Cross-Site Scripting

Heatmiser Netmonitor v3.03 contains an HTML injection vulnerability in the outputSetup.htm page that allows attackers to inject malicious HTML code through the outputtitle parameter. [CVSS 6.1 MEDIUM]

lty628 aidigu v1.9.1 is vulnerable to Cross Site Scripting (XSS) exists in the /setting/ page where the "intro" field is not properly sanitized or escaped. [CVSS 6.1 MEDIUM]

Xwiki versions up to 17.9.0 is affected by improper restriction of rendered ui layers or frames (CVSS 6.1).

Secure Copy Content Protection and Content Locking (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Cross-Site Scripting (XSS).This issue affects E-Commerce Package: through 27112025. [CVSS 8.2 HIGH]

Customer Reviews for WooCommerce (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

Reflected Cross-Site Scripting (XSS) vulnerability in the Wix web application, where the endpoint ' https://manage.wix.com/account/account-settings ', responsible for uploading SVG images, does not properly sanitize the content.

Information disclosure on locked iOS and iPadOS devices stems from improper UI state management, allowing an attacker with physical device access to view sensitive user data. The vulnerability affects multiple Apple mobile OS versions and currently lacks a public patch, though fixes are available in iOS 26.3, iPadOS 26.3, iOS 18.7.5, and iPadOS 18.7.5.

Dify versions prior to 1.13.0 contain a stored cross-site scripting vulnerability in the chat frontend's echarts integration that executes malicious JavaScript payloads embedded in user or LLM-generated inputs. An attacker can exploit this to perform actions in the context of other users' browsers, potentially stealing session tokens or conducting phishing attacks. Public exploit code exists for this vulnerability, though a patch is available in version 1.13.0 and later.

Cross-site scripting (XSS) in Vikunja prior to version 1.1.0 allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by injecting malicious code into task descriptions that are rendered without sanitization in hover tooltips. An attacker can exploit this by sharing a project and creating a specially crafted task that triggers the vulnerability when other users hover over it. A patch is available in version 1.1.0 and later.

Authenticated users with content creation permissions in Statamic CMS versions 6.0.0 through 6.2.2 can inject persistent JavaScript through content titles that executes in the browsers of higher-privileged users, potentially allowing attackers to create unauthorized super admin accounts. The vulnerability affects users with control panel access and requires user interaction to trigger. A patch is available in version 6.2.3.

Multiple vulnerabilities in ASTPP 4.0.1 including XSS and command injection in SIP device configuration and plugin management. PoC available.

A stored cross-site scripting (XSS) vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim s browser. [CVSS 6.1 MEDIUM]

Reflected XSS in MiniGal Nano 0.3.5 and earlier allows unauthenticated remote attackers to inject malicious scripts through the dir parameter in index.php, enabling arbitrary JavaScript execution in victim browsers. The vulnerability stems from insufficient output encoding when constructing error messages with user-supplied input. No patch is currently available for affected installations.

A vulnerability in Plunet Plunet BusinessManager allows unauthorized actions being performed on behalf of privileged users.This issue affects Plunet BusinessManager: 10.15.1

Kimai 2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into timesheet descriptions. Attackers can insert SVG-based XSS payloads in the description field to execute arbitrary JavaScript when the page is loaded and viewed by other users. [CVSS 6.4 MEDIUM]

GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the event title parameter. [CVSS 6.4 MEDIUM]

WordPress Server Log Viewer 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unfiltered log file paths. Attackers can add log files with embedded XSS payloads that will execute when viewed in the WordPress admin interface. [CVSS 6.4 MEDIUM]

Yoast Duplicate-Post WordPress Plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces. [CVSS 5.5 MEDIUM]

InoERP 0.7.2 contains a persistent cross-site scripting vulnerability in the comment section that allows unauthenticated attackers to inject malicious scripts. [CVSS 5.4 MEDIUM]

thesystem version 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through multiple server data input fields. [CVSS 6.4 MEDIUM]

Phraseanet 4.0.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through crafted file names during document uploads. [CVSS 6.4 MEDIUM]

A vulnerability in Plunet Plunet BusinessManager allows session hijacking, data theft, unauthorized actions on behalf of the user.This issue affects Plunet BusinessManager: 10.15.1.

Critical XSS vulnerability in E-Kalite software allows remote attackers to execute arbitrary code.

Stored XSS in WordPress Slideshow WP plugin through version 1.1 allows authenticated users with contributor-level access to inject malicious scripts via the 'sswpid' shortcode attribute due to insufficient input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, enabling attackers to steal session data or perform unauthorized actions. No patch is currently available for this vulnerability.

Stored XSS in BuddyHolis ListSearch plugin for WordPress through version 1.1 allows authenticated contributors and above to inject malicious scripts into pages via inadequately sanitized shortcode attributes. When site visitors access compromised pages, the injected scripts execute in their browsers, potentially enabling account hijacking, session theft, or malicious redirects. No patch is currently available for this vulnerability.

The Flask Micro code-editor plugin for WordPress through version 1.0.0 contains a stored cross-site scripting vulnerability in its codeflask shortcode due to inadequate input validation and output encoding. Authenticated users with contributor-level permissions or higher can inject malicious scripts that execute for all visitors accessing affected pages. No patch is currently available.

Stored XSS in OpenPOS Lite for WooCommerce plugin (versions up to 3.0) allows authenticated contributors and above to inject malicious scripts via the order_qrcode shortcode's width parameter, which execute when other users view affected pages. The vulnerability stems from inadequate input sanitization and output escaping, enabling attackers to compromise page content without user interaction. No patch is currently available.

Stored cross-site scripting in the WordPress Microtango plugin through version 0.9.29 allows authenticated contributors and higher-privileged users to inject malicious scripts via the 'restkey' parameter that execute when other users view affected pages. The vulnerability stems from inadequate input sanitization and output escaping in the mt_reservation shortcode. No patch is currently available.

Stored cross-site scripting in the HTML Tag Shortcodes WordPress plugin through version 1.1 allows authenticated contributors and above to execute arbitrary scripts on site pages through inadequately sanitized shortcode attributes. Affected users will run attacker-injected code whenever they visit compromised pages, potentially leading to session hijacking or malicious content injection.

Stored XSS in the WDES Responsive Popup WordPress plugin through version 1.3.6 allows authenticated contributors and higher-privileged users to inject malicious scripts via the 'wdes-popup-title' shortcode due to inadequate input sanitization. When victims visit affected pages containing the injected payload, the scripts execute in their browsers, potentially compromising site integrity and user data. No patch is currently available.

Stored XSS in WordPress Category Image plugin through version 2.0 allows authenticated users with Editor access or higher to inject malicious scripts via the tag-image parameter due to insufficient input validation. When other users view affected pages, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or site defacement. No patch is currently available.

The WPlyr Media Block plugin for WordPress through version 1.3.0 contains a stored cross-site scripting vulnerability in the '_wplyr_accent_color' parameter due to inadequate input sanitization, allowing authenticated administrators to inject malicious scripts that execute in other users' browsers. This requires high-privilege access and manual user interaction but impacts site integrity and user security across affected pages.

The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is not necessary, but the action must be performed) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Surname’ parameter of the ‘Create Account’ operation at the URL:  https://zeus.microcom.es:4040/index.html?zeus6=true .

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is not necessary, but the action must be performed) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Email’ parameters within the ‘Recover password’ section at the URL: https://zeus.microcom.es:4040/index.html?zeus6=true .

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is required) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Name’ and “Surname” parameters within the ‘My Account’ section at the URL: https://zeus.microcom.es:4040/administracion-estaciones.html  resulting in a stored XSS.

Saastech Cleaning and Internet Services Inc. TemizlikYolda is affected by cross-site scripting (xss) (CVSS 8.3).

Orbisius Random Name Generator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

Stored cross-site scripting in Beaver Builder Page Builder plugin for WordPress through version 2.10.0.5 allows authenticated users with Custom-level access or higher to inject malicious scripts into global settings that execute for all site visitors. The vulnerability stems from missing capability checks and insufficient input sanitization in the save_global_settings() function. Attackers can exploit this to deface pages, steal credentials, or perform actions on behalf of other users viewing affected content.

The ZOLL ePCR IOS application reflects unsanitized user input into a WebView. Attacker-controlled strings placed into PCR fields (run number, incident, call sign, notes) are interpreted as HTML/JS when the app prints or renders that content. [CVSS 5.5 MEDIUM]

Stored XSS in Docmost before version 0.25.0 allows authenticated attackers to inject malicious scripts into public share page titles that execute when victims visit shared links, compromising user sessions and data. The vulnerability stems from improper HTML escaping of page titles in meta and title tags, and public exploit code is available. Upgrade to version 0.25.0 or later to remediate.

Azure HDInsight contains a cross-site scripting (XSS) vulnerability in web page generation that allows authenticated attackers to conduct spoofing attacks over the network. An attacker with valid credentials and user interaction can exploit this weakness to manipulate web content and deceive users. No patch is currently available for this issue.

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an unauthenticated attacker to execute commands via crafted requests. [CVSS 8.8 HIGH]

The Simplicity Device Manager Tool has a Reflected XSS (Cross-site-scripting) vulnerability in several API endpoints. The attacker needs to be on the same network to execute this attack.

Stored cross-site scripting in The Events Calendar Shortcode & Block plugin for WordPress up to version 3.1.2 allows authenticated users with contributor-level access to inject malicious scripts through the `ecs-list-events` shortcode's `message` attribute due to inadequate input sanitization. When injected pages are accessed by other users, the malicious scripts execute in their browsers, potentially compromising session data or performing unauthorized actions. A patch is not currently available.

The Name Directory WordPress plugin through version 1.32.0 contains a stored cross-site scripting vulnerability in its sanitization logic that allows unauthenticated attackers to inject malicious scripts through the public submission form. Attackers can exploit this by submitting content with double-encoded HTML entities that bypass security filters, and the injected scripts will execute when administrators or users view the affected pages if the submission is approved or auto-publish is enabled. This affects all installations of the vulnerable plugin versions with no patch currently available.

A vulnerability has been identified in Polarion V2404 (All versions < V2404.5), Polarion V2410 (All versions < V2410.2). The affected application allows arbitrary JavaScript code be included in document titles. [CVSS 7.6 HIGH]

Authenticated attackers can inject malicious JavaScript into Flowring's AgentFlow platform that persists and executes in other users' browsers when they load affected pages, potentially compromising user sessions and data. This stored cross-site scripting vulnerability affects the AI/ML and Agentflow products and requires user interaction to trigger, though no patch is currently available.

Reflected XSS in AgentFlow enables unauthenticated attackers to inject malicious JavaScript that executes in victims' browsers during phishing campaigns, potentially compromising user sessions and data. The vulnerability affects the AI/ML platform with no patch currently available, requiring users to rely on defensive measures such as email filtering and user awareness training.

Stored cross-site scripting in the Fluent Forms WordPress plugin's AI Form Builder module (versions up to 6.1.14) enables authenticated subscribers to inject malicious scripts that execute for all users viewing affected forms through missing authorization checks, leaked nonces, and insufficient input sanitization of AI-generated content. An attacker with subscriber-level access can exploit this to perform actions on behalf of administrators or steal sensitive information from form viewers. The vulnerability affects WordPress installations using this plugin and has no patch currently available.

Stored XSS in SAP BusinessObjects Enterprise results from insufficient input encoding, allowing high-privileged administrators to inject malicious JavaScript that executes in other users' browsers. This vulnerability affects confidentiality and integrity with medium severity, though no patch is currently available. Exploitation requires administrative access and user interaction to trigger the malicious payload.

Unauthenticated attackers can manipulate unvalidated URL parameters in S4core, Document Management System, and ERP applications to redirect users to malicious websites, potentially compromising user credentials or distributing malware. The vulnerability requires user interaction to exploit and has limited impact on confidentiality and integrity, with no availability impact. No patch is currently available.

Filebrowser versions prior to 2.57.1 allow authenticated users to reset passwords without verifying the current password due to case-sensitive validation logic that can be bypassed using mixed-case field names in API requests. An attacker with a valid JWT token obtained through XSS, session hijacking, or similar means could exploit this to perform account takeover. Public exploit code exists for this vulnerability, and a patch is available.

Stored XSS in Craft CMS Number field settings (versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21) allows authenticated users with high privileges to inject malicious scripts via the Prefix or Suffix fields, which execute when the field is viewed on user profiles. Public exploit code exists for this vulnerability. Updates to versions 4.16.18 and 5.8.22 are available to remediate the issue.

Stored cross-site scripting in Craft CMS versions 5.0.0-RC1 through 5.8.21 allows authenticated users with high privileges to inject malicious scripts through Entry Type names that are not sanitized when displayed in the Entry Types list. An attacker exploiting this vulnerability can execute arbitrary JavaScript in the browsers of other users viewing the affected list, potentially compromising session data or performing unauthorized actions. Public exploit code exists for this vulnerability, though a patch is available in version 5.8.22 and later.

FileRise versions before 3.3.0 contain an HTML injection vulnerability that allows authenticated users to manipulate the DOM and inject malicious form or link elements to redirect users or trigger unauthorized actions. Public exploit code exists for this medium-severity flaw, and no patch is currently available. The vulnerability requires user interaction and valid credentials to exploit, limiting its immediate impact but creating risk for organizations running affected FileRise instances.

Hitron HI3120 v7.2.4.5.2b1 allows stored XSS via the Parental Control option when creating a new filter. The device fails to properly handle inputs, allowing an attacker to inject and execute JavaScript. [CVSS 4.8 MEDIUM]

Stored Cross-Site Scripting (XSS) vulnerability in Loggro Pymes, via the 'Facebook' parameter in '/loggrodemo/jbrain/ConsultaTerceros' endpoint.

Stored Cross-Site Scripting (XSS) vulnerability in Loggro Pymes, via the 'descripción' parameter in the '/loggrodemo/jbrain/MaestraCuentasBancarias' endpoint.

In JetBrains PyCharm before 2025.3.2 a DOM-based XSS on Jupyter viewer page was possible [CVSS 8.2 HIGH]

A vulnerability was detected in code-projects Online Reviewer System 1.0. This affects an unknown part of the file /system/system/admins/manage/users/btn_functions.php. [CVSS 3.5 LOW]

Zirve Information Technologies Inc. E-Taxpayer Accounting Website is affected by cross-site scripting (xss) (CVSS 8.6).

A weakness has been identified in code-projects Online Reviewer System 1.0. Affected by this vulnerability is an unknown functionality of the file /system/system/admins/manage/users/btn_functions.php. [CVSS 2.4 LOW]

A weakness has been identified in code-projects for Plugin 1.0. This affects an unknown part of the file /Administrator/PHP/AdminAddAlbum.php. [CVSS 2.4 LOW]

jsonpath library before 1.2.0 has an arbitrary code injection vulnerability via unsafe use of eval-like constructs in JSONPath expressions.

A security vulnerability has been detected in ZeroWdd studentmanager up to 2151560fc0a50ec00426785ec1e01a3763b380d9. This impacts the function addLeave of the file src/main/java/com/wdd/studentmanager/controller/LeaveController.java. [CVSS 2.4 LOW]

A weakness has been identified in heyewei JFinalCMS 5.0.0. This affects an unknown function of the file /admin/admin/save of the component API Endpoint. [CVSS 2.4 LOW]

Simple Responsive Tourism Website versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

Simple Responsive Tourism Website versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

Online Student Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 2.4).

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

A vulnerability was identified in cym1102 nginxWebUI up to 4.3.7. The impacted element is an unknown function of the file /adminPage/conf/check of the component Web Management Interface. [CVSS 3.5 LOW]

Reflected XSS in the WordPress MP-Ukagaka plugin through version 1.5.2 allows unauthenticated attackers to inject malicious scripts into web pages due to insufficient input sanitization and output escaping. An attacker can exploit this by tricking users into clicking a malicious link, causing arbitrary JavaScript to execute in their browsers. No patch is currently available for this vulnerability.

The Subitem AL Slider plugin for WordPress through version 1.0.0 fails to properly sanitize the PHP_SELF parameter, allowing unauthenticated attackers to inject malicious scripts through a crafted link. An attacker can trick users into clicking a malicious URL to execute arbitrary JavaScript in their browser sessions. No patch is currently available for this reflected XSS vulnerability.

Stored XSS in the Wonka Slide WordPress plugin (versions up to 1.3.3) allows authenticated users with contributor-level permissions to inject malicious scripts through the `list_class` shortcode attribute due to inadequate input sanitization. When other users visit affected pages, the injected scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.

Stored XSS in WordPress Wikiloops Track Player plugin (versions up to 1.0.1) allows authenticated contributors and above to inject malicious scripts through the wikiloops shortcode due to inadequate input sanitization and output escaping. Injected scripts execute in the browsers of users viewing affected pages, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.

Stored cross-site scripting in the WordPress Video Onclick plugin through version 0.4.7 allows authenticated contributors and above to inject malicious scripts into pages via the youtube shortcode due to inadequate input sanitization. When users access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive information. No patch is currently available.

Stored XSS in the OMIGO WordPress plugin through version 3.3 allows authenticated contributors and above to inject malicious scripts via the omigo_donate_button shortcode due to inadequate input sanitization, executing arbitrary code when users view affected pages. The vulnerability requires low privileges but impacts all users accessing compromised content, with no available patch as of now.

Simple Bible Verse via Shortcode (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

The Premmerce WordPress plugin through version 1.3.20 contains a stored cross-site scripting vulnerability in the wizard AJAX endpoint due to inadequate input sanitization and output escaping on the state parameter. Authenticated users with subscriber-level permissions can inject malicious scripts that execute in the admin wizard interface when accessed by other users. No patch is currently available for this medium-severity vulnerability affecting plugin installations.

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_raw_content shortcode in all versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. [CVSS 3.5 LOW]

Cross-site scripting in NiceGUI's ui.markdown() component allows unauthenticated attackers to inject malicious HTML and JavaScript into applications that render user-controlled markdown content, as the component lacks built-in sanitization unlike other NiceGUI HTML rendering functions. Public exploit code exists for this vulnerability affecting NiceGUI versions before 3.7.0. Applications using ui.markdown() with untrusted input are vulnerable to session hijacking, credential theft, and other client-side attacks.

Reflected cross-site scripting in SCEditor prior to version 3.2.1 allows attackers with control over configuration parameters to inject malicious scripts through unsanitized options like emoticons or charset settings. Public exploit code exists for this vulnerability, which affects any application integrating the affected SCEditor versions. A patch is available in version 3.2.1 and later.