Cross-Site Scripting

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/stickyHeader.Js.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files src/ce/ve.Ce.ClipboardHandler.Js.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser/checkuser/checkUserHelper/buildUserElement.Js.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. [CVSS 6.1 MEDIUM]

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Language/mediawiki.Language.Js.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/WatchlistTopSectionWidget.Js.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/RclToOrFromWidget.Js.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Action/mediawiki.Action.Edit.Preview.Js, resources/src/mediawiki.Page.Preview.Js.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLButtonField.Php.

Talishar is a fan-made Flesh and Blood project. A Stored XSS exists in the chat in-game system. [CVSS 5.3 MEDIUM]

PDF generation in jsPDF prior to version 4.1.0 allows injection of arbitrary PDF objects through unsanitized input passed to AcroForm module methods, enabling attackers to embed malicious JavaScript actions executed when victims open the generated documents. Public exploit code exists for this vulnerability affecting applications using vulnerable versions of the library. Upgrade to jsPDF 4.1.0 or later to remediate the issue.

FacturaScripts versions 2025.71 and earlier contain a stored XSS vulnerability in the Observations field that executes arbitrary JavaScript when administrators view historical data. An authenticated attacker can inject malicious scripts that persist in the database and compromise admin sessions, with public exploit code already available. The vulnerability remains unpatched and requires administrator interaction to trigger.

Reflected cross-site scripting in FacturaScripts prior to version 2025.8 allows authenticated attackers to inject malicious scripts through crafted input that triggers database errors, which are then rendered without HTML sanitization due to unsafe Twig template filters. Public exploit code exists for this vulnerability. The issue affects error message handling and requires user interaction to exploit, with impacts limited to session hijacking or credential theft within the affected user's browser context.

A stored cross-site scripting (XSS) vulnerability in the Forums module of Tendenci CMS v15.3.7 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. [CVSS 5.4 MEDIUM]

A stored cross-site scripting (XSS) vulnerability in the Jobs module of Tendenci CMS v15.3.7 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. [CVSS 5.4 MEDIUM]

Multiple reflected cross-site scripting (XSS) vulnerabilities in the installation module of Subrion CMS v4.2.1 allows attackers to execute arbitrary Javascript in the context of the user's browser via injecting a crafted payload into the dbuser, dbpwd, and dbname parameters. [CVSS 6.1 MEDIUM]

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/portlets.Js, resources/skins.Vector.Legacy.Js/portlets.Js.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MultimediaViewer.This issue affects MultimediaViewer: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0. [CVSS 4.7 MEDIUM]

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandbox.Js. [CVSS 4.7 MEDIUM]

Cloud Pak For Business Automation versions up to 24.0.0 is affected by cross-site scripting (xss) (CVSS 6.4).

Cybozu Garoon 5.15.0 through 6.0.3 contains a cross-site scripting vulnerability in the Message function that allows authenticated attackers to reset arbitrary user passwords through malicious scripts. The vulnerability requires user interaction and affects the confidentiality and integrity of user accounts. No patch is currently available.

Cybozu Garoon versions 5.0.0 through 6.0.3 contain a cross-site scripting vulnerability in the email function that enables attackers to reset arbitrary user passwords by crafting malicious email content. The attack requires user interaction to trigger and can affect confidentiality and integrity across security boundaries. No patch is currently available for this vulnerability.

The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. [CVSS 7.1 HIGH]

Unauthenticated file upload leading to stored XSS and potential RCE in Samsung MagicInfo9 Server. HTML files uploaded without authentication.

Dsl-6641K Firmware versions up to n8.tr069.20131126 is affected by cross-site scripting (xss) (CVSS 2.4).

QWE DL 2.0.1 mobile web application contains a persistent input validation vulnerability allowing remote attackers to inject malicious script code through path parameter manipulation. [CVSS 6.4 MEDIUM]

TextBox Name Profile input. Attackers can inject malicious script code through a POST request is affected by cross-site scripting (xss) (CVSS 6.4).

WiFi File Transfer 1.0.8 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through file and folder names. [CVSS 6.4 MEDIUM]

Incinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. [CVSS 5.4 MEDIUM]

BootCommerce 3.2.1 contains persistent input validation vulnerabilities that allow remote attackers to inject malicious script code through guest order checkout input fields. [CVSS 6.4 MEDIUM]

Knap Advanced PHP Login 3.1.3 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script code in the name parameter. [CVSS 6.4 MEDIUM]

Stripe Green Downloads Wordpress Plugin 2.03 contains a persistent cross-site scripting vulnerability allowing remote attackers to inject malicious scripts in button label fields. [CVSS 6.4 MEDIUM]

WebMO Job Manager 20.0 contains a cross-site scripting vulnerability in search parameters that allows remote attackers to inject malicious script code. [CVSS 5.4 MEDIUM]

Simple CMS 2.1 contains a non-persistent cross-site scripting vulnerability in the preview.php file's id parameter. Attackers can inject malicious script code through a GET request to execute arbitrary scripts and potentially hijack user sessions or perform phishing attacks. [CVSS 6.4 MEDIUM]

Simple CMS 2.1 contains a persistent cross-site scripting vulnerability in user input parameters that allows remote attackers to inject malicious script code. [CVSS 6.4 MEDIUM]

PHP Melody version 3.0 contains a persistent cross-site scripting vulnerability in the edit-video.php submitted parameter that allows remote attackers to inject malicious script code. [CVSS 6.4 MEDIUM]

PHP Melody 3.0 contains a persistent cross-site scripting vulnerability in the video editor that allows privileged users to inject malicious scripts. Attackers can exploit the WYSIWYG editor to execute persistent scripts, potentially leading to session hijacking and application manipulation. [CVSS 6.4 MEDIUM]

PHP Melody version 3.0 contains multiple non-persistent cross-site scripting vulnerabilities in categories, import, and user import files. Attackers can inject malicious scripts through unvalidated parameters to execute client-side attacks and potentially hijack user sessions. [CVSS 6.4 MEDIUM]

Affiliate Pro 1.7 contains multiple reflected cross-site scripting vulnerabilities in the index module's input fields. Attackers can inject malicious scripts through fullname, username, and email parameters to execute client-side attacks and manipulate browser requests. [CVSS 5.4 MEDIUM]

Ultimate POS 4.4 contains a persistent cross-site scripting vulnerability in the product name parameter that allows remote attackers to inject malicious scripts. [CVSS 6.4 MEDIUM]

Multiple payment terminal versions contain non-persistent cross-site scripting vulnerabilities in billing and payment information input fields. [CVSS 6.4 MEDIUM]

Easy Cart Shopping Cart 2021 contains a non-persistent cross-site scripting vulnerability in the search module's keyword parameter. Remote attackers can inject malicious script code through the search input to compromise user sessions and manipulate application content. [CVSS 6.4 MEDIUM]

Sell BTC - Cryptocurrency Selling Calculator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

HotCRP conference review software versions from October 2025 through January 2026 improperly render uploaded documents inline in the browser instead of forcing download, allowing malicious HTML or SVG files to execute JavaScript with access to user credentials and HotCRP API permissions. Attackers can exploit this stored XSS vulnerability by uploading crafted documents to submission fields, which then compromise any user who clicks the document link. A patch is available to restrict inline rendering to safe document types.

OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. [CVSS 5.4 MEDIUM]

Cross-site scripting (XSS) in LocalSend up to version 1.17.0 allows unauthenticated attackers to inject malicious scripts through the "Share via Link" web interface, which fails to properly sanitize file names in the file list display. An attacker can craft a malicious file name that executes arbitrary JavaScript in the context of a victim's browser when they access the shared link, potentially leading to session hijacking or credential theft. Public exploit code exists for this vulnerability, though a patch is available in commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c.

A vulnerability was detected in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function ad_virtual_server_vdsl of the component Web Interface. [CVSS 2.4 LOW]

House Rental And Property Listing Project versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 3.5).

OpenZ ERP 3.6.60 contains a persistent cross-site scripting vulnerability in the Employee module's name and description parameters. Attackers can inject malicious scripts through POST requests to , enabling session hijacking and manipulation of application modules. [CVSS 6.4 MEDIUM]

Orchard Core RC1 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts through blog post creation. [CVSS 6.4 MEDIUM]

Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. [CVSS 6.4 MEDIUM]

Sellacious eCommerce 4.6 contains a persistent cross-site scripting vulnerability in the Manage Your Addresses module that allows attackers to inject malicious scripts. [CVSS 6.4 MEDIUM]

Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. [CVSS 6.4 MEDIUM]

PHPFusion 9.03.50 contains a persistent cross-site scripting vulnerability in the print.php page that fails to properly sanitize user-submitted message content. [CVSS 6.4 MEDIUM]

Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. [CVSS 6.4 MEDIUM]

ChurchCRM versions before 6.7.2 contain a stored XSS vulnerability in the event creation feature that allows low-privileged users to inject malicious scripts into event descriptions. These payloads persist in the database and execute when administrators or other users view the affected events, potentially enabling account takeover. Public exploit code exists for this vulnerability, though a patch is available in version 6.7.2.

