The netbox-data-flows plugin is vulnerable to stored cross-site scripting (XSS). An authenticated user with permissions to create or edit ObjectAlias objects can inject arbitrary HTML/JavaScript into the alias name. This payload is then rendered unescaped in DataFlow table views, leading to XSS when another user views the affected page. Successful exploitation can result in session theft, privileged action execution, and data exfiltration.
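The pattern described above, as an added illustration that is not code from netbox-data-flows: a table cell built from stored alias names without escaping, beside an escaped version, plus a triage helper for names that are already stored. The function names and sample records are hypothetical and constructed for this example; the plugin's real models and table classes are not shown on this page.

```python
from html import escape

# Constructed sample records standing in for stored ObjectAlias names.
SAMPLE_ALIASES = [
    {"id": 1, "name": "web-frontends"},
    {"id": 2, "name": "db & cache tier"},
    {"id": 3, "name": "<script>alert(1)</script>"},
    {"id": 4, "name": 'core "legacy" hosts'},
]


def render_cell_unsafe(aliases):
    """Vulnerable pattern: stored names are interpolated into HTML verbatim,
    so any markup saved in a name becomes part of the page."""
    spans = ", ".join(f"<span>{a['name']}</span>" for a in aliases)
    return f"<td>{spans}</td>"


def render_cell_safe(aliases):
    """Hardened pattern: every stored name is HTML-escaped at output time.
    quote=True also neutralises quotes in case a name lands in an attribute."""
    spans = ", ".join(
        f"<span>{escape(a['name'], quote=True)}</span>" for a in aliases
    )
    return f"<td>{spans}</td>"


def find_suspect_aliases(aliases):
    """Triage helper: ids of names containing markup-significant characters.
    A hit needs manual review; quotes alone (id 4) are usually benign."""
    markup_chars = set("<>\"'")
    return [a["id"] for a in aliases if markup_chars & set(a["name"])]


if __name__ == "__main__":
    print(render_cell_unsafe(SAMPLE_ALIASES))
    print(render_cell_safe(SAMPLE_ALIASES))
    print("review:", find_suspect_aliases(SAMPLE_ALIASES))
```

Because the payload is stored, fixing the rendering path does not remove names saved earlier; a review of existing alias names along the lines of `find_suspect_aliases` covers that gap.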