{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/reflected-xss/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2025-14320"}],"_cs_exploited":false,"_cs_products":["Online Support Application (V3 through 31122025)"],"_cs_severities":["medium"],"_cs_tags":["xss","reflected-xss","cve-2025-14320"],"_cs_type":"advisory","_cs_vendors":["Tegsoft"],"content_html":"\u003cp\u003eA reflected cross-site scripting (XSS) vulnerability, identified as CVE-2025-14320, exists within the Tegsoft Management and Information Services Trade Limited Company Online Support Application. This vulnerability affects versions V3 through 31122025. An attacker can exploit this vulnerability by injecting malicious scripts into a web page, which is then reflected back to the user, leading to potential data theft, session hijacking, or website defacement. This vulnerability was reported by the Computer Emergency Response Team of the Republic of Turkey. Successful exploitation requires tricking a user into clicking a specially crafted link.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious URL containing a JavaScript payload.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the crafted URL via email, social media, or other means.\u003c/li\u003e\n\u003cli\u003eUnsuspecting user clicks the malicious URL.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser sends a request to the vulnerable Tegsoft Online Support Application with the malicious script as a parameter.\u003c/li\u003e\n\u003cli\u003eThe Tegsoft application fails to properly sanitize the input.\u003c/li\u003e\n\u003cli\u003eThe application reflects the malicious script back to the user\u0026rsquo;s browser within the HTML response.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser executes the malicious script.\u003c/li\u003e\n\u003cli\u003eThe script can then perform actions such as stealing cookies, redirecting the user to a phishing site, or defacing the web page.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this reflected XSS vulnerability can lead to the execution of arbitrary JavaScript code in the context of the victim\u0026rsquo;s browser. This can result in session hijacking, where an attacker gains unauthorized access to the user\u0026rsquo;s account. It can also lead to data theft, where sensitive information is stolen from the user\u0026rsquo;s browser. Furthermore, the attacker can redirect the user to a phishing website or deface the Online Support Application, potentially impacting multiple users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or updates from Tegsoft to address CVE-2025-14320 on the Online Support Application.\u003c/li\u003e\n\u003cli\u003eImplement proper input validation and output encoding to prevent XSS vulnerabilities in the application based on CWE-79.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential XSS attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eEducate users about the dangers of clicking on suspicious links to mitigate the initial access vector.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T09:15:59Z","date_published":"2026-05-04T09:15:59Z","id":"/briefs/2024-01-tegsoft-xss/","summary":"CVE-2025-14320 is a reflected cross-site scripting (XSS) vulnerability in Tegsoft Online Support Application versions V3 through 31122025, allowing attackers to inject arbitrary web scripts into user browsers.","title":"Tegsoft Online Support Application Reflected XSS Vulnerability (CVE-2025-14320)","url":"https://feed.craftedsignal.io/briefs/2024-01-tegsoft-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.3,"id":"CVE-2026-27245"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xss","adobe-connect","cve-2026-27245","reflected-xss"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA reflected Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-27245, affects Adobe Connect versions 2025.3, 12.10, and earlier. This vulnerability allows an attacker to inject malicious JavaScript code into a user\u0026rsquo;s browser by convincing them to click on a specially crafted URL. When the victim visits the malicious URL, the injected script executes within their browser session, potentially enabling the attacker to steal cookies, redirect the user to a malicious website, or deface the web page. This vulnerability poses a significant risk to Adobe Connect users, as it can lead to account compromise and data breaches. Exploitation requires user interaction, but the impact can be severe.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious URL containing a JavaScript payload within a parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the crafted URL via email, social media, or other means to a targeted user.\u003c/li\u003e\n\u003cli\u003eThe victim clicks on the malicious link, unknowingly initiating the XSS attack.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser sends a request to the Adobe Connect server with the malicious JavaScript in the URL.\u003c/li\u003e\n\u003cli\u003eThe Adobe Connect server reflects the malicious JavaScript code back to the user\u0026rsquo;s browser without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser executes the reflected JavaScript code within the context of the Adobe Connect application.\u003c/li\u003e\n\u003cli\u003eThe attacker can then steal the victim\u0026rsquo;s session cookies.\u003c/li\u003e\n\u003cli\u003eUsing the stolen cookies, the attacker can hijack the victim\u0026rsquo;s session, gaining unauthorized access to their Adobe Connect account and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this reflected XSS vulnerability (CVE-2026-27245) in Adobe Connect could lead to unauthorized access to user accounts, sensitive data, and the Adobe Connect environment. An attacker could potentially deface web pages, redirect users to phishing sites, or inject malware. The impact ranges from user-specific data theft to wider compromise of the Adobe Connect platform. While the number of victims is unknown, any organization using the affected Adobe Connect versions is vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Adobe Connect that addresses CVE-2026-27245. Refer to the vendor advisory at \u003ca href=\"https://helpx.adobe.com/security/products/connect/apsb26-37.html\"\u003ehttps://helpx.adobe.com/security/products/connect/apsb26-37.html\u003c/a\u003e for specific upgrade instructions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Adobe Connect XSS Attempt via URI\u003c/code\u003e to identify requests containing suspicious JavaScript payloads targeting Adobe Connect.\u003c/li\u003e\n\u003cli\u003eEducate users to be cautious about clicking on URLs received from untrusted sources to mitigate the initial access vector.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual URI patterns and JavaScript-like syntax using the \u003ccode\u003eDetect Reflected XSS Payloads in URI\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T18:16:55Z","date_published":"2026-04-14T18:16:55Z","id":"/briefs/2024-02-adobe-connect-xss/","summary":"Adobe Connect versions 2025.3, 12.10, and earlier are vulnerable to a reflected Cross-Site Scripting (XSS) attack, enabling attackers to execute malicious JavaScript in a victim's browser by enticing them to visit a crafted URL.","title":"Adobe Connect Reflected XSS Vulnerability (CVE-2026-27245)","url":"https://feed.craftedsignal.io/briefs/2024-02-adobe-connect-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2025-58920"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["xss","wordpress","reflected-xss"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA reflected XSS vulnerability, identified as CVE-2025-58920, affects the Zootemplate Cerato WordPress theme. The vulnerability resides in versions ranging from n/a through 2.2.18. It stems from the improper neutralization of input during web page generation, which can allow an attacker to inject malicious scripts into a web page viewed by other users. Successful exploitation could allow an attacker to steal cookies, redirect users to malicious websites, or deface web pages. Given the widespread use of WordPress and its themes, this vulnerability poses a risk to websites using the affected Cerato theme.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable endpoint within the Cerato theme that does not properly sanitize user input.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL containing a JavaScript payload within a parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious URL via email, social media, or other means.\u003c/li\u003e\n\u003cli\u003eA victim clicks the malicious URL, sending a request to the vulnerable WordPress site.\u003c/li\u003e\n\u003cli\u003eThe WordPress server, using the Cerato theme, reflects the attacker\u0026rsquo;s JavaScript payload in the response without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser executes the malicious JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to perform actions on behalf of the victim, such as stealing cookies or redirecting the user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this reflected XSS vulnerability can lead to several adverse effects. An attacker could steal a user\u0026rsquo;s session cookies, gaining unauthorized access to their account. Victims can be redirected to phishing sites, potentially compromising their credentials. Further, attackers might inject malicious content into the web page, defacing the site or spreading malware. The impact of this vulnerability is limited by the need for user interaction (clicking a malicious link), but the potential for widespread exploitation remains significant for sites using the vulnerable Cerato theme.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Zootemplate Cerato WordPress theme to a version beyond 2.2.18 to remediate CVE-2025-58920.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect exploitation attempts against this vulnerability (see the \u0026ldquo;Reflected XSS Attempt via GET\u0026rdquo; rule below).\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) with rules to detect and block common XSS payloads to mitigate this and similar vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T14:16:25Z","date_published":"2026-04-10T14:16:25Z","id":"/briefs/2024-01-cerato-xss/","summary":"A reflected cross-site scripting (XSS) vulnerability exists in the Zootemplate Cerato WordPress theme (versions n/a through 2.2.18) due to improper neutralization of user-supplied input, potentially allowing attackers to execute arbitrary JavaScript in a user's browser.","title":"Zootemplate Cerato Theme Reflected XSS Vulnerability (CVE-2025-58920)","url":"https://feed.craftedsignal.io/briefs/2024-01-cerato-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xss","siyuan","svg","reflected-xss"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSiYuan Note, a note-taking application, is susceptible to a reflected XSS vulnerability in its dynamic icon generation functionality. This flaw, present in versions prior to commit f09953afc57a, arises from an insufficient sanitization of SVG content, specifically failing to account for namespace prefixes in SVG elements. The vulnerability resides in the \u003ccode\u003e/api/icon/getDynamicIcon\u003c/code\u003e endpoint, which is accessible without authentication.  An attacker can exploit this by crafting a malicious SVG payload containing namespaced \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e tags (e.g., \u003ccode\u003e\u0026lt;x:script xmlns:x=\u0026quot;http://www.w3.org/2000/svg\u0026quot;\u0026gt;\u003c/code\u003e), which bypasses the application\u0026rsquo;s XSS mitigation measures. Successful exploitation allows arbitrary JavaScript execution within the context of the victim\u0026rsquo;s SiYuan Note instance, potentially leading to data theft or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious URL targeting the \u003ccode\u003e/api/icon/getDynamicIcon\u003c/code\u003e endpoint with the \u003ccode\u003etype=8\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe crafted URL includes a \u003ccode\u003econtent\u003c/code\u003e parameter containing a specially crafted SVG payload. This SVG payload leverages a namespace prefix to bypass the \u003ccode\u003eSanitizeSVG\u003c/code\u003e function\u0026rsquo;s intended filtering, e.g., \u003ccode\u003e%3C%2Fx%3Ascript%20xmlns%3Ax%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3Ealert%28document.domain%29%3C%2Fx%3Ascript%3E\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim, either unknowingly or through social engineering, opens the malicious URL in their browser.\u003c/li\u003e\n\u003cli\u003eThe SiYuan server processes the request without proper sanitization, inserting the attacker-controlled content into the SVG, and serves the response with \u003ccode\u003eContent-Type: image/svg+xml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe browser\u0026rsquo;s XML parser interprets the namespace prefix, resolving it to the SVG namespace, and executes the embedded JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe JavaScript code executes within the security context of the SiYuan application (\u003ccode\u003ehttp://\u0026lt;siyuan-host\u0026gt;:6806\u003c/code\u003e), due to \u003ccode\u003eAccess-Control-Allow-Origin: *\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s script can now interact with the SiYuan API using the victim\u0026rsquo;s session cookies.\u003c/li\u003e\n\u003cli\u003eThe attacker can perform actions such as reading notes, exporting data, or modifying settings without authentication.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability poses a significant risk to SiYuan Note users, particularly those whose instances are reachable on a local network. An attacker could potentially compromise sensitive information, manipulate user data, or gain unauthorized access to the application. The ease of exploitation and the absence of authentication requirements make this vulnerability particularly dangerous. Because SiYuan sets \u003ccode\u003eAccess-Control-Allow-Origin: *\u003c/code\u003e and the script runs same-origin, it can call any API endpoint using the victim\u0026rsquo;s existing session cookies, including endpoints to read all notes, export data, or modify settings.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade SiYuan Note to a version that includes the fix for commit f09953afc57a to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SiYuan SVG XSS Attempt\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/api/icon/getDynamicIcon\u003c/code\u003e containing SVG payloads with namespace-prefixed script tags, as demonstrated in the PoC.\u003c/li\u003e\n\u003cli\u003eConsider implementing a Content Security Policy (CSP) on the SiYuan server to restrict the execution of inline JavaScript.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T00:30:01Z","date_published":"2026-04-01T00:30:01Z","id":"/briefs/2026-04-siyuan-xss/","summary":"SiYuan Note versions prior to the fix for commit f09953afc57a are vulnerable to reflected cross-site scripting (XSS) via a namespace prefix bypass in the SanitizeSVG function when handling dynamic icons, allowing unauthenticated attackers to execute arbitrary JavaScript in a victim's browser.","title":"SiYuan Note Reflected XSS Vulnerability in SVG Processing","url":"https://feed.craftedsignal.io/briefs/2026-04-siyuan-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-4267"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","reflected-xss","cve-2026-4267"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Query Monitor plugin for WordPress, a developer tool panel, is susceptible to a reflected Cross-Site Scripting (XSS) vulnerability. Identified as CVE-2026-4267, this flaw exists in all versions up to and including 3.20.3. The vulnerability arises from the plugin\u0026rsquo;s failure to adequately sanitize input and escape output related to the \u003ccode\u003e$_SERVER['REQUEST_URI']\u003c/code\u003e parameter. An unauthenticated attacker can exploit this by injecting malicious web scripts into pages, posing a threat to users who…\u003c/p\u003e\n","date_modified":"2026-03-31T12:16:31Z","date_published":"2026-03-31T12:16:31Z","id":"/briefs/2024-01-query-monitor-xss/","summary":"The Query Monitor WordPress plugin is vulnerable to reflected cross-site scripting (XSS) due to insufficient input sanitization and output escaping of the '$_SERVER['REQUEST_URI']' parameter, allowing unauthenticated attackers to inject arbitrary web scripts.","title":"Query Monitor WordPress Plugin Vulnerable to Reflected XSS (CVE-2026-4267)","url":"https://feed.craftedsignal.io/briefs/2024-01-query-monitor-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Reflected-Xss","version":"https://jsonfeed.org/version/1.1"}