Cross-Site Scripting

Horilla versions up to 1.5.0 is affected by unrestricted upload of file with dangerous type (CVSS 5.4).

HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim’s browser via crafted HTML content. [CVSS 7.6 HIGH]

A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content. [CVSS 6.8 MEDIUM]

Stored XSS in Group-Office through unsanitized filenames allows authenticated users to inject malicious scripts that execute when other users view affected files, potentially compromising sessions or triggering unintended browser actions. The vulnerability affects versions 6.8.148 and below, and 25.0.1 through 25.0.79, with public exploit code available. Patches are available in versions 6.8.149 and 25.0.80.

Stored XSS in Docmost 0.3.0-0.23.2 allows authenticated users to execute arbitrary JavaScript in the browsers of document viewers through malicious Mermaid diagram code blocks. The vulnerability exists because unsanitized SVG/HTML output from Mermaid rendering is directly injected into the DOM, and Mermaid's security controls can be disabled via diagram directives. Public exploit code exists for this vulnerability, which is fixed in version 0.24.0.

Stored XSS in Argo Workflows artifact directory listing (versions prior to 3.6.17 and 3.7.8) allows workflow authors to inject malicious JavaScript that executes in other users' browsers under the Argo Server origin. An attacker can leverage the victim's session to perform API actions and access resources with their privileges. Public exploit code exists for this vulnerability; patched versions are available.

Authenticated staff users in Saleor e-commerce platform versions 3.0.0 through 3.22.26 can upload malicious HTML and SVG files containing JavaScript that execute in users' browsers when served from the same domain as the dashboard, potentially allowing token theft. An attacker with staff privileges could craft script injections to compromise other staff members' sessions and access tokens. This vulnerability affects deployments where media files are hosted on the same domain as the dashboard and patches are available in versions 3.20.108, 3.21.43, and 3.22.27.

Saleor is an e-commerce platform. [CVSS 4.8 MEDIUM]

fleetdm/fleet is open source device management software. [CVSS 5.4 MEDIUM]

5ire AI assistant desktop application prior to version 0.10.0 has an output encoding vulnerability that allows malicious AI model responses to execute code through the Electron renderer.

VestaCP versions prior to 0.9.8-25 contain a cross-site scripting vulnerability in the IP interface configuration that allows attackers to inject malicious scripts. Attackers can exploit the 'v_interface' parameter by sending a crafted POST request to the add/ip/ endpoint with a stored XSS payload. [CVSS 7.2 HIGH]

GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. [CVSS 5.4 MEDIUM]

GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. [CVSS 5.3 MEDIUM]

Genexis Platinum-4410 P4410-V2-1.31A contains a stored cross-site scripting vulnerability in the 'start_addr' parameter of the Security Management interface. [CVSS 7.2 HIGH]

Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. [CVSS 7.2 HIGH]

Openlitespeed 1.7.9 contains a stored cross-site scripting vulnerability in the dashboard's Notes parameter that allows administrators to inject malicious scripts. [CVSS 7.2 HIGH]

OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript through user profile parameters. [CVSS 5.4 MEDIUM]

Stored XSS vulnerabilities in Cisco Packaged CCE and Unified CCE web management interfaces allow authenticated attackers to inject malicious scripts by exploiting insufficient input validation. Successful exploitation enables arbitrary script execution within the management interface context or theft of sensitive browser-based information from authorized users. No patch is currently available; exploitation requires high-level privileges and user interaction.

Stored XSS vulnerabilities in Cisco Packaged CCE and Unified CCE web management interfaces allow authenticated attackers to inject malicious scripts that execute in the context of other users' browsers, potentially enabling session hijacking or sensitive data theft. The vulnerability stems from inadequate input validation on specific interface pages and requires high-privilege account access and user interaction to exploit. No patch is currently available for this medium-severity issue (CVSS 4.8).

The WorklogPRO - Timesheets for Jira plugin in Jira Data Center before version 4.23.6-jira10 and before version 4.23.5-jira9 allows users and attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]

Revive Adserver's afr.php script contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through crafted URLs targeting logged-in administrators. An attacker can exploit this to execute arbitrary JavaScript in an admin's browser session, potentially leading to unauthorized actions or credential theft. No patch is currently available for this vulnerability.

Revive Adserver's banner-acl.php script contains a reflected cross-site scripting vulnerability that allows attackers to execute arbitrary scripts in the browsers of authenticated administrators through a crafted URL. An attacker can inject malicious HTML payloads into vulnerable parameters, which execute when an admin visits the malicious link, potentially compromising administrative sessions and server configuration. No patch is currently available for this vulnerability.

Revive Adserver's banner-acl.php and channel-acl.php scripts contain reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary JavaScript in an administrator's browser by crafting malicious URLs. An authenticated attacker can exploit this to perform actions with administrative privileges if a logged-in admin visits the crafted link. No patch is currently available for this vulnerability affecting PHP-based Revive Adserver installations.

Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site scripting (XSS) vulnerability in the Clients module. The application fails to properly sanitize user-supplied input stored in the Name and Surname fields. [CVSS 6.1 MEDIUM]

WorklogPRO - Jira Timesheets plugin in the Jira Data Center versions up to 4.24.2 is affected by cross-site scripting (xss) (CVSS 6.1).

IBM ApplinX 11.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.4 MEDIUM]

IBM ApplinX 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 6.4 MEDIUM]

IBM Application Gateway 23.10 through 25.09 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.4 MEDIUM]

Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by cross-site scripting (xss) (CVSS 5.4).

Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by cross-site scripting (xss) (CVSS 6.1).

Stored cross-site scripting in FlatPM - Ad Manager plugin for WordPress up to version 3.2.2 allows authenticated contributors and higher-privileged users to inject malicious scripts through the rank_math_description field due to inadequate input sanitization. The injected scripts execute in the browsers of users viewing affected pages, potentially enabling credential theft, session hijacking, or other client-side attacks. No patch is currently available for this vulnerability.

Stored XSS in WordPress Head Meta Data plugin (versions up to 20251118) allows authenticated contributors and above to inject malicious scripts into post metadata that execute when users visit affected pages, due to inadequate input sanitization. An attacker with contributor-level access can exploit insufficient output escaping to persistently compromise page content across all site visitors. No patch is currently available for this vulnerability.

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

A reflected cross-site scripting (xss) vulnerability exists in the modifyHL7App functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

A reflected cross-site scripting (xss) vulnerability exists in the modifyEmail functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

A reflected cross-site scripting (xss) vulnerability exists in the modifyRoute functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

A reflected cross-site scripting (xss) vulnerability exists in the notifynewstudy functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

A reflected cross-site scripting (xss) vulnerability exists in the modifyAnonymize functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

A reflected cross-site scripting (xss) vulnerability exists in the modifyCoercion functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

A reflected cross-site scripting (xss) vulnerability exists in the modifyUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

A reflected cross-site scripting (xss) vulnerability exists in the modifyAeTitle functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

A reflected cross-site scripting (xss) vulnerability exists in the autoPurge functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious url can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

A reflected cross-site scripting (xss) vulnerability exists in the modifyAutopurgeFilter functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

A reflected cross-site scripting (xss) vulnerability exists in the existingUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

A reflected cross-site scripting (xss) vulnerability exists in the emailfailedjob functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious url can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

A reflected cross-site scripting (xss) vulnerability exists in the encapsulatedDoc functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

A reflected cross-site scripting (xss) vulnerability exists in the modifyHL7Route functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

A reflected cross-site scripting (xss) vulnerability exists in the modifyTranscript functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

A reflected cross-site scripting (xss) vulnerability exists in the downloadZip functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious url can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

A reflected cross-site scripting (xss) vulnerability exists in the fetchPriorStudies functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

A reflected cross-site scripting (xss) vulnerability exists in the sendOruReport functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

The NotificationX - FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. [CVSS 7.2 HIGH]

HTML injection vulnerability in multiple Botble products such as TransP, Athena, Martfury, and Homzen, consisting of an HTML injection due to a lack of proper validation of user input by sending a request to '/search' using the 'q' parameter.

Reflected Cross-Site Scripting (XSS) vulnerability in IsMyGym by Zuinq Studio. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL with '/<PATH>.php/<XSS>'.

Poultry Farm Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 5.4).

Poultry Farm Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 5.4).

HTML Injection vulnerability in Isshue by Bdtask, consisting os an HTML injection due to a lack os proper validation of user input by sending a POST request to '/category_product_search', affecting the 'product_name' parameter.

Reflected Cross-Site Scripting (XSS) vulnerability in Riftzilla's QRGen. This vulnerability allows an attavker to execute JavaScript code in the victim's browser by sending them a malicious URL using the 'id' parameter in '/article.php'.

Stored Cross-Site Scripting (XSS) vulnerability in Sesame web application, due to the fact that uploaded SVG images are not properly sanitized.

