 5.4 MEDIUM]

XSS Inoerp
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.4
MEDIUM POC This Month

thesystem version 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through multiple server data input fields. [CVSS 6.4 MEDIUM]

XSS Thesystem
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.4
MEDIUM POC This Month

Phraseanet 4.0.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through crafted file names during document uploads. [CVSS 6.4 MEDIUM]

XSS
NVD Exploit-DB
EPSS 0%
This Week

A vulnerability in Plunet Plunet BusinessManager allows session hijacking, data theft, unauthorized actions on behalf of the user.This issue affects Plunet BusinessManager: 10.15.1.

XSS
NVD
EPSS 0% CVSS 9.4
CRITICAL Act Now

Critical XSS vulnerability in E-Kalite software allows remote attackers to execute arbitrary code.

XSS
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WordPress Slideshow WP plugin through version 1.1 allows authenticated users with contributor-level access to inject malicious scripts via the 'sswpid' shortcode attribute due to insufficient input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, enabling attackers to steal session data or perform unauthorized actions. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in BuddyHolis ListSearch plugin for WordPress through version 1.1 allows authenticated contributors and above to inject malicious scripts into pages via inadequately sanitized shortcode attributes. When site visitors access compromised pages, the injected scripts execute in their browsers, potentially enabling account hijacking, session theft, or malicious redirects. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Flask Micro code-editor plugin for WordPress through version 1.0.0 contains a stored cross-site scripting vulnerability in its codeflask shortcode due to inadequate input validation and output encoding. Authenticated users with contributor-level permissions or higher can inject malicious scripts that execute for all visitors accessing affected pages. No patch is currently available.

WordPress Flask XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in OpenPOS Lite for WooCommerce plugin (versions up to 3.0) allows authenticated contributors and above to inject malicious scripts via the order_qrcode shortcode's width parameter, which execute when other users view affected pages. The vulnerability stems from inadequate input sanitization and output escaping, enabling attackers to compromise page content without user interaction. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the WordPress Microtango plugin through version 0.9.29 allows authenticated contributors and higher-privileged users to inject malicious scripts via the 'restkey' parameter that execute when other users view affected pages. The vulnerability stems from inadequate input sanitization and output escaping in the mt_reservation shortcode. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the HTML Tag Shortcodes WordPress plugin through version 1.1 allows authenticated contributors and above to execute arbitrary scripts on site pages through inadequately sanitized shortcode attributes. Affected users will run attacker-injected code whenever they visit compromised pages, potentially leading to session hijacking or malicious content injection.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the WDES Responsive Popup WordPress plugin through version 1.3.6 allows authenticated contributors and higher-privileged users to inject malicious scripts via the 'wdes-popup-title' shortcode due to inadequate input sanitization. When victims visit affected pages containing the injected payload, the scripts execute in their browsers, potentially compromising site integrity and user data. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in WordPress Category Image plugin through version 2.0 allows authenticated users with Editor access or higher to inject malicious scripts via the tag-image parameter due to insufficient input validation. When other users view affected pages, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or site defacement. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

The WPlyr Media Block plugin for WordPress through version 1.3.0 contains a stored cross-site scripting vulnerability in the '_wplyr_accent_color' parameter due to inadequate input sanitization, allowing authenticated administrators to inject malicious scripts that execute in other users' browsers. This requires high-privilege access and manual user interaction but impacts site integrity and user security across affected pages.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is not necessary, but the action must be performed) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Surname’ parameter of the ‘Create Account’ operation at the URL:  https://zeus.microcom.es:4040/index.html?zeus6=true .

XSS Zeusweb
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is not necessary, but the action must be performed) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Email’ parameters within the ‘Recover password’ section at the URL: https://zeus.microcom.es:4040/index.html?zeus6=true .

XSS Zeusweb
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is required) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Name’ and “Surname” parameters within the ‘My Account’ section at the URL: https://zeus.microcom.es:4040/administracion-estaciones.html  resulting in a stored XSS.

XSS Zeusweb
NVD VulDB
EPSS 0% CVSS 8.3
HIGH This Week

Saastech Cleaning and Internet Services Inc. TemizlikYolda is affected by cross-site scripting (xss) (CVSS 8.3).

XSS
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Orbisius Random Name Generator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Beaver Builder Page Builder plugin for WordPress through version 2.10.0.5 allows authenticated users with Custom-level access or higher to inject malicious scripts into global settings that execute for all site visitors. The vulnerability stems from missing capability checks and insufficient input sanitization in the save_global_settings() function. Attackers can exploit this to deface pages, steal credentials, or perform actions on behalf of other users viewing affected content.

