Skip to main content

XSS

38815 CVEs technique

Monthly

CVE-2025-64637 MEDIUM This Month

Unauthenticated content injection in the Auros Core WordPress plugin (versions 5.3.1 and earlier) permits remote attackers to inject script-related HTML tags into rendered page output without any privileges or user interaction. The vulnerability is classified under CWE-80 (Basic XSS) and carries a CVSS 3.1 score of 5.3 (Medium), with impact limited to low confidentiality - consistent with an attacker reading page-context data rather than persistently compromising other users' sessions. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57620 MEDIUM This Month

Stored Cross-Site Scripting in the Exclusive Addons Elementor WordPress plugin (versions through 2.7.9.8) allows authenticated low-privileged users to inject persistent malicious scripts into Elementor widgets that execute in the browsers of site visitors and administrators. The scope change (S:C in the CVSS vector) indicates the injected payload escapes the attacker's context and affects other users, enabling session hijacking, credential theft, or privilege escalation to admin. No public exploit code or CISA KEV listing is identified at time of analysis, but Patchstack has disclosed the vulnerability publicly.

XSS Exclusive Addons Elementor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-6658 MEDIUM This Month

Cross-site scripting in jupyter/nbconvert versions 7.17.0 and earlier allows any user with notebook write access to inject and execute arbitrary JavaScript in the browsers of users who view HTML-exported notebooks. The flaw stems from the `data_mermaid` rendering block in `share/templates/lab/base.html.j2`, which outputs `text/vnd.mermaid` cell content directly into HTML without escaping, enabling tag breakout from the enclosing `<pre>` element. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the stored-XSS pattern means any user who views a maliciously crafted HTML export is at risk.

XSS Jupyter Jupyter Suse
NVD
CVSS 3.0
5.4
EPSS
0.2%
CVE-2026-8661 MEDIUM PATCH This Month

Server-side JavaScript execution and outbound HTTP request capabilities in Rapid7 InsightConnect Markdown Plugin versions 3.1.4 and earlier allow remote attackers to execute arbitrary scripts and make unauthorized HTTP requests through malicious content embedded in Markdown input to the markdown_to_pdf action. The PDF rendering engine lacks sufficient restrictions on script execution and network access. Patched version 4.0.0 is available from the vendor.

XSS SSRF Insightconnect Markdown Plugin
NVD GitHub
CVSS 3.1
4.8
EPSS
0.3%
CVE-2026-50745 MEDIUM This Month

Reflected cross-site scripting in Revive Adserver's stats-video.php script allows remote attackers to inject arbitrary JavaScript into victim browsers by delivering a crafted URL. The Smarty template engine's custom `url` helper function emits attacker-controlled values without HTML encoding or sanitization, and the URL construction pattern for this endpoint exposes user input directly in rendered output. No active exploitation has been confirmed (not in CISA KEV), but the vulnerability is reachable without authentication and requires only victim interaction with a malicious link.

XSS PHP Adserver
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-50740 MEDIUM This Month

Reflected XSS in Revive Adserver 6.0.7 and earlier allows a low-privileged user to inject unsanitized JavaScript via the `refresh` parameter in the zone-include.php iFrame invocation script. The CVSS scope change (S:C) indicates that attacker-controlled script executes in the victim's browser security context, enabling session hijacking, credential theft, or malicious redirects against targeted users who click a crafted URL. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the low attack complexity makes this straightforward for any attacker with XSS capability.

XSS PHP Adserver
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-50742 MEDIUM This Month

Stored cross-site scripting in Revive Adserver 6.0.7 allows an authenticated low-privilege attacker to inject persistent XSS payloads via entity names that render unescaped within the maintenance-acl-check.php and maintenance-banners-check.php tools. When an administrator later runs these maintenance utilities and inconsistencies are detected, the malicious payload executes in the admin's browser context, potentially enabling session hijacking or unauthorized administrative actions. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the AC:H vector reflects that payload execution is partially outside attacker control, contingent on admin use of the specific maintenance tools.

XSS PHP Adserver
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-13083 MEDIUM This Month

Stored XSS in Red Hat's Pen Drive report generator allows a cluster administrator to inject persistent JavaScript payloads into cluster objects such as ClusterVersion spec.channel, which then execute in the browser of any user who opens a generated HTML report. The flaw (CWE-79) stems from cluster-sourced data being rendered into HTML output without escaping or sanitization, crossing a security boundary (S:C) from infrastructure into end-user browser sessions. No public exploit or CISA KEV listing has been identified at time of analysis, but the C:H confidentiality impact indicates potential for session token or credential harvesting from report consumers.

XSS Pen Drive
NVD
CVSS 3.1
6.9
EPSS
0.2%
CVE-2026-50765 MEDIUM This Month

Cross-Site Scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field)

XSS N A
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-50767 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg)

XSS N A
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-50766 MEDIUM This Month

Stored cross-site scripting in Koha Library Management System's OPAC item detail page enables persistent script injection via the item public notes field (items.itemnotes), affecting all versions through 25.11. An authenticated attacker holding the edit_items permission can plant malicious JavaScript that executes in the browsers of any patron or staff member who subsequently views the affected item's detail page in the OPAC. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at 0.21% (12th percentile), suggesting limited threat actor interest currently.

XSS N A
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2020-37256 PHP MEDIUM PATCH This Month

Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS RCE Grav
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-9086 HIGH PATCH This Week

Stored Cross-Site Scripting in Red Hat Build of Keycloak lets an authenticated administrator with `manage-client` permission (or access to client registration endpoints) register a malicious client whose redirect URI uses a case-insensitive `javascript:` or `data:` scheme, bypassing URI validation. When a victim later clicks a crafted link - for example during the logout flow or within the Admin Console - the script executes in the Keycloak origin, enabling session/token theft and effective code execution in that trusted context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it carries a CVSS 7.3 (PR:L, UI:R).

XSS RCE Red Hat Build Of Keycloak
NVD
CVSS 3.1
7.3
EPSS
0.4%
CVE-2026-54025 MEDIUM PATCH This Month

Cross-site scripting in LibreChat's markdown artifact preview pipeline allows an authenticated attacker to inject arbitrary JavaScript into a victim's browser session via crafted image alt text. The marked library v15.0.12 fails to HTML-escape double-quote characters in image alt text when LibreChat's custom image renderer falls through to the built-in renderer, enabling attribute breakout via payloads like `" onload="payload`. The resulting unsanitized HTML is written directly to `innerHTML` inside the Sandpack preview iframe, executing attacker-controlled code in the victim's browser. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; fixed in version 0.8.4-rc1.

XSS Librechat
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-48940 LOW Monitor

Stored cross-site scripting in K2 extension for Joomla (versions 1.0-2.26) allows an authenticated Author-tier user to inject arbitrary JavaScript into the embedVideo POST field, which K2 stores verbatim and renders unescaped to every subsequent visitor of that article page. Any Joomla user granted K2 'create item' rights - the Author tier by default - can weaponize this to steal session cookies, redirect victims, or perform actions on behalf of any visitor including administrators. No public exploit code has been identified at time of analysis, and CISA SSVC classifies exploitation as none with partial technical impact.

XSS K2 Extension For Joomla
NVD
CVSS 3.1
3.4
EPSS
0.2%
CVE-2026-48942 MEDIUM This Month

K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.

XSS K2 Extension For Joomla
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-57532 HIGH PATCH This Week

Stored cross-site scripting in Pretix's PDF ticket and badge layout editor allows one backend user to inject JavaScript that executes in another backend user's browser when they open the PDF editor. Affected is the open-source Pretix event-ticketing platform on versions prior to the 2026.5.2 release; the malicious HTML embedded in a layout specification runs because the PDF editor page is one of the few backend pages that lacks a strong Content-Security-Policy. There is no public exploit identified at time of analysis, but the vendor has confirmed and patched the issue.

XSS Pretix
NVD VulDB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-57533 LOW PATCH Monitor

HTML injection on the pretix untrusted-redirect warning page enables phishing attacks against end users. Affecting the open-source event ticketing platform (all versions prior to 2026.5.2), authenticated low-privileged users can embed malicious HTML content into the redirect interstitial page that pretix displays before forwarding visitors to external URLs. The presence of a Content-Security-Policy on that page blocks script execution, so the primary attack surface is social engineering and credential phishing rather than full cross-site scripting. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Pretix
NVD
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-57535 LOW PATCH Monitor

HTML injection into server-side PDF rendering contexts in Pretix enables low-privileged authenticated users to embed external image references that trigger outbound HTTP requests from the rendering engine, leaking the server's network identity and creating an SSRF vector against internal network services. The CVSS 4.0 score of 2.1 reflects genuinely low severity - exploitation requires authentication, specific content reaching PDF rendering paths, and passive user interaction to trigger PDF generation. No public exploit code exists and this vulnerability is absent from CISA KEV.

XSS SSRF Pretix
NVD VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-13225 MEDIUM PATCH This Month

HTML injection on pretix's individual ticket confirmation page allows unsanitized email address content to execute arbitrary HTML - including scripts - in the browser of anyone who views that page. The injection point is the email address field submitted at order creation, which pretix stored and rendered without output encoding on the per-ticket confirmation view. Exploitation requires no authentication (PR:N in CVSS 4.0) but does require a victim to load the affected page (UI:P). No public exploit is identified and the vulnerability is not listed in CISA KEV; a vendor-released patch is available in version 2026.5.2.

XSS Pretix
NVD
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-57534 LOW PATCH Monitor

HTML injection in the pretix-pages plugin for Pretix event ticketing software permits a high-privileged authenticated user to embed malicious HTML tags into plugin-rendered page content, which subsequently executes in the browsers of site visitors who view those pages. All tracked versions under cpe:2.3:a:pretix:pretix-pages are affected, with a vendor-released fix published 2026-06-25 in Pretix release 2026.5.2. No public exploit code or active exploitation has been identified at time of analysis.

XSS Pretix Pages
NVD
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-13314 LOW PATCH Monitor

HTML injection in the pretix-digital Pretix ticketing plugin (CWE-80) allows high-privileged operators to embed malicious script-bearing HTML into event content that subsequently executes in the browsers of end users viewing rendered ticket or event pages. All versions of the plugin are indicated as affected per the CPE wildcard, with a vendor fix shipped in the 2026.5.2 release. No public exploit has been identified at time of analysis, the vulnerability is absent from the CISA KEV catalog, and the low CVSS 4.0 score of 2.0 reflects the high privilege and specific preconditions required for exploitation.

XSS Pretix Digital
NVD
CVSS 4.0
2.0
EPSS
0.3%
CVE-2026-56071 HIGH This Week

Cross-site scripting in the Forminator WordPress plugin (versions 1.53.1 and earlier, by WPMU DEV) lets unauthenticated remote attackers inject malicious script that executes in a victim's browser when they interact with crafted content. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C, score 7.1) confirms no authentication is required but that user interaction triggers the payload, and the changed scope means the injected script runs in a security context beyond the vulnerable component. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Forminator
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56051 HIGH This Week

Reflected cross-site scripting in the TablePress WordPress plugin (versions 3.3.1 and earlier) lets an unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed (S:C), successful exploitation can affect resources beyond the vulnerable component, including the WordPress admin session context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported through Patchstack's WordPress vulnerability program.

XSS Tablepress
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56042 HIGH This Week

Stored/reflected Cross-Site Scripting in the Advanced Order Export For WooCommerce WordPress plugin (by AlgolPlus) affects all versions up to and including 4.0.9, letting a remote attacker inject script that executes in the browser of a victim who views attacker-controlled order/export data. The flaw carries a CVSS 7.1 rating driven by a scope change (attacker script runs outside the vulnerable component's security context) and requires victim interaction; there is no public exploit identified at time of analysis and it is not on the CISA KEV list.

WordPress XSS Advanced Order Export For Woocommerce
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56014 HIGH This Week

Stored or reflected cross-site scripting in the Averta Master Slider WordPress plugin (versions 3.11.2 and earlier) lets unauthenticated remote attackers inject script that executes in a victim's browser, but only after the victim interacts with attacker-supplied content (UI:R). The CVSS:3.1 vector's scope change (S:C) reflects that injected code runs in the browser's trust context rather than the plugin's, enabling session theft or actions on behalf of the victim. There is no public exploit identified at time of analysis and the issue is not on CISA KEV.

XSS Master Slider
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56006 HIGH This Week

Reflected cross-site scripting in the H5P WordPress plugin (versions 1.17.6 and earlier) lets an unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link, per the CVSS PR:N/UI:R vector. Because the scope is changed (S:C), successful execution can reach beyond the vulnerable component into the authenticated WordPress session context, enabling session/cookie theft or admin-context actions. There is no public exploit identified and the issue is not listed in CISA KEV, so risk is moderate (CVSS 7.1) and contingent on social-engineering a logged-in user.

XSS H5P
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56005 HIGH This Week

Stored/reflected Cross-Site Scripting in Melapress's WP Activity Log WordPress plugin (versions <= 5.6.3.1, reported by Patchstack) lets a low-privileged Subscriber-level user inject script that executes in another user's browser, with a CVSS-rated scope change (S:C) meaning the payload can affect resources beyond the plugin's own security context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; direct impact is limited (C:L/I:L/A:L) but the cross-context scope and low attack complexity make it relevant for sites that allow open registration.

XSS Wp Activity Log
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-5305 HIGH POC PATCH This Week

Stored cross-site scripting in the Email Address Encoder WordPress plugin (free, before 1.0.25) and its Email Encoder Premium counterpart (before 0.3.12) lets unauthenticated visitors inject persistent JavaScript through the plugin's flawed email-replacement handling. Publicly available exploit code exists (disclosed by WPScan) and a vendor patch is available, but it is not in CISA KEV, so there is no public exploit identified as actively used in the wild. Successful exploitation executes attacker script in the browser of any user who later renders the affected page, typically an authenticated administrator.

WordPress XSS Email Address Encoder Email Encoder Premium
NVD WPScan VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-10712 MEDIUM PATCH This Month

Cross-site scripting in GitLab CE/EE (18.10 through 18.11.5, 19.0 through 19.0.2, and 19.1.0) lets an unauthenticated attacker run arbitrary JavaScript in a victim's authenticated browser session by abusing improper path validation, but only under specific conditions and after a logged-in user interacts with attacker-controlled content. The CVSS 8.0 rating (scope-changed, high confidentiality and integrity impact) reflects that successful exploitation effectively hijacks the victim's GitLab session. No public exploit has been identified at time of analysis and the issue is not in CISA KEV, though a HackerOne report exists and GitLab shipped fixes in 18.11.6, 19.0.3, and 19.1.1.

XSS Gitlab
NVD VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-10086 MEDIUM PATCH NEWS This Month

Stored cross-site scripting in GitLab Enterprise Edition (all versions from 16.4 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1) lets an authenticated user holding only developer-role permissions inject unsanitized input that executes as JavaScript in a victim's browser session. Because the script runs with scope change in the context of another (potentially higher-privileged) user, an attacker can hijack sessions, exfiltrate data, or act on the victim's behalf. The flaw was reported privately via HackerOne and patched by GitLab; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Gitlab
NVD VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-10833 MEDIUM This Month

Stored Cross-Site Scripting in Essential Blocks for WordPress (all versions through 6.1.4) allows authenticated Contributor-level users to permanently embed malicious JavaScript into pages via the `configurablePrefix` attribute of the Table of Contents block. The payload persists in the database and executes in every subsequent visitor's browser, enabling session hijacking, credential theft, or forced redirects at scale across the site's audience. No public exploit code or CISA KEV listing is present in the available intelligence, but Wordfence's disclosure paired with publicly accessible source-level Trac links substantially lowers the effort required to develop a working exploit.

WordPress XSS Gutenberg Essential Blocks Page Builder For Gutenberg Blocks Patterns
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-9780 HIGH This Week

Authentication bypass via cross-site scripting in Quest NetVault Backup's addclient3 webpage allows remote attackers to inject arbitrary script that executes in a victim's authenticated session, bypassing access controls. Disclosed through Trend Micro's Zero Day Initiative (ZDI-26-369, formerly ZDI-CAN-27666), the flaw requires user interaction - the target must visit a malicious page or open a malicious file - and can be chained with other weaknesses to achieve code execution in the SYSTEM context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, though the high CVSS of 8.8 reflects the serious downstream RCE potential.

Authentication Bypass XSS RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-7569 HIGH This Week

Authentication bypass via cross-site scripting in the Quest NetVault Backup viewclient web interface lets remote attackers inject arbitrary script that, when a victim visits a malicious page or opens a malicious file, runs in the application context and circumvents authentication. Disclosed through Trend Micro's Zero Day Initiative (ZDI-26-377, ZDI-CAN-28202), the flaw can be chained with additional vulnerabilities to achieve code execution as SYSTEM. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 8.8 rating reflects the high impact of the auth-bypass-plus-RCE chain.

Authentication Bypass XSS RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-55570 CRITICAL PATCH Act Now

Stored cross-site scripting leading to OS command execution in SiYuan, an open-source personal knowledge management system, affects all desktop client versions prior to 3.7.0. Untrusted marketplace package metadata (name, version, author, description) is serialized via JSON.stringify() into a single-quoted data-obj HTML attribute without escaping single quotes or angle brackets, so a package name containing a single quote breaks out of the attribute and injects arbitrary HTML; because the Electron BrowserWindow runs with nodeIntegration:true and contextIsolation:false, the DOM XSS escalates to arbitrary command execution on the host. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-x88j-wgpr-h22x) notes this is the same root cause and impact as a prior advisory, reached through a sibling sink the earlier patch missed.

Command Injection XSS Siyuan
NVD GitHub
CVSS 3.1
9.0
EPSS
0.3%
CVE-2026-54759 HIGH PATCH This Week

Arbitrary command execution in the SiYuan Electron desktop client (versions prior to 3.7.0) allows a remote attacker to run OS commands on a victim's machine when they merely view a malicious Bazaar marketplace package's README. The root cause is that Lute's HTML sanitizer fails to strip <iframe> elements, which combine with the Electron client's permissive security settings (e.g. node integration / relaxed sandboxing) to escalate stored XSS into full code execution; notably no package installation is required, only viewing the package details. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 8.7 (High) reflects high confidentiality, integrity, and availability impact.

XSS Siyuan
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-50551 Go CRITICAL PATCH GHSA Act Now

Stored cross-site scripting in SiYuan's Attribute View (database) asset cell renderer escalates to remote code execution on the Electron desktop client for all versions prior to 3.7.0. An attacker who can persist crafted content into a database asset cell has malicious JavaScript executed in the privileged Electron context, breaking out to the host operating system; the issue carries a 9.9 CVSS and is fixed in 3.7.0. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

XSS RCE Siyuan
NVD GitHub
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-54158 Go CRITICAL POC PATCH GHSA Act Now

Stored cross-site scripting in SiYuan's attribute-view (database) cell renderer, affecting all versions prior to 3.7.0, lets a low-privileged attacker with write access to a synced workspace plant a persistent payload that runs arbitrary JavaScript when a victim opens the block-attribute panel. The genAVValueHTML function interpolates cell content raw in its text, url, phone, and mAsset branches and the Go kernel never escapes the value on input, so the malicious row survives sync byte-for-byte and fires on every device that renders it; on the Electron desktop client (nodeIntegration:true) the XSS escalates to host remote code execution via require('child_process'). CVSS is rated 9.9; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Siyuan
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-54070 Go HIGH POC PATCH GHSA This Week

Stored cross-site scripting in SiYuan personal knowledge management system before 3.7.0 allows a third-party Bazaar package author to execute JavaScript in an Administrator's authenticated workspace origin. The lute sanitizer used by renderPackageREADME relies on a stale event-handler blocklist that omits modern DOM event attributes (onpointerover, onpointerdown, onauxclick, onbeforetoggle, onfocusin, onanimationstart, ontransitionend), and the rendered README HTML is injected via innerHTML with no client-side DOMPurify and no CSP/X-Frame-Options/X-Content-Type-Options headers. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but successful exploitation yields full control of the victim's workspace.

XSS Siyuan
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-54069 Go CRITICAL POC PATCH GHSA Act Now

Origin-validation bypass in SiYuan Note (open-source personal knowledge management) before 3.7.0 lets any installed Chrome/Chromium browser extension obtain RoleAdministrator access to the local kernel HTTP server at 127.0.0.1:6806. Because the kernel unconditionally trusts all chrome-extension:// origins and desktop installs ship with an empty AccessAuthCode by default, a malicious or supply-chain-compromised extension can issue fully authenticated admin API calls with no further authentication, enabling data exfiltration, stored XSS injection, and configuration tampering. Publicly available exploit code exists; there is no public exploit identified as actively exploited.

XSS Google Siyuan
NVD GitHub
CVSS 4.0
9.2
EPSS
0.6%
CVE-2026-47733 MEDIUM PATCH This Month

Stored XSS in Rocket.Chat's Gazzodown Markdown renderer allows authenticated users to inject javascript: protocol URIs into image elements that execute arbitrary JavaScript in a victim's browser session upon click. The ImageElement component in versions prior to 8.5.0 omits the sanitizeUrl() guard applied by the analogous LinkSpan component, creating an inconsistency that bypasses javascript:, data:, and vbscript: protocol blocking. No public exploit has been identified at time of analysis; exploitation is constrained to legacy browsers and requires victim interaction, reflected in the official CVSS score of 4.4 Medium.

XSS
NVD GitHub
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-54067 Go CRITICAL POC PATCH GHSA Act Now

Stored cross-site scripting in SiYuan personal knowledge management before 3.7.0 lets an attacker with write access to a synced workspace plant a CSS snippet whose '</style>' sequence breaks out of the surrounding <style> tag when renderSnippet() interpolates it via insertAdjacentHTML, running arbitrary JavaScript in the renderer. On Electron desktop builds the renderer runs with nodeIntegration:true, so the injected handler can reach require('child_process') and escalate the XSS to full host remote code execution. The payload syncs through the workspace repository and fires automatically on every device that pulls, and it bypasses the user's enabledJS=off setting; no public exploit or CISA KEV listing is identified at time of analysis.

XSS Siyuan
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-49220 MEDIUM PATCH This Month

Stored XSS in Jellyfin's administrative dashboard allows a low-privileged user to execute arbitrary JavaScript in the browser context of a logged-in administrator. The `Client` header supplied during an `AuthenticateByName` API request is stored without sanitization and rendered unescaped when an administrator visits the Access tab of that user's profile in the dashboard. Affecting all versions prior to 10.11.9, successful exploitation could enable admin session hijacking, credential exfiltration, or unauthorized administrative actions; no public exploit or CISA KEV listing has been identified at time of analysis.

XSS Jellyfin
NVD GitHub
CVSS 3.1
5.7
EPSS
0.2%
CVE-2026-53948 MEDIUM PATCH This Month

Stored cross-site scripting in Ghost CMS (versions 6.19.4 through 6.21.0) is enabled by the Admin API file upload endpoint accepting and preserving attacker-supplied Content-Type headers without server-side validation. When Ghost is configured with S3 or GCS storage backends that serve uploaded files from the same origin as the site, an authenticated attacker can upload a file with a crafted Content-Type (e.g., text/html) that causes browsers to execute it as HTML or JavaScript, enabling stored XSS against visitors and staff. No public exploit code has been identified at time of analysis, and the vulnerability is fixed in Ghost 6.21.1.

Node.js XSS File Upload Ghost
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-53950 HIGH PATCH This Week

Cross-site scripting (JavaScript injection) in Ghost's ActivityPub client (@tryghost/activitypub) prior to version 3.1.0 allows a malicious federated server to embed attacker-controlled script in shared posts that executes in the browser of a victim Ghost user who views the content. The flaw stems from improper sanitization of post content received over ActivityPub federation, enabling session theft or actions performed in the victim's authenticated context. There is no public exploit identified at the time of analysis, and the issue is not listed in CISA KEV.

XSS Ghost
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-50712 MEDIUM This Month

Stored XSS in Frappe Framework 17.0.0-dev allows authenticated low-privileged users to inject persistent malicious scripts via the frappe.ui.Tree component, which then execute in the browsers of other users who load the affected tree view. Reported by Fluid Attacks, this vulnerability carries a CVSS 4.0 score of 4.8 reflecting cross-user scope change impact despite limited direct system compromise. No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-50711 MEDIUM This Month

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows a high-privileged authenticated user to inject persistent malicious scripts into the Number Card dashboard component, which then execute in the browsers of other users who view the affected dashboard. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation requires admin-level access to plant the payload and a victim's browser interaction to trigger it, limiting realistic blast radius despite the network delivery vector. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.6
EPSS
0.3%
CVE-2026-50710 MEDIUM This Month

Stored XSS in Frappe Framework version 17.0.0-dev allows a high-privileged authenticated user to inject malicious JavaScript through the Number Card dashboard component, which subsequently executes in other authenticated users' browser sessions when they view affected dashboards. The CVSS 4.0 score of 4.6 (Medium) reflects the dual constraint of requiring high-privilege credentials to plant the payload and active victim interaction to trigger it - both of which meaningfully limit real-world exploitability. No public exploit code or CISA KEV listing is identified at time of analysis; this was reported by Fluid Attacks.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.6
EPSS
0.3%
CVE-2026-50709 MEDIUM This Month

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persistent JavaScript payloads via the Notifications > Events panel, which execute in the browser context of any user who subsequently views that panel. The CVSS 4.0 vector confirms subsequent-system scope impact (SC:L/SI:L), meaning the attack targets other users rather than the attacker's own session. No public exploit has been identified and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-50708 MEDIUM This Month

Stored XSS in Frappe Framework 17.0.0-dev's MultiSelectDialog component allows authenticated low-privileged attackers to inject persistent malicious scripts that execute in other users' browsers when the compromised UI element is rendered. Per the CVSS 4.0 vector (PR:L/UI:A/SC:L/SI:L), exploitation requires a valid low-privilege account and active victim interaction, but the scope change to the subsequent system confirms cross-user impact on confidentiality and integrity. No public exploit code and no CISA KEV listing exist at time of analysis; the 17.0.0-dev designation suggests exposure may currently be limited to pre-release or development deployments.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-50705 MEDIUM This Month

Cross-site scripting in Frappe Framework 17.0.0-dev allows a high-privileged attacker who can modify the Form Dashboard headline to inject malicious JavaScript that executes in the browsers of other users who subsequently view the affected form. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation is gated behind two significant barriers: attacker must hold high-privilege application credentials and a victim must actively navigate to the injected form. No public exploit code and no active exploitation (CISA KEV) have been identified at the time of analysis; this was reported by Fluid Attacks.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.6
EPSS
0.3%
CVE-2026-50704 MEDIUM This Month

Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged attacker to inject persistent malicious scripts into the File View breadcrumb renderer, which then execute in the browsers of other users who navigate to the affected view. The CVSS 4.0 vector (PR:H, UI:A, SC:L/SI:L) confirms that while network delivery is possible, exploitation is constrained by the need for elevated access to inject the payload and victim interaction to trigger it, with impact limited to the subsequent system (victim browser). No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.6
EPSS
0.3%
CVE-2026-50703 MEDIUM This Month

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persistent malicious scripts via the Desk desktop icon renderer, which then execute in the browsers of other users - including administrators - who subsequently view the affected Desk interface. The vulnerability was reported by Fluid Attacks and carries a CVSS 4.0 score of 4.8 (Medium), reflecting cross-user impact limited to the subsequent-system scope (SC:L/SI:L). No public exploit code or active exploitation has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-50701 MEDIUM This Month

Reflected Cross-Site Scripting in Frappe Framework 17.0.0-dev's dashboard-view component allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted URL. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A) confirms no authentication is required from the attacker, though victim interaction is mandatory. Impact is confined to the subsequent system (victim browser session), with low integrity and confidentiality consequences; no active exploitation or public POC has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-50700 MEDIUM This Month

Stored XSS in Frappe Framework 17.0.0-dev allows high-privileged authenticated attackers to inject persistent malicious scripts via the `frappe.get_avatar` function, which execute in victims' browsers when the crafted content is rendered. The CVSS 4.0 score of 4.6 (Medium) reflects the PR:H requirement to store the payload and UI:A requirement for victim interaction, with impact limited to subsequent systems (other users' sessions). No public exploit or active exploitation has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.6
EPSS
0.3%
CVE-2026-50699 MEDIUM This Month

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated attacker with write access to the Auto Repeat module to inject persistent HTML/JavaScript into the reference_document field via a whitelisted write path, bypassing server-side input controls. When any user opens the affected Auto Repeat form, the injected payload executes in their browser context, enabling session hijacking, credential theft, or unauthorized UI manipulation on behalf of the victim. No public exploit code or confirmed active exploitation (CISA KEV) has been identified at time of analysis; however, the stored (persistent) nature of this XSS makes it more dangerous than reflected variants within shared Frappe deployments.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.6
EPSS
0.3%
CVE-2026-50698 MEDIUM This Month

Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged authenticated attacker to inject persistent malicious scripts into the Audit Trail component, which then execute in the browsers of other privileged users who view that trail. The vulnerability arises from improper input neutralization (CWE-79) before HTML rendering in the audit logging subsystem, and is assigned a CVSS 4.0 score of 4.6 reflecting the high-privilege prerequisite and required victim interaction. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.6
EPSS
0.3%
CVE-2026-11878 HIGH This Week

Cross-site scripting in OpenText Access Manager 5.1 through 5.1.2 lets a remote unauthenticated attacker inject script that executes in the browser of a targeted user of this enterprise SSO/access-management platform (CWE-79). Per the vendor-supplied CVSS 4.0 vector the flaw carries high vulnerable-system confidentiality impact (VC:H) but high attack complexity and a specific attack requirement (AC:H/AT:P), yielding a base score of 8.2. No public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Access Manager
NVD VulDB
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-56761 npm MEDIUM PATCH This Month

HTML injection in Hono's JSX server-side rendering engine (versions before 4.12.14) allows network-accessible attackers to corrupt rendered HTML output by supplying malformed attribute names containing characters such as quotes or angle brackets. Applications that pass untrusted external input - query parameters, form data, or other user-controlled values - directly as JSX attribute keys during SSR are affected. No active exploitation has been confirmed and no public exploit code has been identified at time of analysis; however, successful exploitation against vulnerable application patterns can escalate to cross-site scripting if the injected HTML includes event handlers processed by the victim's browser.

XSS Hono
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56358 npm MEDIUM PATCH This Month

Stored XSS in n8n's Form Trigger node allows any authenticated low-privilege user with workflow creation rights to inject persistent malicious scripts that execute for every visitor of a published form. Affects n8n 1.x before 1.123.25 and 2.x from 2.0.0-rc.0 before 2.11.2. No public exploit or active exploitation identified at time of analysis; the CVSS 4.0 score of 5.1 reflects partial CSP mitigation blocking session cookie theft while still permitting form hijacking and phishing against unlimited downstream victims.

XSS N8n
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-13140 LOW Monitor

Stored XSS in the AWS API key store component of Thinkst Applied Research Canarytokens allows a low-privileged attacker who knows a token's random identifier to inject persistent malicious scripts that execute in a victim's browser when they view the affected token page. Exploitation is constrained by high attack complexity (AC:H), a prerequisite attack requirement (knowledge of a random identifier), low-privilege authentication, and active user interaction - reflected in an extremely low CVSS 4.0 base score of 1.1. No active exploitation is confirmed; however, the CVSS 4.0 vector includes E:P, indicating proof-of-concept exploit code exists.

XSS Docker Canarytokens
NVD GitHub VulDB
CVSS 4.0
1.1
EPSS
0.2%
CVE-2026-10531 MEDIUM POC PATCH This Month

Stored Cross-Site Scripting in the AI Share & Summarize WordPress plugin (all versions before 2.0.4) allows any user holding a Contributor role or above to inject persistent malicious JavaScript via unsanitized shortcode attributes rendered on pages. When a higher-privileged user such as an Administrator subsequently views the affected page, the payload executes in their browser, enabling session hijacking, credential theft, or unauthorized privileged actions. A publicly available proof-of-concept exploit exists per WPScan, and a vendor-released patch is available in version 2.0.4.

WordPress XSS Ai Share Summarize
NVD WPScan VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-8622 MEDIUM This Month

Reflected Cross-Site Scripting in the Image Sizes on Demand WordPress plugin (versions ≤ 1.3) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized PHP_SELF server variable in settings.php. Successful exploitation requires social engineering an administrator into clicking a crafted link, after which the injected script executes within the admin's authenticated browser session - enabling session hijacking or unauthorized administrative actions. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS WordPress Image Sizes On Demand
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-9620 MEDIUM This Month

Stored Cross-Site Scripting in the WP Latest Posts WordPress plugin (versions up to and including 5.0.11) allows authenticated attackers with author-level access to plant persistent JavaScript payloads by crafting malicious image src attributes in post content. The plugin's field() and loop() functions in wplp-front.inc.php extract raw src values via regex and reconstruct HTML img elements or CSS background-image declarations through direct string concatenation, entirely bypassing WordPress's built-in kses sanitization. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the scope change to the victim's browser context enables session hijacking or credential theft against any user who visits an injected page.

XSS WordPress Wp Latest Posts
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-8865 MEDIUM This Month

Stored Cross-Site Scripting in Avalon23 Products Filter for WooCommerce (≤1.1.6) allows authenticated Contributors to inject persistent JavaScript via the `avalon23_qr` shortcode's `title` and `fixed_link` attributes, which are concatenated unsanitized into single-quoted HTML attributes by `AVALON23_HELPER::draw_html_item()`. The payload is stored in the WordPress database and executes in the browser of any user who subsequently visits an injected page, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS WordPress Avalon23 Products Filter For Woocommerce
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-8896 MEDIUM This Month

Stored Cross-Site Scripting in the Mir Blocks and Shortcodes WordPress plugin (versions up to and including 1.0.0) allows authenticated attackers with contributor-level access to permanently inject arbitrary JavaScript into pages via unsanitized shortcode attributes - specifically the 'title' and 'ready_animation_text' parameters of the msc_stats() rendering function. Any site visitor who loads an injected page executes the attacker's script in their browser, enabling session theft, credential harvesting, or in-page content manipulation. No public exploit or CISA KEV listing is confirmed at time of analysis, but the low privilege requirement (contributor) makes this accessible to a broad class of registered WordPress users.

XSS WordPress Mir Blocks And Shortcodes
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-9643 HIGH This Week

Unauthenticated stored cross-site scripting in the WP Meta SEO WordPress plugin (versions ≤ 4.5.18 by Joomunited) lets remote attackers persist arbitrary JavaScript into the `wp_wpms_links.link_url` database column by sending HTTP requests with a malicious URI to any 404 path. The payload executes in the browser of any administrator who opens the plugin's '404 & Redirects' admin page, enabling session hijacking or admin-on-behalf actions. No public exploit identified at time of analysis; no KEV listing.

PHP XSS WordPress Wp Meta Seo
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-8628 MEDIUM This Month

Reflected Cross-Site Scripting in the EntreDroppers WordPress plugin (all versions through 1.1.2) allows unauthenticated attackers to inject arbitrary JavaScript into victim browsers by embedding script payloads in the URL path-info segment, which PHP reflects unsanitized through the PHP_SELF server variable into the form action attribute at EntreDroppers.php line 223. Successful exploitation requires tricking an authenticated WordPress administrator into clicking a crafted link pointing to the /wp-admin/ context, making this a social-engineering-dependent attack. No public exploit code or active exploitation has been identified at time of analysis; no patch has been confirmed from available data.

PHP XSS WordPress Entredroppers
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-10092 HIGH NEWS This Week

Stored cross-site scripting in the Cincopa video and media plug-in for WordPress (versions ≤1.163) allows unauthenticated commenters to inject persistent JavaScript via the [cincopa] shortcode processed by the comment_text filter. Any visitor or administrator viewing the affected post executes the attacker's script in their browser session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS WordPress Cincopa Video And Media Plug In
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-10091 HIGH NEWS This Week

Stored cross-site scripting in the Email JavaScript Cloak WordPress plugin (versions ≤1.03) allows authenticated contributors and higher to inject arbitrary JavaScript via unsanitized attributes of the plugin's 'email' shortcode. The payload executes in any visitor's browser that renders the affected page, enabling session theft or site defacement. No public exploit identified at time of analysis, and the plugin is not listed in CISA KEV.

XSS WordPress Email Javascript Cloak
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-3652 HIGH This Week

Stored cross-site scripting in the ARForms WordPress plugin (versions ≤7.1.3) allows unauthenticated remote attackers to inject arbitrary JavaScript via the `value` parameter of the `arf_save_incomplete_form_data` AJAX endpoint, with the payload executing in an administrator's browser when they view the Partial Filled Form Entries dashboard page. No public exploit identified at time of analysis, though Wordfence's disclosure provides enough technical detail to reproduce the injection. Successful exploitation typically leads to admin account takeover and full WordPress site compromise.

XSS WordPress Arforms
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-11614 MEDIUM This Month

Stored Cross-Site Scripting in the Xpro Addons plugin for WordPress (versions ≤1.7.2) allows authenticated attackers holding author-level or higher roles to permanently embed arbitrary JavaScript via the `custom_attributes` parameter across at least 12 distinct Elementor widget frontend templates. The injected payload executes in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or administrative account takeover without further attacker interaction. No public exploit identified at time of analysis, though Wordfence has published source-code-level vulnerability locations across multiple widget layout files.

XSS WordPress Xpro Addons 140 Widgets For Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-56785 HIGH PATCH This Week

Stored cross-site scripting in FlatPress (commits prior to 10be83c) allows unauthenticated remote attackers to inject persistent HTML and JavaScript via the name, URL, and email fields of comment and contact forms. The payloads execute in any viewer's browser - including administrators reviewing comments in the admin panel - and weak URL scheme validation additionally permits javascript: and data: URI injection. No public exploit identified at time of analysis, but the patch and a third-party advisory disclose the affected sinks in detail.

XSS Flatpress
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.2%
CVE-2026-12163 MEDIUM PATCH This Month

Stored cross-site scripting in Fortra File Integrity Monitoring (FIM) versions prior to 9.4.0.1 allows a highly privileged authenticated user to inject persistent script content into node or database configuration fields within the Asset View UI component. When another user subsequently views the affected Asset View page, the stored payload executes in their browser context rather than being safely escaped, enabling session hijacking, credential theft, or unauthorized UI manipulation against that victim. No public exploit code has been identified and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at time of analysis.

XSS Fortra File Integrity Monitoring Fim
NVD VulDB
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-55099 CRITICAL Act Now

Denial of Service in the collective/icalendar Python library allows attackers to crash or hang applications that process externally supplied iCalendar data. The vulnerability carries a CVSS score of 7.5 High and affects Plone CMS deployments as well as any Python application using the library to parse .ics input. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Denial Of Service RCE
NVD
CVE-2026-55247 CRITICAL Act Now

Denial-of-service via malformed iCalendar import in Plone's plone.app.event package, rated 9.1 critical, enables remote disruption of affected Plone installations by submitting a crafted ICS file to the event import endpoint. Disclosed June 23, 2026 as part of a coordinated Plone security release addressing six distinct vulnerabilities across multiple packages. No public exploit code or CISA KEV listing has been identified at time of analysis, though the critical severity rating and co-disclosure of a related icalendar library CVE (CVE-2026-55099) the same week warrant prompt patching.

XSS Denial Of Service RCE
NVD
CVE-2026-55248 CRITICAL Act Now

Denial of service in Plone's RSS feed portlet component (plone.app.portlets) allows an attacker to exhaust server resources by supplying or triggering the parsing of a maliciously crafted RSS/Atom feed, rendering the Plone application unavailable. Disclosed June 23, 2026 as part of a coordinated Plone security release, the issue carries a critical severity rating of 9.1. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Denial Of Service RCE
NVD
CVE-2026-54503 CRITICAL Act Now

Stored cross-site scripting in Plone CMS enables persistent script injection by spoofing file MIME types within the plone.app.textfield and plone.restapi packages, announced June 5, 2026. An attacker with content-upload access can craft a file whose declared MIME type bypasses Plone's content-type enforcement, causing browsers to render the payload as HTML or JavaScript when other users access the stored content. No public exploit code or CISA KEV listing has been identified at time of analysis; the moderate severity rating (4.3) reflects the stored persistence risk offset by the upload-privilege requirement.

XSS Denial Of Service RCE
NVD
CVE-2026-53662 CRITICAL Act Now

Reflected cross-site scripting in Immich (commits 4ffa26c9 through pre-4eb1003) allows a single-click account takeover of any authenticated user by abusing the unvalidated continue query parameter on /auth/login, which is passed directly to SvelteKit's redirect() without scheme or origin checks. The payload executes attacker-controlled JavaScript inside Immich's origin and uses the victim's session to mint an all-permission API key, yielding persistent compromise. No public exploit identified at time of analysis, but the upstream fix commit and a detailed GHSA advisory describe the flaw clearly enough to derive a working PoC.

XSS Immich
NVD GitHub
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-52816 Go MEDIUM PATCH GHSA This Month

Stored XSS in Gogs's Jupyter notebook (.ipynb) preview allows any registered user to inject arbitrary JavaScript via `data:text/html` URIs that survive the bluemonday sanitization pipeline, affecting all versions prior to 0.14.3. The `POST /-/api/sanitize_ipynb` endpoint uses `p.AllowURLSchemes("data")` without MIME-type gating, unlike the safer `IsSafeDataURI` validator used elsewhere in the codebase, and carries no authentication middleware - making it reachable by any account holder. A proof-of-concept is publicly documented in GHSA-3w28-36p9-w929; no CISA KEV listing or EPSS data is available at time of analysis.

XSS
NVD GitHub
CVSS 4.0
5.4
EPSS
0.7%
CVE-2026-35163 PyPI MEDIUM PATCH GHSA This Month

Stored XSS in OctoPrint's Suppressed Command Notifications feature enables injection of arbitrary HTML and JavaScript into browser popups triggered by specially crafted G-code print files. Versions up to and including 1.11.7 and pre-release builds 2.0.0rc1 and 2.0.0rc2 are affected. An attacker who successfully delivers a malicious G-code file to a victim can execute scripts in the victim's authenticated browser session, enabling exfiltration of sensitive OctoPrint configuration (including API keys and credentials for privileged users), unauthorized actions within the instance, or disruption of active print jobs. No public exploit has been identified at time of analysis, and the vulnerability was responsibly disclosed.

XSS
NVD GitHub
CVE-2026-52807 Go MEDIUM PATCH GHSA This Month

Stored DOM-based XSS in Gogs versions prior to 0.14.3 allows any repository user with write access to inject JavaScript via a crafted milestone name, which executes in another user's browser when they open the New Issue page and interact with the milestone dropdown. The flaw is an incomplete fix for the earlier GHSA-vgjm-2cpf-4g7c, which patched view_content.tmpl but missed the identical sink in new_form.tmpl. A working PoC is published in the GitHub advisory, but no public exploit identified at time of analysis in CISA KEV or EPSS-tracked sources.

XSS Docker
NVD GitHub
CVSS 4.0
4.8
EPSS
0.5%
CVE-2026-44956 NONE Awaiting Data

Stored XSS in Revive Adserver allows a low-privileged user to inject malicious JavaScript through their Full Name field, which propagates via system-generated emails into the userlog table and executes in an administrator's browser when viewing userlog-details.php. The attack crosses privilege boundaries - a standard user account becomes a vector for admin-context script execution, enabling session hijacking or unauthorized privileged actions. No public exploit has been identified at time of analysis; a fix adding proper output escaping has been confirmed via HackerOne report #3669623.

XSS PHP Adserver
NVD VulDB
EPSS
0.3%
CVE-2026-44961 NONE Awaiting Data

Revive Adserver's XML-RPC API addUser method contains a validation bypass regression introduced by the patch for CVE-2025-55129, allowing authenticated API users to register usernames containing malicious payloads that enable impersonation of other accounts or deliver stored cross-site scripting attacks against administrative users. Reported via HackerOne (report #3680090), this vulnerability is not listed in CISA KEV and no public exploit has been identified at time of analysis. The provided CVSS vector is a null placeholder with all impact metrics rated N, which directly contradicts the described integrity and confidentiality impacts of stored XSS and account impersonation, and must not be used for risk prioritization.

XSS Authentication Bypass Adserver
NVD VulDB
EPSS
0.3%
CVE-2026-44960 NONE Awaiting Data

Stored XSS in Revive Adserver allows arbitrary JavaScript execution in an administrator's browser by embedding payloads in usernames that are later rendered unsanitized in the audit log details view. The attack persists in the platform's audit trail and fires when any admin reviews the affected log entries - a routine administrative activity, not a rare or unusual trigger. No public exploit has been identified at time of analysis, but the vendor has confirmed a fix by adding proper HTML output escaping to the audit log details rendering path.

XSS Adserver
NVD VulDB
EPSS
0.3%
CVE-2026-34915 MEDIUM This Month

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows a low-privileged authenticated user to exfiltrate database contents via the unsanitized clientid parameter in zone-include.php. The vulnerability is compounded by a concurrent input validation failure that also enables cross-site scripting, reflected in the CWE-79 assignment and CVSS scope-change vector - suggesting the zone-include.php endpoint contains at least two distinct injection classes. No public exploit has been identified at time of analysis, and a fix is available in versions beyond 6.0.6 per the vendor advisory on HackerOne.

SQLi XSS PHP Adserver
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2026-11772 MEDIUM Monitor

Reflected XSS in DRIMO CMS search functionality allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted URL containing a malicious payload in the `q` parameter. All versions are affected via the CPE wildcard (cpe:2.3:a:drimo:drimo_cms:*), and the product has been declared End of Life - no security patch will be issued. The sole vendor-acknowledged mitigation, confirmed by CERT-PL, is deletion of the `info.php` file; no public exploit code or KEV listing has been identified at time of analysis.

XSS PHP Drimo Cms
NVD VulDB
CVSS 4.0
5.1
EPSS
0.4%
CVE-2026-4610 MEDIUM This Month

Stored Cross-Site Scripting in the ProfileGrid WordPress plugin (all versions through 5.9.9.2) allows authenticated users with Subscriber-level access to inject persistent malicious scripts via the `pm_author_message` parameter in the private messaging function `pm_send_message_to_author`. The injected payload executes in any user's browser upon visiting the affected page, with a changed scope (S:C) meaning impact can extend to the broader WordPress session context - including potential admin account compromise. No public exploit has been identified at time of analysis, and a partial patch in version 5.9.8.5 does not fully remediate the issue, leaving sites running through 5.9.9.2 exposed.

XSS WordPress Profilegrid User Profiles Groups And Communities
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-10857 MEDIUM PATCH This Month

Reflected XSS in AKIN Software E-Commerce (all versions before 1.25.01.06) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into following a crafted URL. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) confirms network-reachable exploitation requiring no authentication, with a scope change indicating script execution in the browser context outside the originating document. Reported by TR-CERT; no public exploit code or CISA KEV listing identified at time of analysis.

XSS E Commerce
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-56263 PyPI MEDIUM PATCH This Month

Stored XSS in Crawl4AI's monitor dashboard (versions before 0.8.7) enables an unauthenticated remote attacker to inject persistent malicious markup by submitting a crafted crawl URL or triggering a crafted error message; the payload executes in any operator's browser that subsequently views the dashboard. This flaw is one of six vulnerabilities disclosed together in GHSA-365w-hqf6-vxfg, and its impact is materially amplified in unpatched deployments by a co-disclosed authentication bypass (CWE-306) that left all monitor endpoints, including the dashboard, accessible without credentials. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Crawl4ai
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated content injection in the Auros Core WordPress plugin (versions 5.3.1 and earlier) permits remote attackers to inject script-related HTML tags into rendered page output without any privileges or user interaction. The vulnerability is classified under CWE-80 (Basic XSS) and carries a CVSS 3.1 score of 5.3 (Medium), with impact limited to low confidentiality - consistent with an attacker reading page-context data rather than persistently compromising other users' sessions. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in the Exclusive Addons Elementor WordPress plugin (versions through 2.7.9.8) allows authenticated low-privileged users to inject persistent malicious scripts into Elementor widgets that execute in the browsers of site visitors and administrators. The scope change (S:C in the CVSS vector) indicates the injected payload escapes the attacker's context and affects other users, enabling session hijacking, credential theft, or privilege escalation to admin. No public exploit code or CISA KEV listing is identified at time of analysis, but Patchstack has disclosed the vulnerability publicly.

XSS Exclusive Addons Elementor
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-site scripting in jupyter/nbconvert versions 7.17.0 and earlier allows any user with notebook write access to inject and execute arbitrary JavaScript in the browsers of users who view HTML-exported notebooks. The flaw stems from the `data_mermaid` rendering block in `share/templates/lab/base.html.j2`, which outputs `text/vnd.mermaid` cell content directly into HTML without escaping, enabling tag breakout from the enclosing `<pre>` element. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the stored-XSS pattern means any user who views a maliciously crafted HTML export is at risk.

XSS Jupyter Jupyter Suse
NVD
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Server-side JavaScript execution and outbound HTTP request capabilities in Rapid7 InsightConnect Markdown Plugin versions 3.1.4 and earlier allow remote attackers to execute arbitrary scripts and make unauthorized HTTP requests through malicious content embedded in Markdown input to the markdown_to_pdf action. The PDF rendering engine lacks sufficient restrictions on script execution and network access. Patched version 4.0.0 is available from the vendor.

XSS SSRF Insightconnect Markdown Plugin
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting in Revive Adserver's stats-video.php script allows remote attackers to inject arbitrary JavaScript into victim browsers by delivering a crafted URL. The Smarty template engine's custom `url` helper function emits attacker-controlled values without HTML encoding or sanitization, and the URL construction pattern for this endpoint exposes user input directly in rendered output. No active exploitation has been confirmed (not in CISA KEV), but the vulnerability is reachable without authentication and requires only victim interaction with a malicious link.

XSS PHP Adserver
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Reflected XSS in Revive Adserver 6.0.7 and earlier allows a low-privileged user to inject unsanitized JavaScript via the `refresh` parameter in the zone-include.php iFrame invocation script. The CVSS scope change (S:C) indicates that attacker-controlled script executes in the victim's browser security context, enabling session hijacking, credential theft, or malicious redirects against targeted users who click a crafted URL. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the low attack complexity makes this straightforward for any attacker with XSS capability.

XSS PHP Adserver
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in Revive Adserver 6.0.7 allows an authenticated low-privilege attacker to inject persistent XSS payloads via entity names that render unescaped within the maintenance-acl-check.php and maintenance-banners-check.php tools. When an administrator later runs these maintenance utilities and inconsistencies are detected, the malicious payload executes in the admin's browser context, potentially enabling session hijacking or unauthorized administrative actions. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the AC:H vector reflects that payload execution is partially outside attacker control, contingent on admin use of the specific maintenance tools.

XSS PHP Adserver
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Stored XSS in Red Hat's Pen Drive report generator allows a cluster administrator to inject persistent JavaScript payloads into cluster objects such as ClusterVersion spec.channel, which then execute in the browser of any user who opens a generated HTML report. The flaw (CWE-79) stems from cluster-sourced data being rendered into HTML output without escaping or sanitization, crossing a security boundary (S:C) from infrastructure into end-user browser sessions. No public exploit or CISA KEV listing has been identified at time of analysis, but the C:H confidentiality impact indicates potential for session token or credential harvesting from report consumers.

XSS Pen Drive
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-Site Scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field)

XSS N A
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg)

XSS N A
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in Koha Library Management System's OPAC item detail page enables persistent script injection via the item public notes field (items.itemnotes), affecting all versions through 25.11. An authenticated attacker holding the edit_items permission can plant malicious JavaScript that executes in the browsers of any patron or staff member who subsequently views the affected item's detail page in the OPAC. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at 0.21% (12th percentile), suggesting limited threat actor interest currently.

XSS N A
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS RCE Grav
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Stored Cross-Site Scripting in Red Hat Build of Keycloak lets an authenticated administrator with `manage-client` permission (or access to client registration endpoints) register a malicious client whose redirect URI uses a case-insensitive `javascript:` or `data:` scheme, bypassing URI validation. When a victim later clicks a crafted link - for example during the logout flow or within the Admin Console - the script executes in the Keycloak origin, enabling session/token theft and effective code execution in that trusted context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it carries a CVSS 7.3 (PR:L, UI:R).

XSS RCE Red Hat Build Of Keycloak
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting in LibreChat's markdown artifact preview pipeline allows an authenticated attacker to inject arbitrary JavaScript into a victim's browser session via crafted image alt text. The marked library v15.0.12 fails to HTML-escape double-quote characters in image alt text when LibreChat's custom image renderer falls through to the built-in renderer, enabling attribute breakout via payloads like `" onload="payload`. The resulting unsanitized HTML is written directly to `innerHTML` inside the Sandpack preview iframe, executing attacker-controlled code in the victim's browser. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; fixed in version 0.8.4-rc1.

XSS Librechat
NVD GitHub
EPSS 0% CVSS 3.4
LOW Monitor

Stored cross-site scripting in K2 extension for Joomla (versions 1.0-2.26) allows an authenticated Author-tier user to inject arbitrary JavaScript into the embedVideo POST field, which K2 stores verbatim and renders unescaped to every subsequent visitor of that article page. Any Joomla user granted K2 'create item' rights - the Author tier by default - can weaponize this to steal session cookies, redirect victims, or perform actions on behalf of any visitor including administrators. No public exploit code has been identified at time of analysis, and CISA SSVC classifies exploitation as none with partial technical impact.

XSS K2 Extension For Joomla
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.

XSS K2 Extension For Joomla
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Stored cross-site scripting in Pretix's PDF ticket and badge layout editor allows one backend user to inject JavaScript that executes in another backend user's browser when they open the PDF editor. Affected is the open-source Pretix event-ticketing platform on versions prior to the 2026.5.2 release; the malicious HTML embedded in a layout specification runs because the PDF editor page is one of the few backend pages that lacks a strong Content-Security-Policy. There is no public exploit identified at time of analysis, but the vendor has confirmed and patched the issue.

XSS Pretix
NVD VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

HTML injection on the pretix untrusted-redirect warning page enables phishing attacks against end users. Affecting the open-source event ticketing platform (all versions prior to 2026.5.2), authenticated low-privileged users can embed malicious HTML content into the redirect interstitial page that pretix displays before forwarding visitors to external URLs. The presence of a Content-Security-Policy on that page blocks script execution, so the primary attack surface is social engineering and credential phishing rather than full cross-site scripting. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Pretix
NVD
EPSS 0% CVSS 2.1
LOW PATCH Monitor

HTML injection into server-side PDF rendering contexts in Pretix enables low-privileged authenticated users to embed external image references that trigger outbound HTTP requests from the rendering engine, leaking the server's network identity and creating an SSRF vector against internal network services. The CVSS 4.0 score of 2.1 reflects genuinely low severity - exploitation requires authentication, specific content reaching PDF rendering paths, and passive user interaction to trigger PDF generation. No public exploit code exists and this vulnerability is absent from CISA KEV.

XSS SSRF Pretix
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

HTML injection on pretix's individual ticket confirmation page allows unsanitized email address content to execute arbitrary HTML - including scripts - in the browser of anyone who views that page. The injection point is the email address field submitted at order creation, which pretix stored and rendered without output encoding on the per-ticket confirmation view. Exploitation requires no authentication (PR:N in CVSS 4.0) but does require a victim to load the affected page (UI:P). No public exploit is identified and the vulnerability is not listed in CISA KEV; a vendor-released patch is available in version 2026.5.2.

XSS Pretix
NVD
EPSS 0% CVSS 2.1
LOW PATCH Monitor

HTML injection in the pretix-pages plugin for Pretix event ticketing software permits a high-privileged authenticated user to embed malicious HTML tags into plugin-rendered page content, which subsequently executes in the browsers of site visitors who view those pages. All tracked versions under cpe:2.3:a:pretix:pretix-pages are affected, with a vendor-released fix published 2026-06-25 in Pretix release 2026.5.2. No public exploit code or active exploitation has been identified at time of analysis.

XSS Pretix Pages
NVD
EPSS 0% CVSS 2.0
LOW PATCH Monitor

HTML injection in the pretix-digital Pretix ticketing plugin (CWE-80) allows high-privileged operators to embed malicious script-bearing HTML into event content that subsequently executes in the browsers of end users viewing rendered ticket or event pages. All versions of the plugin are indicated as affected per the CPE wildcard, with a vendor fix shipped in the 2026.5.2 release. No public exploit has been identified at time of analysis, the vulnerability is absent from the CISA KEV catalog, and the low CVSS 4.0 score of 2.0 reflects the high privilege and specific preconditions required for exploitation.

XSS Pretix Digital
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site scripting in the Forminator WordPress plugin (versions 1.53.1 and earlier, by WPMU DEV) lets unauthenticated remote attackers inject malicious script that executes in a victim's browser when they interact with crafted content. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C, score 7.1) confirms no authentication is required but that user interaction triggers the payload, and the changed scope means the injected script runs in a security context beyond the vulnerable component. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Forminator
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the TablePress WordPress plugin (versions 3.3.1 and earlier) lets an unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed (S:C), successful exploitation can affect resources beyond the vulnerable component, including the WordPress admin session context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported through Patchstack's WordPress vulnerability program.

XSS Tablepress
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored/reflected Cross-Site Scripting in the Advanced Order Export For WooCommerce WordPress plugin (by AlgolPlus) affects all versions up to and including 4.0.9, letting a remote attacker inject script that executes in the browser of a victim who views attacker-controlled order/export data. The flaw carries a CVSS 7.1 rating driven by a scope change (attacker script runs outside the vulnerable component's security context) and requires victim interaction; there is no public exploit identified at time of analysis and it is not on the CISA KEV list.

WordPress XSS Advanced Order Export For Woocommerce
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored or reflected cross-site scripting in the Averta Master Slider WordPress plugin (versions 3.11.2 and earlier) lets unauthenticated remote attackers inject script that executes in a victim's browser, but only after the victim interacts with attacker-supplied content (UI:R). The CVSS:3.1 vector's scope change (S:C) reflects that injected code runs in the browser's trust context rather than the plugin's, enabling session theft or actions on behalf of the victim. There is no public exploit identified at time of analysis and the issue is not on CISA KEV.

XSS Master Slider
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the H5P WordPress plugin (versions 1.17.6 and earlier) lets an unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link, per the CVSS PR:N/UI:R vector. Because the scope is changed (S:C), successful execution can reach beyond the vulnerable component into the authenticated WordPress session context, enabling session/cookie theft or admin-context actions. There is no public exploit identified and the issue is not listed in CISA KEV, so risk is moderate (CVSS 7.1) and contingent on social-engineering a logged-in user.

XSS H5P
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored/reflected Cross-Site Scripting in Melapress's WP Activity Log WordPress plugin (versions <= 5.6.3.1, reported by Patchstack) lets a low-privileged Subscriber-level user inject script that executes in another user's browser, with a CVSS-rated scope change (S:C) meaning the payload can affect resources beyond the plugin's own security context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; direct impact is limited (C:L/I:L/A:L) but the cross-context scope and low attack complexity make it relevant for sites that allow open registration.

XSS Wp Activity Log
NVD
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Stored cross-site scripting in the Email Address Encoder WordPress plugin (free, before 1.0.25) and its Email Encoder Premium counterpart (before 0.3.12) lets unauthenticated visitors inject persistent JavaScript through the plugin's flawed email-replacement handling. Publicly available exploit code exists (disclosed by WPScan) and a vendor patch is available, but it is not in CISA KEV, so there is no public exploit identified as actively used in the wild. Successful exploitation executes attacker script in the browser of any user who later renders the affected page, typically an authenticated administrator.

WordPress XSS Email Address Encoder +1
NVD WPScan VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in GitLab CE/EE (18.10 through 18.11.5, 19.0 through 19.0.2, and 19.1.0) lets an unauthenticated attacker run arbitrary JavaScript in a victim's authenticated browser session by abusing improper path validation, but only under specific conditions and after a logged-in user interacts with attacker-controlled content. The CVSS 8.0 rating (scope-changed, high confidentiality and integrity impact) reflects that successful exploitation effectively hijacks the victim's GitLab session. No public exploit has been identified at time of analysis and the issue is not in CISA KEV, though a HackerOne report exists and GitLab shipped fixes in 18.11.6, 19.0.3, and 19.1.1.

XSS Gitlab
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in GitLab Enterprise Edition (all versions from 16.4 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1) lets an authenticated user holding only developer-role permissions inject unsanitized input that executes as JavaScript in a victim's browser session. Because the script runs with scope change in the context of another (potentially higher-privileged) user, an attacker can hijack sessions, exfiltrate data, or act on the victim's behalf. The flaw was reported privately via HackerOne and patched by GitLab; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Gitlab
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Essential Blocks for WordPress (all versions through 6.1.4) allows authenticated Contributor-level users to permanently embed malicious JavaScript into pages via the `configurablePrefix` attribute of the Table of Contents block. The payload persists in the database and executes in every subsequent visitor's browser, enabling session hijacking, credential theft, or forced redirects at scale across the site's audience. No public exploit code or CISA KEV listing is present in the available intelligence, but Wordfence's disclosure paired with publicly accessible source-level Trac links substantially lowers the effort required to develop a working exploit.

WordPress XSS Gutenberg Essential Blocks Page Builder For Gutenberg Blocks Patterns
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Authentication bypass via cross-site scripting in Quest NetVault Backup's addclient3 webpage allows remote attackers to inject arbitrary script that executes in a victim's authenticated session, bypassing access controls. Disclosed through Trend Micro's Zero Day Initiative (ZDI-26-369, formerly ZDI-CAN-27666), the flaw requires user interaction - the target must visit a malicious page or open a malicious file - and can be chained with other weaknesses to achieve code execution in the SYSTEM context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, though the high CVSS of 8.8 reflects the serious downstream RCE potential.

Authentication Bypass XSS RCE +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Authentication bypass via cross-site scripting in the Quest NetVault Backup viewclient web interface lets remote attackers inject arbitrary script that, when a victim visits a malicious page or opens a malicious file, runs in the application context and circumvents authentication. Disclosed through Trend Micro's Zero Day Initiative (ZDI-26-377, ZDI-CAN-28202), the flaw can be chained with additional vulnerabilities to achieve code execution as SYSTEM. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 8.8 rating reflects the high impact of the auth-bypass-plus-RCE chain.

Authentication Bypass XSS RCE +1
NVD
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Stored cross-site scripting leading to OS command execution in SiYuan, an open-source personal knowledge management system, affects all desktop client versions prior to 3.7.0. Untrusted marketplace package metadata (name, version, author, description) is serialized via JSON.stringify() into a single-quoted data-obj HTML attribute without escaping single quotes or angle brackets, so a package name containing a single quote breaks out of the attribute and injects arbitrary HTML; because the Electron BrowserWindow runs with nodeIntegration:true and contextIsolation:false, the DOM XSS escalates to arbitrary command execution on the host. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-x88j-wgpr-h22x) notes this is the same root cause and impact as a prior advisory, reached through a sibling sink the earlier patch missed.

Command Injection XSS Siyuan
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Arbitrary command execution in the SiYuan Electron desktop client (versions prior to 3.7.0) allows a remote attacker to run OS commands on a victim's machine when they merely view a malicious Bazaar marketplace package's README. The root cause is that Lute's HTML sanitizer fails to strip <iframe> elements, which combine with the Electron client's permissive security settings (e.g. node integration / relaxed sandboxing) to escalate stored XSS into full code execution; notably no package installation is required, only viewing the package details. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 8.7 (High) reflects high confidentiality, integrity, and availability impact.

XSS Siyuan
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Stored cross-site scripting in SiYuan's Attribute View (database) asset cell renderer escalates to remote code execution on the Electron desktop client for all versions prior to 3.7.0. An attacker who can persist crafted content into a database asset cell has malicious JavaScript executed in the privileged Electron context, breaking out to the host operating system; the issue carries a 9.9 CVSS and is fixed in 3.7.0. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

XSS RCE Siyuan
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

Stored cross-site scripting in SiYuan's attribute-view (database) cell renderer, affecting all versions prior to 3.7.0, lets a low-privileged attacker with write access to a synced workspace plant a persistent payload that runs arbitrary JavaScript when a victim opens the block-attribute panel. The genAVValueHTML function interpolates cell content raw in its text, url, phone, and mAsset branches and the Go kernel never escapes the value on input, so the malicious row survives sync byte-for-byte and fires on every device that renders it; on the Electron desktop client (nodeIntegration:true) the XSS escalates to host remote code execution via require('child_process'). CVSS is rated 9.9; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Siyuan
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Stored cross-site scripting in SiYuan personal knowledge management system before 3.7.0 allows a third-party Bazaar package author to execute JavaScript in an Administrator's authenticated workspace origin. The lute sanitizer used by renderPackageREADME relies on a stale event-handler blocklist that omits modern DOM event attributes (onpointerover, onpointerdown, onauxclick, onbeforetoggle, onfocusin, onanimationstart, ontransitionend), and the rendered README HTML is injected via innerHTML with no client-side DOMPurify and no CSP/X-Frame-Options/X-Content-Type-Options headers. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but successful exploitation yields full control of the victim's workspace.

XSS Siyuan
NVD GitHub
EPSS 1% CVSS 9.2
CRITICAL POC PATCH Act Now

Origin-validation bypass in SiYuan Note (open-source personal knowledge management) before 3.7.0 lets any installed Chrome/Chromium browser extension obtain RoleAdministrator access to the local kernel HTTP server at 127.0.0.1:6806. Because the kernel unconditionally trusts all chrome-extension:// origins and desktop installs ship with an empty AccessAuthCode by default, a malicious or supply-chain-compromised extension can issue fully authenticated admin API calls with no further authentication, enabling data exfiltration, stored XSS injection, and configuration tampering. Publicly available exploit code exists; there is no public exploit identified as actively exploited.

XSS Google Siyuan
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Stored XSS in Rocket.Chat's Gazzodown Markdown renderer allows authenticated users to inject javascript: protocol URIs into image elements that execute arbitrary JavaScript in a victim's browser session upon click. The ImageElement component in versions prior to 8.5.0 omits the sanitizeUrl() guard applied by the analogous LinkSpan component, creating an inconsistency that bypasses javascript:, data:, and vbscript: protocol blocking. No public exploit has been identified at time of analysis; exploitation is constrained to legacy browsers and requires victim interaction, reflected in the official CVSS score of 4.4 Medium.

XSS
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

Stored cross-site scripting in SiYuan personal knowledge management before 3.7.0 lets an attacker with write access to a synced workspace plant a CSS snippet whose '</style>' sequence breaks out of the surrounding <style> tag when renderSnippet() interpolates it via insertAdjacentHTML, running arbitrary JavaScript in the renderer. On Electron desktop builds the renderer runs with nodeIntegration:true, so the injected handler can reach require('child_process') and escalate the XSS to full host remote code execution. The payload syncs through the workspace repository and fires automatically on every device that pulls, and it bypasses the user's enabledJS=off setting; no public exploit or CISA KEV listing is identified at time of analysis.

XSS Siyuan
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Stored XSS in Jellyfin's administrative dashboard allows a low-privileged user to execute arbitrary JavaScript in the browser context of a logged-in administrator. The `Client` header supplied during an `AuthenticateByName` API request is stored without sanitization and rendered unescaped when an administrator visits the Access tab of that user's profile in the dashboard. Affecting all versions prior to 10.11.9, successful exploitation could enable admin session hijacking, credential exfiltration, or unauthorized administrative actions; no public exploit or CISA KEV listing has been identified at time of analysis.

XSS Jellyfin
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in Ghost CMS (versions 6.19.4 through 6.21.0) is enabled by the Admin API file upload endpoint accepting and preserving attacker-supplied Content-Type headers without server-side validation. When Ghost is configured with S3 or GCS storage backends that serve uploaded files from the same origin as the site, an authenticated attacker can upload a file with a crafted Content-Type (e.g., text/html) that causes browsers to execute it as HTML or JavaScript, enabling stored XSS against visitors and staff. No public exploit code has been identified at time of analysis, and the vulnerability is fixed in Ghost 6.21.1.

Node.js XSS File Upload +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cross-site scripting (JavaScript injection) in Ghost's ActivityPub client (@tryghost/activitypub) prior to version 3.1.0 allows a malicious federated server to embed attacker-controlled script in shared posts that executes in the browser of a victim Ghost user who views the content. The flaw stems from improper sanitization of post content received over ActivityPub federation, enabling session theft or actions performed in the victim's authenticated context. There is no public exploit identified at the time of analysis, and the issue is not listed in CISA KEV.

XSS Ghost
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in Frappe Framework 17.0.0-dev allows authenticated low-privileged users to inject persistent malicious scripts via the frappe.ui.Tree component, which then execute in the browsers of other users who load the affected tree view. Reported by Fluid Attacks, this vulnerability carries a CVSS 4.0 score of 4.8 reflecting cross-user scope change impact despite limited direct system compromise. No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows a high-privileged authenticated user to inject persistent malicious scripts into the Number Card dashboard component, which then execute in the browsers of other users who view the affected dashboard. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation requires admin-level access to plant the payload and a victim's browser interaction to trigger it, limiting realistic blast radius despite the network delivery vector. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

Stored XSS in Frappe Framework version 17.0.0-dev allows a high-privileged authenticated user to inject malicious JavaScript through the Number Card dashboard component, which subsequently executes in other authenticated users' browser sessions when they view affected dashboards. The CVSS 4.0 score of 4.6 (Medium) reflects the dual constraint of requiring high-privilege credentials to plant the payload and active victim interaction to trigger it - both of which meaningfully limit real-world exploitability. No public exploit code or CISA KEV listing is identified at time of analysis; this was reported by Fluid Attacks.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persistent JavaScript payloads via the Notifications > Events panel, which execute in the browser context of any user who subsequently views that panel. The CVSS 4.0 vector confirms subsequent-system scope impact (SC:L/SI:L), meaning the attack targets other users rather than the attacker's own session. No public exploit has been identified and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in Frappe Framework 17.0.0-dev's MultiSelectDialog component allows authenticated low-privileged attackers to inject persistent malicious scripts that execute in other users' browsers when the compromised UI element is rendered. Per the CVSS 4.0 vector (PR:L/UI:A/SC:L/SI:L), exploitation requires a valid low-privilege account and active victim interaction, but the scope change to the subsequent system confirms cross-user impact on confidentiality and integrity. No public exploit code and no CISA KEV listing exist at time of analysis; the 17.0.0-dev designation suggests exposure may currently be limited to pre-release or development deployments.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

Cross-site scripting in Frappe Framework 17.0.0-dev allows a high-privileged attacker who can modify the Form Dashboard headline to inject malicious JavaScript that executes in the browsers of other users who subsequently view the affected form. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation is gated behind two significant barriers: attacker must hold high-privilege application credentials and a victim must actively navigate to the injected form. No public exploit code and no active exploitation (CISA KEV) have been identified at the time of analysis; this was reported by Fluid Attacks.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged attacker to inject persistent malicious scripts into the File View breadcrumb renderer, which then execute in the browsers of other users who navigate to the affected view. The CVSS 4.0 vector (PR:H, UI:A, SC:L/SI:L) confirms that while network delivery is possible, exploitation is constrained by the need for elevated access to inject the payload and victim interaction to trigger it, with impact limited to the subsequent system (victim browser). No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persistent malicious scripts via the Desk desktop icon renderer, which then execute in the browsers of other users - including administrators - who subsequently view the affected Desk interface. The vulnerability was reported by Fluid Attacks and carries a CVSS 4.0 score of 4.8 (Medium), reflecting cross-user impact limited to the subsequent-system scope (SC:L/SI:L). No public exploit code or active exploitation has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected Cross-Site Scripting in Frappe Framework 17.0.0-dev's dashboard-view component allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted URL. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A) confirms no authentication is required from the attacker, though victim interaction is mandatory. Impact is confined to the subsequent system (victim browser session), with low integrity and confidentiality consequences; no active exploitation or public POC has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

Stored XSS in Frappe Framework 17.0.0-dev allows high-privileged authenticated attackers to inject persistent malicious scripts via the `frappe.get_avatar` function, which execute in victims' browsers when the crafted content is rendered. The CVSS 4.0 score of 4.6 (Medium) reflects the PR:H requirement to store the payload and UI:A requirement for victim interaction, with impact limited to subsequent systems (other users' sessions). No public exploit or active exploitation has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated attacker with write access to the Auto Repeat module to inject persistent HTML/JavaScript into the reference_document field via a whitelisted write path, bypassing server-side input controls. When any user opens the affected Auto Repeat form, the injected payload executes in their browser context, enabling session hijacking, credential theft, or unauthorized UI manipulation on behalf of the victim. No public exploit code or confirmed active exploitation (CISA KEV) has been identified at time of analysis; however, the stored (persistent) nature of this XSS makes it more dangerous than reflected variants within shared Frappe deployments.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged authenticated attacker to inject persistent malicious scripts into the Audit Trail component, which then execute in the browsers of other privileged users who view that trail. The vulnerability arises from improper input neutralization (CWE-79) before HTML rendering in the audit logging subsystem, and is assigned a CVSS 4.0 score of 4.6 reflecting the high-privilege prerequisite and required victim interaction. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Week

Cross-site scripting in OpenText Access Manager 5.1 through 5.1.2 lets a remote unauthenticated attacker inject script that executes in the browser of a targeted user of this enterprise SSO/access-management platform (CWE-79). Per the vendor-supplied CVSS 4.0 vector the flaw carries high vulnerable-system confidentiality impact (VC:H) but high attack complexity and a specific attack requirement (AC:H/AT:P), yielding a base score of 8.2. No public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Access Manager
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

HTML injection in Hono's JSX server-side rendering engine (versions before 4.12.14) allows network-accessible attackers to corrupt rendered HTML output by supplying malformed attribute names containing characters such as quotes or angle brackets. Applications that pass untrusted external input - query parameters, form data, or other user-controlled values - directly as JSX attribute keys during SSR are affected. No active exploitation has been confirmed and no public exploit code has been identified at time of analysis; however, successful exploitation against vulnerable application patterns can escalate to cross-site scripting if the injected HTML includes event handlers processed by the victim's browser.

XSS Hono
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored XSS in n8n's Form Trigger node allows any authenticated low-privilege user with workflow creation rights to inject persistent malicious scripts that execute for every visitor of a published form. Affects n8n 1.x before 1.123.25 and 2.x from 2.0.0-rc.0 before 2.11.2. No public exploit or active exploitation identified at time of analysis; the CVSS 4.0 score of 5.1 reflects partial CSP mitigation blocking session cookie theft while still permitting form hijacking and phishing against unlimited downstream victims.

XSS N8n
NVD GitHub
EPSS 0% CVSS 1.1
LOW Monitor

Stored XSS in the AWS API key store component of Thinkst Applied Research Canarytokens allows a low-privileged attacker who knows a token's random identifier to inject persistent malicious scripts that execute in a victim's browser when they view the affected token page. Exploitation is constrained by high attack complexity (AC:H), a prerequisite attack requirement (knowledge of a random identifier), low-privilege authentication, and active user interaction - reflected in an extremely low CVSS 4.0 base score of 1.1. No active exploitation is confirmed; however, the CVSS 4.0 vector includes E:P, indicating proof-of-concept exploit code exists.

XSS Docker Canarytokens
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Stored Cross-Site Scripting in the AI Share & Summarize WordPress plugin (all versions before 2.0.4) allows any user holding a Contributor role or above to inject persistent malicious JavaScript via unsanitized shortcode attributes rendered on pages. When a higher-privileged user such as an Administrator subsequently views the affected page, the payload executes in their browser, enabling session hijacking, credential theft, or unauthorized privileged actions. A publicly available proof-of-concept exploit exists per WPScan, and a vendor-released patch is available in version 2.0.4.

WordPress XSS Ai Share Summarize
NVD WPScan VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the Image Sizes on Demand WordPress plugin (versions ≤ 1.3) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized PHP_SELF server variable in settings.php. Successful exploitation requires social engineering an administrator into clicking a crafted link, after which the injected script executes within the admin's authenticated browser session - enabling session hijacking or unauthorized administrative actions. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS WordPress Image Sizes On Demand
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the WP Latest Posts WordPress plugin (versions up to and including 5.0.11) allows authenticated attackers with author-level access to plant persistent JavaScript payloads by crafting malicious image src attributes in post content. The plugin's field() and loop() functions in wplp-front.inc.php extract raw src values via regex and reconstruct HTML img elements or CSS background-image declarations through direct string concatenation, entirely bypassing WordPress's built-in kses sanitization. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the scope change to the victim's browser context enables session hijacking or credential theft against any user who visits an injected page.

XSS WordPress Wp Latest Posts
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Avalon23 Products Filter for WooCommerce (≤1.1.6) allows authenticated Contributors to inject persistent JavaScript via the `avalon23_qr` shortcode's `title` and `fixed_link` attributes, which are concatenated unsanitized into single-quoted HTML attributes by `AVALON23_HELPER::draw_html_item()`. The payload is stored in the WordPress database and executes in the browser of any user who subsequently visits an injected page, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS WordPress Avalon23 Products Filter For Woocommerce
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Mir Blocks and Shortcodes WordPress plugin (versions up to and including 1.0.0) allows authenticated attackers with contributor-level access to permanently inject arbitrary JavaScript into pages via unsanitized shortcode attributes - specifically the 'title' and 'ready_animation_text' parameters of the msc_stats() rendering function. Any site visitor who loads an injected page executes the attacker's script in their browser, enabling session theft, credential harvesting, or in-page content manipulation. No public exploit or CISA KEV listing is confirmed at time of analysis, but the low privilege requirement (contributor) makes this accessible to a broad class of registered WordPress users.

XSS WordPress Mir Blocks And Shortcodes
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Unauthenticated stored cross-site scripting in the WP Meta SEO WordPress plugin (versions ≤ 4.5.18 by Joomunited) lets remote attackers persist arbitrary JavaScript into the `wp_wpms_links.link_url` database column by sending HTTP requests with a malicious URI to any 404 path. The payload executes in the browser of any administrator who opens the plugin's '404 & Redirects' admin page, enabling session hijacking or admin-on-behalf actions. No public exploit identified at time of analysis; no KEV listing.

PHP XSS WordPress +1
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the EntreDroppers WordPress plugin (all versions through 1.1.2) allows unauthenticated attackers to inject arbitrary JavaScript into victim browsers by embedding script payloads in the URL path-info segment, which PHP reflects unsanitized through the PHP_SELF server variable into the form action attribute at EntreDroppers.php line 223. Successful exploitation requires tricking an authenticated WordPress administrator into clicking a crafted link pointing to the /wp-admin/ context, making this a social-engineering-dependent attack. No public exploit code or active exploitation has been identified at time of analysis; no patch has been confirmed from available data.

PHP XSS WordPress +1
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Cincopa video and media plug-in for WordPress (versions ≤1.163) allows unauthenticated commenters to inject persistent JavaScript via the [cincopa] shortcode processed by the comment_text filter. Any visitor or administrator viewing the affected post executes the attacker's script in their browser session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS WordPress Cincopa Video And Media Plug In
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Email JavaScript Cloak WordPress plugin (versions ≤1.03) allows authenticated contributors and higher to inject arbitrary JavaScript via unsanitized attributes of the plugin's 'email' shortcode. The payload executes in any visitor's browser that renders the affected page, enabling session theft or site defacement. No public exploit identified at time of analysis, and the plugin is not listed in CISA KEV.

XSS WordPress Email Javascript Cloak
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the ARForms WordPress plugin (versions ≤7.1.3) allows unauthenticated remote attackers to inject arbitrary JavaScript via the `value` parameter of the `arf_save_incomplete_form_data` AJAX endpoint, with the payload executing in an administrator's browser when they view the Partial Filled Form Entries dashboard page. No public exploit identified at time of analysis, though Wordfence's disclosure provides enough technical detail to reproduce the injection. Successful exploitation typically leads to admin account takeover and full WordPress site compromise.

XSS WordPress Arforms
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Xpro Addons plugin for WordPress (versions ≤1.7.2) allows authenticated attackers holding author-level or higher roles to permanently embed arbitrary JavaScript via the `custom_attributes` parameter across at least 12 distinct Elementor widget frontend templates. The injected payload executes in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or administrative account takeover without further attacker interaction. No public exploit identified at time of analysis, though Wordfence has published source-code-level vulnerability locations across multiple widget layout files.

XSS WordPress Xpro Addons 140 Widgets For Elementor
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Stored cross-site scripting in FlatPress (commits prior to 10be83c) allows unauthenticated remote attackers to inject persistent HTML and JavaScript via the name, URL, and email fields of comment and contact forms. The payloads execute in any viewer's browser - including administrators reviewing comments in the admin panel - and weak URL scheme validation additionally permits javascript: and data: URI injection. No public exploit identified at time of analysis, but the patch and a third-party advisory disclose the affected sinks in detail.

XSS Flatpress
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored cross-site scripting in Fortra File Integrity Monitoring (FIM) versions prior to 9.4.0.1 allows a highly privileged authenticated user to inject persistent script content into node or database configuration fields within the Asset View UI component. When another user subsequently views the affected Asset View page, the stored payload executes in their browser context rather than being safely escaped, enabling session hijacking, credential theft, or unauthorized UI manipulation against that victim. No public exploit code has been identified and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at time of analysis.

XSS Fortra File Integrity Monitoring Fim
NVD VulDB
CRITICAL Act Now

Denial of Service in the collective/icalendar Python library allows attackers to crash or hang applications that process externally supplied iCalendar data. The vulnerability carries a CVSS score of 7.5 High and affects Plone CMS deployments as well as any Python application using the library to parse .ics input. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Denial Of Service RCE
NVD
CRITICAL Act Now

Denial-of-service via malformed iCalendar import in Plone's plone.app.event package, rated 9.1 critical, enables remote disruption of affected Plone installations by submitting a crafted ICS file to the event import endpoint. Disclosed June 23, 2026 as part of a coordinated Plone security release addressing six distinct vulnerabilities across multiple packages. No public exploit code or CISA KEV listing has been identified at time of analysis, though the critical severity rating and co-disclosure of a related icalendar library CVE (CVE-2026-55099) the same week warrant prompt patching.

XSS Denial Of Service RCE
NVD
CRITICAL Act Now

Denial of service in Plone's RSS feed portlet component (plone.app.portlets) allows an attacker to exhaust server resources by supplying or triggering the parsing of a maliciously crafted RSS/Atom feed, rendering the Plone application unavailable. Disclosed June 23, 2026 as part of a coordinated Plone security release, the issue carries a critical severity rating of 9.1. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Denial Of Service RCE
NVD
CRITICAL Act Now

Stored cross-site scripting in Plone CMS enables persistent script injection by spoofing file MIME types within the plone.app.textfield and plone.restapi packages, announced June 5, 2026. An attacker with content-upload access can craft a file whose declared MIME type bypasses Plone's content-type enforcement, causing browsers to render the payload as HTML or JavaScript when other users access the stored content. No public exploit code or CISA KEV listing has been identified at time of analysis; the moderate severity rating (4.3) reflects the stored persistence risk offset by the upload-privilege requirement.

XSS Denial Of Service RCE
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

Reflected cross-site scripting in Immich (commits 4ffa26c9 through pre-4eb1003) allows a single-click account takeover of any authenticated user by abusing the unvalidated continue query parameter on /auth/login, which is passed directly to SvelteKit's redirect() without scheme or origin checks. The payload executes attacker-controlled JavaScript inside Immich's origin and uses the victim's session to mint an all-permission API key, yielding persistent compromise. No public exploit identified at time of analysis, but the upstream fix commit and a detailed GHSA advisory describe the flaw clearly enough to derive a working PoC.

XSS Immich
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Stored XSS in Gogs's Jupyter notebook (.ipynb) preview allows any registered user to inject arbitrary JavaScript via `data:text/html` URIs that survive the bluemonday sanitization pipeline, affecting all versions prior to 0.14.3. The `POST /-/api/sanitize_ipynb` endpoint uses `p.AllowURLSchemes("data")` without MIME-type gating, unlike the safer `IsSafeDataURI` validator used elsewhere in the codebase, and carries no authentication middleware - making it reachable by any account holder. A proof-of-concept is publicly documented in GHSA-3w28-36p9-w929; no CISA KEV listing or EPSS data is available at time of analysis.

XSS
NVD GitHub
MEDIUM PATCH This Month

Stored XSS in OctoPrint's Suppressed Command Notifications feature enables injection of arbitrary HTML and JavaScript into browser popups triggered by specially crafted G-code print files. Versions up to and including 1.11.7 and pre-release builds 2.0.0rc1 and 2.0.0rc2 are affected. An attacker who successfully delivers a malicious G-code file to a victim can execute scripts in the victim's authenticated browser session, enabling exfiltration of sensitive OctoPrint configuration (including API keys and credentials for privileged users), unauthorized actions within the instance, or disruption of active print jobs. No public exploit has been identified at time of analysis, and the vulnerability was responsibly disclosed.

XSS
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored DOM-based XSS in Gogs versions prior to 0.14.3 allows any repository user with write access to inject JavaScript via a crafted milestone name, which executes in another user's browser when they open the New Issue page and interact with the milestone dropdown. The flaw is an incomplete fix for the earlier GHSA-vgjm-2cpf-4g7c, which patched view_content.tmpl but missed the identical sink in new_form.tmpl. A working PoC is published in the GitHub advisory, but no public exploit identified at time of analysis in CISA KEV or EPSS-tracked sources.

XSS Docker
NVD GitHub
EPSS 0%
NONE Awaiting Data

Stored XSS in Revive Adserver allows a low-privileged user to inject malicious JavaScript through their Full Name field, which propagates via system-generated emails into the userlog table and executes in an administrator's browser when viewing userlog-details.php. The attack crosses privilege boundaries - a standard user account becomes a vector for admin-context script execution, enabling session hijacking or unauthorized privileged actions. No public exploit has been identified at time of analysis; a fix adding proper output escaping has been confirmed via HackerOne report #3669623.

XSS PHP Adserver
NVD VulDB
EPSS 0%
NONE Awaiting Data

Revive Adserver's XML-RPC API addUser method contains a validation bypass regression introduced by the patch for CVE-2025-55129, allowing authenticated API users to register usernames containing malicious payloads that enable impersonation of other accounts or deliver stored cross-site scripting attacks against administrative users. Reported via HackerOne (report #3680090), this vulnerability is not listed in CISA KEV and no public exploit has been identified at time of analysis. The provided CVSS vector is a null placeholder with all impact metrics rated N, which directly contradicts the described integrity and confidentiality impacts of stored XSS and account impersonation, and must not be used for risk prioritization.

XSS Authentication Bypass Adserver
NVD VulDB
EPSS 0%
NONE Awaiting Data

Stored XSS in Revive Adserver allows arbitrary JavaScript execution in an administrator's browser by embedding payloads in usernames that are later rendered unsanitized in the audit log details view. The attack persists in the platform's audit trail and fires when any admin reviews the affected log entries - a routine administrative activity, not a rare or unusual trigger. No public exploit has been identified at time of analysis, but the vendor has confirmed a fix by adding proper HTML output escaping to the audit log details rendering path.

XSS Adserver
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows a low-privileged authenticated user to exfiltrate database contents via the unsanitized clientid parameter in zone-include.php. The vulnerability is compounded by a concurrent input validation failure that also enables cross-site scripting, reflected in the CWE-79 assignment and CVSS scope-change vector - suggesting the zone-include.php endpoint contains at least two distinct injection classes. No public exploit has been identified at time of analysis, and a fix is available in versions beyond 6.0.6 per the vendor advisory on HackerOne.

SQLi XSS PHP +1
NVD
EPSS 0% CVSS 5.1
MEDIUM Monitor

Reflected XSS in DRIMO CMS search functionality allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted URL containing a malicious payload in the `q` parameter. All versions are affected via the CPE wildcard (cpe:2.3:a:drimo:drimo_cms:*), and the product has been declared End of Life - no security patch will be issued. The sole vendor-acknowledged mitigation, confirmed by CERT-PL, is deletion of the `info.php` file; no public exploit code or KEV listing has been identified at time of analysis.

XSS PHP Drimo Cms
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the ProfileGrid WordPress plugin (all versions through 5.9.9.2) allows authenticated users with Subscriber-level access to inject persistent malicious scripts via the `pm_author_message` parameter in the private messaging function `pm_send_message_to_author`. The injected payload executes in any user's browser upon visiting the affected page, with a changed scope (S:C) meaning impact can extend to the broader WordPress session context - including potential admin account compromise. No public exploit has been identified at time of analysis, and a partial patch in version 5.9.8.5 does not fully remediate the issue, leaving sites running through 5.9.9.2 exposed.

XSS WordPress Profilegrid User Profiles Groups And Communities
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected XSS in AKIN Software E-Commerce (all versions before 1.25.01.06) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into following a crafted URL. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) confirms network-reachable exploitation requiring no authentication, with a scope change indicating script execution in the browser context outside the originating document. Reported by TR-CERT; no public exploit code or CISA KEV listing identified at time of analysis.

XSS E Commerce
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Stored XSS in Crawl4AI's monitor dashboard (versions before 0.8.7) enables an unauthenticated remote attacker to inject persistent malicious markup by submitting a crafted crawl URL or triggering a crafted error message; the payload executes in any operator's browser that subsequently views the dashboard. This flaw is one of six vulnerabilities disclosed together in GHSA-365w-hqf6-vxfg, and its impact is materially amplified in unpatched deployments by a co-disclosed authentication bypass (CWE-306) that left all monitor endpoints, including the dashboard, accessible without credentials. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Crawl4ai
NVD GitHub
Prev Page 7 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy