Skip to main content

XSS

38816 CVEs technique

Monthly

CVE-2026-56263 PyPI MEDIUM PATCH This Month

Stored XSS in Crawl4AI's monitor dashboard (versions before 0.8.7) enables an unauthenticated remote attacker to inject persistent malicious markup by submitting a crafted crawl URL or triggering a crafted error message; the payload executes in any operator's browser that subsequently views the dashboard. This flaw is one of six vulnerabilities disclosed together in GHSA-365w-hqf6-vxfg, and its impact is materially amplified in unpatched deployments by a co-disclosed authentication bypass (CWE-306) that left all monitor endpoints, including the dashboard, accessible without credentials. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Crawl4ai
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-4983 MEDIUM PATCH This Month

Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This allows an attacker to publish an extension with a malicious SVG icon and achieve stored cross-site scripting (XSS) when a user navigates directly to the icon URL. On deployments using local storage, script execution occurs within the Open VSX application origin, enabling session hijacking, authentication token theft, and unauthorized extension publishing. On deployments backed by external storage (such as open-vsx.org with an S3-backed CDN), execution is confined to the storage origin, reducing impact but still permitting phishing attacks and credential harvesting through attacker-crafted pages.

XSS Eclipse Open Vsx
NVD VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-8378 MEDIUM POC This Month

Stored Cross-Site Scripting in the Frontend File Manager Plugin for WordPress (versions through 23.6) allows any authenticated subscriber-level user to compromise administrator sessions by injecting malicious script payloads via the frontend file-rename endpoint. The unsanitized filename is persisted as post meta and subsequently rendered unescaped within the WordPress admin File Manager listing, triggering execution whenever an administrator views that interface. A publicly available proof-of-concept exists per WPScan, and no confirmed patched version is identified in available data, making this an unresolved risk for all sites running this plugin at or below version 23.6.

XSS WordPress Frontend File Manager Plugin
NVD WPScan VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-8172 HIGH POC This Week

Reflected cross-site scripting in the Simple Basic Contact Form WordPress plugin (all versions through 20250114) allows unauthenticated remote attackers to execute arbitrary JavaScript in a visitor's browser when the victim follows a crafted link or submits a cross-site forged form that triggers a validation error. Publicly available exploit details have been published by WPScan, though the issue is not listed in CISA KEV and no EPSS data is provided in the input.

XSS WordPress Simple Basic Contact Form
NVD WPScan VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52798 Go HIGH PATCH GHSA This Week

Stored cross-site scripting in Gogs (self-hosted Git service) versions through 0.14.2 allows a low-privileged repository user to inject JavaScript via a crafted Jupyter notebook (.ipynb) Markdown cell containing a javascript: scheme link, which executes in the Gogs origin when a victim clicks the rendered link. Although server-side sanitization is performed via /-/api/sanitize_ipynb, the client subsequently re-renders Markdown cells with marked() and regenerates the dangerous links, and the file preview page is served without a Content Security Policy. Publicly available exploit code exists (full PoC published in the GHSA advisory) but there is no public exploit identified at time of analysis as actively exploited in the wild.

XSS Python
NVD GitHub
CVSS 3.1
8.9
EPSS
0.4%
CVE-2026-48167 PHP MEDIUM POC PATCH GHSA This Month

Stored cross-site scripting in Filament's ImageColumn and ImageEntry components allows low-privileged authenticated attackers to plant malicious HTML or JavaScript into database-backed image fields, which then executes in the browsers of any user who views the affected table or schema. Affected versions span 4.0.0 through the pre-fix releases across both the v4 and v5 branches of this widely-used Laravel admin panel framework. Vendor-released patches exist at versions 4.11.5 and 5.6.5; no public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Filament
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-56698 npm MEDIUM PATCH This Month

Reflected XSS in Nuxt 3.x before 3.21.7 and 4.x before 4.4.7 enables client-side script execution in the application's first-party origin when user-controlled input is passed to the `navigateTo()` composable's `open` parameter. The client-side early-open handler invoked `window.open(toPath, ...)` without running the `isScriptProtocol` check that guards the normal navigation path, allowing `javascript:`, `data:`, and `vbscript:` scheme URLs to reach `window.open()` directly. No active exploitation has been confirmed (not listed in CISA KEV), but vendor-released patches are available in versions 4.4.7 and 3.21.7.

XSS Nuxt
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-44793 Maven LOW PATCH GHSA Monitor

Reflected XSS in OpenAM's SAML2 federation library (openam-federation-library versions prior to 16.1.1) allows unauthenticated remote attackers to inject arbitrary JavaScript into the OpenAM origin via the Cookie-Hash-Redirect path, exploiting inconsistent output encoding in the FSUtils.postToTarget method. The attack surface is limited to deployments using a non-default clustered configuration; standard single-node deployments are not affected. A vendor-released patch (16.1.1) is available, and no public exploit has been identified at time of analysis.

XSS
NVD GitHub
CVE-2026-44203 Maven CRITICAL PATCH GHSA Act Now

Reflected cross-site scripting in OpenIdentityPlatform OpenAM versions 13.0.0 through 16.1.0 allows remote attackers to inject arbitrary HTML/JavaScript into the OAuth 2.0/OpenID Connect authorization endpoint response when the form_post response mode is used. The flaw resides in the FormPostResponse.ftl template, which insufficiently sanitizes user-supplied parameters such as state before reflecting them into the rendered HTML. No public exploit identified at time of analysis, but the high CVSS score (9.3) reflects the pre-authentication nature of the attack and the federated-identity context, where script execution in the OpenAM origin can compromise SSO sessions.

XSS
NVD GitHub
CVSS 3.1
9.3
CVE-2026-11994 MEDIUM This Month

Stored Cross-Site Scripting in Akaunting 3.1.21 allows a high-privileged authenticated user with report creation or update permissions to persist arbitrary HTML/JavaScript in the description field of the report management workflow. Any user - including administrators - who subsequently views the poisoned report will have the malicious script execute in their browser session, enabling session token theft, credential harvesting, or unauthorized UI actions on behalf of the victim. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the stored nature of the payload amplifies impact over reflected XSS variants in shared-user deployments.

XSS Akaunting
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-11943 MEDIUM This Month

Stored cross-site scripting in Akaunting 3.1.21 allows an authenticated high-privileged user to inject arbitrary HTML and JavaScript into their profile name, which is subsequently rendered unsanitized in the document timeline displayed on invoice and bill detail pages. Any other authenticated user - including administrators - who views those pages will have the malicious script execute in their browser context, enabling session hijacking, credential theft, or unauthorized actions on their behalf. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS Akaunting
NVD GitHub
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-50178 HIGH PATCH This Week

Command injection via untrusted Markdown rendering in the Angular Language Service VS Code extension (versions prior to 21.2.4) allows attackers to execute arbitrary commands on a developer's host when the developer hovers over and clicks a crafted JSDoc tooltip. The client trusts all rendered Markdown (isTrusted: true) while the language server fails to sanitize JSDoc content, enabling embedded command: URIs to fire from malicious source files or npm dependencies. No public exploit identified at time of analysis, but the supply-chain reach via npm packages makes this a notable developer-workstation risk.

XSS Node.js Angular Angular Ng Template
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-11942 MEDIUM This Month

Stored cross-site scripting in Akaunting 3.1.21 allows an authenticated user with record creation or modification privileges to embed malicious HTML/JavaScript into record name fields (such as Items), which subsequently executes in any other user's browser session when the reusable delete confirmation dialog renders that name unsanitized. The vulnerability is confirmed by Fluid Attacks security research and affects the shared delete confirmation component across multiple record types. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS 4.0 score of 4.8 reflects the authentication barrier and required victim interaction as meaningful limiting factors.

XSS Akaunting
NVD GitHub
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-49241 HIGH PATCH This Week

Arbitrary code execution in the Angular Language Service VS Code extension prior to 21.2.4 allows attackers to silently run code on a developer's machine simply by having them open a malicious repository in VS Code. The extension reads the typescript.tsdk and js/ts.tsdk.path workspace settings without checking Workspace Trust, then require()s a tsserverlibrary.js file from that attacker-controlled path. No public exploit identified at time of analysis, though the patch diff in PR #68857 clearly illustrates the exploit primitive.

XSS Node.js Angular
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2024-51454 MEDIUM PATCH This Month

IBM Engineering Workflow Management 7.0.2 through 7.0.2 Interim Fix 035, 7.0.3 through 7.0.3 Interim Fix 017, and 7.1 through 7.1 Interim Fix 004 is vulnerable to HTTP header injection, caused by. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM XSS Engineering Workflow Management
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-8059 MEDIUM PATCH This Month

Cross-site scripting in IBM Datacap and Datacap Navigator 9.1.7 through 9.1.9 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript within the Web UI, targeting authenticated users during active sessions. Successful exploitation can lead to credential theft or session hijacking by abusing the trust context of a legitimate user's browser. No public exploit code has been identified at time of analysis, and IBM has released a patch via official advisory.

IBM XSS Datacap Datacap Navigator
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-11372 MEDIUM PATCH This Month

Stored cross-site scripting in IBM TRIRIGA Application Platform 5.0.2 and 5.0.3 allows an authenticated low-privileged user to inject arbitrary JavaScript into the Web UI, which executes in the browser context of other users who view the affected page - enabling session hijacking and credential theft within trusted sessions. No public exploit code has been identified at time of analysis, and IBM has released a patch via their support advisory. The CVSS score of 5.4 (Medium) reflects the authentication prerequisite and limited direct impact scope, though the credential disclosure risk elevates practical severity for privilege-escalation scenarios.

IBM XSS Tririga Application Platform
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2025-33128 MEDIUM PATCH This Month

Stored cross-site scripting in IBM Engineering Workflow Management's Web UI enables an authenticated low-privileged attacker to inject arbitrary JavaScript that executes in the browser sessions of other users, including administrators, within the same trusted application context. Affected versions span 7.0.3 through 7.0.3 Interim Fix 020 and 7.1 through 7.1 Interim Fix 007. The scope-changed CVSS vector (S:C) confirms that impact crosses the attacker's own session boundary, creating a realistic path to credential theft or session hijacking against higher-privileged users. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis.

IBM XSS Engineering Workflow Management
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-12580 MEDIUM This Month

Stored Cross-Site Scripting in Digiwin's EasyFlow .NET workflow platform enables authenticated low-privilege attackers to inject persistent JavaScript that executes in other users' browsers on page load. The CVSS 4.0 vector (PR:L/UI:P/SC:L/SI:L) confirms the attacker requires a valid low-privilege account to plant the payload, while victims trigger execution passively by navigating to affected pages - including administrators who may have elevated session privileges worth hijacking. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing real-world risk in the medium tier, concentrated in multi-tenant or shared-user deployments.

XSS Easyflow Net
NVD
CVSS 4.0
5.1
EPSS
0.2%
CVE-2023-45795 HIGH PATCH This Week

A cross-site scripting vulnerability in the Builder Component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to inject malicious javascript and gain full control over the. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Pmi V8Xx Pasvisu
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2023-45796 HIGH PATCH This Week

A stored cross-site scripting vulnerability in the Runtime component of Pilz PASvisu before 1.14.1 and PMI v8xx up to and including 2.0.33992 allows a low-privileged remote unauthenticated attacker. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Pmi V8Xx Pasvisu
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-6858 HIGH POC PATCH This Week

The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator

WordPress XSS Transbank Webpay
NVD WPScan VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-4259 HIGH POC This Week

The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

WordPress XSS Ultimate Woocommerce Auction Pro
NVD WPScan VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-4110 MEDIUM POC This Month

The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

WordPress XSS Ultimate Woocommerce Auction Pro
NVD WPScan VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-12812 LOW Monitor

HTML injection in Radware Cyber Controller's HTML Report Generation component allows authenticated remote attackers to embed arbitrary HTML tags - including script-related content - into generated reports, enabling potential cross-site scripting scenarios targeting users who view those reports. All 10.x releases through 10.11.0 are confirmed affected per ENISA EUVD-2026-38198. A public proof-of-concept exploit has been disclosed (CVSS 4.0 E:P); the vendor was notified but did not respond, leaving no vendor-released patch available at time of analysis.

XSS Cyber Controller
NVD VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-12811 LOW POC PATCH Monitor

Reflected cross-site scripting in Suna's authentication endpoint allows remote attackers to execute arbitrary JavaScript in a victim's browser by manipulating the returnURL parameter passed to Next.js router.replace/router.push. All Suna releases from 0.8.0 through 0.8.38 are affected; the flaw spans every auth action (signIn, signUp, resetPassword, signInWithPassword, signUpWithPassword, sendOtpCode, resendMagicLink, installOwner) because none sanitized the returnUrl form field before use. A public proof-of-concept exploit exists (GitHub Gist by TrebledJ); no public exploitation confirmed and the vulnerability is not listed in CISA KEV.

XSS Suna
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-56397 Go CRITICAL PATCH Act Now

Remote code execution in SiYuan note-taking application (before v3.6.1) allows any malicious Bazaar marketplace package author to compromise users via unsanitized HTML rendering of package displayName, description, and README content. Because the Electron renderer is configured with nodeIntegration:true and contextIsolation:false, injected JavaScript pivots directly to arbitrary OS command execution. No public exploit identified at time of analysis, but VulnCheck published a detailed technical advisory documenting both zero-click (metadata) and one-click (README) vectors.

RCE XSS Siyuan
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.4%
CVE-2026-56395 Go CRITICAL PATCH Act Now

Remote code execution in SiYuan note-taking application before v3.6.1 occurs when users browse the built-in Bazaar marketplace, because package metadata (displayName, description) and README content are rendered without HTML sanitization. Because the Electron shell ships with nodeIntegration:true and contextIsolation:false, an injected script in the renderer executes arbitrary OS commands as the user. Reported by VulnCheck with detailed vulnerable-code analysis published in the GHSA advisory; no public exploit identified at time of analysis and not listed in CISA KEV.

RCE XSS Siyuan
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.4%
CVE-2026-56393 PHP MEDIUM PATCH This Month

Stored XSS in Craft CMS 4.x and 5.x allows an authenticated administrator to persist malicious JavaScript payloads in settings fields - section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels - that execute in other users' control-panel browser sessions when those pages are visited. The attack surface spans seven distinct injection points across the admin settings UI, all sharing the same root defect in Twig template rendering. No public exploit identified at time of analysis, though a proof of concept is documented in the upstream security advisory GHSA-4mgv-366x-qxvx, and the upstream CHANGELOG characterizes the severity as low.

XSS Cms
NVD GitHub VulDB
CVSS 4.0
4.6
EPSS
0.2%
CVE-2026-56383 PHP MEDIUM PATCH This Month

Stored XSS in Craft CMS's Table field component allows an authenticated administrator to persist arbitrary JavaScript via the Row Heading column type's default values, executing in the browser of any subsequent user who views a page rendering the affected table field. Affected deployments span Craft CMS 4.5.0-beta.1 through 4.16.18 and 5.0.0-RC1 through 5.8.22; patches are available in 4.16.19 and 5.8.23. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV, though the GHSA advisory published a working proof-of-concept payload, and real-world risk is substantially constrained by the non-default allowAdminChanges production setting.

XSS Cms
NVD GitHub VulDB
CVSS 4.0
4.6
EPSS
0.2%
CVE-2026-56381 PHP MEDIUM PATCH This Month

Stored XSS in Craft CMS (versions 5.0.0-RC1 through 5.8.21) allows an admin-level attacker to permanently embed malicious JavaScript into the User Permissions page by crafting a user group name with an unsanitized HTML payload. The script executes in the browser of any user who subsequently opens the Permissions tab on a user's edit page, creating a persistent cross-user attack vector within the control panel. Vendor-confirmed proof-of-concept steps are publicly documented in GHSA-g3hp-vvqf-8vw6; no confirmed active exploitation or CISA KEV listing at time of analysis.

XSS Cms
NVD GitHub VulDB
CVSS 4.0
4.6
EPSS
0.1%
CVE-2026-56347 PHP MEDIUM This Month

Stored cross-site scripting in AVideo's TopMenu plugin through version 26.0 allows payload execution for every site visitor due to unescaped rendering of icon classes, URLs, and text labels across multiple PHP templates. Critically, the saving endpoint (`menuItemSave.json.php`) lacks CSRF token validation despite checking for admin status, enabling a full CSRF-to-stored-XSS chain: an attacker with no account can inject the malicious menu item by luring an authenticated admin to an attacker-controlled page. Publicly available exploit code exists (GHSA-gmpc-fxg2-vcmq); no vendor-released patch has been identified at time of analysis.

XSS Avideo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-71331 npm MEDIUM PATCH This Month

Cross-site scripting in Flowise before 3.0.8 allows unauthenticated network attackers to inject malicious JavaScript into the chat interface via iframe javascript: URI payloads, or indirectly via custom agent functions that fetch and render unsanitized external HTTP responses. When a victim browses the affected chat or agent output in their browser, the injected script executes in their session, enabling cookie theft and session hijacking. A working proof-of-concept payload is publicly documented in GitHub Security Advisory GHSA-4fr9-3x69-36wv; no active exploitation is confirmed in CISA KEV at time of analysis.

XSS Flowise
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-56317 npm LOW PATCH Monitor

Cross-site scripting in Nuxt's globally registered NoScript component allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting payload via attacker-controlled slot content, such as URL query parameters. The vulnerability exists in both supported release lines - 3.x before 3.21.7 and 4.x before 4.4.7 - and is rooted in the server-side rendering pipeline writing slot content to innerHTML without escaping, bypassing Vue's normal template sanitization. No active exploitation has been confirmed in CISA KEV; vendor-released patches are available and the fix is a one-line change confirmed in open commit history.

XSS Nuxt
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.4%
CVE-2025-62198 MEDIUM This Month

Stored XSS in Apache Atlas's Create Entity page allows any authenticated user to inject persistent malicious JavaScript that executes in other users' browsers. All deployments running Apache Atlas 2.4.0 and earlier are affected. An attacker with a valid account can store a crafted payload that triggers against higher-privileged users - such as administrators - who later view the poisoned entity, enabling session hijacking or credential theft. No public exploit or CISA KEV listing has been identified at time of analysis.

Apache XSS Atlas
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-55877 PHP MEDIUM PATCH GHSA This Month

Cross-site scripting in Symfony UX Icons (symfony/ux-icons) allows an attacker who controls SVG icon content - via a malicious third-party icon pack, a downloaded icon set, or a tampered Iconify on-demand endpoint - to inject and execute arbitrary JavaScript in the browsers of users who load any page rendering those icons. Two distinct sanitization failures existed: the local-file path in `Icon::fromFile()` only stripped top-level `<script>` children of `<svg>`, ignoring nested scripts and all `on*` event-handler attributes, while the Iconify on-demand path (enabled by default) applied zero sanitization to the remote JSON `body` field before inlining it as HTML. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-55692 PHP HIGH POC PATCH GHSA This Week

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user with page-edit rights to inject arbitrary JavaScript into the data-mw-iframeconfig attribute by supplying a malformed URL or ID containing single quotes for the archiveorg, wistia, or sharepoint services. The flaw is present under the default $wgEmbedVideoRequireConsent=true configuration and executes in the wiki origin for every visitor that loads the affected page, with publicly available exploit code exists in the GHSA advisory.

Microsoft XSS PHP
NVD GitHub
CVSS 3.1
7.5
CVE-2026-55650 npm MEDIUM PATCH GHSA This Month

Stored XSS in Outerbase Studio's Text Widget (npm/@outerbase/studio <= 0.10.2) allowed arbitrary HTML injection through React's dangerouslySetInnerHTML, enabling script execution in any user who viewed a malicious dashboard. The real-world severity is substantially reduced from legacy disclosures: Outerbase Cloud was discontinued in 2025, leaving the application as a purely client-side tool with no backend, no shared sessions, and no persistent authentication tokens - eliminating the originally described token-theft and account-takeover scenarios. No public exploit identified at time of analysis, though the advisory itself contains a functional reproduction payload.

XSS
NVD GitHub
CVSS 3.1
4.4
CVE-2026-32208 MEDIUM PATCH NO ACTION HOSTED Monitor

Cross-site scripting in Microsoft Edge (Chromium-based) allows an authenticated remote attacker to perform spoofing attacks against users over a network. The flaw stems from improper neutralization of input during web page generation (CWE-79), and while CVSS rates impact as high across confidentiality, integrity, and availability, no public exploit identified at time of analysis.

Microsoft Google XSS Edge Chromium
NVD VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-55847 Maven MEDIUM PATCH GHSA This Month

Stored XSS in allure-generator (versions <= 2.38.1) allows arbitrary JavaScript execution in the browser of anyone who views a generated Allure report containing crafted test result data. The vulnerable `ansi.js` Handlebars helper passes unsanitized `statusMessage` and `statusTrace` values - sourced from JUnit XML failure messages and equivalent fields in TRX, xUnit XML, xctest, and Allure 1/2 plugins - through `ansi-to-html` without HTML escaping, then wraps the output in `SafeString` to bypass Handlebars' auto-escape protection. A publicly available proof-of-concept demonstrates exploitation via a crafted JUnit XML file; the attack is particularly relevant to CI/CD environments (Jenkins, GitLab, GitHub Actions) where reports are served on shared infrastructure with active authenticated sessions.

Gitlab Java Jenkins XSS
NVD GitHub
CVSS 3.1
6.1
CVE-2026-55660 npm HIGH PATCH GHSA This Week

Cross-window message spoofing in TinaCMS (npm tinacms and @tinacms/app) lets a malicious web page hijack an authenticated editing session because the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer act on window.postMessage event.data without validating event.origin or event.source, and reply with wildcard target origins. An attacker who lures an authenticated Tina editor to a crafted page (or gains an opener/iframe relationship with the Tina admin) can forge messages to drive the editor, inject preview content, or observe and forge the OAuth popup channel to take over the session. There is no public exploit identified at time of analysis; a vendor patch is available in PR #7056 and the flaw carries a CVSS 4.0 base score of 7.6.

XSS
NVD GitHub
CVSS 4.0
7.6
EPSS
0.2%
CVE-2026-55791 PHP MEDIUM PATCH GHSA This Month

Server-Side Request Forgery and arbitrary JavaScript injection in Craft CMS 4.x (before 4.18) and 5.x (before 5.10) allow remote unauthenticated attackers to poison the Host or X-Forwarded-Host header against the /actions/app/resource-js endpoint, forcing the backend Guzzle client to proxy attacker-controlled content as application/javascript. When the instance sits behind a caching layer, this chains into web cache poisoning, stored XSS in the Control Panel, and 1-click RCE via session-riding the plugin install action. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-c55v-343g-5xff) provides detailed exploitation mechanics.

SSRF RCE Apache XSS Nginx
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-55691 PHP HIGH POC PATCH GHSA This Week

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any wiki user to inject arbitrary HTML and JavaScript into rendered pages by abusing the unsanitized class attribute on embed tags such as <youtube>. Because the user-supplied class is concatenated into an HTML template via sprintf without escaping, an attacker can break out of the class attribute and execute script in the context of every visitor that views the page. No public exploit identified at time of analysis beyond the advisory's own PoC, and the issue is not listed in CISA KEV.

PHP XSS
NVD GitHub
CVSS 3.1
8.6
CVE-2026-55690 PHP HIGH POC PATCH GHSA This Week

{{#ev:}} or {{#evl:}} parser functions. The unsanitized service name is reflected into an error message that is rendered as raw HTML, executing in the wiki origin for every visitor to the affected page. No public exploit identified at time of analysis beyond the advisory's own PoC, but working PoC code is published in the GitHub Security Advisory GHSA-c29q-5xm7-5p62.

PHP XSS
NVD GitHub
CVSS 3.1
7.5
CVE-2026-55778 npm LOW PATCH Monitor

Stored XSS in Parse Server's file upload handler enables authenticated users to bypass the `fileUpload.fileExtensions` blocklist by pairing a non-standard or compound filename extension (e.g., `malicious.svg~`, `malicious.html.bak`) with a dangerous Content-Type header such as `image/svg+xml` or `text/html`. On S3 and GCS storage adapters, which persist and serve the client-supplied Content-Type, the uploaded file is subsequently delivered to browsers with attacker-controlled content, executing arbitrary JavaScript against any victim who opens the file URL. This is the third incomplete-fix iteration of the same vulnerability class (following GHSA-vr5f-2r24-w5hc and GHSA-7wqv-xjf3-x35v), with patches confirmed in versions 8.6.81 and 9.9.1-alpha.11 and no public exploit or CISA KEV listing identified at time of analysis.

File Upload XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-54527 LIB CRITICAL PATCH GHSA Act Now

Stored cross-site scripting in the jupyterlab-git extension (versions 0.30.0b3 through 0.53.x) escalates to remote code execution when a victim views a rename diff in the Git History tab. The PlainTextDiff.ts createHeader() method injects unsanitized Git filenames into innerHTML, so a filename such as <img src=x onerror=eval(atob(...))>.py fires JavaScript that reads the _xsrf cookie, spawns a JupyterLab terminal via POST /api/terminals, and runs arbitrary shell commands. Reported by AWS Security; no public exploit identified at time of analysis, though the vendor advisory (GHSA-f962-v9hr-pfg5) documents a detailed reproduction path, and it is not listed in CISA KEV.

XSS RCE
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-49216 PHP MEDIUM PATCH This Month

Stored cross-site scripting in symfony/ux-autocomplete allows an attacker who can write user-controlled data to an AJAX autocomplete endpoint to execute arbitrary JavaScript in the browser of any user who subsequently loads a page containing an affected autocomplete widget. The Stimulus controller's `_createAutocompleteWithRemoteData()` function interpolates the `text` field from AJAX responses directly into HTML template literals without sanitization, causing the browser to parse and execute embedded markup. The vulnerability affects composer package versions 2.2.0-2.36.0 and 3.0.0-3.1.0; a vendor-released patch is available, and no active exploitation has been confirmed (not in CISA KEV).

XSS
NVD GitHub
CVE-2026-49210 PHP MEDIUM PATCH This Month

Cross-site scripting in symfony/ux-live-component allows network-accessible attackers to inject arbitrary HTML - including script tags - into re-rendered Live Component responses by supplying a malicious tag name via client-controlled JSON. Affected versions span composer/symfony/ux-live-component >= 2.8.0 < 2.36.0 and >= 3.0.0 < 3.1.0. Direct exploitation is constrained to applications with permissive CORS or same-origin pivot contexts; under default configuration the required Accept header provides partial protection that makes this a defense-in-depth gap rather than an immediately weaponizable internet-wide threat. No public exploit and no CISA KEV listing are confirmed at time of analysis.

XSS
NVD GitHub
CVE-2026-12621 MEDIUM This Month

DOM-based cross-site scripting in Microchip's GridTime 3000 GNSS Time Server allows an authenticated attacker to inject malicious JavaScript through the device's password reset form, executing arbitrary script in the browser context of any user who subsequently loads the affected page. The vulnerability spans versions 1.0r0.03 through all releases before 1.2r0.0. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis; however, the network-accessible web interface and low-privilege authentication requirement make this exploitable in typical enterprise or utility network deployments where the device's management UI is reachable.

XSS Gridtime 3000
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-12619 MEDIUM This Month

Cross-site scripting in Microchip GridTime 3000 GNSS Time Server (versions 1.0r0.03 through 1.1r0.0) permits authenticated low-privilege attackers to inject and execute malicious scripts in the browser sessions of higher-privileged users via a CSRF-to-XSS attack chain. The CVSS 4.0 Threat metric E:A signals active exploitation has been reported by the vendor, elevating urgency beyond what the 5.1 base score alone implies. Despite limited per-impact ratings, compromise of the web management interface of a critical time-synchronization appliance carries downstream risk to time-dependent infrastructure.

XSS Gridtime 3000
NVD VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-8296 MEDIUM PATCH This Month

Stored Cross-Site Scripting in Octopus Server allows authenticated high-privilege users to embed malicious JavaScript payloads through the artifact upload mechanism, which execute in the browsers of other users who interact with the affected artifact. The CVSS 4.0 vector (PR:H, UI:A, VC:H) confirms exploitation requires elevated access and victim interaction, with the primary impact being confidentiality - likely session token or credential theft. No public exploit code exists and the vulnerability has not been added to the CISA KEV catalog at time of analysis.

XSS Octopus Server
NVD VulDB
CVSS 4.0
5.6
EPSS
0.2%
CVE-2026-12430 MEDIUM This Month

Stored Cross-Site Scripting in the Blocksy Companion WordPress plugin (all versions through 2.1.45) enables authenticated users with editor-level privileges or above to inject persistent JavaScript payloads via admin settings in the product-reviews extension, executing silently in any site visitor's browser on page load. Exploitation is gated by two mandatory deployment conditions - WordPress multisite networks or installations where unfiltered_html has been explicitly disabled - materially narrowing the real-world attack surface beyond what the network-accessible CVSS vector alone implies. No public exploit has been identified and this CVE does not appear in the CISA KEV catalog at time of analysis; an upstream patch commit (changeset 3576066) exists but the exact fixed release version is not independently confirmed from available data.

WordPress XSS Blocksy Companion
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-4328 MEDIUM This Month

Server-Side Request Forgery in the Advanced Import WordPress plugin (all versions through 1.4.6) allows authenticated users holding Author-level access or higher to force the web server to issue HTTP requests to arbitrary internal or external URLs via the demo_download_and_unzip() AJAX handler. The critical design flaw is the inconsistent use of wp_remote_get() instead of WordPress's own wp_safe_remote_get() - which the plugin correctly employs elsewhere - meaning no SSRF-aware URL validation is applied to the 'demo_file' POST parameter when 'demo_file_type' is set to 'url'. No public exploit code has been identified at time of analysis, but the scope change in the CVSS vector reflects that successful exploitation escapes the WordPress application boundary and can reach internal network services, including cloud instance metadata endpoints such as AWS IMDSv1.

XSS WordPress SSRF Advanced Import
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12157 MEDIUM This Month

Stored Cross-Site Scripting in BetterDocs WordPress plugin (versions ≤4.5.3) allows authenticated contributors to inject persistent malicious scripts via the unescaped blockId attribute of the betterdocs/category-slate-layout Gutenberg block. The injected payload executes in the browser of any visitor who loads the compromised page, enabling session hijacking, credential theft, or admin-level privilege escalation against site operators. No public exploit identified at time of analysis, but the contributor-level authentication threshold makes this accessible on any WordPress site permitting open or shared content authorship.

WordPress XSS Betterdocs Ai Documentation Knowledge Base Docs Wikis Faq With Chatbot
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-1856 MEDIUM This Month

Stored Cross-Site Scripting in the Creavi Appointment Booking Calendar plugin for WordPress (all versions through 1.4.4) allows authenticated attackers holding Author-level access or higher to permanently inject arbitrary JavaScript via unsanitized custom booking field labels. The malicious payload executes in the browser of any user who subsequently visits a page containing the injected booking form, enabling session hijacking, credential harvesting, or malicious redirects against site visitors and administrators alike. No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis, though a fix commit is available in the WordPress plugin Trac repository.

WordPress XSS Creavi Appointment Booking Calendar
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12048 CRITICAL PATCH Act Now

Stored cross-site scripting in pgAdmin 4 versions 6.0 through 9.15 allows a malicious or attacker-influenced PostgreSQL server to inject arbitrary HTML into pgAdmin's interface via ErrorResponse messages and EXPLAIN plan fields rendered through html-react-parser. Because the injection executes inside pgAdmin's own DOM, an attacker can render convincing phishing dialogs or redirect the top-level tab via iframe srcdoc, bypassing standard X-Frame-Options and frame-ancestors protections. No public exploit identified at time of analysis, but the vendor has shipped a multi-layer fix in 9.16.

PostgreSQL XSS Pgadmin 4
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-12047 MEDIUM PATCH This Month

HTML injection in pgAdmin 4's Cloud Wizard (versions 6.6 through 9.15.x) allows authenticated users to embed arbitrary HTML into the tool's DOM by exploiting unescaped AWS, Azure, and Google Cloud SDK exception text propagated into JSON response fields and parsed by html-react-parser. The primary impact is self-targeted DOM manipulation - the authenticated user who submits the crafted payload is the one who sees it rendered - with escalation to cross-user exploitation requiring an additional CSRF primitive to forge a valid X-pgA-CSRFToken in a victim's browser. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, consistent with its CVSS 4.0 Medium rating of 4.8.

Microsoft Google XSS Pgadmin 4
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-22674 MEDIUM PATCH This Month

Stored cross-site scripting in Hashgraph Guardian through 3.5.0 allows an authenticated user holding the STANDARD_REGISTRY role to inject persistent JavaScript payloads into the branding configuration's companyName field via the branding API endpoint. The injected script executes in every authenticated user's browser on every page load due to unsanitized innerHTML assignments in both the BrandingService and BrandingComponent Angular classes. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the fix diff is publicly visible in GitHub PR #6190, lowering the barrier for exploit development.

XSS Guardian
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-43915 MEDIUM PATCH This Month

Stored XSS in Coturn's web-admin HTTPS interface (all versions prior to 4.11.0) allows a TURN-level attacker to inject persistent JavaScript that executes in an authenticated administrator's browser when they view the session list. The attack is staged via a crafted USERNAME value in a TURN Allocate request, bridging the TURN protocol surface into the web-admin UI context. In anonymous deployments (--no-auth), no TURN credentials are required for the injection phase, broadening the exposure; in authenticated deployments the attacker must hold valid TURN credentials. No public exploit has been identified and this vulnerability is not listed in CISA KEV.

XSS Coturn Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-11982 MEDIUM PATCH This Month

Stored XSS in Grav CMS's grav-plugin-api (Admin2) allows a low-privileged editor to persist malicious JavaScript in page content via the PATCH /pages API endpoint, which then executes in any administrator's or visitor's browser when the affected page is loaded. The root cause is that the API's partial-field validation path (validateChangedFields()) ran only type and required-field checks but omitted the XSS safety gate (Validation::checkSafety()), a check the classic Admin interface correctly enforced - creating a trust-boundary bypass exclusive to the REST API path. Publicly available exploit code exists via the Fluid Attacks advisory and the vendor's own regression test suite; no active exploitation (CISA KEV) has been confirmed.

XSS Grav Plugin Api
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-55237 HIGH PATCH This Week

DOM-based cross-site scripting in AutoGPT versions prior to 0.6.62 allows remote attackers to execute arbitrary JavaScript in an authenticated victim's browser by tricking them into clicking a crafted signup-page link whose `next` URL parameter is passed unsanitized into `router.push`. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-j2cp-jg5q-38wj) confirms the issue and ships a fix in 0.6.62.

XSS Autogpt
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-54002 PHP HIGH PATCH GHSA This Week

Stored cross-site scripting in Kirby CMS (getkirby/cms) lets an authenticated Panel editor inject markup that survives Dom::sanitize() and executes as JavaScript when content is rendered in the Panel or on the site frontend. The flaw affects the writer and list fields plus the Sane HTML/SVG/XML sanitization API, and versions ≤ 4.9.3 and 5.0.0-alpha.1 through 5.4.3 are vulnerable. No public exploit identified at time of analysis, and this is not in CISA KEV, but the vendor rates it high severity because a low-privileged editor can escalate to an admin session.

File Upload XSS
NVD GitHub
CVSS 4.0
8.5
EPSS
0.4%
CVE-2026-49276 PHP HIGH PATCH GHSA This Week

Cross-site scripting in Kirby CMS's Panel writer field (versions <= 4.9.3 and 5.0.0-alpha.1 through 5.4.3) lets an authenticated user inject a JavaScript-scheme URL into the link or email marks that executes in their own browser session when clicked before the content is saved. In Kirby's default configuration this is limited to self-XSS requiring social engineering, but Panel plugins that embed the <k-writer> component without sanitizing HTML before storage can be escalated to stored XSS affecting other users. There is no public exploit and it is not in CISA KEV; the vendor rates it high severity for affected sites.

XSS
NVD GitHub
CVSS 4.0
7.4
EPSS
0.3%
CVE-2026-44727 PyPI CRITICAL PATCH GHSA Act Now

Stored cross-site scripting in jupyter_server's nbconvert HTTP handlers allows a malicious notebook to execute JavaScript in the Jupyter origin, leading to session token theft, full /api/* control, and kernel remote code execution. The NbconvertFileHandler and NbconvertPostHandler render notebook-authored HTML without a CSP sandbox directive, and combined with HTMLExporter's non-sanitizing default, any display_data HTML payload runs with the victim's authority. No public exploit identified at time of analysis, but the CVSS 4.0 base score is 9.3 and a vendor patch is available in v2.20.0.

XSS
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-55890 PHP MEDIUM PATCH GHSA This Month

Stored CSS injection in Grav CMS's MediaObjectTrait::style() exposes an incomplete fix: the original patch for CVE-2026-42841 (GHSA-r7fx-8g49-7hhr) explicitly denylisted 'style' in the attribute() code path but left the parallel style() method-reachable via the same Markdown ?style= image query parameter pipeline-entirely unsanitized. Any editor holding admin.pages permission can save a single Markdown image reference with an arbitrary CSS payload that persists in the CMS and renders into <img style='...'> for every subsequent viewer, including administrators and super-admins in their authenticated sessions. A deterministic proof-of-concept ships with the advisory; no active exploitation (CISA KEV) has been confirmed at time of analysis.