WordPress XSS
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

The ZOLL ePCR IOS application reflects unsanitized user input into a WebView. Attacker-controlled strings placed into PCR fields (run number, incident, call sign, notes) are interpreted as HTML/JS when the app prints or renders that content. [CVSS 5.5 MEDIUM]

XSS iOS
NVD GitHub
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

Stored XSS in Docmost before version 0.25.0 allows authenticated attackers to inject malicious scripts into public share page titles that execute when victims visit shared links, compromising user sessions and data. The vulnerability stems from improper HTML escaping of page titles in meta and title tags, and public exploit code is available. Upgrade to version 0.25.0 or later to remediate.

XSS Docmost
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Azure HDInsight contains a cross-site scripting (XSS) vulnerability in web page generation that allows authenticated attackers to conduct spoofing attacks over the network. An attacker with valid credentials and user interaction can exploit this weakness to manipulate web content and deceive users. No patch is currently available for this issue.

Azure XSS Azure Hdinsight
NVD
EPSS 0% CVSS 8.8
HIGH This Week

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an unauthenticated attacker to execute commands via crafted requests. [CVSS 8.8 HIGH]

Fortinet XSS Fortisandbox
NVD
EPSS 0%
This Week

The Simplicity Device Manager Tool has a Reflected XSS (Cross-site-scripting) vulnerability in several API endpoints. The attacker needs to be on the same network to execute this attack.

XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in The Events Calendar Shortcode & Block plugin for WordPress up to version 3.1.2 allows authenticated users with contributor-level access to inject malicious scripts through the `ecs-list-events` shortcode's `message` attribute due to inadequate input sanitization. When injected pages are accessed by other users, the malicious scripts execute in their browsers, potentially compromising session data or performing unauthorized actions. A patch is not currently available.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The Name Directory WordPress plugin through version 1.32.0 contains a stored cross-site scripting vulnerability in its sanitization logic that allows unauthenticated attackers to inject malicious scripts through the public submission form. Attackers can exploit this by submitting content with double-encoded HTML entities that bypass security filters, and the injected scripts will execute when administrators or users view the affected pages if the submission is approved or auto-publish is enabled. This affects all installations of the vulnerable plugin versions with no patch currently available.

WordPress XSS
NVD
EPSS 0% CVSS 7.6
HIGH This Week

A vulnerability has been identified in Polarion V2404 (All versions < V2404.5), Polarion V2410 (All versions < V2410.2). The affected application allows arbitrary JavaScript code be included in document titles. [CVSS 7.6 HIGH]

XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Authenticated attackers can inject malicious JavaScript into Flowring's AgentFlow platform that persists and executes in other users' browsers when they load affected pages, potentially compromising user sessions and data. This stored cross-site scripting vulnerability affects the AI/ML and Agentflow products and requires user interaction to trigger, though no patch is currently available.

XSS AI / ML Agentflow
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in AgentFlow enables unauthenticated attackers to inject malicious JavaScript that executes in victims' browsers during phishing campaigns, potentially compromising user sessions and data. The vulnerability affects the AI/ML platform with no patch currently available, requiring users to rely on defensive measures such as email filtering and user awareness training.

XSS AI / ML Agentflow
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Fluent Forms WordPress plugin's AI Form Builder module (versions up to 6.1.14) enables authenticated subscribers to inject malicious scripts that execute for all users viewing affected forms through missing authorization checks, leaked nonces, and insufficient input sanitization of AI-generated content. An attacker with subscriber-level access can exploit this to perform actions on behalf of administrators or steal sensitive information from form viewers. The vulnerability affects WordPress installations using this plugin and has no patch currently available.

WordPress XSS AI / ML
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in SAP BusinessObjects Enterprise results from insufficient input encoding, allowing high-privileged administrators to inject malicious JavaScript that executes in other users' browsers. This vulnerability affects confidentiality and integrity with medium severity, though no patch is currently available. Exploitation requires administrative access and user interaction to trigger the malicious payload.

SAP XSS Businessobjects Enterprise
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauthenticated attackers can manipulate unvalidated URL parameters in S4core, Document Management System, and ERP applications to redirect users to malicious websites, potentially compromising user credentials or distributing malware. The vulnerability requires user interaction to exploit and has limited impact on confidentiality and integrity, with no availability impact. No patch is currently available.

XSS S4core Document Management System +1
NVD
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Filebrowser versions prior to 2.57.1 allow authenticated users to reset passwords without verifying the current password due to case-sensitive validation logic that can be bypassed using mixed-case field names in API requests. An attacker with a valid JWT token obtained through XSS, session hijacking, or similar means could exploit this to perform account takeover. Public exploit code exists for this vulnerability, and a patch is available.

XSS Filebrowser Suse
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Stored XSS in Craft CMS Number field settings (versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21) allows authenticated users with high privileges to inject malicious scripts via the Prefix or Suffix fields, which execute when the field is viewed on user profiles. Public exploit code exists for this vulnerability. Updates to versions 4.16.18 and 5.8.22 are available to remediate the issue.