An high privileged remote attacker can inject arbitrary content into the custom CSS field on the affected devices due to improper neutralization of input during web page generation ('Cross-site Scripting'). [CVSS 5.5 MEDIUM]

URL parameters are directly embedded into JavaScript code or HTML attributes without proper encoding or sanitization. This allows attackers to inject arbitrary scripts when an authenticated user visits a crafted link. [CVSS 6.1 MEDIUM]

Stored XSS in the Viet contact WordPress plugin versions up to 1.3.2 allows authenticated administrators to inject malicious scripts into admin settings due to inadequate input sanitization and output escaping. The injected scripts execute when other users access affected pages, impacting multi-site WordPress installations and sites with unfiltered_html disabled. Exploitation requires administrator-level access and no patch is currently available.

Stored XSS in WP Hello Bar plugin up to version 1.02 allows authenticated administrators to inject malicious scripts through the 'digit_one' and 'digit_two' parameters due to inadequate input validation. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available.

OnboardLite's user migration feature in the admin dashboard is vulnerable to stored cross-site scripting, allowing authenticated attackers to inject malicious scripts that execute when administrators process Discord account migrations. This vulnerability affects versions prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f and could enable session hijacking or credential theft targeting privileged users. No patch is currently available.

SiYuan personal knowledge management system prior to 3.5.4 has a stored XSS vulnerability (CVSS 9.6) that allows code execution through crafted knowledge base entries.

Reflected XSS in SiYuan's /api/icon/getDynamicIcon endpoint allows attackers to inject malicious JavaScript through unescaped SVG content in dynamically generated icon images. An unauthenticated attacker can craft a malicious link that, when clicked by a victim, executes arbitrary scripts in the context of the SiYuan application. Public exploit code exists for versions prior to 3.5.4, which contains the necessary patches.

Movary has a third input validation vulnerability that allows authenticated users to delete arbitrary files from the server, potentially causing data loss or service disruption.

Movary has a second input validation vulnerability allowing authenticated users to write arbitrary files on the server, enabling code execution through web shell upload.

Movary movie tracking application has an input validation flaw that allows authenticated users to read arbitrary files from the server, potentially exposing configuration files and secrets.

Stored XSS in OpenProject versions 16.3.0-16.6.4 allows authenticated users to inject arbitrary HTML/JavaScript through subproject names displayed in the Roadmap view, affecting all users who view the compromised roadmap. An attacker with project creation or modification privileges can craft a malicious project name that executes in victims' browsers when they access the Roadmap, potentially leading to session hijacking or credential theft. No patch is currently available; mitigation is only present in versions 16.6.5 and 17.0.0 through HTTP security headers.

A vulnerability was detected in pbrong hrms 1.0.1. The affected element is the function UpdateRecruitmentById of the file /handler/recruitment.go. [CVSS 3.5 LOW]

Improper input sanitization in hexpm's SharedAuthorizationView module allows unauthenticated attackers to inject malicious scripts into web pages through the render_grouped_scopes function, enabling cross-site scripting (XSS) attacks against hex.pm users. The vulnerability affects hexpm versions from October 2025 through January 19, 2026, and currently has no available patch. Attackers can exploit this via a simple network request requiring only user interaction, potentially compromising user sessions or stealing sensitive data.

E-Learning System versions up to 1.0 contains a vulnerability that allows attackers to basic cross site scripting (CVSS 4.3).

A weakness has been identified in technical-laohu mpay up to 1.2.4. The affected element is an unknown function of the component User Center. [CVSS 2.4 LOW]

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 3.5).

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 3.5).

A weakness has been identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. Affected is the function Save of the file /blog/bContent/save of the component ContentController. [CVSS 3.5 LOW]

Reflected cross-site scripting in itsourcecode Society Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the Title parameter in /admin/activity.php. Public exploit code exists for this vulnerability, enabling potential attacks against affected deployments. A security patch is not currently available.

Reflected cross-site scripting in itsourcecode Society Management System 1.0 allows remote attackers to inject malicious scripts through the detail parameter in /admin/expenses.php, potentially compromising administrator sessions and data. Public exploit code exists for this vulnerability, and no patch is currently available, leaving deployed instances at risk of client-side attacks.

Stored XSS in LobeChat's Mermaid artifact renderer prior to version 2.0.0-next.180 enables attackers to execute arbitrary JavaScript, which can be escalated to remote code execution through the exposed electronAPI IPC bridge to run system commands. This affects users of the open source chat platform running vulnerable versions, requiring local interaction and high privileges to exploit but resulting in full system compromise. No patch is currently available.

Stored XSS in 1Panel's App Store allows attackers to inject malicious scripts into application details that execute in users' browsers when viewed, potentially enabling session hijacking or unauthorized system access. Versions up to v1.10.33-lts and v2.0.16 are vulnerable, with no patch currently available. An attacker could publish a compromised application to steal credentials, modify system functions, or compromise system availability.