
7595 matches found

Snyk
added 2026/05/14 6:27 p.m., 4 views

Improper Encoding or Escaping of Output

Overview: Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the linkHref field handling. An attacker can execute arbitrary JavaScript by supplying a javascript: URL in an image widget's link URL field and having it rendered on the page. This affects...

5.4 CVSS, 6.1 AI score
Exploits 0, References 3
RedhatCVE
added 2026/05/13 8:23 p.m., 7 views

CVE-2026-2300

The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the filterimages function in all versions up to, and including, 1.0.9. This is due to the use of regex-based HTML processing (preg_replace) that does not properly handle HTML attribute boundaries when replacing sr...

6.4 CVSS, 6 AI score, 0.00036 EPSS
Exploits 0, References 1
ATTACKERKB
added 2026/05/13 12:2 p.m., 6 views

CVE-2026-42948

Stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. If one of the administrators inputs malicious data, an arbitrary script may be executed in another administrative user's web browser...

4.8 CVSS, 5.7 AI score, 0.00031 EPSS
Exploits 0, References 3, Affected Software 4
SUSE CVE
added 2026/05/08 2:26 a.m., 4 views

SUSE CVE-2026-7958

Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted Chrome Extension. Chromium security severity: Medium...

5.4 CVSS, 5.9 AI score, 0.00017 EPSS
Exploits 0, References 3
AstraLinux
added 2026/05/03 11:59 p.m., 1 views

Astra Linux - vulnerability in libreoffice

LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint servers. An additional scheme ‘vnd.libreoffice.command’ specific to LibreOffice was added. In the affected versions of LibreOffice, links using this scheme could be used to invoke internal macr...

6.3 CVSS, 6.8 AI score, 0.01322 EPSS
Exploits 0, References 2
ATTACKERKB
added 2026/04/29 3:39 p.m., 0 views

CVE-2026-40230

Helpy contains a stored cross-site scripting vulnerability in the knowledge base Doc rendering logic. An authenticated attacker with admin or agent editor privileges can persist arbitrary HTML or JavaScript in the body field of a knowledge base Doc. This issue affects helpy: 2.8.0...

4.8 CVSS, 5 AI score, 0.00031 EPSS
Exploits 1, References 3, Affected Software 1
CVE
added 2026/04/29 12:0 a.m., 3 views

CVE-2025-56535

OpenNebula 6.10.0.1 is affected by a cross-site scripting (XSS) vulnerability in the zone attribute parameter. The issue allows an attacker to render arbitrary web scripts or HTML in the victim’s browser. The available documents consistently describe the vulnerability as XSS in OpenNebula v6.10.0...

6.1 CVSS, 5.3 AI score, 0.00032 EPSS
Exploits 2, References 2, Affected Software 1
CNNVD
added 2026/04/24 12:0 a.m., 5 views

WordPress plugin ITERAS cross-site scripting vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

6.4 CVSS, 5.8 AI score, 0.00055 EPSS
Exploits 0, References 1
EUVD
added 2026/04/22 9:31 a.m., 2 views

EUVD-2026-24648

The ER Swiffy Insert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the swiffy shortcode in all versions up to and including 1.0.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes 'n', 'w', 'h'. These attributes are...

6.4 CVSS, 5.9 AI score, 0.00014 EPSS
Exploits 0, References 6
EUVD
added 2026/04/22 4:28 a.m., 0 views

EUVD-2026-24605

DeepL Chrome browser extension versions from v1.22.0 to v.1.23.0 contain a cross-site scripting vulnerability, which allows an attacker to execute arbitrary script in a user's browser, and inject malicious HTML into web pages viewed by the user...

6.1 CVSS, 6.5 AI score, 0.00037 EPSS
Exploits 0, References 2
Positive Technologies
added 2026/04/22 12:0 a.m., 2 views

PT-2026-34540

Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component containing known sandbox escape primitives. When combined with template injection present in the same application, these primitives allow attackers to escape the AngularJS sandbox and achieve arbitrary JavaScript executi...

9.3 CVSS, 6.1 AI score, 0.00074 EPSS
Exploits 0, References 8
CNNVD
added 2026/04/20 12:0 a.m., 5 views

GFI HelpDesk security vulnerability

GFI HelpDesk is an open-source service request and ticket management system for enterprise IT support processes developed by GFI. Versions of GFI HelpDesk prior to 4.99.9 contained security vulnerabilities. These vulnerabilities stemmed from insufficient cleaning of the charset POST parameter in...

4.8 CVSS, 5.9 AI score, 0.00038 EPSS
Exploits 0, References 2
EUVD
added 2026/04/16 6:31 a.m., 3 views

EUVD-2026-23168

The WP Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpdocsoptionsiconsize' parameter in all versions up to, and including, 2.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level...

6.4 CVSS, 5.9 AI score, 0.00012 EPSS
Exploits 0, References 3
Positive Technologies
added 2026/04/16 12:0 a.m., 0 views

PT-2026-33246

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'su_box' shortcode in all versions up to, and including, 7.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4 CVSS, 5.9 AI score, 0.00012 EPSS
Exploits 0, References 2
Japan Vulnerability Notes
added 2026/04/15 8:21 a.m., 4 views

GROWI vulnerable to stored cross-site scripting

Overview: GROWI provided by GROWI, Inc. contains the following vulnerability: stored cross-site scripting (CWE-79), CVE-2026-26291. Norihide Saito reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact: An arbitrary...

5.4 CVSS, 6 AI score, 0.00037 EPSS
Exploits 0, References 5
Cvelist
added 2026/04/15 4:19 a.m., 22 views

CVE-2026-26291

Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web browser...

5.4 CVSS, 0.00037 EPSS
Exploits 0, References 2
Vulnrichment
added 2026/04/15 4:19 a.m., 1 views

CVE-2026-26291

Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web browser...

5.4 CVSS, 5.8 AI score, 0.00037 EPSS
Exploits 0, References 2
Positive Technologies
added 2026/04/15 12:0 a.m., 1 views

PT-2026-32998

Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web browser...

5.4 CVSS, 5.8 AI score, 0.00037 EPSS
Exploits 0, References 2
OSV
added 2026/04/13 4:39 p.m., 2 views

GHSA-VFFH-X6R8-XX99 Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer

Impact: Stored cross-site scripting (XSS) via crafted metric names in the Prometheus web UI. Old React UI + New Mantine UI: When a user hovers over a chart tooltip on the Graph page, metric names containing HTML/JavaScript are injected into innerHTML without escaping, causing arbitrary script...

6.1 CVSS, 6.2 AI score, 0.00012 EPSS
Exploits 0, References 5
Snyk
added 2026/04/10 7:20 p.m., 4 views

Cross-site Scripting (XSS)

Overview: justhtml is a pure Python HTML5 parser that just works. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of URL sanitization helpers, HTML serialization, Markdown passthrough, and custom sanitization-policy edge cases. An attacker can execut...

6.1 CVSS, 5.7 AI score
Exploits 0, References 3