XSS Craft Cms
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Stored cross-site scripting in Craft CMS versions 5.0.0-RC1 through 5.8.21 allows authenticated users with high privileges to inject malicious scripts through Entry Type names that are not sanitized when displayed in the Entry Types list. An attacker exploiting this vulnerability can execute arbitrary JavaScript in the browsers of other users viewing the affected list, potentially compromising session data or performing unauthorized actions. Public exploit code exists for this vulnerability, though a patch is available in version 5.8.22 and later.

XSS Craft Cms
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM POC This Month

FileRise versions before 3.3.0 contain an HTML injection vulnerability that allows authenticated users to manipulate the DOM and inject malicious form or link elements to redirect users or trigger unauthorized actions. Public exploit code exists for this medium-severity flaw, and no patch is currently available. The vulnerability requires user interaction and valid credentials to exploit, limiting its immediate impact but creating risk for organizations running affected FileRise instances.

XSS Filerise
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Hitron HI3120 v7.2.4.5.2b1 allows stored XSS via the Parental Control option when creating a new filter. The device fails to properly handle inputs, allowing an attacker to inject and execute JavaScript. [CVSS 4.8 MEDIUM]

XSS Hi3120 Firmware
NVD GitHub
EPSS 0%
This Week

Stored Cross-Site Scripting (XSS) vulnerability in Loggro Pymes, via the 'Facebook' parameter in '/loggrodemo/jbrain/ConsultaTerceros' endpoint.

XSS
NVD
EPSS 0%
This Week

Stored Cross-Site Scripting (XSS) vulnerability in Loggro Pymes, via the 'descripción' parameter in the '/loggrodemo/jbrain/MaestraCuentasBancarias' endpoint.

XSS
NVD
EPSS 0% CVSS 8.2
HIGH This Week

In JetBrains PyCharm before 2025.3.2 a DOM-based XSS on Jupyter viewer page was possible [CVSS 8.2 HIGH]

XSS Pycharm
NVD
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was detected in code-projects Online Reviewer System 1.0. This affects an unknown part of the file /system/system/admins/manage/users/btn_functions.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Zirve Information Technologies Inc. E-Taxpayer Accounting Website is affected by cross-site scripting (xss) (CVSS 8.6).

XSS
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

A weakness has been identified in code-projects Online Reviewer System 1.0. Affected by this vulnerability is an unknown functionality of the file /system/system/admins/manage/users/btn_functions.php. [CVSS 2.4 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

A weakness has been identified in code-projects for Plugin 1.0. This affects an unknown part of the file /Administrator/PHP/AdminAddAlbum.php. [CVSS 2.4 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Remote code execution in the jsonpath npm package (versions <1.2.0) allows unauthenticated attackers to execute arbitrary JavaScript code by injecting malicious JSON Path expressions. The vulnerability stems from unsafe evaluation through the static-eval module, which processes user-supplied JSON Path input without proper sanitization. All query methods (.query, .nodes, .paths, .value, .parent, .apply) are affected. While EPSS scoring indicates relatively low widespread exploitation probability (0.09%, 26th percentile), multiple vendor patches from Red Hat and SUSE confirm the severity, and publicly available exploit code exists (CVSS E:P). This represents critical risk for Node.js applications processing untrusted JSON Path expressions, with potential for both server-side RCE and browser-based XSS depending on execution context.

Node.js RCE XSS +1
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

A security vulnerability has been detected in ZeroWdd studentmanager up to 2151560fc0a50ec00426785ec1e01a3763b380d9. This impacts the function addLeave of the file src/main/java/com/wdd/studentmanager/controller/LeaveController.java. [CVSS 2.4 LOW]

Java XSS
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

A weakness has been identified in heyewei JFinalCMS 5.0.0. This affects an unknown function of the file /admin/admin/save of the component API Endpoint. [CVSS 2.4 LOW]

XSS Jfinalcms
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Simple Responsive Tourism Website versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Simple Responsive Tourism Website versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

Online Student Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 2.4).

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was identified in cym1102 nginxWebUI up to 4.3.7. The impacted element is an unknown function of the file /adminPage/conf/check of the component Web Management Interface. [CVSS 3.5 LOW]

XSS Nginxwebui
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in the WordPress MP-Ukagaka plugin through version 1.5.2 allows unauthenticated attackers to inject malicious scripts into web pages due to insufficient input sanitization and output escaping. An attacker can exploit this by tricking users into clicking a malicious link, causing arbitrary JavaScript to execute in their browsers. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The Subitem AL Slider plugin for WordPress through version 1.0.0 fails to properly sanitize the PHP_SELF parameter, allowing unauthenticated attackers to inject malicious scripts through a crafted link. An attacker can trick users into clicking a malicious URL to execute arbitrary JavaScript in their browser sessions. No patch is currently available for this reflected XSS vulnerability.

WordPress XSS
NVD
Prev Page 42 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy