XSS

A stored cross-site scripting (XSS) vulnerability, identified as CVE-2026-54527, in the `jupyterlab-git` JupyterLab extension (versions >= 0.30.0b3, < 0.54.0a1), specifically in `PlainTextDiff.ts`, allows an adversary with Git commit access to execute arbitrary JavaScript in a victim's browser and achieve Remote Code Execution (RCE) on the JupyterLab server by crafting a malicious filename in a Git commit that, when viewed as a rename diff, triggers the XSS payload to steal `_xsrf` cookies, open a terminal, and execute arbitrary shell commands to exfiltrate data.

A remote, authenticated attacker can exploit multiple vulnerabilities in pgAdmin to achieve arbitrary code execution with user or administrator privileges, bypass security measures, perform SQL Injection and Cross-Site Scripting attacks, redirect users to malicious websites, disclose sensitive information, and manipulate data. This comprehensive set of capabilities allows for significant compromise of system integrity, confidentiality, and potentially availability, posing a high risk to affected environments.

Kirby CMS versions prior to 4.9.4 and between 5.0.0-alpha.1 and 5.4.3 are vulnerable to a self-cross-site scripting (self-XSS) flaw, CVE-2026-49276, in the writer field, allowing an attacker to inject malicious JavaScript as the target of a link or email link which, if clicked by an authenticated user before saving, will execute in their browser context, potentially making API requests with their permissions, while Panel plugins using the `<k-writer>` component may be vulnerable to stored XSS if they don't sanitize HTML.

A high-severity cross-site scripting (XSS) vulnerability, tracked as CVE-2026-54002, exists in Kirby CMS versions prior to 4.9.4 and between 5.0.0-alpha.1 and 5.4.3, allowing authenticated Panel users to inject malicious markup into `writer` or `list` fields or via `Sane` API-dependent custom code, leading to stored XSS and potential privilege escalation.

A critical stored Cross-Site Scripting (XSS) vulnerability, CVE-2026-44727, exists in `jupyter_server` versions up to 2.19.0 due to a missing `sandbox` directive in Content-Security-Policy (CSP) headers, allowing authenticated attackers to craft malicious notebooks that exfiltrate victim tokens and achieve kernel Remote Code Execution (RCE) when viewed.

Multiple high-severity vulnerabilities discovered in various SAP products, including SQL injection (SQLi), remote indirect code injection (XSS), and security policy bypasses, could allow unauthenticated attackers to compromise sensitive enterprise systems by June 2026.

Vitest browser mode is vulnerable to reflected cross-site scripting (XSS) due to the `otelCarrier` query parameter being inserted directly into an inline module script without sanitization, enabling an attacker to craft a browser-runner URL that executes arbitrary JavaScript in the Vitest server origin, potentially leading to remote code execution (RCE).

Multiple vulnerabilities in JetBrains TeamCity allow an attacker to disclose information, perform a cross-site scripting attack, bypass security measures, and execute arbitrary program code.

CVE-2026-44839 is a cross-site scripting (XSS) vulnerability in the RabbitMQ management UI that arises from unsanitized virtual host (vhost) names, potentially allowing an attacker to execute arbitrary JavaScript in the context of a user's browser.

Multiple vulnerabilities in Elastic Kibana allow for privilege escalation, remote denial of service, data breach, server-side request forgery (SSRF), and cross-site scripting (XSS).

The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS), allowing unauthenticated attackers to inject arbitrary web scripts into pages, which execute when a user accesses the injected page, affecting versions up to and including 0.9.0.

CubeCart versions before 6.7.0 are vulnerable to reflected cross-site scripting (XSS), allowing an unauthenticated attacker to inject malicious JavaScript payloads via the search functionality, which will be executed in the context of the victim's browser.

Multiple vulnerabilities exist in Jenkins Plugins that could allow an attacker to disclose information, manipulate files, conduct cross-site scripting attacks, execute arbitrary code, and bypass security measures.

The SlimStat Analytics plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via the User-Agent header, allowing unauthenticated attackers to inject arbitrary web scripts if the 'show_complete_user_agent_tooltip' setting is enabled.

Kirby CMS is vulnerable to stored cross-site scripting (XSS) due to insufficient sanitization of links within KirbyTags and image blocks, allowing authenticated users with content editing privileges to inject malicious JavaScript that executes when other users interact with the crafted links on the site frontend; patched in versions 4.9.1 and 5.4.1.

Multiple vulnerabilities in Symfony, including SSRF, XSS, and security policy bypass, can be exploited by an attacker to compromise the application.

Multiple vulnerabilities in Joomla! versions before 5.4.6 and 6.x before 6.1.1 can allow attackers to perform privilege escalation, compromise data confidentiality, perform cross-site scripting (XSS), and conduct cross-site request forgery (CSRF) attacks.

Multiple vulnerabilities have been discovered in Kaspersky Anti Targeted Attack Platform versions prior to 7.1.7, allowing an attacker to cause a remote cross-site scripting (XSS) vulnerability, tracked as CVE-2026-28348 and CVE-2026-28350.

The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' parameters (CVE-2026-8143) in versions up to 2.1.6, potentially leading to arbitrary script execution in the administrator's browser.

The LiteSpeed Cache plugin for WordPress is vulnerable to stored Cross-Site Scripting (XSS) via the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST API endpoints, affecting versions up to 7.7, allowing unauthenticated attackers to inject arbitrary JavaScript into CCSS/UCSS content by bypassing IP-based access controls.

Typebot is vulnerable to stored cross-site scripting (XSS) due to the rating block's custom icon feature, which accepts arbitrary HTML/SVG via the `customIcon.svg` field without sanitization. When a malicious typebot is imported or crafted by a workspace collaborator, the payload executes in the builder's DOM context, bypassing the `isUnsafe` Web Worker sandbox that protects Script blocks during preview, allowing session hijacking and privilege escalation within the builder application.

Multiple vulnerabilities in Roundcube Webmail allow an attacker to perform SQL injection attacks, bypass security measures, manipulate data, disclose confidential information, obtain extended privileges, execute arbitrary code, or perform cross-site scripting attacks.

A remote, anonymous attacker can exploit multiple vulnerabilities in IBM App Connect Enterprise to execute arbitrary program code, manipulate data, conduct cross-site scripting attacks, disclose confidential information, or cause a denial-of-service condition.

A remote, unauthenticated attacker can exploit a cross-site scripting (XSS) vulnerability in the Royal Elementor Addons plugin for WordPress.

A remote, anonymous attacker can exploit a vulnerability in cPanel cPanel/WHM to perform an HTTP response header injection, enabling cross-site scripting (XSS), open redirect attacks, and cache or header manipulation.

A cross-site scripting (XSS) vulnerability exists in md-fileserver's Markdown rendering logic, where user-supplied Markdown content containing raw HTML, including <script> tags, is processed and injected into the resulting page without sanitization, leading to arbitrary JavaScript execution and potential account takeover.

ABB B&R Automation Runtime versions before 6.4 are vulnerable to predictable number generation (CVE-2025-3449), reflected XSS (CVE-2025-3448), and CSV injection (CVE-2025-11498), potentially allowing attackers to hijack sessions or execute arbitrary code in a user's browser context.

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 is vulnerable to stored cross-site scripting (CVE-2026-9144) in the web configuration interface, allowing authenticated attackers to execute persistent JavaScript by fragmenting malicious payloads across multiple administrative form fields for persistent code execution.

The Cost of Goods by PixelYourSite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csvdata[0][cost_of_goods_value]' parameter in versions up to, and including, 1.2.12 due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts that execute when a user accesses an injected page.

CVE-2026-5783 is a reflected cross-site scripting (XSS) vulnerability in Beyaz Computer Software Design Industry and Trade Ltd. Co. CityPLus before version V24.29750.1.0, allowing attackers to inject malicious scripts into web pages viewed by users.

Multiple vulnerabilities in Symfony, including CVE-2026-45070, CVE-2026-45077, CVE-2026-45304, CVE-2026-45305, CVE-2026-45753, CVE-2026-45754, CVE-2026-45755, CVE-2026-45756, CVE-2026-46626, and CVE-2026-47212, can lead to remote denial of service, cross-site scripting (XSS), and cross-site request forgery (CSRF) attacks.

Multiple vulnerabilities exist in Atlassian products including Bamboo, Bitbucket, Confluence, Crucible, Fisheye, and Jira which could lead to arbitrary code execution, denial of service, information disclosure, cross-site scripting, and security bypass.

Multiple vulnerabilities exist in Mozilla Firefox, Firefox ESR, and Thunderbird that could allow a remote attacker to execute arbitrary code, disclose sensitive information, bypass security measures, or conduct cross-site scripting or spoofing attacks.

Budibase is vulnerable to persistent stored XSS (CVE-2026-46426) due to unrestricted file upload of active content by authenticated users, leading to potential session cookie theft and account takeover.

A cross-site scripting vulnerability, CVE-2026-4293, exists in multiple Kieback & Peter DDC Building Controllers that could allow an attacker to take control of the victim's browser.

Argo CD is vulnerable to stored cross-site scripting (XSS) via manipulated application link annotations, allowing a low-privileged user to execute arbitrary JavaScript in a higher-privileged user's session, leading to privilege escalation.

HAXcms is vulnerable to stored XSS and exposes authentication tokens in the `/system/api/connectionSettings` endpoint, allowing an attacker to perform cross-tenant account takeover by injecting malicious JavaScript to steal the `jwt`, `user_token`, `site_token`, and `appstore_token`.

Multiple vulnerabilities in Atlassian Jira could allow an attacker to execute arbitrary code, manipulate and disclose data, conduct cross-site scripting attacks, or cause a denial-of-service condition.

Multiple vulnerabilities in Apache OFBiz could allow an attacker to execute arbitrary code, circumvent security measures, manipulate data, disclose confidential information, or conduct cross-site scripting attacks.

Multiple Livewire components in the Shopper framework admin panel allowed authenticated low-privilege users to bypass authorization and mutate data without the required permissions, leading to potential privilege escalation and cross-site scripting.

A stored XSS vulnerability (CVE-2026-45270) exists in the Pages module of CI4MS due to improper sanitization of page content, allowing an attacker with `pages.create` permissions to inject malicious code and escalate privileges if an administrator views the page.

Arcane Backend versions 1.18.1 and earlier are vulnerable to an unauthenticated reflected XSS (CVE-2026-45627) via the SVG color parameter, allowing attackers to inject executable script content and compromise admin accounts by enticing them to visit a malicious link.

CVE-2026-7498 is a stored cross-site scripting (XSS) vulnerability in Basamak Information Technology Consulting and Organization Trade Ltd. Co. DernekWeb through 30122025, allowing attackers to inject arbitrary web scripts in the browser of an unsuspecting user.

Joomla! extension EkRishta 2.10 contains persistent cross-site scripting and SQL injection vulnerabilities, allowing attackers to inject malicious code through profile fields and POST parameters, potentially leading to information disclosure or arbitrary code execution.

WP Learn Manager 1.1.2 contains a stored cross-site scripting vulnerability (CVE-2021-47975) that allows unauthenticated attackers to inject malicious scripts through the fieldtitle parameter via a POST request to the jslm_fieldordering page, resulting in arbitrary JavaScript execution when administrators view the field ordering interface.

Supsystic Digital Publications 1.6.9 contains a path traversal vulnerability in the Folder input field, allowing attackers to access sensitive files, and a stored XSS vulnerability due to improper input sanitization, leading to arbitrary script execution in the context of affected users (CVE-2020-37245).

Supsystic Pricing Table plugin version 1.8.7 contains an SQL injection vulnerability via the 'sidx' GET parameter, enabling unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl action, as well as stored XSS vulnerabilities.

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments, potentially leading to session hijacking and application takeover.

Anote 1.0 is vulnerable to persistent cross-site scripting (CVE-2021-47963), allowing attackers to inject malicious payloads into markdown files, leading to remote code execution when opened by a victim.

NukeViet CMS version 4.5.08 and earlier is vulnerable to stored cross-site scripting (XSS) via insufficient server-side input sanitization in the Request class, allowing attackers to inject malicious payloads that can lead to session hijacking, defacement, and phishing attacks.

Multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE) can allow an attacker to perform arbitrary code execution, compromise data confidentiality, perform server-side request forgery (SSRF), and other security breaches.

A remote, anonymous attacker can exploit a vulnerability in HCL BigFix to manipulate data and conduct a cross-site scripting attack.

Multiple vulnerabilities in SAP software could allow an attacker to perform SQL injection, gain elevated privileges, execute arbitrary code, bypass security measures, perform cross-site scripting attacks, manipulate data, disclose sensitive information, or cause other unspecified impacts.

Open WebUI is vulnerable to stored cross-site scripting (XSS) via OAuth profile picture handling, allowing an attacker to inject malicious SVG code and potentially takeover user accounts by exfiltrating JWT tokens.

A DOM-based XSS vulnerability (CVE-2026-44541) exists in ethyca-fides' fides.js script, allowing arbitrary JavaScript execution in the embedding site's origin via crafted links when HTML-formatted descriptions are enabled.

A stored cross-site scripting vulnerability (CVE-2026-45011) was identified in ApostropheCMS image widget functionality, where a user with the Editor role can configure an image widget link to use a javascript: URL payload, which will execute arbitrary JavaScript in the victim’s browser when clicked.

sanitize-html version 2.17.3 and earlier is vulnerable to cross-site scripting (XSS) due to the improper handling of the `xmp` tag, allowing attackers to inject arbitrary HTML and JavaScript code.

