Cross-Site Scripting

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Prague prague-plugins allows Reflected XSS.This issue affects Prague: from n/a through <= 2.2.8. [CVSS 7.1 HIGH]

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPManageNinja FluentCart fluent-cart allows Reflected XSS.This issue affects FluentCart: from n/a through < 1.3.0. [CVSS 7.1 HIGH]

vulnerability in Sync-in Server versions up to 1.9.3 is affected by cross-site scripting (xss) (CVSS 6.1).

silence Silencesoft RSS Reader external-rss-reader is affected by cross-site scripting (xss) (CVSS 5.9).

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Wizard Cloak wp-wizard-cloak allows Reflected XSS.This issue affects WP Wizard Cloak: from n/a through <= 1.0.1. [CVSS 7.1 HIGH]

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RylanH Storyform storyform allows Reflected XSS.This issue affects Storyform: from n/a through <= 0.6.14. [CVSS 7.1 HIGH]

wpdevstudio Easy Taxonomy Images easy-taxonomy-images is affected by cross-site scripting (xss) (CVSS 7.1).

jezza101 bbpress Simple Advert Units bbpress-simple-advert-units is affected by cross-site scripting (xss) (CVSS 7.1).

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in desertthemes NewsMash newsmash allows Stored XSS.This issue affects NewsMash: from n/a through <= 1.0.71. [CVSS 6.5 MEDIUM]

Liton Arefin Master Addons for Elementor master-addons is affected by cross-site scripting (xss) (CVSS 5.9).

LiteSpeed Technologies LiteSpeed Cache litespeed-cache is affected by cross-site scripting (xss) (CVSS 6.5).

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor Elementor Website Builder elementor allows Stored XSS.This issue affects Elementor Website Builder: from n/a through <= 3.29.0. [CVSS 6.5 MEDIUM]

POSIMYTH Nexter Blocks the-plus-addons-for-block-editor is affected by cross-site scripting (xss) (CVSS 6.5).

Stored XSS in Master Addons For Elementor plugin (WordPress versions up to 2.1.1) allows authenticated contributors and above to inject malicious scripts into pages through the 'ma_el_bh_table_btn_text' parameter due to insufficient input sanitization. When other users access affected pages, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

The Survey Maker WordPress plugin through version 5.1.7.7 is vulnerable to reflected cross-site scripting (XSS) that requires user interaction to exploit. An attacker can craft a malicious link to inject arbitrary JavaScript into a victim's browser session, potentially allowing credential theft or malicious actions within WordPress. No patch is currently available, leaving affected installations at risk.

A vulnerability has been found in rachelos WeRSS we-mp-r versions up to 1.4.8. is affected by cross-site scripting (xss) (CVSS 3.5).

The Quiz Maker plugin for WordPress versions up to 6.7.1.7 allows authenticated contributors and higher-privileged users to inject persistent JavaScript through the `vc_quizmaker` shortcode due to inadequate input validation, enabling malicious script execution in pages viewed by other users. The vulnerability requires WPBakery Page Builder to be active and has no available patch. An attacker with contributor access can deface content or steal sensitive information from site visitors.

Stored XSS in Flare file sharing platform versions 1.7.0 and below allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG or HTML files that execute when viewed in raw mode, potentially enabling session hijacking or data theft. The vulnerability stems from insufficient file content validation and sanitization during upload. Public exploit code exists; upgrade to version 1.7.1 or later to remediate.

Stored XSS in LibreNMS versions 26.1.1 and below allows authenticated administrators to inject malicious scripts through unsanitized port group names, which execute when other users view the affected port group. Public exploit code exists for this vulnerability. The issue is resolved in version 26.2.0.

Stored XSS in LibreNMS versions 26.1.1 and below allows authenticated administrators to inject malicious scripts through unsanitized device group names, which execute when other users view the group management interface. Public exploit code exists for this vulnerability, affecting LibreNMS deployments across multiple supported platforms. The vulnerability has been patched in version 26.2.0.

Stored cross-site scripting in LibreNMS versions 24.10.0 through 26.1.1 allows authenticated users to inject malicious scripts through the unsanitized unit parameter in Custom OID configurations, which are then executed when other users view the affected pages. An attacker with login credentials could exploit this to steal session tokens, perform actions on behalf of other administrators, or compromise the monitoring infrastructure. The vulnerability has been patched in version 26.2.0.

Stored XSS in LibreNMS Alert Rules allows authenticated administrators to inject malicious scripts that execute when other users view the Alert Rules page, affecting versions 25.12.0 and below. Public exploit code exists for this vulnerability, though exploitation requires high-level administrative privileges and user interaction. The vulnerability has been patched in version 26.2.0.

Reflected cross-site scripting in LibreNMS versions 25.12.0 and earlier allows unauthenticated remote attackers to inject malicious scripts via the email field, potentially compromising user sessions and enabling credential theft or malware distribution. Public exploit code exists for this vulnerability, and affected organizations should upgrade to version 26.2.0 or later immediately.

OpenClaw versions prior to 2026.2.15 contain a stored XSS vulnerability in the Control UI where unsanitized assistant identity values (name/avatar) are injected into inline script tags, allowing authenticated attackers with high privileges to break out of the script context and execute arbitrary JavaScript. Public exploit code exists for this vulnerability. The issue has been remediated in version 2026.2.15 through removal of inline scripts and implementation of a restrictive Content Security Policy.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Stored XSS. [CVSS 5.4 MEDIUM]

Web Site Management Server versions up to 16.7.0 is affected by cross-site scripting (xss) (CVSS 5.4).

Stored cross-site scripting in myCred versions up to 2.9.7.6 allows authenticated attackers to inject malicious scripts that execute in other users' browsers when viewing affected pages. An attacker with login credentials can leverage the vulnerability to steal session tokens, deface content, or perform actions on behalf of victims. No patch is currently available for this vulnerability.

Stored XSS in 10Web Photo Gallery through version 1.8.37 enables authenticated users with high privileges to inject malicious scripts that execute in victims' browsers when they view affected pages. The vulnerability requires user interaction to trigger but can compromise confidentiality, integrity, and availability across different security contexts. No patch is currently available.

Stored XSS in Fabric.js prior to version 7.2.0 allows attackers to inject arbitrary SVG elements and event handlers when user-supplied JSON is loaded and exported via toSVG(), affecting applications that process collaborative designs, imports, or CMS plugins. Public exploit code exists for this vulnerability. Applications rendering the SVG output in browsers are vulnerable to arbitrary JavaScript execution.

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. [CVSS 7.3 HIGH]

Stored XSS in Open WebUI prior to version 0.7.0 allows authenticated users to inject malicious HTML payloads into chat document metadata, which execute in the browser when citations are previewed or viewed in shared chats. Public exploit code exists for this vulnerability, and an attacker with login access can compromise any user who interacts with their weaponized chat documents. Upgrade to version 0.7.0 or later to remediate.

Reflected XSS in SPIP versions before 4.4.9 permits attackers to execute arbitrary scripts in the private area through insufficiently sanitized input, form, button, and anchor HTML tags. An unauthenticated attacker can craft malicious payloads that bypass the incomplete anti-XSS protection introduced in version 4.4.8, affecting all SPIP installations without the patch.

Stored XSS in SPIP before 4.4.9 allows authenticated attackers to inject malicious scripts through syndicated site URLs that execute in the private administrative area when other admins view syndication details. An attacker with the ability to configure a malicious syndication feed can achieve persistent code execution affecting other administrators. No patch is currently available for this vulnerability.

Stored cross-site scripting in ChurchCRM versions before 6.8.2 allows authenticated users with group editing permissions to inject malicious JavaScript that executes when other users view affected groups. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires user interaction and can result in session hijacking or unauthorized actions performed on behalf of affected users.

GFI MailEssentials AI versions before 22.4 contain a stored XSS vulnerability in the Local Domains settings page that allows authenticated users to inject malicious scripts into the txtDescription parameter, which are then executed when administrators view the management interface. An attacker with valid credentials can exploit this to perform actions as a logged-in administrator or steal sensitive information from the management console. No patch is currently available for this vulnerability.

Stored cross-site scripting in GFI MailEssentials AI before version 22.4 allows authenticated users to inject malicious JavaScript through the Spam Keyword Checking interface, which executes when administrators access the management console. An attacker with valid credentials can exploit this to steal session tokens, modify security policies, or perform actions on behalf of logged-in administrators. No patch is currently available for this vulnerability.

GFI MailEssentials AI prior to version 22.4 is vulnerable to stored cross-site scripting in the Spam Keyword Checking interface, where authenticated users can inject malicious scripts that execute when administrators access the management console. An attacker with valid credentials can leverage this to perform actions on behalf of logged-in users or steal session information, affecting organizations using vulnerable versions of the product.

Stored cross-site scripting in GFI MailEssentials AI before version 22.4 allows authenticated users to inject malicious scripts into the Anti-Spoofing configuration page, which execute when administrators view the management interface. An attacker with valid credentials can exploit the TxtSmtpDesc parameter to compromise other authenticated users through arbitrary JavaScript execution. No patch is currently available for this medium-severity vulnerability.

Stored XSS in GFI MailEssentials AI versions before 22.4 allows authenticated users to inject malicious scripts into the Sender Policy Framework Email Exceptions interface that execute when administrators view the management console. An attacker with valid credentials can inject HTML/JavaScript through the email description parameter, compromising other logged-in users' sessions.

GFI MailEssentials AI before version 22.4 contains a stored cross-site scripting vulnerability in the Sender Policy Framework configuration interface that allows authenticated users to inject malicious scripts into IP description fields. An attacker with valid credentials can execute arbitrary JavaScript in the context of administrators accessing the management interface, potentially compromising administrative sessions. No patch is currently available for this vulnerability.

GFI MailEssentials AI prior to version 22.4 allows authenticated users to inject malicious scripts into the URI DNS Blocklist configuration page, which are stored and executed when administrators access the management interface. An attacker with valid credentials can exploit the unsanitized ctl00$ContentPlaceHolder1$pv1$TXB_URIs parameter to perform actions in the context of logged-in users, such as stealing session tokens or modifying security settings. No patch is currently available for this stored cross-site scripting vulnerability.

Stored cross-site scripting in GFI MailEssentials AI versions before 22.4 allows authenticated users to inject malicious scripts into the IP DNS Blocklist configuration page that execute when administrators access the management interface. An attacker with valid credentials can inject HTML/JavaScript through the IP configuration parameter to compromise other authenticated users' sessions. No patch is currently available for this vulnerability.

GFI MailEssentials AI versions before 22.4 contain a stored cross-site scripting vulnerability in the IP Blocklist management page that allows authenticated users to inject malicious scripts into the IP description field, which are executed when administrators view the management interface. An attacker with valid credentials can exploit this to hijack administrator sessions or perform unauthorized actions with their privileges. Currently, no patch is available and the vulnerability requires user interaction to trigger.

GFI MailEssentials AI versions before 22.4 contain a stored cross-site scripting vulnerability in the POP2Exchange configuration endpoint that allows authenticated users to inject malicious scripts through the POP3 server login field. An attacker with valid credentials can execute arbitrary JavaScript in the context of administrators viewing the management interface, potentially compromising administrative sessions. No patch is currently available for this vulnerability.

GFI MailEssentials AI versions before 22.4 contain a stored cross-site scripting vulnerability in the Perimeter SMTP Servers configuration page that allows authenticated users to inject malicious scripts into the management interface. An attacker with valid credentials can execute arbitrary JavaScript in the context of other logged-in administrators by manipulating the description parameter. No patch is currently available for this vulnerability.

GFI MailEssentials AI prior to version 22.4 contains a stored cross-site scripting vulnerability in the Mail Monitoring rule creation endpoint that allows authenticated users to inject malicious JavaScript through the rule name field. When an administrator views the affected rules in the management interface, the stored script executes in their browser session, potentially enabling session hijacking or unauthorized administrative actions. No patch is currently available for this vulnerability.

GFI MailEssentials AI prior to version 22.4 contains a stored XSS vulnerability in the Anti-Spam Whitelist management interface that allows authenticated users to inject malicious scripts through the description field. An attacker with valid credentials can craft payloads that execute in the browser context of other administrators accessing the management console, potentially compromising administrative sessions. No patch is currently available for this vulnerability.

GFI MailEssentials AI prior to version 22.4 contains a stored cross-site scripting vulnerability in the Advanced Content Filtering rule creation feature that allows authenticated users to inject malicious scripts into rule names, which are later executed in the browsers of administrators viewing the management interface. An attacker with valid credentials can exploit this to perform actions as a logged-in administrator, including potential unauthorized configuration changes or credential theft. No patch is currently available for this vulnerability.

GFI MailEssentials AI versions before 22.4 contain a stored cross-site scripting vulnerability in the Attachment Filtering rule creation feature that allows authenticated users to inject malicious scripts into rule names, which execute when administrators access the management interface. An attacker with valid credentials can exploit this to perform actions on behalf of logged-in administrators or steal sensitive information from the management dashboard. No patch is currently available for this medium-severity vulnerability.

Stored cross-site scripting in GFI MailEssentials AI versions before 22.4 allows authenticated users to inject malicious JavaScript into the Keyword Filtering rule creation interface, which executes when administrators view the management console. An attacker with valid credentials can compromise other users' sessions and perform unauthorized actions within the MailEssentials application. No patch is currently available for this vulnerability.

Stored XSS in SPIP before 4.4.8 allows authenticated users with content-editing privileges to inject malicious scripts through inadequate sanitization in the echapper_html_suspect() function, which then execute in the browsers of other users including administrators. Attackers can exploit this vulnerability to perform unauthorized actions and modify application state within the security context of victim users. No patch is currently available.

Improper iframe sanitization in SPIP before 4.4.8 enables stored cross-site scripting attacks within the private administrative area, allowing attackers to execute arbitrary JavaScript in the context of backend users. An unauthenticated attacker can inject malicious iframe tags that bypass the application's security filters and execute in victims' browsers when they access the affected area. No patch is currently available and the built-in SPIP security screen does not mitigate this vulnerability.

jsPDF versions prior to 4.2.0 allow attackers to inject arbitrary PDF objects including malicious JavaScript through unsanitized input to the Acroform module, which executes when users interact with form elements. An attacker who can control input passed to vulnerable API members can achieve code execution on the victim's system. The vulnerability is fixed in jsPDF 4.2.0 and can be mitigated by sanitizing all user input before passing it to affected Acroform properties and methods.

Cross-site scripting in Indico prior to version 3.3.10 allows authenticated users to inject malicious scripts through material file uploads, potentially compromising other users' sessions or stealing sensitive data. The vulnerability affects Indico deployments using Flask-Multipass authentication and requires both user interaction and authenticated access to exploit. A patch is available, and administrators should upgrade to version 3.3.10 and update webserver configurations to enforce strict Content Security Policy for file downloads.

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. [CVSS 6.1 MEDIUM]

SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicious scripts that execute in a victim's browser. [CVSS 5.4 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the username parameter. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the openvpn_advanced endpoint. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains multiple reflected cross-site scripting vulnerabilities in the openvpn_users endpoint that allow attackers to inject malicious scripts through POST parameters. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the antispyware endpoint. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the dnsmasq endpoint. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the VIRUS_ADMIN parameter. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting unsanitized input to the EXCEPTIONSITELIST parameter. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains multiple reflected cross-site scripting vulnerabilities in the /korugan/proxyconfig endpoint that allow attackers to inject malicious scripts through POST parameters. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through the vpnfw endpoint. [CVSS 7.2 HIGH]

Comodo Dome Firewall 2.7.0 contains multiple cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through the policyfw endpoint. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the snat endpoint. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the schedule endpoint. [CVSS 7.2 HIGH]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the FWADDRESSES parameter. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the protocol parameter. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input through the device parameter. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting unsanitized input to the hotspot_permanent_users endpoint. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the ID parameter. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the ID parameter. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting unsanitized input through the NTP_SERVER_LIST parameter. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the GATEWAY_GREEN parameter. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through the source and destination parameters. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the destination parameter. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the netmask_addr parameter. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the backup schedule interface. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the organization parameter. [CVSS 6.1 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the newLicense parameter. [CVSS 7.2 HIGH]

Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input through admin management parameters. [CVSS 6.4 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the comment parameter. [CVSS 6.4 MEDIUM]

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the username parameter. [CVSS 6.1 MEDIUM]

The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker. [CVSS 6.1 MEDIUM]

The Dealia - Request a Quote WordPress plugin through version 1.0.6 allows authenticated contributors and above to inject malicious scripts into pages via improperly escaped Gutenberg block attributes. An attacker with contributor-level access can embed arbitrary JavaScript that executes when users view the affected pages, potentially compromising user sessions and data. No patch is currently available.

Stored XSS in the Client Testimonial Slider WordPress plugin through version 2.0 allows administrators to inject malicious scripts into the 'Testimonial Heading' setting due to inadequate input sanitization. The injected scripts execute when users view affected pages, impacting multi-site WordPress installations or sites with unfiltered_html disabled. Currently no patch is available.

Reflected XSS in OpenCms v18.0 via the 'q' parameter in /search/index.html allows unauthenticated attackers to inject malicious scripts through crafted URLs. Successful exploitation enables session hijacking, credential theft, and arbitrary actions performed on behalf of authenticated users. No patch is currently available.

Stored XSS in OpenCms v18.0 allows authenticated attackers to inject malicious scripts through the 'text' parameter in blog article creation requests, which execute in other users' browsers when they view the affected content. The vulnerability requires user interaction and results in limited impact to confidentiality and integrity, but currently has no available patch.