PHP XSS
NVD GitHub
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-55885 PHP MEDIUM PATCH GHSA This Month

Grav CMS (getgrav/grav < 1.7.53) exposes admin bcrypt password hashes, SMTP credentials, and full site configuration to any actor who can obtain a session-static admin-nonce value - via XSS, Referrer header leakage, browser history, or proxy logs - because the backup download endpoint enforces only a single URL-embedded nonce with no form-level CSRF token and no session binding. The default backup profile archives the entire GRAV_ROOT directory including user/accounts/ and user/config/ without exclusions, and the download handler Base64-encodes the absolute filesystem path in the response URL, leaking server internals. A fully functional public PoC is available; no CISA KEV listing exists at time of analysis, but downstream risk includes offline hashcat cracking followed by unauthenticated admin login with no server-side rate limiting.

CSRF Information Disclosure RCE XSS Path Traversal +1
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-55672 Go HIGH PATCH GHSA This Week

Authentication bypass in Zitadel identity platform (versions 3.0.0-3.4.11 and 4.0.0-4.15.1) allows an attacker who has obtained a victim's authorization code, refresh token, or device authorization grant to redeem it under a different OAuth client registered on the same instance, because the server fails to validate the client_id binding required by RFC 6749 §4.1.3. No public exploit identified at time of analysis; CVSS 7.4 with high attack complexity reflects the requirement that the attacker first intercept the code or token through a separate weakness such as XSS, log exposure, or referrer leakage.

Authentication Bypass Microsoft XSS
NVD GitHub
CVSS 3.1
7.4
EPSS
0.3%
CVE-2026-55661 npm MEDIUM PATCH GHSA This Month

Stored XSS in TinaCMS rich-text rendering allows any content author with editor-level access to inject `javascript:` or `data:text/html` URLs into Slate link/image nodes, which execute in the browsers of editors and site visitors when affected content is viewed. Both `tinacms` (< 3.9.3) and `@tinacms/mdx` (< 2.1.7) are confirmed affected, with the vulnerable path covering case-variant, whitespace-padded, and control-character-obfuscated scheme bypass techniques indicating deliberate evasion of naive sanitization. No public exploit or CISA KEV listing exists; vendor-released patches are available.

XSS
NVD GitHub
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-54221 MEDIUM This Month

Reflected XSS in UBB.threads 7.7.5 enables remote attackers to execute arbitrary JavaScript in a victim's browser by tricking them into clicking a crafted URL containing malicious input. The vulnerability stems from improper handling of user-supplied data in HTTP requests, with impact scoped to the victim's browser session rather than the server itself. No public exploit code or active exploitation has been identified at time of analysis; vendor contact was unsuccessful, leaving patch status unresolved.

XSS Ubb Threads
NVD
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-54219 MEDIUM This Month

Stored XSS in UBB.threads 7.7.5 permits low-privileged forum members to permanently inject arbitrary JavaScript into post content and user profile fields, which then executes silently in any visitor's browser upon viewing the affected page. The vulnerability was discovered and disclosed by CERT-PL after unsuccessful vendor contact attempts, leaving remediation status unresolved. No public exploit code has been identified and no active exploitation is confirmed, but the persistent nature of the injection vector makes this a meaningful risk to forum users and administrators alike.

XSS Ubb Threads
NVD
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-40457 LOW PATCH Monitor

Reflected XSS in LAN Management System (LMS) before commit 9c5651b allows network-positioned attackers to inject arbitrary JavaScript into the browsers of authenticated LMS users by crafting malicious links targeting the `dbrecover.php` and `netremap.php` modules. The `db`, `id`, and `mapto` GET parameters were directly concatenated into HTML anchor elements without sanitization, as confirmed by the upstream commit diff. No public exploit has been identified at time of analysis, exploitation is not confirmed in CISA KEV, and the CVSS 4.0 score of 2.1 reflects genuinely constrained impact due to the required victim interaction and specific attack preconditions.

PHP XSS Lms
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-56009 MEDIUM This Month

Stored Cross-Site Scripting in the Bricksable for Bricks Builder WordPress plugin (versions through 1.6.83) allows a high-privileged attacker to inject persistent malicious scripts into page builder elements, which then execute in victims' browsers when affected pages are loaded. The CVSS scope change (S:C) confirms the injected payload crosses into the victim's browser security context, enabling session hijacking, credential theft, or unauthorized actions on behalf of the viewing user. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the stored nature of this XSS increases persistence risk relative to reflected variants.

XSS Bricksable For Bricks Builder
NVD VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-56007 MEDIUM This Month

Stored XSS in OceanWP's Ocean Product Sharing WordPress plugin (all versions through 2.2.2) allows administrator-level attackers to persist malicious JavaScript into plugin configuration or product sharing fields. When other authenticated users or site visitors load affected product pages, the injected scripts execute in their browsers, enabling session cookie theft, credential harvesting, or unauthorized UI manipulation. No public exploit code has been identified and no active exploitation is confirmed (not in CISA KEV) at time of analysis; real-world risk is constrained by the PR:H requirement.

XSS Ocean Product Sharing
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-2021 MEDIUM This Month

Stored Cross-Site Scripting in the Slideshow Gallery LITE WordPress plugin (all versions through 1.8.5) allows authenticated attackers with Contributor-level access to persistently inject arbitrary JavaScript via the 'alwaysauto' shortcode attribute, which then executes in the browser of any user who visits the affected page. The root cause is insufficient input sanitization and output escaping on user-supplied shortcode attributes, a classic CWE-79 pattern. The scope change in the CVSS vector (S:C) reflects that the injected script runs outside the plugin's security context - in victim users' browsers - enabling session hijacking, credential theft, or admin account takeover. No public exploit or CISA KEV listing has been identified at time of analysis.

WordPress XSS Slideshow Gallery Lite
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-8039 MEDIUM This Month

Stored Cross-Site Scripting in the Fancy Testimonials WordPress plugin (all versions ≤ 1.0, by dijitul) permits any authenticated Contributor-level user to persist arbitrary JavaScript via the 'author' attribute of the [testimonial] shortcode, which executes in every subsequent visitor's browser context. The CVSS scope change (S:C) reflects that injected scripts operate within the victim's browser session — enabling session hijacking, credential theft, or malicious redirects targeting site visitors and administrators alike. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but the attack technique is trivially reproducible given knowledge of the shortcode parameter.

WordPress XSS Fancy Testimonials
NVD VulDB
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-12098 MEDIUM This Month

Stored Cross-Site Scripting in PowerPress Podcasting plugin by Blubrry (WordPress, versions ≤ 11.16.8) allows authenticated attackers with Author-level access to plant persistent JavaScript payloads via the 'embed' Episode Meta Field, executing in every visitor's browser on affected episode pages. The vulnerability is architecturally significant because the embed value is written through `update_post_meta()` rather than WordPress's post content pipeline, causing kses sanitization to be skipped entirely - bypassing the role-based XSS mitigations that WordPress normally enforces even for Author-role users who lack the `unfiltered_html` capability. No public exploit or CISA KEV listing has been identified at time of analysis, though the low authentication barrier (Author level) makes multi-author WordPress sites an elevated-risk target.

WordPress XSS Powerpress Podcasting Plugin By Blubrry
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12137 MEDIUM This Month

Reflected Cross-Site Scripting in the SysBasics Customize My Account for WooCommerce plugin (versions ≤ 4.3.6) enables unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'tab' parameter in the admin settings page. Exploitation is constrained by a critical precondition: the vulnerable `plugin_options_page()` function is rendered exclusively in the WordPress admin dashboard, meaning the targeted victim must hold Shop Manager-level access or higher and be socially engineered into clicking a crafted link while authenticated. No public exploit code or CISA KEV listing has been identified at time of analysis; this is a no public exploit identified at time of analysis scenario reported by Wordfence.

WordPress XSS Sysbasics Customize My Account For Woocommerce Dashboard Endpoints Avatar Menu Manager
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-12136 MEDIUM This Month

Stored Cross-Site Scripting in the Customize My Account For WooCommerce WordPress plugin (versions up to and including 4.3.6) allows authenticated attackers with Contributor-level access to inject persistent JavaScript payloads via the 'sysbasics_user_avatar' shortcode. The flaw originates in the wcmamtx_get_avatar_default() function, which concatenates unescaped user-supplied shortcode attributes (min_height, min_width, max_height, max_width) directly into the get_avatar() extra_attr style attribute, bypassing sanitization entirely. No active exploitation is confirmed in CISA KEV and no public exploit has been identified at time of analysis, though Wordfence has published full technical details including the vulnerable source lines.

WordPress XSS Sysbasics Customize My Account For Woocommerce Dashboard Endpoints Avatar Menu Manager
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-55746 PHP HIGH GHSA This Week

Stored cross-site scripting in Cotonti 1.0.0 (master branch, commit f43f1fc3) lets an authenticated user inject HTML/JavaScript into Personal File Storage (PFS) folder titles, which then execute in any viewer's browser when the folder listing is rendered. The flaw stems from the 'TXT' import filter not encoding HTML combined with unescaped template output, and no public exploit identified at time of analysis. Discovered by TuranSec; impact extends to other users browsing public folders, enabling session theft or account actions in their context.

PHP XSS Cotonti
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-11358 MEDIUM This Month

Stored Cross-Site Scripting in the Orbit Fox WordPress plugin (ThemeIsle) allows authenticated administrators to inject persistent malicious scripts into pages served to any visiting user. Affected are all versions through 3.0.6, but only under specific deployment conditions: WordPress multisite networks or installations where the unfiltered_html capability has been explicitly disabled. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 4.4 reflects the elevated prerequisites and limited per-incident impact, though scope-changed XSS can still enable session theft and secondary phishing in affected deployments.

WordPress XSS Orbit Fox
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-11402 MEDIUM This Month

Stored Cross-Site Scripting in the bplugins Services Section Block WordPress plugin (all versions through 1.4.4) enables authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'link' block attribute. The payload evades wp_kses_post sanitization by embedding inside HTML comments at save time, then executes from two rendering paths - the primary service link anchor and a secondary title-wrapped anchor - when the linkIn option is set to 'title'. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the scope-changed (S:C) nature means injected content executes in any site visitor's browser session, enabling session hijacking or credential theft at scale.

WordPress XSS Services Section Block Showcase Service Details In Grid Or Columns
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-48768 CRITICAL Act Now

Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visitors of any published bot containing a file-input block to write attacker-controlled HTML, SVG, or JavaScript into arbitrary subpaths of the shared public S3 bucket. The flaw stems from an unauthenticated presigned-URL endpoint that trusts a raw fileName parameter and does not bind Content-Type, enabling stored XSS on the storage origin and content hosting under other tenants' result paths. No public exploit identified at time of analysis, but the CVSS 9.3 (scope-changed) reflects significant cross-tenant impact.

Path Traversal XSS Typebot Io
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-54386 PyPI MEDIUM PATCH This Month

Reflected XSS in the marimo notebook server before version 0.23.9 enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in the origin of a victim's marimo server by supplying a crafted `file` query parameter. The flaw stems from improper single-quote escaping in assets.py when reflecting the parameter into an inline JavaScript string literal; attackers bypass the server's 404 check by prefixing payloads with `__new__`, and execution occurs without Content-Security-Policy restrictions. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the attack mechanism is straightforward for a motivated attacker targeting shared or collaborative marimo deployments.

XSS Marimo
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-48821 MEDIUM This Month

DOM-based XSS in Shaarli's Thumbnail Synchronizer allows stored malicious bookmark titles to execute arbitrary JavaScript in an administrator's browser session when thumbnail synchronization is triggered. Versions 0.16.1 and prior are affected; the root cause is unsanitized innerHTML injection in thumbnails-update.js after the backend's ThumbnailsController::ajaxUpdate returns raw, unescaped bookmark titles via AJAX. Successful exploitation can lead to session hijacking, privilege escalation, and backdoor injection against administrator accounts. No public exploit or KEV listing is confirmed at time of analysis; a vendor patch is available in v0.16.2.

Privilege Escalation XSS Shaarli
NVD GitHub VulDB
CVSS 3.1
5.8
EPSS
0.1%
CVE-2026-48823 MEDIUM This Month

Stored XSS in Shaarli's tag filtering functionality permits an authenticated user to inject persistent JavaScript payloads via the bookmark tags field, which execute in the browsers of any user who subsequently interacts with the 'Filter by tag' search feature on the homepage. All Shaarli deployments running version 0.16.1 or earlier are affected, including instances where administrators use the tag-filter feature. The vulnerability enables session hijacking or credential exfiltration against any user who triggers the tag search, with no public exploit code or CISA KEV listing identified at time of analysis. Vendor-released patch v0.16.2 (2026-05-23) resolves the issue.

XSS Shaarli
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-48822 MEDIUM This Month

Stored XSS in Shaarli's Markdown rendering pipeline (versions 0.16.1 and prior) allows an authenticated user to inject malicious javascript: URIs via Markdown reference-style links in bookmark descriptions, bypassing the filterProtocols sanitization method in BookmarkMarkdownFormatter.php. When any user or guest visitor views the crafted bookmark, arbitrary JavaScript executes in their browser context, enabling session theft or unauthorized actions. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV; vendor-released patch v0.16.2 is available as of 2026-05-23.

PHP XSS Shaarli
NVD GitHub VulDB
CVSS 3.1
5.8
EPSS
0.1%
CVE-2026-55409 PHP HIGH PATCH GHSA This Week

Stored XSS in Filament v3 PHP admin panel framework occurs when a RichEditor form field is rendered in disabled mode, because the disabled view binds raw state via Alpine's x-html directive without HTML sanitization. Authenticated attackers who can write into the underlying field state can plant HTML or JavaScript that executes in the browser of any user later viewing the form, with no public exploit identified at time of analysis and no KEV listing.

XSS
NVD GitHub
CVSS 3.1
7.6
EPSS
0.2%
CVE-2026-28737 Go HIGH PATCH GHSA This Week

Stored cross-site scripting in Gitea 1.25.x affects the built-in 3D file viewer (Online3DViewer integration) where a crafted .gltf file with an unsupported extension name in extensionsRequired is rendered into the DOM via innerHTML without sanitization. Any low-privileged user who can push a file to a repository (including a public fork) can compromise the session of any user who later views the file, enabling token theft and full account takeover. Publicly available exploit code exists (a working PoC is included in the GHSA-9cpj-qc93-vw8v advisory); no public exploit identified at time of analysis in CISA KEV.

Gitea CSRF XSS Node.js
NVD GitHub
CVSS 3.1
8.7
EPSS
0.3%
CVE-2026-48591 MEDIUM This Month

Stored cross-site scripting in earmark (the Elixir Markdown-to-HTML library by pragdave) allows any attacker who can submit markdown content to inject arbitrary JavaScript that executes in the browsers of users who view the rendered output. The root cause is a code path in `_make_att1/2` (`lib/earmark/transform.ex`) that splices HTML attribute values verbatim without encoding double-quote characters, enabling a crafted link URL or title to break out of the `href` attribute and inject additional HTML event handlers. Critically, no patched version will be released - the library has been officially retired from Hex - making migration to a maintained alternative the only complete fix. No public exploit identified at time of analysis, though the CVE description itself contains a working proof-of-concept payload.

XSS Earmark
NVD VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-10850 MEDIUM This Month

Stored cross-site scripting in Plane CE 1.3.1 allows an authenticated low-privileged project member to inject arbitrary HTML and JavaScript via the `description_html` field through the API v1 intake endpoint, with payloads persisting in the database and executing in the browsers of any user who views the affected intake item. The CVSS 4.0 vector rates confidentiality impact on the vulnerable system as High (VC:H), reflecting the realistic threat of session token exfiltration from higher-privileged users such as project administrators. No active exploitation has been confirmed and no public exploit code has been identified at time of analysis.

XSS Plane
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Stored XSS in Crawl4AI's monitor dashboard (versions before 0.8.7) enables an unauthenticated remote attacker to inject persistent malicious markup by submitting a crafted crawl URL or triggering a crafted error message; the payload executes in any operator's browser that subsequently views the dashboard. This flaw is one of six vulnerabilities disclosed together in GHSA-365w-hqf6-vxfg, and its impact is materially amplified in unpatched deployments by a co-disclosed authentication bypass (CWE-306) that left all monitor endpoints, including the dashboard, accessible without credentials. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Crawl4ai
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This allows an attacker to publish an extension with a malicious SVG icon and achieve stored cross-site scripting (XSS) when a user navigates directly to the icon URL. On deployments using local storage, script execution occurs within the Open VSX application origin, enabling session hijacking, authentication token theft, and unauthorized extension publishing. On deployments backed by external storage (such as open-vsx.org with an S3-backed CDN), execution is confined to the storage origin, reducing impact but still permitting phishing attacks and credential harvesting through attacker-crafted pages.

XSS Eclipse Open Vsx
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM POC This Month

Stored Cross-Site Scripting in the Frontend File Manager Plugin for WordPress (versions through 23.6) allows any authenticated subscriber-level user to compromise administrator sessions by injecting malicious script payloads via the frontend file-rename endpoint. The unsanitized filename is persisted as post meta and subsequently rendered unescaped within the WordPress admin File Manager listing, triggering execution whenever an administrator views that interface. A publicly available proof-of-concept exists per WPScan, and no confirmed patched version is identified in available data, making this an unresolved risk for all sites running this plugin at or below version 23.6.

XSS WordPress Frontend File Manager Plugin
NVD WPScan VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

Reflected cross-site scripting in the Simple Basic Contact Form WordPress plugin (all versions through 20250114) allows unauthenticated remote attackers to execute arbitrary JavaScript in a visitor's browser when the victim follows a crafted link or submits a cross-site forged form that triggers a validation error. Publicly available exploit details have been published by WPScan, though the issue is not listed in CISA KEV and no EPSS data is provided in the input.

XSS WordPress Simple Basic Contact Form
NVD WPScan VulDB
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Stored cross-site scripting in Gogs (self-hosted Git service) versions through 0.14.2 allows a low-privileged repository user to inject JavaScript via a crafted Jupyter notebook (.ipynb) Markdown cell containing a javascript: scheme link, which executes in the Gogs origin when a victim clicks the rendered link. Although server-side sanitization is performed via /-/api/sanitize_ipynb, the client subsequently re-renders Markdown cells with marked() and regenerates the dangerous links, and the file preview page is served without a Content Security Policy. Publicly available exploit code exists (full PoC published in the GHSA advisory) but there is no public exploit identified at time of analysis as actively exploited in the wild.

XSS Python
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

Stored cross-site scripting in Filament's ImageColumn and ImageEntry components allows low-privileged authenticated attackers to plant malicious HTML or JavaScript into database-backed image fields, which then executes in the browsers of any user who views the affected table or schema. Affected versions span 4.0.0 through the pre-fix releases across both the v4 and v5 branches of this widely-used Laravel admin panel framework. Vendor-released patches exist at versions 4.11.5 and 5.6.5; no public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Filament
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Reflected XSS in Nuxt 3.x before 3.21.7 and 4.x before 4.4.7 enables client-side script execution in the application's first-party origin when user-controlled input is passed to the `navigateTo()` composable's `open` parameter. The client-side early-open handler invoked `window.open(toPath, ...)` without running the `isScriptProtocol` check that guards the normal navigation path, allowing `javascript:`, `data:`, and `vbscript:` scheme URLs to reach `window.open()` directly. No active exploitation has been confirmed (not listed in CISA KEV), but vendor-released patches are available in versions 4.4.7 and 3.21.7.

XSS Nuxt
NVD GitHub
LOW PATCH Monitor

Reflected XSS in OpenAM's SAML2 federation library (openam-federation-library versions prior to 16.1.1) allows unauthenticated remote attackers to inject arbitrary JavaScript into the OpenAM origin via the Cookie-Hash-Redirect path, exploiting inconsistent output encoding in the FSUtils.postToTarget method. The attack surface is limited to deployments using a non-default clustered configuration; standard single-node deployments are not affected. A vendor-released patch (16.1.1) is available, and no public exploit has been identified at time of analysis.

XSS
NVD GitHub
CVSS 9.3
CRITICAL PATCH Act Now

Reflected cross-site scripting in OpenIdentityPlatform OpenAM versions 13.0.0 through 16.1.0 allows remote attackers to inject arbitrary HTML/JavaScript into the OAuth 2.0/OpenID Connect authorization endpoint response when the form_post response mode is used. The flaw resides in the FormPostResponse.ftl template, which insufficiently sanitizes user-supplied parameters such as state before reflecting them into the rendered HTML. No public exploit identified at time of analysis, but the high CVSS score (9.3) reflects the pre-authentication nature of the attack and the federated-identity context, where script execution in the OpenAM origin can compromise SSO sessions.

XSS
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored Cross-Site Scripting in Akaunting 3.1.21 allows a high-privileged authenticated user with report creation or update permissions to persist arbitrary HTML/JavaScript in the description field of the report management workflow. Any user - including administrators - who subsequently views the poisoned report will have the malicious script execute in their browser session, enabling session token theft, credential harvesting, or unauthorized UI actions on behalf of the victim. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the stored nature of the payload amplifies impact over reflected XSS variants in shared-user deployments.

XSS Akaunting
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored cross-site scripting in Akaunting 3.1.21 allows an authenticated high-privileged user to inject arbitrary HTML and JavaScript into their profile name, which is subsequently rendered unsanitized in the document timeline displayed on invoice and bill detail pages. Any other authenticated user - including administrators - who views those pages will have the malicious script execute in their browser context, enabling session hijacking, credential theft, or unauthorized actions on their behalf. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS Akaunting
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Command injection via untrusted Markdown rendering in the Angular Language Service VS Code extension (versions prior to 21.2.4) allows attackers to execute arbitrary commands on a developer's host when the developer hovers over and clicks a crafted JSDoc tooltip. The client trusts all rendered Markdown (isTrusted: true) while the language server fails to sanitize JSDoc content, enabling embedded command: URIs to fire from malicious source files or npm dependencies. No public exploit identified at time of analysis, but the supply-chain reach via npm packages makes this a notable developer-workstation risk.

XSS Node.js Angular +1
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored cross-site scripting in Akaunting 3.1.21 allows an authenticated user with record creation or modification privileges to embed malicious HTML/JavaScript into record name fields (such as Items), which subsequently executes in any other user's browser session when the reusable delete confirmation dialog renders that name unsanitized. The vulnerability is confirmed by Fluid Attacks security research and affects the shared delete confirmation component across multiple record types. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS 4.0 score of 4.8 reflects the authentication barrier and required victim interaction as meaningful limiting factors.

XSS Akaunting
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Arbitrary code execution in the Angular Language Service VS Code extension prior to 21.2.4 allows attackers to silently run code on a developer's machine simply by having them open a malicious repository in VS Code. The extension reads the typescript.tsdk and js/ts.tsdk.path workspace settings without checking Workspace Trust, then require()s a tsserverlibrary.js file from that attacker-controlled path. No public exploit identified at time of analysis, though the patch diff in PR #68857 clearly illustrates the exploit primitive.

XSS Node.js Angular
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

IBM Engineering Workflow Management 7.0.2 through 7.0.2 Interim Fix 035, 7.0.3 through 7.0.3 Interim Fix 017, and 7.1 through 7.1 Interim Fix 004 is vulnerable to HTTP header injection, caused by. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM XSS Engineering Workflow Management
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in IBM Datacap and Datacap Navigator 9.1.7 through 9.1.9 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript within the Web UI, targeting authenticated users during active sessions. Successful exploitation can lead to credential theft or session hijacking by abusing the trust context of a legitimate user's browser. No public exploit code has been identified at time of analysis, and IBM has released a patch via official advisory.

IBM XSS Datacap +1
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in IBM TRIRIGA Application Platform 5.0.2 and 5.0.3 allows an authenticated low-privileged user to inject arbitrary JavaScript into the Web UI, which executes in the browser context of other users who view the affected page - enabling session hijacking and credential theft within trusted sessions. No public exploit code has been identified at time of analysis, and IBM has released a patch via their support advisory. The CVSS score of 5.4 (Medium) reflects the authentication prerequisite and limited direct impact scope, though the credential disclosure risk elevates practical severity for privilege-escalation scenarios.

IBM XSS Tririga Application Platform
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in IBM Engineering Workflow Management's Web UI enables an authenticated low-privileged attacker to inject arbitrary JavaScript that executes in the browser sessions of other users, including administrators, within the same trusted application context. Affected versions span 7.0.3 through 7.0.3 Interim Fix 020 and 7.1 through 7.1 Interim Fix 007. The scope-changed CVSS vector (S:C) confirms that impact crosses the attacker's own session boundary, creating a realistic path to credential theft or session hijacking against higher-privileged users. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis.

IBM XSS Engineering Workflow Management
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored Cross-Site Scripting in Digiwin's EasyFlow .NET workflow platform enables authenticated low-privilege attackers to inject persistent JavaScript that executes in other users' browsers on page load. The CVSS 4.0 vector (PR:L/UI:P/SC:L/SI:L) confirms the attacker requires a valid low-privilege account to plant the payload, while victims trigger execution passively by navigating to affected pages - including administrators who may have elevated session privileges worth hijacking. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing real-world risk in the medium tier, concentrated in multi-tenant or shared-user deployments.

XSS Easyflow Net
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A cross-site scripting vulnerability in the Builder Component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to inject malicious javascript and gain full control over the. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Pmi V8Xx Pasvisu
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A stored cross-site scripting vulnerability in the Runtime component of Pilz PASvisu before 1.14.1 and PMI v8xx up to and including 2.0.33992 allows a low-privileged remote unauthenticated attacker. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Pmi V8Xx Pasvisu
NVD
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator

WordPress XSS Transbank Webpay
NVD WPScan VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

WordPress XSS Ultimate Woocommerce Auction Pro
NVD WPScan VulDB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

WordPress XSS Ultimate Woocommerce Auction Pro
NVD WPScan VulDB
EPSS 0% CVSS 2.0
LOW Monitor

HTML injection in Radware Cyber Controller's HTML Report Generation component allows authenticated remote attackers to embed arbitrary HTML tags - including script-related content - into generated reports, enabling potential cross-site scripting scenarios targeting users who view those reports. All 10.x releases through 10.11.0 are confirmed affected per ENISA EUVD-2026-38198. A public proof-of-concept exploit has been disclosed (CVSS 4.0 E:P); the vendor was notified but did not respond, leaving no vendor-released patch available at time of analysis.

XSS Cyber Controller
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Reflected cross-site scripting in Suna's authentication endpoint allows remote attackers to execute arbitrary JavaScript in a victim's browser by manipulating the returnURL parameter passed to Next.js router.replace/router.push. All Suna releases from 0.8.0 through 0.8.38 are affected; the flaw spans every auth action (signIn, signUp, resetPassword, signInWithPassword, signUpWithPassword, sendOtpCode, resendMagicLink, installOwner) because none sanitized the returnUrl form field before use. A public proof-of-concept exploit exists (GitHub Gist by TrebledJ); no public exploitation confirmed and the vulnerability is not listed in CISA KEV.

XSS Suna
NVD VulDB GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Remote code execution in SiYuan note-taking application (before v3.6.1) allows any malicious Bazaar marketplace package author to compromise users via unsanitized HTML rendering of package displayName, description, and README content. Because the Electron renderer is configured with nodeIntegration:true and contextIsolation:false, injected JavaScript pivots directly to arbitrary OS command execution. No public exploit identified at time of analysis, but VulnCheck published a detailed technical advisory documenting both zero-click (metadata) and one-click (README) vectors.

RCE XSS Siyuan
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Remote code execution in SiYuan note-taking application before v3.6.1 occurs when users browse the built-in Bazaar marketplace, because package metadata (displayName, description) and README content are rendered without HTML sanitization. Because the Electron shell ships with nodeIntegration:true and contextIsolation:false, an injected script in the renderer executes arbitrary OS commands as the user. Reported by VulnCheck with detailed vulnerable-code analysis published in the GHSA advisory; no public exploit identified at time of analysis and not listed in CISA KEV.

RCE XSS Siyuan
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Stored XSS in Craft CMS 4.x and 5.x allows an authenticated administrator to persist malicious JavaScript payloads in settings fields - section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels - that execute in other users' control-panel browser sessions when those pages are visited. The attack surface spans seven distinct injection points across the admin settings UI, all sharing the same root defect in Twig template rendering. No public exploit identified at time of analysis, though a proof of concept is documented in the upstream security advisory GHSA-4mgv-366x-qxvx, and the upstream CHANGELOG characterizes the severity as low.

XSS Cms
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Stored XSS in Craft CMS's Table field component allows an authenticated administrator to persist arbitrary JavaScript via the Row Heading column type's default values, executing in the browser of any subsequent user who views a page rendering the affected table field. Affected deployments span Craft CMS 4.5.0-beta.1 through 4.16.18 and 5.0.0-RC1 through 5.8.22; patches are available in 4.16.19 and 5.8.23. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV, though the GHSA advisory published a working proof-of-concept payload, and real-world risk is substantially constrained by the non-default allowAdminChanges production setting.

XSS Cms
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Stored XSS in Craft CMS (versions 5.0.0-RC1 through 5.8.21) allows an admin-level attacker to permanently embed malicious JavaScript into the User Permissions page by crafting a user group name with an unsanitized HTML payload. The script executes in the browser of any user who subsequently opens the Permissions tab on a user's edit page, creating a persistent cross-user attack vector within the control panel. Vendor-confirmed proof-of-concept steps are publicly documented in GHSA-g3hp-vvqf-8vw6; no confirmed active exploitation or CISA KEV listing at time of analysis.

XSS Cms
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Stored cross-site scripting in AVideo's TopMenu plugin through version 26.0 allows payload execution for every site visitor due to unescaped rendering of icon classes, URLs, and text labels across multiple PHP templates. Critically, the saving endpoint (`menuItemSave.json.php`) lacks CSRF token validation despite checking for admin status, enabling a full CSRF-to-stored-XSS chain: an attacker with no account can inject the malicious menu item by luring an authenticated admin to an attacker-controlled page. Publicly available exploit code exists (GHSA-gmpc-fxg2-vcmq); no vendor-released patch has been identified at time of analysis.

XSS Avideo
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Cross-site scripting in Flowise before 3.0.8 allows unauthenticated network attackers to inject malicious JavaScript into the chat interface via iframe javascript: URI payloads, or indirectly via custom agent functions that fetch and render unsanitized external HTTP responses. When a victim browses the affected chat or agent output in their browser, the injected script executes in their session, enabling cookie theft and session hijacking. A working proof-of-concept payload is publicly documented in GitHub Security Advisory GHSA-4fr9-3x69-36wv; no active exploitation is confirmed in CISA KEV at time of analysis.

XSS Flowise
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Cross-site scripting in Nuxt's globally registered NoScript component allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting payload via attacker-controlled slot content, such as URL query parameters. The vulnerability exists in both supported release lines - 3.x before 3.21.7 and 4.x before 4.4.7 - and is rooted in the server-side rendering pipeline writing slot content to innerHTML without escaping, bypassing Vue's normal template sanitization. No active exploitation has been confirmed in CISA KEV; vendor-released patches are available and the fix is a one-line change confirmed in open commit history.

XSS Nuxt
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Apache Atlas's Create Entity page allows any authenticated user to inject persistent malicious JavaScript that executes in other users' browsers. All deployments running Apache Atlas 2.4.0 and earlier are affected. An attacker with a valid account can store a crafted payload that triggers against higher-privileged users - such as administrators - who later view the poisoned entity, enabling session hijacking or credential theft. No public exploit or CISA KEV listing has been identified at time of analysis.

Apache XSS Atlas
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Symfony UX Icons (symfony/ux-icons) allows an attacker who controls SVG icon content - via a malicious third-party icon pack, a downloaded icon set, or a tampered Iconify on-demand endpoint - to inject and execute arbitrary JavaScript in the browsers of users who load any page rendering those icons. Two distinct sanitization failures existed: the local-file path in `Icon::fromFile()` only stripped top-level `<script>` children of `<svg>`, ignoring nested scripts and all `on*` event-handler attributes, while the Iconify on-demand path (enabled by default) applied zero sanitization to the remote JSON `body` field before inlining it as HTML. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

XSS
NVD GitHub VulDB
CVSS 7.5
HIGH POC PATCH This Week

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user with page-edit rights to inject arbitrary JavaScript into the data-mw-iframeconfig attribute by supplying a malformed URL or ID containing single quotes for the archiveorg, wistia, or sharepoint services. The flaw is present under the default $wgEmbedVideoRequireConsent=true configuration and executes in the wiki origin for every visitor that loads the affected page, with publicly available exploit code exists in the GHSA advisory.

Microsoft XSS PHP
NVD GitHub
CVSS 4.4
MEDIUM PATCH This Month

Stored XSS in Outerbase Studio's Text Widget (npm/@outerbase/studio <= 0.10.2) allowed arbitrary HTML injection through React's dangerouslySetInnerHTML, enabling script execution in any user who viewed a malicious dashboard. The real-world severity is substantially reduced from legacy disclosures: Outerbase Cloud was discontinued in 2025, leaving the application as a purely client-side tool with no backend, no shared sessions, and no persistent authentication tokens - eliminating the originally described token-theft and account-takeover scenarios. No public exploit identified at time of analysis, though the advisory itself contains a functional reproduction payload.

XSS
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH NO ACTION HOSTED Monitor

Cross-site scripting in Microsoft Edge (Chromium-based) allows an authenticated remote attacker to perform spoofing attacks against users over a network. The flaw stems from improper neutralization of input during web page generation (CWE-79), and while CVSS rates impact as high across confidentiality, integrity, and availability, no public exploit identified at time of analysis.

Microsoft Google XSS +1
NVD VulDB
CVSS 6.1
MEDIUM PATCH This Month

Stored XSS in allure-generator (versions <= 2.38.1) allows arbitrary JavaScript execution in the browser of anyone who views a generated Allure report containing crafted test result data. The vulnerable `ansi.js` Handlebars helper passes unsanitized `statusMessage` and `statusTrace` values - sourced from JUnit XML failure messages and equivalent fields in TRX, xUnit XML, xctest, and Allure 1/2 plugins - through `ansi-to-html` without HTML escaping, then wraps the output in `SafeString` to bypass Handlebars' auto-escape protection. A publicly available proof-of-concept demonstrates exploitation via a crafted JUnit XML file; the attack is particularly relevant to CI/CD environments (Jenkins, GitLab, GitHub Actions) where reports are served on shared infrastructure with active authenticated sessions.

Gitlab Java Jenkins +1
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Cross-window message spoofing in TinaCMS (npm tinacms and @tinacms/app) lets a malicious web page hijack an authenticated editing session because the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer act on window.postMessage event.data without validating event.origin or event.source, and reply with wildcard target origins. An attacker who lures an authenticated Tina editor to a crafted page (or gains an opener/iframe relationship with the Tina admin) can forge messages to drive the editor, inject preview content, or observe and forge the OAuth popup channel to take over the session. There is no public exploit identified at time of analysis; a vendor patch is available in PR #7056 and the flaw carries a CVSS 4.0 base score of 7.6.

XSS
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Server-Side Request Forgery and arbitrary JavaScript injection in Craft CMS 4.x (before 4.18) and 5.x (before 5.10) allow remote unauthenticated attackers to poison the Host or X-Forwarded-Host header against the /actions/app/resource-js endpoint, forcing the backend Guzzle client to proxy attacker-controlled content as application/javascript. When the instance sits behind a caching layer, this chains into web cache poisoning, stored XSS in the Control Panel, and 1-click RCE via session-riding the plugin install action. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-c55v-343g-5xff) provides detailed exploitation mechanics.

SSRF RCE Apache +2
NVD GitHub
CVSS 8.6
HIGH POC PATCH This Week

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any wiki user to inject arbitrary HTML and JavaScript into rendered pages by abusing the unsanitized class attribute on embed tags such as <youtube>. Because the user-supplied class is concatenated into an HTML template via sprintf without escaping, an attacker can break out of the class attribute and execute script in the context of every visitor that views the page. No public exploit identified at time of analysis beyond the advisory's own PoC, and the issue is not listed in CISA KEV.

PHP XSS
NVD GitHub
CVSS 7.5
HIGH POC PATCH This Week

{{#ev:}} or {{#evl:}} parser functions. The unsanitized service name is reflected into an error message that is rendered as raw HTML, executing in the wiki origin for every visitor to the affected page. No public exploit identified at time of analysis beyond the advisory's own PoC, but working PoC code is published in the GitHub Security Advisory GHSA-c29q-5xm7-5p62.

PHP XSS
NVD GitHub
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Stored XSS in Parse Server's file upload handler enables authenticated users to bypass the `fileUpload.fileExtensions` blocklist by pairing a non-standard or compound filename extension (e.g., `malicious.svg~`, `malicious.html.bak`) with a dangerous Content-Type header such as `image/svg+xml` or `text/html`. On S3 and GCS storage adapters, which persist and serve the client-supplied Content-Type, the uploaded file is subsequently delivered to browsers with attacker-controlled content, executing arbitrary JavaScript against any victim who opens the file URL. This is the third incomplete-fix iteration of the same vulnerability class (following GHSA-vr5f-2r24-w5hc and GHSA-7wqv-xjf3-x35v), with patches confirmed in versions 8.6.81 and 9.9.1-alpha.11 and no public exploit or CISA KEV listing identified at time of analysis.

File Upload XSS
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Stored cross-site scripting in the jupyterlab-git extension (versions 0.30.0b3 through 0.53.x) escalates to remote code execution when a victim views a rename diff in the Git History tab. The PlainTextDiff.ts createHeader() method injects unsanitized Git filenames into innerHTML, so a filename such as <img src=x onerror=eval(atob(...))>.py fires JavaScript that reads the _xsrf cookie, spawns a JupyterLab terminal via POST /api/terminals, and runs arbitrary shell commands. Reported by AWS Security; no public exploit identified at time of analysis, though the vendor advisory (GHSA-f962-v9hr-pfg5) documents a detailed reproduction path, and it is not listed in CISA KEV.

XSS RCE
NVD GitHub VulDB
MEDIUM PATCH This Month

Stored cross-site scripting in symfony/ux-autocomplete allows an attacker who can write user-controlled data to an AJAX autocomplete endpoint to execute arbitrary JavaScript in the browser of any user who subsequently loads a page containing an affected autocomplete widget. The Stimulus controller's `_createAutocompleteWithRemoteData()` function interpolates the `text` field from AJAX responses directly into HTML template literals without sanitization, causing the browser to parse and execute embedded markup. The vulnerability affects composer package versions 2.2.0-2.36.0 and 3.0.0-3.1.0; a vendor-released patch is available, and no active exploitation has been confirmed (not in CISA KEV).

XSS
NVD GitHub
MEDIUM PATCH This Month

Cross-site scripting in symfony/ux-live-component allows network-accessible attackers to inject arbitrary HTML - including script tags - into re-rendered Live Component responses by supplying a malicious tag name via client-controlled JSON. Affected versions span composer/symfony/ux-live-component >= 2.8.0 < 2.36.0 and >= 3.0.0 < 3.1.0. Direct exploitation is constrained to applications with permissive CORS or same-origin pivot contexts; under default configuration the required Accept header provides partial protection that makes this a defense-in-depth gap rather than an immediately weaponizable internet-wide threat. No public exploit and no CISA KEV listing are confirmed at time of analysis.

XSS
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

DOM-based cross-site scripting in Microchip's GridTime 3000 GNSS Time Server allows an authenticated attacker to inject malicious JavaScript through the device's password reset form, executing arbitrary script in the browser context of any user who subsequently loads the affected page. The vulnerability spans versions 1.0r0.03 through all releases before 1.2r0.0. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis; however, the network-accessible web interface and low-privilege authentication requirement make this exploitable in typical enterprise or utility network deployments where the device's management UI is reachable.

XSS Gridtime 3000
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Cross-site scripting in Microchip GridTime 3000 GNSS Time Server (versions 1.0r0.03 through 1.1r0.0) permits authenticated low-privilege attackers to inject and execute malicious scripts in the browser sessions of higher-privileged users via a CSRF-to-XSS attack chain. The CVSS 4.0 Threat metric E:A signals active exploitation has been reported by the vendor, elevating urgency beyond what the 5.1 base score alone implies. Despite limited per-impact ratings, compromise of the web management interface of a critical time-synchronization appliance carries downstream risk to time-dependent infrastructure.

XSS Gridtime 3000
NVD VulDB
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

Stored Cross-Site Scripting in Octopus Server allows authenticated high-privilege users to embed malicious JavaScript payloads through the artifact upload mechanism, which execute in the browsers of other users who interact with the affected artifact. The CVSS 4.0 vector (PR:H, UI:A, VC:H) confirms exploitation requires elevated access and victim interaction, with the primary impact being confidentiality - likely session token or credential theft. No public exploit code exists and the vulnerability has not been added to the CISA KEV catalog at time of analysis.

XSS Octopus Server
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Blocksy Companion WordPress plugin (all versions through 2.1.45) enables authenticated users with editor-level privileges or above to inject persistent JavaScript payloads via admin settings in the product-reviews extension, executing silently in any site visitor's browser on page load. Exploitation is gated by two mandatory deployment conditions - WordPress multisite networks or installations where unfiltered_html has been explicitly disabled - materially narrowing the real-world attack surface beyond what the network-accessible CVSS vector alone implies. No public exploit has been identified and this CVE does not appear in the CISA KEV catalog at time of analysis; an upstream patch commit (changeset 3576066) exists but the exact fixed release version is not independently confirmed from available data.

WordPress XSS Blocksy Companion
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Server-Side Request Forgery in the Advanced Import WordPress plugin (all versions through 1.4.6) allows authenticated users holding Author-level access or higher to force the web server to issue HTTP requests to arbitrary internal or external URLs via the demo_download_and_unzip() AJAX handler. The critical design flaw is the inconsistent use of wp_remote_get() instead of WordPress's own wp_safe_remote_get() - which the plugin correctly employs elsewhere - meaning no SSRF-aware URL validation is applied to the 'demo_file' POST parameter when 'demo_file_type' is set to 'url'. No public exploit code has been identified at time of analysis, but the scope change in the CVSS vector reflects that successful exploitation escapes the WordPress application boundary and can reach internal network services, including cloud instance metadata endpoints such as AWS IMDSv1.

XSS WordPress SSRF +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in BetterDocs WordPress plugin (versions ≤4.5.3) allows authenticated contributors to inject persistent malicious scripts via the unescaped blockId attribute of the betterdocs/category-slate-layout Gutenberg block. The injected payload executes in the browser of any visitor who loads the compromised page, enabling session hijacking, credential theft, or admin-level privilege escalation against site operators. No public exploit identified at time of analysis, but the contributor-level authentication threshold makes this accessible on any WordPress site permitting open or shared content authorship.

WordPress XSS Betterdocs Ai Documentation Knowledge Base Docs Wikis Faq With Chatbot
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Creavi Appointment Booking Calendar plugin for WordPress (all versions through 1.4.4) allows authenticated attackers holding Author-level access or higher to permanently inject arbitrary JavaScript via unsanitized custom booking field labels. The malicious payload executes in the browser of any user who subsequently visits a page containing the injected booking form, enabling session hijacking, credential harvesting, or malicious redirects against site visitors and administrators alike. No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis, though a fix commit is available in the WordPress plugin Trac repository.

WordPress XSS Creavi Appointment Booking Calendar
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Stored cross-site scripting in pgAdmin 4 versions 6.0 through 9.15 allows a malicious or attacker-influenced PostgreSQL server to inject arbitrary HTML into pgAdmin's interface via ErrorResponse messages and EXPLAIN plan fields rendered through html-react-parser. Because the injection executes inside pgAdmin's own DOM, an attacker can render convincing phishing dialogs or redirect the top-level tab via iframe srcdoc, bypassing standard X-Frame-Options and frame-ancestors protections. No public exploit identified at time of analysis, but the vendor has shipped a multi-layer fix in 9.16.

PostgreSQL XSS Pgadmin 4
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

HTML injection in pgAdmin 4's Cloud Wizard (versions 6.6 through 9.15.x) allows authenticated users to embed arbitrary HTML into the tool's DOM by exploiting unescaped AWS, Azure, and Google Cloud SDK exception text propagated into JSON response fields and parsed by html-react-parser. The primary impact is self-targeted DOM manipulation - the authenticated user who submits the crafted payload is the one who sees it rendered - with escalation to cross-user exploitation requiring an additional CSRF primitive to forge a valid X-pgA-CSRFToken in a victim's browser. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, consistent with its CVSS 4.0 Medium rating of 4.8.

Microsoft Google XSS +1
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored cross-site scripting in Hashgraph Guardian through 3.5.0 allows an authenticated user holding the STANDARD_REGISTRY role to inject persistent JavaScript payloads into the branding configuration's companyName field via the branding API endpoint. The injected script executes in every authenticated user's browser on every page load due to unsanitized innerHTML assignments in both the BrandingService and BrandingComponent Angular classes. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the fix diff is publicly visible in GitHub PR #6190, lowering the barrier for exploit development.

XSS Guardian
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored XSS in Coturn's web-admin HTTPS interface (all versions prior to 4.11.0) allows a TURN-level attacker to inject persistent JavaScript that executes in an authenticated administrator's browser when they view the session list. The attack is staged via a crafted USERNAME value in a TURN Allocate request, bridging the TURN protocol surface into the web-admin UI context. In anonymous deployments (--no-auth), no TURN credentials are required for the injection phase, broadening the exposure; in authenticated deployments the attacker must hold valid TURN credentials. No public exploit has been identified and this vulnerability is not listed in CISA KEV.

XSS Coturn Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored XSS in Grav CMS's grav-plugin-api (Admin2) allows a low-privileged editor to persist malicious JavaScript in page content via the PATCH /pages API endpoint, which then executes in any administrator's or visitor's browser when the affected page is loaded. The root cause is that the API's partial-field validation path (validateChangedFields()) ran only type and required-field checks but omitted the XSS safety gate (Validation::checkSafety()), a check the classic Admin interface correctly enforced - creating a trust-boundary bypass exclusive to the REST API path. Publicly available exploit code exists via the Fluid Attacks advisory and the vendor's own regression test suite; no active exploitation (CISA KEV) has been confirmed.

XSS Grav Plugin Api
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

DOM-based cross-site scripting in AutoGPT versions prior to 0.6.62 allows remote attackers to execute arbitrary JavaScript in an authenticated victim's browser by tricking them into clicking a crafted signup-page link whose `next` URL parameter is passed unsanitized into `router.push`. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-j2cp-jg5q-38wj) confirms the issue and ships a fix in 0.6.62.

XSS Autogpt
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Stored cross-site scripting in Kirby CMS (getkirby/cms) lets an authenticated Panel editor inject markup that survives Dom::sanitize() and executes as JavaScript when content is rendered in the Panel or on the site frontend. The flaw affects the writer and list fields plus the Sane HTML/SVG/XML sanitization API, and versions ≤ 4.9.3 and 5.0.0-alpha.1 through 5.4.3 are vulnerable. No public exploit identified at time of analysis, and this is not in CISA KEV, but the vendor rates it high severity because a low-privileged editor can escalate to an admin session.

File Upload XSS
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Cross-site scripting in Kirby CMS's Panel writer field (versions <= 4.9.3 and 5.0.0-alpha.1 through 5.4.3) lets an authenticated user inject a JavaScript-scheme URL into the link or email marks that executes in their own browser session when clicked before the content is saved. In Kirby's default configuration this is limited to self-XSS requiring social engineering, but Panel plugins that embed the <k-writer> component without sanitizing HTML before storage can be escalated to stored XSS affecting other users. There is no public exploit and it is not in CISA KEV; the vendor rates it high severity for affected sites.

XSS
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Stored cross-site scripting in jupyter_server's nbconvert HTTP handlers allows a malicious notebook to execute JavaScript in the Jupyter origin, leading to session token theft, full /api/* control, and kernel remote code execution. The NbconvertFileHandler and NbconvertPostHandler render notebook-authored HTML without a CSP sandbox directive, and combined with HTMLExporter's non-sanitizing default, any display_data HTML payload runs with the victim's authority. No public exploit identified at time of analysis, but the CVSS 4.0 base score is 9.3 and a vendor patch is available in v2.20.0.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored CSS injection in Grav CMS's MediaObjectTrait::style() exposes an incomplete fix: the original patch for CVE-2026-42841 (GHSA-r7fx-8g49-7hhr) explicitly denylisted 'style' in the attribute() code path but left the parallel style() method-reachable via the same Markdown ?style= image query parameter pipeline-entirely unsanitized. Any editor holding admin.pages permission can save a single Markdown image reference with an arbitrary CSS payload that persists in the CMS and renders into <img style='...'> for every subsequent viewer, including administrators and super-admins in their authenticated sessions. A deterministic proof-of-concept ships with the advisory; no active exploitation (CISA KEV) has been confirmed at time of analysis.

PHP XSS
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Grav CMS (getgrav/grav < 1.7.53) exposes admin bcrypt password hashes, SMTP credentials, and full site configuration to any actor who can obtain a session-static admin-nonce value - via XSS, Referrer header leakage, browser history, or proxy logs - because the backup download endpoint enforces only a single URL-embedded nonce with no form-level CSRF token and no session binding. The default backup profile archives the entire GRAV_ROOT directory including user/accounts/ and user/config/ without exclusions, and the download handler Base64-encodes the absolute filesystem path in the response URL, leaking server internals. A fully functional public PoC is available; no CISA KEV listing exists at time of analysis, but downstream risk includes offline hashcat cracking followed by unauthenticated admin login with no server-side rate limiting.

CSRF Information Disclosure RCE +3
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Authentication bypass in Zitadel identity platform (versions 3.0.0-3.4.11 and 4.0.0-4.15.1) allows an attacker who has obtained a victim's authorization code, refresh token, or device authorization grant to redeem it under a different OAuth client registered on the same instance, because the server fails to validate the client_id binding required by RFC 6749 §4.1.3. No public exploit identified at time of analysis; CVSS 7.4 with high attack complexity reflects the requirement that the attacker first intercept the code or token through a separate weakness such as XSS, log exposure, or referrer leakage.

Authentication Bypass Microsoft XSS
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored XSS in TinaCMS rich-text rendering allows any content author with editor-level access to inject `javascript:` or `data:text/html` URLs into Slate link/image nodes, which execute in the browsers of editors and site visitors when affected content is viewed. Both `tinacms` (< 3.9.3) and `@tinacms/mdx` (< 2.1.7) are confirmed affected, with the vulnerable path covering case-variant, whitespace-padded, and control-character-obfuscated scheme bypass techniques indicating deliberate evasion of naive sanitization. No public exploit or CISA KEV listing exists; vendor-released patches are available.

XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected XSS in UBB.threads 7.7.5 enables remote attackers to execute arbitrary JavaScript in a victim's browser by tricking them into clicking a crafted URL containing malicious input. The vulnerability stems from improper handling of user-supplied data in HTTP requests, with impact scoped to the victim's browser session rather than the server itself. No public exploit code or active exploitation has been identified at time of analysis; vendor contact was unsuccessful, leaving patch status unresolved.

XSS Ubb Threads
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored XSS in UBB.threads 7.7.5 permits low-privileged forum members to permanently inject arbitrary JavaScript into post content and user profile fields, which then executes silently in any visitor's browser upon viewing the affected page. The vulnerability was discovered and disclosed by CERT-PL after unsuccessful vendor contact attempts, leaving remediation status unresolved. No public exploit code has been identified and no active exploitation is confirmed, but the persistent nature of the injection vector makes this a meaningful risk to forum users and administrators alike.

XSS Ubb Threads
NVD
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Reflected XSS in LAN Management System (LMS) before commit 9c5651b allows network-positioned attackers to inject arbitrary JavaScript into the browsers of authenticated LMS users by crafting malicious links targeting the `dbrecover.php` and `netremap.php` modules. The `db`, `id`, and `mapto` GET parameters were directly concatenated into HTML anchor elements without sanitization, as confirmed by the upstream commit diff. No public exploit has been identified at time of analysis, exploitation is not confirmed in CISA KEV, and the CVSS 4.0 score of 2.1 reflects genuinely constrained impact due to the required victim interaction and specific attack preconditions.

PHP XSS Lms
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored Cross-Site Scripting in the Bricksable for Bricks Builder WordPress plugin (versions through 1.6.83) allows a high-privileged attacker to inject persistent malicious scripts into page builder elements, which then execute in victims' browsers when affected pages are loaded. The CVSS scope change (S:C) confirms the injected payload crosses into the victim's browser security context, enabling session hijacking, credential theft, or unauthorized actions on behalf of the viewing user. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the stored nature of this XSS increases persistence risk relative to reflected variants.

XSS Bricksable For Bricks Builder
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored XSS in OceanWP's Ocean Product Sharing WordPress plugin (all versions through 2.2.2) allows administrator-level attackers to persist malicious JavaScript into plugin configuration or product sharing fields. When other authenticated users or site visitors load affected product pages, the injected scripts execute in their browsers, enabling session cookie theft, credential harvesting, or unauthorized UI manipulation. No public exploit code has been identified and no active exploitation is confirmed (not in CISA KEV) at time of analysis; real-world risk is constrained by the PR:H requirement.

XSS Ocean Product Sharing
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Slideshow Gallery LITE WordPress plugin (all versions through 1.8.5) allows authenticated attackers with Contributor-level access to persistently inject arbitrary JavaScript via the 'alwaysauto' shortcode attribute, which then executes in the browser of any user who visits the affected page. The root cause is insufficient input sanitization and output escaping on user-supplied shortcode attributes, a classic CWE-79 pattern. The scope change in the CVSS vector (S:C) reflects that the injected script runs outside the plugin's security context - in victim users' browsers - enabling session hijacking, credential theft, or admin account takeover. No public exploit or CISA KEV listing has been identified at time of analysis.

WordPress XSS Slideshow Gallery Lite
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Fancy Testimonials WordPress plugin (all versions ≤ 1.0, by dijitul) permits any authenticated Contributor-level user to persist arbitrary JavaScript via the 'author' attribute of the [testimonial] shortcode, which executes in every subsequent visitor's browser context. The CVSS scope change (S:C) reflects that injected scripts operate within the victim's browser session — enabling session hijacking, credential theft, or malicious redirects targeting site visitors and administrators alike. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but the attack technique is trivially reproducible given knowledge of the shortcode parameter.

WordPress XSS Fancy Testimonials
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in PowerPress Podcasting plugin by Blubrry (WordPress, versions ≤ 11.16.8) allows authenticated attackers with Author-level access to plant persistent JavaScript payloads via the 'embed' Episode Meta Field, executing in every visitor's browser on affected episode pages. The vulnerability is architecturally significant because the embed value is written through `update_post_meta()` rather than WordPress's post content pipeline, causing kses sanitization to be skipped entirely - bypassing the role-based XSS mitigations that WordPress normally enforces even for Author-role users who lack the `unfiltered_html` capability. No public exploit or CISA KEV listing has been identified at time of analysis, though the low authentication barrier (Author level) makes multi-author WordPress sites an elevated-risk target.

WordPress XSS Powerpress Podcasting Plugin By Blubrry
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the SysBasics Customize My Account for WooCommerce plugin (versions ≤ 4.3.6) enables unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'tab' parameter in the admin settings page. Exploitation is constrained by a critical precondition: the vulnerable `plugin_options_page()` function is rendered exclusively in the WordPress admin dashboard, meaning the targeted victim must hold Shop Manager-level access or higher and be socially engineered into clicking a crafted link while authenticated. No public exploit code or CISA KEV listing has been identified at time of analysis; this is a no public exploit identified at time of analysis scenario reported by Wordfence.

WordPress XSS Sysbasics Customize My Account For Woocommerce Dashboard Endpoints Avatar Menu Manager
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Customize My Account For WooCommerce WordPress plugin (versions up to and including 4.3.6) allows authenticated attackers with Contributor-level access to inject persistent JavaScript payloads via the 'sysbasics_user_avatar' shortcode. The flaw originates in the wcmamtx_get_avatar_default() function, which concatenates unescaped user-supplied shortcode attributes (min_height, min_width, max_height, max_width) directly into the get_avatar() extra_attr style attribute, bypassing sanitization entirely. No active exploitation is confirmed in CISA KEV and no public exploit has been identified at time of analysis, though Wordfence has published full technical details including the vulnerable source lines.

WordPress XSS Sysbasics Customize My Account For Woocommerce Dashboard Endpoints Avatar Menu Manager
NVD VulDB
EPSS 0% CVSS 7.0
HIGH This Week

Stored cross-site scripting in Cotonti 1.0.0 (master branch, commit f43f1fc3) lets an authenticated user inject HTML/JavaScript into Personal File Storage (PFS) folder titles, which then execute in any viewer's browser when the folder listing is rendered. The flaw stems from the 'TXT' import filter not encoding HTML combined with unescaped template output, and no public exploit identified at time of analysis. Discovered by TuranSec; impact extends to other users browsing public folders, enabling session theft or account actions in their context.

PHP XSS Cotonti
NVD GitHub VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Orbit Fox WordPress plugin (ThemeIsle) allows authenticated administrators to inject persistent malicious scripts into pages served to any visiting user. Affected are all versions through 3.0.6, but only under specific deployment conditions: WordPress multisite networks or installations where the unfiltered_html capability has been explicitly disabled. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 4.4 reflects the elevated prerequisites and limited per-incident impact, though scope-changed XSS can still enable session theft and secondary phishing in affected deployments.

WordPress XSS Orbit Fox
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the bplugins Services Section Block WordPress plugin (all versions through 1.4.4) enables authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'link' block attribute. The payload evades wp_kses_post sanitization by embedding inside HTML comments at save time, then executes from two rendering paths - the primary service link anchor and a secondary title-wrapped anchor - when the linkIn option is set to 'title'. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the scope-changed (S:C) nature means injected content executes in any site visitor's browser session, enabling session hijacking or credential theft at scale.

WordPress XSS Services Section Block Showcase Service Details In Grid Or Columns
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visitors of any published bot containing a file-input block to write attacker-controlled HTML, SVG, or JavaScript into arbitrary subpaths of the shared public S3 bucket. The flaw stems from an unauthenticated presigned-URL endpoint that trusts a raw fileName parameter and does not bind Content-Type, enabling stored XSS on the storage origin and content hosting under other tenants' result paths. No public exploit identified at time of analysis, but the CVSS 9.3 (scope-changed) reflects significant cross-tenant impact.

Path Traversal XSS Typebot Io
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in the marimo notebook server before version 0.23.9 enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in the origin of a victim's marimo server by supplying a crafted `file` query parameter. The flaw stems from improper single-quote escaping in assets.py when reflecting the parameter into an inline JavaScript string literal; attackers bypass the server's 404 check by prefixing payloads with `__new__`, and execution occurs without Content-Security-Policy restrictions. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the attack mechanism is straightforward for a motivated attacker targeting shared or collaborative marimo deployments.

XSS Marimo
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM This Month

DOM-based XSS in Shaarli's Thumbnail Synchronizer allows stored malicious bookmark titles to execute arbitrary JavaScript in an administrator's browser session when thumbnail synchronization is triggered. Versions 0.16.1 and prior are affected; the root cause is unsanitized innerHTML injection in thumbnails-update.js after the backend's ThumbnailsController::ajaxUpdate returns raw, unescaped bookmark titles via AJAX. Successful exploitation can lead to session hijacking, privilege escalation, and backdoor injection against administrator accounts. No public exploit or KEV listing is confirmed at time of analysis; a vendor patch is available in v0.16.2.

Privilege Escalation XSS Shaarli
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in Shaarli's tag filtering functionality permits an authenticated user to inject persistent JavaScript payloads via the bookmark tags field, which execute in the browsers of any user who subsequently interacts with the 'Filter by tag' search feature on the homepage. All Shaarli deployments running version 0.16.1 or earlier are affected, including instances where administrators use the tag-filter feature. The vulnerability enables session hijacking or credential exfiltration against any user who triggers the tag search, with no public exploit code or CISA KEV listing identified at time of analysis. Vendor-released patch v0.16.2 (2026-05-23) resolves the issue.

XSS Shaarli
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM This Month

Stored XSS in Shaarli's Markdown rendering pipeline (versions 0.16.1 and prior) allows an authenticated user to inject malicious javascript: URIs via Markdown reference-style links in bookmark descriptions, bypassing the filterProtocols sanitization method in BookmarkMarkdownFormatter.php. When any user or guest visitor views the crafted bookmark, arbitrary JavaScript executes in their browser context, enabling session theft or unauthorized actions. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV; vendor-released patch v0.16.2 is available as of 2026-05-23.

PHP XSS Shaarli
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Stored XSS in Filament v3 PHP admin panel framework occurs when a RichEditor form field is rendered in disabled mode, because the disabled view binds raw state via Alpine's x-html directive without HTML sanitization. Authenticated attackers who can write into the underlying field state can plant HTML or JavaScript that executes in the browser of any user later viewing the form, with no public exploit identified at time of analysis and no KEV listing.

XSS
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in Gitea 1.25.x affects the built-in 3D file viewer (Online3DViewer integration) where a crafted .gltf file with an unsupported extension name in extensionsRequired is rendered into the DOM via innerHTML without sanitization. Any low-privileged user who can push a file to a repository (including a public fork) can compromise the session of any user who later views the file, enabling token theft and full account takeover. Publicly available exploit code exists (a working PoC is included in the GHSA-9cpj-qc93-vw8v advisory); no public exploit identified at time of analysis in CISA KEV.

Gitea CSRF XSS +1
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored cross-site scripting in earmark (the Elixir Markdown-to-HTML library by pragdave) allows any attacker who can submit markdown content to inject arbitrary JavaScript that executes in the browsers of users who view the rendered output. The root cause is a code path in `_make_att1/2` (`lib/earmark/transform.ex`) that splices HTML attribute values verbatim without encoding double-quote characters, enabling a crafted link URL or title to break out of the `href` attribute and inject additional HTML event handlers. Critically, no patched version will be released - the library has been officially retired from Hex - making migration to a maintained alternative the only complete fix. No public exploit identified at time of analysis, though the CVE description itself contains a working proof-of-concept payload.

XSS Earmark
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Stored cross-site scripting in Plane CE 1.3.1 allows an authenticated low-privileged project member to inject arbitrary HTML and JavaScript via the `description_html` field through the API v1 intake endpoint, with payloads persisting in the database and executing in the browsers of any user who views the affected intake item. The CVSS 4.0 vector rates confidentiality impact on the vulnerable system as High (VC:H), reflecting the realistic threat of session token exfiltration from higher-privileged users such as project administrators. No active exploitation has been confirmed and no public exploit code has been identified at time of analysis.

XSS Plane
NVD GitHub VulDB
Prev Page 8 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy