Skip to main content

XSS

38838 CVEs technique

Monthly

CVE-2026-1643 MEDIUM This Month

Reflected XSS in the WordPress MP-Ukagaka plugin through version 1.5.2 allows unauthenticated attackers to inject malicious scripts into web pages due to insufficient input sanitization and output escaping. An attacker can exploit this by tricking users into clicking a malicious link, causing arbitrary JavaScript to execute in their browsers. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1634 MEDIUM This Month

The Subitem AL Slider plugin for WordPress through version 1.0.0 fails to properly sanitize the PHP_SELF parameter, allowing unauthenticated attackers to inject malicious scripts through a crafted link. An attacker can trick users into clicking a malicious URL to execute arbitrary JavaScript in their browser sessions. No patch is currently available for this reflected XSS vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1613 MEDIUM This Month

Stored XSS in the Wonka Slide WordPress plugin (versions up to 1.3.3) allows authenticated users with contributor-level permissions to inject malicious scripts through the `list_class` shortcode attribute due to inadequate input sanitization. When other users visit affected pages, the injected scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1611 MEDIUM This Month

Stored XSS in WordPress Wikiloops Track Player plugin (versions up to 1.0.1) allows authenticated contributors and above to inject malicious scripts through the wikiloops shortcode due to inadequate input sanitization and output escaping. Injected scripts execute in the browsers of users viewing affected pages, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1608 MEDIUM This Month

Stored cross-site scripting in the WordPress Video Onclick plugin through version 0.4.7 allows authenticated contributors and above to inject malicious scripts into pages via the youtube shortcode due to inadequate input sanitization. When users access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive information. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1573 MEDIUM This Month

Stored XSS in the OMIGO WordPress plugin through version 3.3 allows authenticated contributors and above to inject malicious scripts via the omigo_donate_button shortcode due to inadequate input sanitization, executing arbitrary code when users view affected pages. The vulnerability requires low privileges but impacts all users accessing compromised content, with no available patch as of now.

WordPress Golang XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1570 MEDIUM This Month

Simple Bible Verse via Shortcode (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0555 MEDIUM This Month

The Premmerce WordPress plugin through version 1.3.20 contains a stored cross-site scripting vulnerability in the wizard AJAX endpoint due to inadequate input sanitization and output escaping on the state parameter. Authenticated users with subscriber-level permissions can inject malicious scripts that execute in the admin wizard interface when accessed by other users. No patch is currently available for this medium-severity vulnerability affecting plugin installations.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-15267 MEDIUM This Month

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13463 MEDIUM This Month

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12803 MEDIUM This Month

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12159 MEDIUM This Month

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_raw_content shortcode in all versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-25764 LOW Monitor

OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. [CVSS 3.5 LOW]

XSS Openproject
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-25516 PyPI MEDIUM POC PATCH This Month

Cross-site scripting in NiceGUI's ui.markdown() component allows unauthenticated attackers to inject malicious HTML and JavaScript into applications that render user-controlled markdown content, as the component lacks built-in sanitization unlike other NiceGUI HTML rendering functions. Public exploit code exists for this vulnerability affecting NiceGUI versions before 3.7.0. Applications using ui.markdown() with untrusted input are vulnerable to session hijacking, credential theft, and other client-side attacks.

Python XSS Nicegui
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-25581 npm MEDIUM POC PATCH This Month

Reflected cross-site scripting in SCEditor prior to version 3.2.1 allows attackers with control over configuration parameters to inject malicious scripts through unsanitized options like emoticons or charset settings. Public exploit code exists for this vulnerability, which affects any application integrating the affected SCEditor versions. A patch is available in version 3.2.1 and later.

XSS Sceditor
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-2064 LOW POC Monitor

A vulnerability was identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/meusdadod.php of the component User Data Page. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-25642 MEDIUM PATCH This Month

HedgeDoc prior to version 1.10.6 allows attackers to bypass content security policies on files served from the /uploads/ endpoint, enabling them to host malicious interactive content such as fake login forms via SVG files. This network-based attack requires user interaction but can lead to credential theft or social engineering attacks. A patch is available in version 1.10.6.

File Upload XSS Hedgedoc
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25647 MEDIUM POC PATCH This Month

Stored XSS in Lute's Markdown rendering engine (versions 1.7.6 and earlier) allows authenticated attackers to inject malicious JavaScript into notes that executes when other users view the rendered content. SiYuan and other applications using vulnerable Lute versions are affected, with public exploit code available. A patch is available and should be applied to prevent session hijacking and credential theft.

Golang XSS Siyuan
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-24050 MEDIUM PATCH This Month

Stored cross-site scripting in Zulip Server versions 5.0 through 11.4 allows authenticated attackers to execute arbitrary JavaScript through malicious group or channel names when administrators interact with user profile management features. An attacker with the ability to create or modify groups/channels can inject payloads that execute in the context of an administrator's session, potentially compromising account security or sensitive data. A patch is available in version 11.5.

XSS Zulip Server
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24903 MEDIUM POC This Month

OrcaStatLLM Researcher is an LLM Based Research Paper Generator. [CVSS 5.4 MEDIUM]

XSS AI / ML Orcastatllm Researcher
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1769 MEDIUM This Month

Stored cross-site scripting in Xerox CentreWare Web through version 7.0.6 enables attackers to inject malicious scripts that persist on the application and execute in users' browsers. An attacker with local access and user interaction can compromise confidentiality and potentially modify data within the CentreWare environment. No patch is currently available; upgrading to version 7.2.2.25 or later is recommended as a mitigation.

Windows XSS Centreware Web
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-23738 LOW Monitor

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. [CVSS 3.5 LOW]

XSS Asterisk Certified Asterisk
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2019-25301 MEDIUM POC This Month

Millhouse-Project 1.414 contains a persistent cross-site scripting vulnerability in the comment submission functionality that allows attackers to inject malicious scripts. [CVSS 6.4 MEDIUM]

PHP XSS
NVD GitHub Exploit-DB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2019-25294 MEDIUM POC This Month

html5_snmp 1.11 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through the 'Remark' parameter in add_router_operation.php. [CVSS 6.1 MEDIUM]

PHP SNMP XSS Html5 Snmp
NVD GitHub Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1337 Maven MEDIUM POC PATCH This Month

Neo4J versions up to 2026.01 contains a vulnerability that allows attackers to XSS if the user opens the logs in a tool that treats them as HTML (CVSS 5.4).

Github XSS Neo4j
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1293 MEDIUM This Month

Authenticated contributors and above can inject malicious scripts into WordPress pages through the Yoast SEO plugin (versions up to 26.8) by exploiting inadequate sanitization of the yoast-schema block attribute. When site visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user data or session security. No patch is currently available for this stored cross-site scripting vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1252 MEDIUM This Month

Stored XSS in the Events Listing Widget plugin for WordPress (versions ≤1.3.4) allows authenticated users with Author privileges or higher to inject malicious scripts through the Event URL parameter due to inadequate input validation. An attacker exploiting this vulnerability can execute arbitrary JavaScript in pages viewed by other users. No patch is currently available for this medium-severity vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1279 MEDIUM This Month

The Employee Directory plugin for WordPress through version 1.2.1 contains a stored cross-site scripting vulnerability in the search_employee_directory shortcode due to inadequate input validation on the form_title parameter. Authenticated users with Contributor privileges or higher can inject malicious scripts that persist in pages and execute in browsers of any user viewing the affected content. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1909 MEDIUM This Month

Stored XSS in WaveSurfer-WP plugin through improper sanitization of the audio shortcode 'src' attribute allows authenticated users with Contributor access or higher to inject malicious scripts into WordPress pages. When site visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available for versions up to 2.8.3.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1888 MEDIUM This Month

Authenticated WordPress users with Contributor access or higher can inject persistent malicious scripts into pages through the Docus - YouTube Video Playlist plugin (versions up to 1.0.6) via improper handling of shortcode attributes. These injected scripts execute in the browsers of any visitor to the affected pages, potentially compromising user sessions and data. No patch is currently available for this stored XSS vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1808 MEDIUM This Month

Stored cross-site scripting in the Orange Confort+ accessibility toolbar WordPress plugin through version 0.7 allows authenticated contributors and higher-privileged users to inject malicious scripts via the ocplus_button shortcode's style parameter due to inadequate input sanitization. When other users visit pages containing the injected content, the arbitrary scripts execute in their browsers, potentially compromising sessions or stealing sensitive data.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1401 MEDIUM This Month

Stored XSS in WordPress Tune Library plugin versions up to 1.6.3 allows authenticated users with Subscriber access to inject malicious scripts via CSV import due to inadequate input sanitization and output escaping. Attackers can execute arbitrary JavaScript in the context of any user viewing affected pages through the [tune-library] shortcode. No patch is currently available and exploitation requires valid WordPress credentials.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0521 MEDIUM POC This Month

Reflected XSS in TYDAC AG MAP+ 3.4.0 PDF export allows unauthenticated attackers to execute arbitrary JavaScript in victim browsers through malicious URLs, with public exploit code available. An attacker can deliver such links via email or social engineering to compromise user sessions and steal sensitive data. No patch is currently available.

XSS Map
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1971 LOW POC Monitor

A vulnerability has been found in Edimax BR-6288ACL up to 1.12. Impacted is the function wiz_WISP24gmanual of the file wiz_WISP24gmanual.asp. [CVSS 2.4 LOW]

XSS Br 6288Acl Firmware
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-15312 MEDIUM This Month

Tanium addressed an improper output sanitization vulnerability in Tanium Appliance. [CVSS 6.6 MEDIUM]

XSS Tanos
NVD
CVSS 3.1
6.6
EPSS
0.1%
CVE-2025-70792 PHP MEDIUM POC PATCH This Month

Cross Site Scripting vulnerability in the "/admin/category/create" endpoint of Microweber 2.0.19. An attacker can manipulate the "rel_id" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. [CVSS 6.1 MEDIUM]

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-70791 PHP MEDIUM POC PATCH This Month

Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. [CVSS 6.1 MEDIUM]

XSS Microweber
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-68723 CRITICAL Act Now

Multiple stored XSS vulnerabilities in Axigen Mail Server before 10.5.57 WebAdmin interface allow authenticated administrators to inject persistent malicious scripts that execute in other admin sessions.

TLS XSS Privilege Escalation Axigen Mail Server
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2025-68643 MEDIUM This Month

Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting (XSS) in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack. [CVSS 5.4 MEDIUM]

XSS Axigen Mail Server
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2020-37152 MEDIUM POC This Month

PHP-Fusion 9.03.50 panels.php is vulnerable to cross-site scripting (XSS) via the 'panel_content' POST parameter. The application fails to properly sanitize user input before rendering it in the browser, allowing attackers to inject arbitrary JavaScript. [CVSS 6.1 MEDIUM]

PHP XSS Phpfusion
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2020-37148 LOW POC Monitor

P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from a stored cross-site scripting vulnerability. [CVSS 3.5 LOW]

XSS
NVD Exploit-DB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-1927 MEDIUM This Month

The Greenshift animation and page builder plugin for WordPress (up to version 12.6) fails to properly validate user capabilities on the greenshift_app_pass_validation() function, allowing authenticated subscribers and above to extract sensitive plugin configuration including stored AI API keys and inject malicious scripts through the custom_css setting. This combination of information disclosure and stored cross-site scripting (XSS) requires only valid WordPress user credentials to exploit, with a partial patch available in version 12.6.

WordPress Authentication Bypass XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1654 MEDIUM This Month

Peter's Date Countdown plugin for WordPress through version 2.0.0 contains a reflected cross-site scripting vulnerability in the PHP_SELF parameter that allows unauthenticated attackers to inject malicious scripts. Exploitation requires social engineering to trick users into clicking a malicious link, but successful attacks can compromise user sessions and steal sensitive data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1319 MEDIUM This Month

Stored cross-site scripting in Robin Image Optimizer plugin versions up to 2.0.2 allows authenticated WordPress users with Author-level or higher privileges to inject malicious scripts through the Media Library image Alternative Text field. The injected scripts execute in the browsers of any user viewing affected pages, potentially compromising site visitors. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1953 This Week

user profile edit functionality at /ngc-cms/user-edit-profile.php. The application fails to properly sanitize user input in the name field is affected by cross-site scripting (xss).

PHP XSS
NVD GitHub
EPSS
0.0%
CVE-2026-1268 MEDIUM This Month

Stored cross-site scripting in the Dynamic Widget Content plugin for WordPress (versions up to 1.3.6) allows authenticated users with Contributor privileges or higher to inject malicious scripts through the Gutenberg editor widget content field due to inadequate input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, potentially compromising account security and enabling credential theft or unauthorized actions.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0867 MEDIUM This Month

Stored cross-site scripting in Essential Widgets for WordPress through version 3.0 allows authenticated contributors and above to inject malicious scripts into pages via insufficiently sanitized shortcode attributes. When other users visit affected pages, the injected scripts execute in their browsers, potentially compromising sessions or stealing sensitive data. A patch is not currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-25578 Go MEDIUM POC PATCH This Month

Navidrome versions before 0.60.0 contain a stored cross-site scripting vulnerability in song comment metadata that allows attackers to inject malicious scripts and steal user credentials when victims view affected music files. Public exploit code exists for this vulnerability. Administrators should upgrade to version 0.60.0 or later to remediate the risk.

XSS Navidrome Suse
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-25543 NuGet MEDIUM PATCH This Month

Htmlsanitizer versions up to 9.0.892 is affected by improper encoding or escaping of output (CVSS 6.1).

.NET XSS Htmlsanitizer
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2024-51451 MEDIUM This Month

Concert versions up to 2.1.0 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 6.5).

IBM XSS Concert
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-0947 PHP MEDIUM PATCH This Month

At Internet Piano Analytics versions up to 1.0.1 is affected by cross-site scripting (xss) (CVSS 4.8).

Drupal Industrial XSS At Internet Piano Analytics
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-0946 PHP MEDIUM PATCH This Month

Cross-site scripting in the AT Internet SmartTag Drupal module versions before 1.0.1 enables attackers to inject malicious scripts through improper input validation on web pages. An attacker can exploit this vulnerability remotely without authentication to steal session cookies, perform actions on behalf of users, or deface content, though user interaction is required for successful exploitation. No patch is currently available for affected Drupal installations.

Drupal XSS At Internet Smarttag
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2023-38017 MEDIUM This Month

IBM Cloud Pak System is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.3 MEDIUM]

IBM XSS Cloud Pak System Os Image For Red Hat Linux Systems
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25054 npm MEDIUM PATCH This Month

Stored cross-site scripting in n8n's markdown rendering component allows authenticated users to inject malicious scripts into workflows and sticky notes that execute with session privileges when viewed by other users. An attacker with workflow modification permissions can exploit this to hijack sessions and compromise accounts of users who interact with affected workflows. Versions 1.123.9 and 2.2.1 contain fixes for this vulnerability.

XSS AI / ML N8n
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25051 npm MEDIUM PATCH This Month

Improper Content Security Policy enforcement in n8n workflow automation allows authenticated users to inject persistent XSS payloads into webhook responses that execute with same-origin privileges when other users access the affected workflows. An attacker with workflow creation/modification permissions could exploit this to hijack sessions and compromise user accounts. The vulnerability affects n8n versions prior to 1.123.2.

XSS AI / ML N8n
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-20111 MEDIUM This Month

Stored XSS in Cisco Prime Infrastructure's web management interface allows authenticated administrators to inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking or sensitive data theft. The vulnerability stems from insufficient input validation on specific data fields and requires valid admin credentials to exploit. No patch is currently available.

Cisco XSS Prime Infrastructure Authentication Bypass
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-70545 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability exists in the web management interface of the PPC (Belden) ONT 2K05X router running firmware v1.1.9_206L. [CVSS 6.1 MEDIUM]

XSS Ppc 2k05x Firmware
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-0873 This Week

On a Cryptobox platform where administrator segregation based on entities is used, some vulnerabilities in Ercom Cryptobox administration console allows an authenticated entity administrator with knowledge to elevate his account to global administrator.

XSS
NVD
EPSS
0.1%
CVE-2025-41085 This Week

Stored Cross-Site Scripting (XSS) vulnerability type in Apidog in the version 2.7.15, where SVG image uploads are not properly sanitized.

XSS
NVD
EPSS
0.1%
CVE-2026-0743 MEDIUM This Month

Stored XSS in WordPress WP Content Permission plugin through the 'ohmem-message' parameter allows authenticated administrators to inject malicious scripts that execute for all users viewing affected pages. The vulnerability exists in versions up to 1.2 due to inadequate input sanitization and output escaping. Exploitation requires administrator-level privileges and no patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0742 MEDIUM This Month

Stored cross-site scripting in the Smart Appointment & Booking WordPress plugin through version 1.0.7 allows authenticated subscribers and higher-privileged users to inject malicious scripts into pages via the saab_save_form_data AJAX action due to inadequate input sanitization. Attackers can exploit this vulnerability to execute arbitrary JavaScript that persists and runs for any user viewing the compromised pages. No patch is currently available for this medium-severity flaw.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0681 MEDIUM This Month

Extended Random Number Generator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1819 HIGH This Week

Karel Electronics Industry and Trade Inc. ViPort is affected by cross-site scripting (xss) (CVSS 8.8).

XSS
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-22875 MEDIUM This Month

Stored XSS in Movable Type's Export Sites feature allows authenticated attackers to inject malicious scripts that execute in the browsers of logged-in users. The vulnerability affects Movable Type 7 and 8.4 series (both EOL) and requires an attacker to first store the crafted payload through the application. No patch is currently available for this medium-severity flaw.

XSS
NVD
CVSS 3.0
5.4
EPSS
0.0%
CVE-2026-21393 MEDIUM This Month

Stored XSS in Movable Type's Edit Comment feature allows authenticated attackers to inject malicious scripts that execute in logged-in users' browsers, affecting both current and end-of-life versions including the 7 and 8.4 series. An attacker with login credentials can craft and store malicious input that triggers arbitrary script execution when other users view or interact with comments. No patch is currently available for this medium-severity vulnerability.

XSS
NVD
CVSS 3.0
5.4
EPSS
0.0%
CVE-2026-1755 MEDIUM This Month

Stored cross-site scripting in WordPress Menu Icons by ThemeIsle plugin (versions up to 0.13.20) allows authenticated users with Author-level permissions or higher to inject malicious scripts through the attachment image alt meta field due to improper input sanitization. The injected scripts execute in the browsers of visitors accessing the affected pages, enabling session hijacking, credential theft, or malware distribution.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-36033 MEDIUM This Month

Engineering Lifecycle Management versions up to 7.0.3 is affected by cross-site scripting (xss) (CVSS 5.4).

IBM XSS Engineering Lifecycle Management
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2020-37087 POC This Week

Easy Transfer Wifi Transfer v1.7 for iOS contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts by manipulating the oldPath, newPath, and path parameters in Create Folder and Move/Edit functions.

XSS
NVD Exploit-DB
EPSS
0.2%
CVE-2026-25148 npm MEDIUM PATCH This Month

Improper serialization of virtual attributes in Qwik versions prior to 1.19.0 enables stored cross-site scripting attacks during server-side rendering, allowing attackers to inject malicious scripts that execute in users' browsers within the affected application context. The vulnerability requires user interaction and affects applications using vulnerable Qwik versions. A patch is available in version 1.19.0 and later.

XSS Qwik
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2020-37072 HIGH POC This Week

Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'comment_author' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers. [CVSS 7.2 HIGH]

XSS Victor Cms
NVD GitHub Exploit-DB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-25616 MEDIUM POC This Month

Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka CORE-5665. [CVSS 4.7 MEDIUM]

XSS Blesta
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-25522 PHP MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated attackers with high privileges to inject malicious scripts through unsanitized Shipping Zone name and description fields, which execute in administrators' browsers. Public exploit code exists for this vulnerability. Updates to versions 4.10.1 and 5.5.2 are available to remediate the issue.

XSS Craft Commerce
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25490 PHP MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated attackers with high privileges to inject malicious scripts via the Address Line 1 field in Inventory Locations, which execute in administrators' browsers when the field is viewed in the admin panel. Public exploit code exists for this vulnerability. Patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25489 PHP MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated attackers with high privileges to inject malicious scripts via unsanitized Tax Zone name and description fields, executing arbitrary JavaScript in administrators' browsers. Public exploit code exists for this vulnerability. Patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25488 PHP MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated administrators with high privileges to inject malicious scripts through unsanitized Tax Category fields, which execute when other admins view the affected pages. Public exploit code exists for this vulnerability. Patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25487 PHP MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated administrators with high privileges to inject malicious scripts via unsanitized Tax Rates name fields, enabling arbitrary JavaScript execution in other administrators' browsers. Public exploit code exists for this vulnerability. Patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25486 PHP MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce versions 5.0.0 through 5.5.1 permits authenticated attackers with administrative privileges to inject malicious scripts through the Shipping Methods Name field, which executes in other administrators' browsers when they access the Store Management interface. Public exploit code exists for this vulnerability. The flaw stems from insufficient input sanitization and is remediated in version 5.5.2.

XSS Craft Commerce
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25485 PHP MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce shipping category fields allows authenticated attackers with high privileges to inject malicious scripts that execute in administrators' browsers, affecting versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1. The vulnerability stems from insufficient sanitization of the Name and Description fields in the Store Management section before display in the admin panel. Public exploit code exists, and patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25484 PHP MEDIUM POC PATCH This Month

Stored cross-site scripting in Craft Commerce versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated users with product type management permissions to inject malicious scripts via unsanitized product type names that execute when administrators view user permissions settings. Public exploit code exists for this vulnerability. Upgrades to versions 4.10.1 or 5.5.2 resolve the issue.

XSS Craft Commerce
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25483 PHP MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce's Order Status History Message (versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1) allows authenticated attackers with database backup permissions to inject malicious scripts that execute in the context of other users' browsers. Public exploit code exists for this vulnerability, enabling attackers to exfiltrate sensitive data including user credentials, customer PII, order history, and 2FA recovery codes. Patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25482 PHP MEDIUM POC PATCH This Month

Craft Commerce versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 contain a stored DOM-based XSS vulnerability in the Recent Orders dashboard widget where unescaped Order Status Names allow arbitrary script execution when administrators access the dashboard. An attacker with the ability to modify order statuses can inject malicious JavaScript that executes in the context of any admin user, potentially leading to account compromise or unauthorized actions. Public exploit code exists for this vulnerability; patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-24426 MEDIUM This Month

The Tenda AC7 firmware web management interface fails to properly sanitize user input, enabling reflected cross-site scripting (XSS) attacks that can inject malicious scripts into a victim's browser. An unauthenticated attacker can exploit this vulnerability to steal session cookies, perform unauthorized actions, or redirect users to malicious sites. No patch is currently available for affected firmware versions V03.03.03.01_cn and earlier.

XSS Ac7 Firmware
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-24674 MEDIUM POC This Month

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 4.7 MEDIUM]

XSS Open Eclass Platform
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-24672 HIGH POC This Week

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 7.3 HIGH]

XSS Open Eclass Platform
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-24671 MEDIUM POC This Month

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 6.1 MEDIUM]

XSS Open Eclass Platform
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-24665 HIGH POC This Week

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 8.7 HIGH]

XSS Open Eclass Platform
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2025-71179 MEDIUM POC This Month

Creativeitem Academy LMS 7.0 contains reflected Cross-Site Scripting (XSS) vulnerabilities via the search parameter to the /academy/blogs endpoint, and the string parameter to the /academy/course_bundles/search/query endpoint. [CVSS 6.1 MEDIUM]

XSS Academy Lms
NVD GitHub Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-70849 Go MEDIUM POC PATCH This Month

Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. [CVSS 6.1 MEDIUM]

XSS Podinfo Suse
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-69848 MEDIUM This Month

NetBox is an open-source infrastructure resource modeling and IP address management platform. [CVSS 5.4 MEDIUM]

XSS Netbox
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-65924 MEDIUM This Month

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. [CVSS 4.1 MEDIUM]

XSS Erpnext
NVD GitHub
CVSS 3.1
4.1
EPSS
0.0%
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in the WordPress MP-Ukagaka plugin through version 1.5.2 allows unauthenticated attackers to inject malicious scripts into web pages due to insufficient input sanitization and output escaping. An attacker can exploit this by tricking users into clicking a malicious link, causing arbitrary JavaScript to execute in their browsers. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The Subitem AL Slider plugin for WordPress through version 1.0.0 fails to properly sanitize the PHP_SELF parameter, allowing unauthenticated attackers to inject malicious scripts through a crafted link. An attacker can trick users into clicking a malicious URL to execute arbitrary JavaScript in their browser sessions. No patch is currently available for this reflected XSS vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Wonka Slide WordPress plugin (versions up to 1.3.3) allows authenticated users with contributor-level permissions to inject malicious scripts through the `list_class` shortcode attribute due to inadequate input sanitization. When other users visit affected pages, the injected scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WordPress Wikiloops Track Player plugin (versions up to 1.0.1) allows authenticated contributors and above to inject malicious scripts through the wikiloops shortcode due to inadequate input sanitization and output escaping. Injected scripts execute in the browsers of users viewing affected pages, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the WordPress Video Onclick plugin through version 0.4.7 allows authenticated contributors and above to inject malicious scripts into pages via the youtube shortcode due to inadequate input sanitization. When users access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive information. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the OMIGO WordPress plugin through version 3.3 allows authenticated contributors and above to inject malicious scripts via the omigo_donate_button shortcode due to inadequate input sanitization, executing arbitrary code when users view affected pages. The vulnerability requires low privileges but impacts all users accessing compromised content, with no available patch as of now.

WordPress Golang XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Simple Bible Verse via Shortcode (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Premmerce WordPress plugin through version 1.3.20 contains a stored cross-site scripting vulnerability in the wizard AJAX endpoint due to inadequate input sanitization and output escaping on the state parameter. Authenticated users with subscriber-level permissions can inject malicious scripts that execute in the admin wizard interface when accessed by other users. No patch is currently available for this medium-severity vulnerability affecting plugin installations.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_raw_content shortcode in all versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 3.5
LOW Monitor

OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. [CVSS 3.5 LOW]

XSS Openproject
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Cross-site scripting in NiceGUI's ui.markdown() component allows unauthenticated attackers to inject malicious HTML and JavaScript into applications that render user-controlled markdown content, as the component lacks built-in sanitization unlike other NiceGUI HTML rendering functions. Public exploit code exists for this vulnerability affecting NiceGUI versions before 3.7.0. Applications using ui.markdown() with untrusted input are vulnerable to session hijacking, credential theft, and other client-side attacks.

Python XSS Nicegui
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Reflected cross-site scripting in SCEditor prior to version 3.2.1 allows attackers with control over configuration parameters to inject malicious scripts through unsanitized options like emoticons or charset settings. Public exploit code exists for this vulnerability, which affects any application integrating the affected SCEditor versions. A patch is available in version 3.2.1 and later.

XSS Sceditor
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/meusdadod.php of the component User Data Page. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

HedgeDoc prior to version 1.10.6 allows attackers to bypass content security policies on files served from the /uploads/ endpoint, enabling them to host malicious interactive content such as fake login forms via SVG files. This network-based attack requires user interaction but can lead to credential theft or social engineering attacks. A patch is available in version 1.10.6.

File Upload XSS Hedgedoc
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM POC PATCH This Month

Stored XSS in Lute's Markdown rendering engine (versions 1.7.6 and earlier) allows authenticated attackers to inject malicious JavaScript into notes that executes when other users view the rendered content. SiYuan and other applications using vulnerable Lute versions are affected, with public exploit code available. A patch is available and should be applied to prevent session hijacking and credential theft.

Golang XSS Siyuan
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in Zulip Server versions 5.0 through 11.4 allows authenticated attackers to execute arbitrary JavaScript through malicious group or channel names when administrators interact with user profile management features. An attacker with the ability to create or modify groups/channels can inject payloads that execute in the context of an administrator's session, potentially compromising account security or sensitive data. A patch is available in version 11.5.

XSS Zulip Server
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

OrcaStatLLM Researcher is an LLM Based Research Paper Generator. [CVSS 5.4 MEDIUM]

XSS AI / ML Orcastatllm Researcher
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Stored cross-site scripting in Xerox CentreWare Web through version 7.0.6 enables attackers to inject malicious scripts that persist on the application and execute in users' browsers. An attacker with local access and user interaction can compromise confidentiality and potentially modify data within the CentreWare environment. No patch is currently available; upgrading to version 7.2.2.25 or later is recommended as a mitigation.

Windows XSS Centreware Web
NVD
EPSS 0% CVSS 3.5
LOW Monitor

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. [CVSS 3.5 LOW]

XSS Asterisk Certified Asterisk
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM POC This Month

Millhouse-Project 1.414 contains a persistent cross-site scripting vulnerability in the comment submission functionality that allows attackers to inject malicious scripts. [CVSS 6.4 MEDIUM]

PHP XSS
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

html5_snmp 1.11 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through the 'Remark' parameter in add_router_operation.php. [CVSS 6.1 MEDIUM]

PHP SNMP XSS +1
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Neo4J versions up to 2026.01 contains a vulnerability that allows attackers to XSS if the user opens the logs in a tool that treats them as HTML (CVSS 5.4).

Github XSS Neo4j
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Authenticated contributors and above can inject malicious scripts into WordPress pages through the Yoast SEO plugin (versions up to 26.8) by exploiting inadequate sanitization of the yoast-schema block attribute. When site visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user data or session security. No patch is currently available for this stored cross-site scripting vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Events Listing Widget plugin for WordPress (versions ≤1.3.4) allows authenticated users with Author privileges or higher to inject malicious scripts through the Event URL parameter due to inadequate input validation. An attacker exploiting this vulnerability can execute arbitrary JavaScript in pages viewed by other users. No patch is currently available for this medium-severity vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Employee Directory plugin for WordPress through version 1.2.1 contains a stored cross-site scripting vulnerability in the search_employee_directory shortcode due to inadequate input validation on the form_title parameter. Authenticated users with Contributor privileges or higher can inject malicious scripts that persist in pages and execute in browsers of any user viewing the affected content. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WaveSurfer-WP plugin through improper sanitization of the audio shortcode 'src' attribute allows authenticated users with Contributor access or higher to inject malicious scripts into WordPress pages. When site visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available for versions up to 2.8.3.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Authenticated WordPress users with Contributor access or higher can inject persistent malicious scripts into pages through the Docus - YouTube Video Playlist plugin (versions up to 1.0.6) via improper handling of shortcode attributes. These injected scripts execute in the browsers of any visitor to the affected pages, potentially compromising user sessions and data. No patch is currently available for this stored XSS vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Orange Confort+ accessibility toolbar WordPress plugin through version 0.7 allows authenticated contributors and higher-privileged users to inject malicious scripts via the ocplus_button shortcode's style parameter due to inadequate input sanitization. When other users visit pages containing the injected content, the arbitrary scripts execute in their browsers, potentially compromising sessions or stealing sensitive data.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WordPress Tune Library plugin versions up to 1.6.3 allows authenticated users with Subscriber access to inject malicious scripts via CSV import due to inadequate input sanitization and output escaping. Attackers can execute arbitrary JavaScript in the context of any user viewing affected pages through the [tune-library] shortcode. No patch is currently available and exploitation requires valid WordPress credentials.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Reflected XSS in TYDAC AG MAP+ 3.4.0 PDF export allows unauthenticated attackers to execute arbitrary JavaScript in victim browsers through malicious URLs, with public exploit code available. An attacker can deliver such links via email or social engineering to compromise user sessions and steal sensitive data. No patch is currently available.

XSS Map
NVD
EPSS 0% CVSS 1.9
LOW POC Monitor

A vulnerability has been found in Edimax BR-6288ACL up to 1.12. Impacted is the function wiz_WISP24gmanual of the file wiz_WISP24gmanual.asp. [CVSS 2.4 LOW]

XSS Br 6288Acl Firmware
NVD VulDB
EPSS 0% CVSS 6.6
MEDIUM This Month

Tanium addressed an improper output sanitization vulnerability in Tanium Appliance. [CVSS 6.6 MEDIUM]

XSS Tanos
NVD
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Cross Site Scripting vulnerability in the "/admin/category/create" endpoint of Microweber 2.0.19. An attacker can manipulate the "rel_id" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. [CVSS 6.1 MEDIUM]

XSS Microweber
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. [CVSS 6.1 MEDIUM]

XSS Microweber
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL Act Now

Multiple stored XSS vulnerabilities in Axigen Mail Server before 10.5.57 WebAdmin interface allow authenticated administrators to inject persistent malicious scripts that execute in other admin sessions.

TLS XSS Privilege Escalation +1
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting (XSS) in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack. [CVSS 5.4 MEDIUM]

XSS Axigen Mail Server
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

PHP-Fusion 9.03.50 panels.php is vulnerable to cross-site scripting (XSS) via the 'panel_content' POST parameter. The application fails to properly sanitize user input before rendering it in the browser, allowing attackers to inject arbitrary JavaScript. [CVSS 6.1 MEDIUM]

PHP XSS Phpfusion
NVD Exploit-DB
EPSS 0% CVSS 3.5
LOW POC Monitor

P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from a stored cross-site scripting vulnerability. [CVSS 3.5 LOW]

XSS
NVD Exploit-DB
EPSS 0% CVSS 5.4
MEDIUM This Month

The Greenshift animation and page builder plugin for WordPress (up to version 12.6) fails to properly validate user capabilities on the greenshift_app_pass_validation() function, allowing authenticated subscribers and above to extract sensitive plugin configuration including stored AI API keys and inject malicious scripts through the custom_css setting. This combination of information disclosure and stored cross-site scripting (XSS) requires only valid WordPress user credentials to exploit, with a partial patch available in version 12.6.

WordPress Authentication Bypass XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Peter's Date Countdown plugin for WordPress through version 2.0.0 contains a reflected cross-site scripting vulnerability in the PHP_SELF parameter that allows unauthenticated attackers to inject malicious scripts. Exploitation requires social engineering to trick users into clicking a malicious link, but successful attacks can compromise user sessions and steal sensitive data. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Robin Image Optimizer plugin versions up to 2.0.2 allows authenticated WordPress users with Author-level or higher privileges to inject malicious scripts through the Media Library image Alternative Text field. The injected scripts execute in the browsers of any user viewing affected pages, potentially compromising site visitors. No patch is currently available.

WordPress XSS
NVD
EPSS 0%
This Week

user profile edit functionality at /ngc-cms/user-edit-profile.php. The application fails to properly sanitize user input in the name field is affected by cross-site scripting (xss).

PHP XSS
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Dynamic Widget Content plugin for WordPress (versions up to 1.3.6) allows authenticated users with Contributor privileges or higher to inject malicious scripts through the Gutenberg editor widget content field due to inadequate input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, potentially compromising account security and enabling credential theft or unauthorized actions.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Essential Widgets for WordPress through version 3.0 allows authenticated contributors and above to inject malicious scripts into pages via insufficiently sanitized shortcode attributes. When other users visit affected pages, the injected scripts execute in their browsers, potentially compromising sessions or stealing sensitive data. A patch is not currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Navidrome versions before 0.60.0 contain a stored cross-site scripting vulnerability in song comment metadata that allows attackers to inject malicious scripts and steal user credentials when victims view affected music files. Public exploit code exists for this vulnerability. Administrators should upgrade to version 0.60.0 or later to remediate the risk.

XSS Navidrome Suse
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Htmlsanitizer versions up to 9.0.892 is affected by improper encoding or escaping of output (CVSS 6.1).

.NET XSS Htmlsanitizer
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Concert versions up to 2.1.0 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 6.5).

IBM XSS Concert
NVD
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

At Internet Piano Analytics versions up to 1.0.1 is affected by cross-site scripting (xss) (CVSS 4.8).

Drupal Industrial XSS +1
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in the AT Internet SmartTag Drupal module versions before 1.0.1 enables attackers to inject malicious scripts through improper input validation on web pages. An attacker can exploit this vulnerability remotely without authentication to steal session cookies, perform actions on behalf of users, or deface content, though user interaction is required for successful exploitation. No patch is currently available for affected Drupal installations.

Drupal XSS At Internet Smarttag
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

IBM Cloud Pak System is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.3 MEDIUM]

IBM XSS Cloud Pak System +1
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in n8n's markdown rendering component allows authenticated users to inject malicious scripts into workflows and sticky notes that execute with session privileges when viewed by other users. An attacker with workflow modification permissions can exploit this to hijack sessions and compromise accounts of users who interact with affected workflows. Versions 1.123.9 and 2.2.1 contain fixes for this vulnerability.

XSS AI / ML N8n
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Improper Content Security Policy enforcement in n8n workflow automation allows authenticated users to inject persistent XSS payloads into webhook responses that execute with same-origin privileges when other users access the affected workflows. An attacker with workflow creation/modification permissions could exploit this to hijack sessions and compromise user accounts. The vulnerability affects n8n versions prior to 1.123.2.

XSS AI / ML N8n
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in Cisco Prime Infrastructure's web management interface allows authenticated administrators to inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking or sensitive data theft. The vulnerability stems from insufficient input validation on specific data fields and requires valid admin credentials to exploit. No patch is currently available.

Cisco XSS Prime Infrastructure +1
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability exists in the web management interface of the PPC (Belden) ONT 2K05X router running firmware v1.1.9_206L. [CVSS 6.1 MEDIUM]

XSS Ppc 2k05x Firmware
NVD GitHub
EPSS 0%
This Week

On a Cryptobox platform where administrator segregation based on entities is used, some vulnerabilities in Ercom Cryptobox administration console allows an authenticated entity administrator with knowledge to elevate his account to global administrator.

XSS
NVD
EPSS 0%
This Week

Stored Cross-Site Scripting (XSS) vulnerability type in Apidog in the version 2.7.15, where SVG image uploads are not properly sanitized.

XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in WordPress WP Content Permission plugin through the 'ohmem-message' parameter allows authenticated administrators to inject malicious scripts that execute for all users viewing affected pages. The vulnerability exists in versions up to 1.2 due to inadequate input sanitization and output escaping. Exploitation requires administrator-level privileges and no patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Smart Appointment & Booking WordPress plugin through version 1.0.7 allows authenticated subscribers and higher-privileged users to inject malicious scripts into pages via the saab_save_form_data AJAX action due to inadequate input sanitization. Attackers can exploit this vulnerability to execute arbitrary JavaScript that persists and runs for any user viewing the compromised pages. No patch is currently available for this medium-severity flaw.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Extended Random Number Generator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Karel Electronics Industry and Trade Inc. ViPort is affected by cross-site scripting (xss) (CVSS 8.8).

XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Movable Type's Export Sites feature allows authenticated attackers to inject malicious scripts that execute in the browsers of logged-in users. The vulnerability affects Movable Type 7 and 8.4 series (both EOL) and requires an attacker to first store the crafted payload through the application. No patch is currently available for this medium-severity flaw.

XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Movable Type's Edit Comment feature allows authenticated attackers to inject malicious scripts that execute in logged-in users' browsers, affecting both current and end-of-life versions including the 7 and 8.4 series. An attacker with login credentials can craft and store malicious input that triggers arbitrary script execution when other users view or interact with comments. No patch is currently available for this medium-severity vulnerability.

XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in WordPress Menu Icons by ThemeIsle plugin (versions up to 0.13.20) allows authenticated users with Author-level permissions or higher to inject malicious scripts through the attachment image alt meta field due to improper input sanitization. The injected scripts execute in the browsers of visitors accessing the affected pages, enabling session hijacking, credential theft, or malware distribution.

WordPress XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Engineering Lifecycle Management versions up to 7.0.3 is affected by cross-site scripting (xss) (CVSS 5.4).

IBM XSS Engineering Lifecycle Management
NVD
EPSS 0%
POC This Week

Easy Transfer Wifi Transfer v1.7 for iOS contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts by manipulating the oldPath, newPath, and path parameters in Create Folder and Move/Edit functions.

XSS
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Improper serialization of virtual attributes in Qwik versions prior to 1.19.0 enables stored cross-site scripting attacks during server-side rendering, allowing attackers to inject malicious scripts that execute in users' browsers within the affected application context. The vulnerability requires user interaction and affects applications using vulnerable Qwik versions. A patch is available in version 1.19.0 and later.

XSS Qwik
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC This Week

Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'comment_author' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers. [CVSS 7.2 HIGH]

XSS Victor Cms
NVD GitHub Exploit-DB
EPSS 0% CVSS 4.7
MEDIUM POC This Month

Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka CORE-5665. [CVSS 4.7 MEDIUM]

XSS Blesta
NVD
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated attackers with high privileges to inject malicious scripts through unsanitized Shipping Zone name and description fields, which execute in administrators' browsers. Public exploit code exists for this vulnerability. Updates to versions 4.10.1 and 5.5.2 are available to remediate the issue.

XSS Craft Commerce
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated attackers with high privileges to inject malicious scripts via the Address Line 1 field in Inventory Locations, which execute in administrators' browsers when the field is viewed in the admin panel. Public exploit code exists for this vulnerability. Patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated attackers with high privileges to inject malicious scripts via unsanitized Tax Zone name and description fields, executing arbitrary JavaScript in administrators' browsers. Public exploit code exists for this vulnerability. Patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated administrators with high privileges to inject malicious scripts through unsanitized Tax Category fields, which execute when other admins view the affected pages. Public exploit code exists for this vulnerability. Patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated administrators with high privileges to inject malicious scripts via unsanitized Tax Rates name fields, enabling arbitrary JavaScript execution in other administrators' browsers. Public exploit code exists for this vulnerability. Patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce versions 5.0.0 through 5.5.1 permits authenticated attackers with administrative privileges to inject malicious scripts through the Shipping Methods Name field, which executes in other administrators' browsers when they access the Store Management interface. Public exploit code exists for this vulnerability. The flaw stems from insufficient input sanitization and is remediated in version 5.5.2.

XSS Craft Commerce
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce shipping category fields allows authenticated attackers with high privileges to inject malicious scripts that execute in administrators' browsers, affecting versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1. The vulnerability stems from insufficient sanitization of the Name and Description fields in the Store Management section before display in the admin panel. Public exploit code exists, and patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Stored cross-site scripting in Craft Commerce versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated users with product type management permissions to inject malicious scripts via unsanitized product type names that execute when administrators view user permissions settings. Public exploit code exists for this vulnerability. Upgrades to versions 4.10.1 or 5.5.2 resolve the issue.

XSS Craft Commerce
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce's Order Status History Message (versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1) allows authenticated attackers with database backup permissions to inject malicious scripts that execute in the context of other users' browsers. Public exploit code exists for this vulnerability, enabling attackers to exfiltrate sensitive data including user credentials, customer PII, order history, and 2FA recovery codes. Patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Craft Commerce versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 contain a stored DOM-based XSS vulnerability in the Recent Orders dashboard widget where unescaped Order Status Names allow arbitrary script execution when administrators access the dashboard. An attacker with the ability to modify order statuses can inject malicious JavaScript that executes in the context of any admin user, potentially leading to account compromise or unauthorized actions. Public exploit code exists for this vulnerability; patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

The Tenda AC7 firmware web management interface fails to properly sanitize user input, enabling reflected cross-site scripting (XSS) attacks that can inject malicious scripts into a victim's browser. An unauthenticated attacker can exploit this vulnerability to steal session cookies, perform unauthorized actions, or redirect users to malicious sites. No patch is currently available for affected firmware versions V03.03.03.01_cn and earlier.

XSS Ac7 Firmware
NVD
EPSS 0% CVSS 4.7
MEDIUM POC This Month

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 4.7 MEDIUM]

XSS Open Eclass Platform
NVD GitHub
EPSS 0% CVSS 7.3
HIGH POC This Week

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 7.3 HIGH]

XSS Open Eclass Platform
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 6.1 MEDIUM]

XSS Open Eclass Platform
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC This Week

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 8.7 HIGH]

XSS Open Eclass Platform
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Creativeitem Academy LMS 7.0 contains reflected Cross-Site Scripting (XSS) vulnerabilities via the search parameter to the /academy/blogs endpoint, and the string parameter to the /academy/course_bundles/search/query endpoint. [CVSS 6.1 MEDIUM]

XSS Academy Lms
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. [CVSS 6.1 MEDIUM]

XSS Podinfo Suse
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

NetBox is an open-source infrastructure resource modeling and IP address management platform. [CVSS 5.4 MEDIUM]

XSS Netbox
NVD GitHub
EPSS 0% CVSS 4.1
MEDIUM This Month

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. [CVSS 4.1 MEDIUM]

XSS Erpnext
NVD GitHub
Prev Page 43 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy