Lucene search
K

362 matches found

ATTACKERKB
ATTACKERKB
added 5 days ago7 views

CVE-2026-15298

The TelSender plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting in all versions up to, and including, 1.14.14. This is due to insufficient input sanitization when processing Telegram API responses containing attacker-controlled chat titles. This makes it possible for...

7.2CVSS6AI score0.00314EPSS
Exploits0References9
Cvelist
Cvelist
added 2026/07/01 10:57 p.m.26 views

CVE-2026-55790 Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget

Craft CMS is a content management system CMS. In versions 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15, an attacker with only a GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft admin uses the CraftSupport widget’s "Give feedback" screen and types...

7.4CVSS0.00311EPSS
Exploits0References2
CVE
CVE
added 2026/07/01 10:57 p.m.25 views

CVE-2026-55790

Summary of CVE-2026-55790 (Craft CMS) : This is a DOM-based cross-site scripting flaw in Craft CMS. Versions affected are 5.0.0-RC1–5.9.22 and 4.0.0-RC1–4.17.15. An attacker with only a GitHub account can insert a JavaScript payload into a craftcms/cms issue title. When a Craft admin uses the Cra...

7.4CVSS5.8AI score0.00311EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.19 views

PT-2026-51625

Name of the Vulnerable Software and Affected Versions Gogs affected versions not specified Gitea affected versions not specified Description A stored DOM-based Cross-Site Scripting XSS issue exists where an attacker can store an HTML or JavaScript payload in a milestone name. When a user opens th...

4.8CVSS6AI score0.00483EPSS
Exploits0References10
RedhatCVE
RedhatCVE
added 2026/06/05 7:20 p.m.10 views

CVE-2026-41201

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename field manipulated vi...

9.1CVSS5.3AI score0.00331EPSS
Exploits0References1
OSV
OSV
added 2026/06/04 6:57 p.m.10 views

GHSA-8WHC-2WMV-WW35 WWBN AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin

Unauthenticated Stored DOM XSS via pagetitle Broadcast in AVideo YPTSocket Plugin Summary A stored DOM Cross-Site Scripting vulnerability CWE-79 in the AVideo YPTSocket plugin lets any unauthenticated remote attacker execute arbitrary JavaScript in the authenticated origin of every administrator...

9.6CVSS6.2AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/06/04 6:57 p.m.14 views

WWBN AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin

Unauthenticated Stored DOM XSS via pagetitle Broadcast in AVideo YPTSocket Plugin Summary A stored DOM Cross-Site Scripting vulnerability CWE-79 in the AVideo YPTSocket plugin lets any unauthenticated remote attacker execute arbitrary JavaScript in the authenticated origin of every administrator...

6.2AI score
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/04 12:0 a.m.12 views

PT-2026-49154

Unauthenticated Stored DOM XSS via page title Broadcast in AVideo YPTSocket Plugin Summary A stored DOM Cross-Site Scripting vulnerability CWE-79 in the AVideo YPTSocket plugin lets any unauthenticated remote attacker execute arbitrary JavaScript in the authenticated origin of every administrator...

9.6CVSS5.8AI score
Exploits0References4
GithubExploit
GithubExploit
added 2026/05/28 8:57 a.m.87 views

portswigger-xss-labs

PortSwigger Web Security Academy — XSS Labs All 30 Completed...

5.8AI score
Exploits0
ATTACKERKB
ATTACKERKB
added 2026/05/20 6:0 p.m.7 views

CVE-2026-47099

TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious constructor-name property value. The custom reviver passes the constructor name...

6.1CVSS6AI score0.00358EPSS
Exploits0References3
GithubExploit
GithubExploit
added 2026/05/15 1:37 p.m.88 views

dvwa_xss_lab

DVWA XSS Lab Project Introduction This project creates a...

5.8AI score
Exploits0
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.19 views

PT-2026-41138

Name of the Vulnerable Software and Affected Versions Fides versions 2.33.0 through 2.84.4 Description A DOM-based Cross-Site Scripting XSS issue exists in fides.js, the script used to render consent banners. The problem occurs when the fides description variable is overridden via a URL query...

7CVSS5.9AI score0.00297EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/05/11 9:42 p.m.50 views

CVE-2026-43900 DeepChat: Persistent DOM XSS via HTML Entity Encoding in `<antArtifact>` SVG Rendering (Bypass of `svgSanitizer.ts`)

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, a Cross-Site Scripting XSS vulnerability exists due to a discrepancy between the backend validation layer and the frontend browser rendering engine. The SVGSanitizer...

9.3CVSS0.00306EPSS
Exploits0References1
OSV
OSV
added 2026/05/11 9:42 p.m.2 views

CVE-2026-43900 DeepChat: Persistent DOM XSS via HTML Entity Encoding in `<antArtifact>` SVG Rendering (Bypass of `svgSanitizer.ts`)

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, a Cross-Site Scripting XSS vulnerability exists due to a discrepancy between the backend validation layer and the frontend browser rendering engine. The SVGSanitizer...

9.3CVSS6.2AI score0.00306EPSS
Exploits0References3
CVE
CVE
added 2026/05/11 9:42 p.m.14 views

CVE-2026-43900

DeepChat vuln CVE-2026-43900 affects the SvgArtifact rendering path. The sanitizer in src/main/lib/svgSanitizer.ts scrubs javascript: protocols with plain-text regex but fails to account for HTML entity decoding before Vue’s v-html insertion in SvgArtifact.vue. Crafting an SVG artifact with obfus...

9.3CVSS6AI score0.00306EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/07 3:16 a.m.58 views

CVE-2026-41201 CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS Version 2

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename field manipulated vi...

9.1CVSS0.00331EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/01 5:29 a.m.4 views

CVE-2024-13362 Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...

6.1CVSS6AI score0.00276EPSS
Exploits0References24
OSV
OSV
added 2026/04/22 7:52 p.m.4 views

CVE-2026-3837 Frappe Framework 16.10.0 - Stored DOM XSS in Multiple Field Formatters

An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without...

4.6CVSS6.1AI score0.00193EPSS
Exploits1References5
CVE
CVE
added 2026/04/22 7:52 p.m.15 views

CVE-2026-3837

CVE-2026-3837 – Frappe Framework 16.10.0 : An authenticated attacker can store crafted values in multiple field formatters and cause client-side script execution when another user opens the affected document in Desk. The issue arises because the vulnerable formatters interpolate stored values int...

5.4CVSS5.9AI score0.00193EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/04/22 5:42 p.m.7 views

GHSA-6457-MXPQ-4FQQ i18nextify has DOM XSS via javascript:/data: URL schemes in translated href/src attributes

Summary Versions of i18nextify prior to 4.0.8 substitute key interpolation tokens inside src and href attribute values with the raw string returned by i18next.t. The substitution logic in src/localize.js replaceInside handler around line 122 only guards against a duplicated http:// origin prefix ...

4.7CVSS5.9AI score0.00144EPSS
Exploits0References4
Rows per page
Query Builder