Zohocorp ManageEngine OpManager, NetFlow Analyzer, and OpUtils versions prior to 128582 are affected by a stored cross-site scripting vulnerability in the Subnet Details. [CVSS 4.6 MEDIUM]

FluentCMS 2026 contains a stored cross-site scripting vulnerability that allows authenticated administrators to upload SVG files with embedded JavaScript via the File Management module. [CVSS 4.8 MEDIUM]

Cross Site Scripting vulnerability in tale v.2.0.5 allows an attacker to execute arbitrary code. [CVSS 6.1 MEDIUM]

A vulnerability was found in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. Impacted is an unknown function of the file /dashboard/home/profile of the component User Information Module. [CVSS 3.5 LOW]

A HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. [CVSS 5.4 MEDIUM]

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows XSS Through HTTP Headers.This issue affects Content Management System (CMS): through 21072025. [CVSS 7.5 HIGH]

GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through message subjects. [CVSS 6.4 MEDIUM]

Stored XSS in RLE NOVA PlanManager allows authenticated users to inject malicious scripts via the comment and brand parameters, which are executed in other users' browsers without sanitization. An attacker can leverage this to hijack sessions, steal credentials, or perform unauthorized actions on behalf of victims. Exploitation requires user interaction and network access, with no patch currently available.

NocoDB spreadsheet platform prior to 0.301.0 has a stored XSS vulnerability (CVSS 9.0) that enables code execution through malicious cell content in shared views.

Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1. [CVSS 6.1 MEDIUM]

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44. [CVSS 5.4 MEDIUM]

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4. [CVSS 4.4 MEDIUM]

Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS.This issue affects Mini site: from 0.0.0 before 3.0.2. [CVSS 5.4 MEDIUM]

Cross-site scripting (XSS) in Drupal Form Builder 7.x versions 1.0 through 1.22 allows unauthenticated attackers to inject malicious scripts through improperly sanitized form inputs, affecting users who interact with compromised forms. Public exploit code exists for this vulnerability, and no patch is currently available, leaving vulnerable installations at active risk of session hijacking, credential theft, and defacement.

Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have a content-security-policy-mitigated cross-site scriptinv vulnerability on the Discourse Math plugin when using its KaTeX variant. [CVSS 4.6 MEDIUM]

Discourse is an open source discussion platform. A vulnerability present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 affects anyone who uses S3 for uploads. [CVSS 4.6 MEDIUM]

A Stored cross-site scripting (XSS) vulnerability in 'Create New Live Item' in PodcastGenerator 3.2.9 allows remote attackers to inject arbitrary script or HTML via the 'TITLE', 'SHORT DESCRIPTION' and 'LONG DESCRIPTION' parameters. [CVSS 4.8 MEDIUM]

A vulnerability was identified in rethinkdb versions up to 2.4.3. is affected by cross-site scripting (xss) (CVSS 2.4).

The Passster - Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including, 4.2.24. [CVSS 6.4 MEDIUM]

LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. [CVSS 5.4 MEDIUM]

PDW File Browser version 1.3 contains stored and reflected cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through file rename and path parameters. [CVSS 5.4 MEDIUM]

Stored XSS in WP Google Ad Manager Plugin up to version 1.1.0 allows administrators to inject malicious scripts into WordPress pages through insufficiently sanitized admin settings, affecting multi-site installations and configurations with disabled unfiltered_html. Authenticated attackers with administrator privileges can exploit this to execute arbitrary JavaScript that persists and runs for all users visiting affected pages. No patch is currently available.

The Vzaar Media Management WordPress plugin through version 1.2 contains a reflected cross-site scripting vulnerability in the PHP_SELF variable that lacks proper input sanitization, allowing unauthenticated attackers to inject malicious scripts. An attacker can exploit this by crafting a malicious link and tricking users into clicking it, leading to arbitrary script execution in their browsers. No patch is currently available for this vulnerability.

Stored Cross-Site Scripting (XSS) vulnerability in the PDF file upload functionality of Live Helper Chat, versions prior to 4.72.

Disk Pulse Enterprise v10.4.18 has an authenticated reflected XSS vulnerability in the '/monitor_directory?sid=' endpoint, caused by insufficient validation of the 'monitor_directory' parameter sent by POST.

Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]

Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]

Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]