CVE-2026-42897 is a cross-site scripting (XSS) vulnerability in Microsoft Exchange Server that allows an attacker to perform spoofing attacks by injecting malicious scripts into web pages.

The ManageWP Worker plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'MWP-Key-Name' HTTP request header, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator visits the plugin's connection management page with debug parameters; this affects all versions up to and including 4.9.31.

Kuicms Php EE 2.0 is vulnerable to persistent cross-site scripting (CVE-2020-37222), allowing unauthenticated attackers to inject malicious scripts via the bbs reply endpoint, leading to arbitrary script execution in users' browsers.

A stored cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS allows a malicious authenticated administrator to inject a JavaScript payload via the web interface, potentially impacting other administrators.

The Custom Twitter Feeds plugin for WordPress is vulnerable to stored cross-site scripting (XSS) in versions up to and including 2.5.4 due to insufficient output escaping, allowing unauthenticated attackers to inject arbitrary web scripts.

SiYuan's Bazaar marketplace is vulnerable to stored cross-site scripting (XSS) via unescaped package metadata, leading to arbitrary OS command execution in the desktop Electron client.

Multiple vulnerabilities in ArubaOS allow an attacker to execute arbitrary code, perform cross-site scripting attacks, or cause a denial-of-service condition.

A remote, authenticated attacker can exploit a vulnerability in Kyverno to perform a cross-site scripting attack.

Adobe Commerce versions 2.4.9-beta1 and earlier are susceptible to a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-34686) that allows low-privileged attackers to inject malicious scripts into form fields, leading to potential account compromise.

CVE-2026-41611 is a cross-site scripting (XSS) vulnerability in Visual Studio Code that allows an attacker to execute code locally due to improper neutralization of script-related HTML tags.

Dalfox in REST API server mode is vulnerable to CVE-2026-45089, an unauthenticated arbitrary file create/append vulnerability, due to the `output`, `output-all`, and `debug` options being deserialized directly from the attacker's request body, allowing a network caller to create or append to any file writable by the dalfox process.

Multiple vulnerabilities in Centreon products allow for remote code execution, SQL injection, and cross-site scripting.

Multiple reflected cross-site scripting (XSS) vulnerabilities exist in LibreNMS versions 25.12.0 to before 26.3.0, allowing an attacker to inject malicious code into a user's browser session.

A remote, authenticated attacker can exploit multiple vulnerabilities in Siemens SIMATIC S7 PLCs Web Server to perform cross-site scripting attacks, potentially leading to information disclosure or further unauthorized actions.

Siemens Teamcenter versions V2312 (before V2312.0014), V2406 (before V2406.0012), V2412 (before V2412.0009), V2506 (before V2506.0005), and V2512 are vulnerable to cross-site scripting (XSS) due to improper encoding or filtering of user-supplied data, potentially leading to arbitrary code execution by other users.

CVE-2026-25789 describes a vulnerability where affected devices do not properly validate and sanitize filenames on the Firmware Update page, potentially allowing a remote attacker to execute malicious JavaScript in the context of the user's session through social engineering, leading to session hijacking or credential theft.

Multiple vulnerabilities in pgAdmin could allow an attacker to escalate privileges, execute arbitrary code, bypass security measures, perform SQL injection and cross-site scripting attacks, manipulate data, or disclose sensitive information.

The LifePress plugin for WordPress is vulnerable to stored cross-site scripting (XSS) due to insufficient input sanitization and output escaping within the `lp_update_mds` AJAX action, allowing unauthenticated attackers to inject arbitrary web scripts via the 'n' parameter that execute when a user accesses the injected page; this affects versions up to and including 2.2.2.

MantisBT is vulnerable to stored cross-site scripting (XSS) via file_download.php by using the `show_inline=1` parameter with a valid CSRF token to upload a crafted XHTML attachment referencing a JavaScript attachment, leading to arbitrary code execution.

A content security policy bypass vulnerability, CVE-2026-40597, exists in MantisBT versions 2.28.1 and earlier, allowing an attacker to bypass the _script-src_ directive by uploading a crafted attachment that, when downloaded, executes as JavaScript due to MIME type sniffing, given a pre-existing XSS / HTML injection vulnerability.

CVE-2026-39826 is an escaper bypass vulnerability that leads to cross-site scripting (XSS).

CVE-2026-39823 is a cross-site scripting (XSS) vulnerability in Microsoft's html/template component caused by a bypass of meta content URL escaping, potentially allowing an attacker to inject malicious scripts into web pages.

A stored cross-site scripting (XSS) vulnerability exists in SiYuan due to the kernel storing Attribute View (AV) names without HTML escaping, allowing a malicious actor to inject arbitrary HTML which leads to Node.js code execution due to insecure Electron configuration, resulting in remote code execution (RCE).

A stored cross-site scripting (XSS) vulnerability exists in PrestaShop's back-office customer service view, where an unauthenticated attacker can submit a malicious email address via the Contact Us form, leading to session hijacking and full back-office takeover when an employee opens the affected customer thread; patched in PrestaShop 8.2.6 and 9.1.1.

The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to 6.8.8 due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts into the admin statistics page.

CVE-2026-32207 is a cross-site scripting vulnerability in Azure Machine Learning, allowing an unauthorized attacker to perform spoofing over a network.

DivvyDrive versions 4.8.2.9 before 4.8.3.2 are susceptible to stored cross-site scripting (XSS) due to improper neutralization of user-supplied input during web page generation, potentially allowing attackers to execute arbitrary JavaScript in a user's browser.

DivvyDrive versions 4.8.2.9 before 4.8.3.2 are susceptible to cross-site scripting (XSS) due to improper neutralization of script-related HTML tags, potentially allowing an attacker to inject malicious scripts.

A reflected cross-site scripting (XSS) vulnerability exists in Gosoft Software Industry and Trade Ltd. Co.'s Proticaret E-Commerce software (versions v5.0.0 before V 6.0.1767.1383) due to improper neutralization of input during web page generation, potentially allowing attackers to execute arbitrary JavaScript in a user's browser.

Multiple vulnerabilities in IBM SPSS can be exploited by an attacker to perform cross-site scripting (XSS) attacks, denial of service attacks, and to manipulate files.

An unauthenticated or authenticated remote attacker can exploit vulnerabilities in Red Hat Enterprise Linux to perform cross-site scripting, cause denial of service, or disclose sensitive information.

An authenticated attacker with agent privileges can upload malicious files to Cisco Enterprise Chat and Email (ECE) via the Lite Agent feature, leading to potential browser-based attacks against other users.

A stored XSS vulnerability exists in Grav Core + Admin Plugin versions before 2.0.0-beta.2, where a low-privileged user can inject malicious code via a crafted tag, potentially leading to the exfiltration of admin session context, bypassing CSRF protections, and escalating to remote code execution (RCE).

Multiple vulnerabilities in Apache Wicket could allow an attacker to bypass security measures, perform Cross-Site Scripting (XSS) attacks, disclose confidential information, or manipulate data.

Multiple vulnerabilities in Snipe-IT could allow an attacker to perform cross-site scripting attacks, redirect users to malicious websites, gain administrator rights, or execute arbitrary code.

The LatePoint WordPress plugin is vulnerable to stored cross-site scripting (XSS) via the 'first_name' parameter, affecting versions up to 5.5.0, allowing unauthenticated attackers to inject malicious scripts.

Multiple vulnerabilities in Zabbix versions 6.0.x before 6.0.45, 7.0.x before 7.0.24, and 7.4.x before 7.4.8 allow for data confidentiality breaches and remote cross-site scripting (XSS) attacks.

YAFNET is vulnerable to an unauthenticated stored second-order XSS vulnerability in the admin event log, triggered by a reflected `User-Agent` header, allowing an attacker to execute arbitrary JavaScript in an administrator's session.

The @tdurieux/anonymous_github application is vulnerable to cross-site scripting (XSS) because it renders unsanitized content from GitHub repositories, allowing a malicious GitHub repository to execute arbitrary JavaScript in the Anonymous GitHub origin.

Multiple stored cross-site scripting (XSS) vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to inject malicious code into specific pages of the interface, leading to arbitrary script execution or sensitive information access.

Multiple vulnerabilities in Grafana allow a remote, anonymous attacker to conduct a Cross-Site Scripting attack or disclose information.

CVE-2025-14320 is a reflected cross-site scripting (XSS) vulnerability in Tegsoft Online Support Application versions V3 through 31122025, allowing attackers to inject arbitrary web scripts into user browsers.

The NEX-Forms WordPress plugin is vulnerable to stored XSS via POST parameter key names, allowing unauthenticated attackers to inject arbitrary web scripts.

The Gravity Forms plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via Consent field hidden inputs, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the entries list page.

A stored Cross-Site Scripting (XSS) vulnerability in Jupyter Notebook versions 7.0.0 through 7.5.5 and JupyterLab versions up to 4.5.6 allows attackers to steal authentication tokens by tricking users into interacting with malicious notebook files, leading to complete account takeover via the Jupyter REST API.

A cross-site scripting (XSS) vulnerability affects Netgate pfSense CE (<= 2.8.1) and pfSense Plus (<= 26.03), potentially allowing attackers to inject malicious code.

n8n is vulnerable to cross-site scripting (XSS) via a malicious MCP OAuth client, allowing an unauthenticated attacker to inject arbitrary JavaScript into an authenticated user's session.

Multiple vulnerabilities in Atlassian Bamboo, Bitbucket, Confluence, Jira, and Jira Service Management allow attackers to execute arbitrary code, bypass security measures, manipulate data, disclose information, or perform cross-site scripting attacks.

An authenticated remote attacker can exploit multiple vulnerabilities in Apache ActiveMQ to execute arbitrary program code or perform cross-site scripting attacks.

Multiple cross-site scripting (XSS) vulnerabilities in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow a remote attacker to conduct an XSS attack against a user of the interface.

Multiple vulnerabilities in n8n can be exploited by an attacker to execute arbitrary code, bypass security measures, disclose sensitive information, conduct SQL injection attacks, cause denial-of-service, perform cross-site scripting, redirect users, or hijack sessions.

Multiple vulnerabilities in Fortinet FortiSandbox allow attackers to perform cross-site scripting attacks, disclose information, bypass security measures, and execute arbitrary code, potentially leading to system compromise.

Multiple vulnerabilities in Roundcube allow an attacker to manipulate files, bypass security measures, perform cross-site scripting attacks, and disclose information.

Multiple vulnerabilities in Langflow allow an attacker to manipulate files, disclose sensitive information, or conduct cross-site scripting attacks.

Multiple vulnerabilities in Gitea could allow an attacker to disclose information, bypass security measures, and perform cross-site scripting attacks.

DNN (formerly DotNetNuke) before 10.2.2 is vulnerable to stored cross-site scripting (XSS) via malicious SVG file uploads, potentially leading to account takeover and arbitrary code execution.

A stored Cross-Site Scripting (XSS) vulnerability exists in WeGIA versions prior to 3.6.10, allowing attackers to inject malicious scripts into the 'Member Name' field during member registration, leading to persistent execution upon user access.

Multiple vulnerabilities in Cisco Unity Connection can be exploited by an attacker to conduct cross-site scripting attacks, redirect users to malicious websites, manipulate data, and disclose confidential information.

CVE-2026-4344 is a stored cross-site scripting (XSS) vulnerability in the Autodesk Fusion desktop application where a malicious HTML payload in a component name, when displayed during the delete confirmation dialog and clicked by a user, can lead to arbitrary code execution.

A remote, anonymous attacker can exploit multiple vulnerabilities in Red Hat Ansible Automation Platform to perform denial of service, execute arbitrary code, bypass security measures, manipulate data, disclose information, or conduct XSS attacks.

An authenticated remote attacker can exploit a vulnerability in Keycloak to perform a Cross-Site Scripting attack, potentially leading to unauthorized access and data compromise.

Adobe Connect versions 2025.3, 12.10, and earlier are susceptible to a Cross-Site Scripting (XSS) vulnerability (CVE-2026-34617) that can lead to privilege escalation if a user interacts with a malicious URL or compromised web page.

Adobe Connect versions 2025.3, 12.10, and earlier are vulnerable to a reflected Cross-Site Scripting (XSS) attack, enabling attackers to execute malicious JavaScript in a victim's browser by enticing them to visit a crafted URL.

DotNetNuke.Core is vulnerable to stored cross-site scripting (XSS) where a user can upload a specially crafted SVG file containing malicious scripts, potentially targeting both authenticated and unauthenticated DNN users, with successful exploitation requiring user interaction and leading to high impact on confidentiality, integrity, and availability.

A reflected cross-site scripting (XSS) vulnerability exists in the Zootemplate Cerato WordPress theme (versions n/a through 2.2.18) due to improper neutralization of user-supplied input, potentially allowing attackers to execute arbitrary JavaScript in a user's browser.

Multiple vulnerabilities in Zammad allow a remote attacker to execute arbitrary code, bypass security measures, disclose sensitive information, and perform cross-site scripting attacks.

A stored cross-site scripting (XSS) vulnerability in Immich versions before 2.7.0 allows authenticated users to inject arbitrary JavaScript via crafted equirectangular images, leading to session hijacking, data exfiltration, and unauthorized access.

Unauthenticated attackers can perform a stored XSS attack against CoolerControl/coolercontrol-ui versions less than 4.0.0 by injecting malicious JavaScript into log entries, leading to potential service takeover.

A stored cross-site scripting (XSS) vulnerability in ChurchCRM versions prior to 7.0.0 allows authenticated users to inject arbitrary JavaScript code via dynamically assigned person properties, leading to potential session hijacking or account compromise when other users view the affected profile.

CVE-2026-25932 is a cross-site scripting vulnerability in GLPI versions 0.60 to before 10.0.24, where an authenticated technician user can store a malicious XSS payload within supplier fields, potentially leading to arbitrary code execution in the context of other users' browsers.

The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'feed_data' parameter, allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute when a user accesses the injected page.

A context isolation bypass vulnerability exists in Electron applications that bridge VideoFrame objects via contextBridge, potentially allowing an attacker with JavaScript execution in the main world to access the isolated world and Node.js APIs.

A stored cross-site scripting (XSS) vulnerability in Budibase versions prior to 3.32.5 allows authenticated users with Builder access to inject malicious HTML payloads into entity names, leading to potential session cookie theft and account takeover when other Builder users open the Command Palette.

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in the Distribution Lists report, allowing attackers to inject malicious scripts.

A stored cross-site scripting (XSS) vulnerability in CI4MS versions prior to 0.31.0.0 allows attackers to inject persistent JavaScript code into the backend user management functionality, leading to session hijacking, privilege escalation, and full administrative account compromise.

File Browser versions prior to 2.62.2 are vulnerable to stored cross-site scripting (XSS) via the EPUB preview function, allowing attackers to execute arbitrary JavaScript in a user's browser by embedding malicious code in a crafted EPUB file.

A stored Cross-Site Scripting (XSS) vulnerability exists in Payload CMS versions prior to 3.78.0, allowing authenticated users with write access to inject malicious scripts that execute in the browsers of other users.

A remote, authenticated attacker with administrator rights can exploit multiple vulnerabilities in SonicWall Email Security Appliance to perform cross-site scripting, manipulate data, or cause a denial-of-service.

A remote, anonymous attacker can exploit multiple vulnerabilities in IBM App Connect Enterprise to cause a denial-of-service condition or bypass security measures, enabling cross-site scripting attacks.

SiYuan Note versions prior to the fix for commit f09953afc57a are vulnerable to reflected cross-site scripting (XSS) via a namespace prefix bypass in the SanitizeSVG function when handling dynamic icons, allowing unauthenticated attackers to execute arbitrary JavaScript in a victim's browser.

File Browser version 2.62.1 and earlier is vulnerable to stored cross-site scripting (XSS) via crafted EPUB files, allowing attackers to execute arbitrary JavaScript in a victim's browser by exploiting the application's misconfigured iframe sandbox and stealing sensitive information like JWT tokens.

The Query Monitor WordPress plugin is vulnerable to reflected cross-site scripting (XSS) due to insufficient input sanitization and output escaping of the '$_SERVER['REQUEST_URI']' parameter, allowing unauthenticated attackers to inject arbitrary web scripts.

A stored cross-site scripting (XSS) vulnerability in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x (CVE-2025-10553) allows attackers to execute arbitrary script code within a user's browser session.

A stored cross-site scripting (XSS) vulnerability in ENOVIA Collaborative Industry Innovator allows an attacker to execute arbitrary script code in a user's browser session by injecting malicious code into document management functions.

baserCMS versions prior to 5.2.3 are vulnerable to DOM-based Cross-Site Scripting (XSS) due to improper neutralization of input during web page generation, potentially allowing a remote attacker to execute arbitrary JavaScript in a user's browser.

An anonymous, remote attacker can exploit multiple vulnerabilities in OpenBao to bypass security measures or conduct cross-site scripting attacks.

Kestra versions up to 1.3.3 are vulnerable to a cross-site scripting (XSS) vulnerability (CVE-2026-33664) allowing arbitrary JavaScript execution by viewing crafted flow metadata.

Ory Polis versions prior to 26.2.0 are vulnerable to DOM-based XSS due to improper handling of the `callbackUrl` parameter, allowing attackers to execute arbitrary JavaScript in a user's browser.

The Fluent Booking plugin for WordPress is vulnerable to stored cross-site scripting (XSS) allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page, affecting versions up to and including 2.0.01.

The Blackhole for Bad Bots WordPress plugin through version 3.8 is vulnerable to stored cross-site scripting (XSS) via the User-Agent HTTP header, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the plugin's admin page.

An anonymous remote attacker can exploit multiple vulnerabilities in cPanel/WHM to bypass security measures, perform XSS and SSRF attacks, disclose information, and potentially execute code.

An anonymous remote attacker can exploit a vulnerability in Znuny to perform a cross-site scripting attack, potentially leading to information disclosure or session hijacking.

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Cabinet Plugin list view of Connect-CMS, affecting versions 1.35.0 to 1.41.0 and 2.35.0 to 2.41.0, which can lead to arbitrary script execution in the victim's browser.

A Russian APT group is exploiting a Zimbra XSS vulnerability (details unspecified) to target the Ukrainian government in an operation dubbed 'GhostMail'.

Two critical XSS vulnerabilities, Reflected XSS in the /image-proxy endpoint and Stored XSS in bookmark cards, were discovered in AFFiNE, a self-hosted alternative to Notion, with the vendor being unresponsive.

A cross-site scripting (XSS) vulnerability exists in Angular versions prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, allowing attackers to execute arbitrary code within the context of the vulnerable application, potentially leading to session hijacking, data exfiltration, and unauthorized actions.

The netbox-data-flows plugin is vulnerable to stored cross-site scripting (XSS). An authenticated user with permissions to create or edit ObjectAlias objects can inject arbitrary HTML/JavaScript into the alias name. This payload is then rendered unescaped in DataFlow table views, leading to XSS when another user views the affected page. Successful exploitation can result in session theft, privileged action execution, and data exfiltration.

The GrimResource technique leverages a stored XSS vulnerability in apds.dll to achieve arbitrary code execution within a signed mmc.exe process by delivering a malicious .msc file.

Multiple vulnerabilities in Roundcube allow an attacker to perform a cross-site scripting attack and disclose confidential information.

A remote, authenticated attacker can exploit multiple vulnerabilities in MediaWiki to execute arbitrary code, disclose information, perform a cross-site scripting attack, or cause a denial of service condition.

A cross-site scripting (XSS) vulnerability in Synacor Zimbra Collaboration Suite (ZCS) could allow attackers to execute arbitrary JavaScript within a user's session, potentially leading to unauthorized access to sensitive information.

A reflected cross-site scripting (XSS) vulnerability exists in Icinga Web versions 0.13.0 and earlier, allowing attackers to inject malicious JavaScript into a victim's browser through malformed search requests, potentially leading to arbitrary code execution within the Icinga Web context.

Xerte Online Toolkits 3.15 and earlier are vulnerable to relative path traversal, allowing attackers to move files and potentially achieve remote code execution.

The LatePoint WordPress plugin is vulnerable to stored XSS via the booking_form_page_url parameter, allowing unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user accesses the injected page.

The Gravity Forms plugin for WordPress is vulnerable to unauthenticated stored cross-site scripting (XSS) in versions up to 2.10.0, allowing attackers to inject arbitrary JavaScript code into the product name field within repeater fields, which executes when an administrator views the affected entry.

The fast-xml-builder library allows attribute injection when handling attribute values containing quotes, leading to potential execution of arbitrary code.

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS) in versions up to and including 2.10.0, allowing unauthenticated attackers to inject arbitrary web scripts via form submissions that execute when an administrator views the entry detail page.

A stored XSS vulnerability in YAFNET.Core allows an attacker to inject arbitrary JavaScript into forum posts, which executes in the browsers of other users viewing the thread, potentially leading to account compromise and malware delivery.

A stored XSS vulnerability in phpMyFAQ version 4.1.1 allows an authenticated user to inject JavaScript code into comments, leading to session cookie theft and potential admin account takeover when other users view the affected FAQ or News page.

MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability (CVE-2018-25309) that allows attackers to inject malicious scripts by creating threads with crafted subject lines, leading to arbitrary JavaScript execution in the browsers of users viewing the index page.

The locize client SDK versions prior to 4.0.21 are vulnerable to cross-origin DOM XSS and handler hijack due to missing origin validation in the InContext Editor, allowing attackers to inject malicious code and exfiltrate data via crafted postMessage events.

The `budibase:auth` cookie in Budibase is set without the `httpOnly` flag, enabling attackers with XSS to steal JWTs and gain persistent access to user accounts.

The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS) in versions up to and including 2.8.11, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page due to missing nonce verification and improper handling of file upload fields.

AVideo is vulnerable to unauthenticated cross-site scripting (XSS) due to an incomplete server-side fix for a YPTSocket `autoEvalCodeOnHTML` eval sink, allowing an attacker to bypass the fix by nesting the payload under a top-level `json` field, leading to arbitrary JavaScript execution in any logged-in user's browser session.