26 matches found
EUVD-2026-25235
In hackage-server, user-controlled metadata from .cabal files is rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting (XSS) attacks...
CVE-2026-40472
CVE-2026-40472 affects the Hackage Haskell server (hackage-server). It enables stored XSS by injecting user-controlled metadata from .cabal files that is rendered into HTML href attributes without proper sanitization. The underlying issue is unsanitized rendering of certain metadata fields (e...
PT-2026-29785
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ SvgSanitizer.php can be bypassed using HTML entity encoding in javascript: URLs within SVG attributes. Any user with edit faq permission can upload a malicious SVG that executes...
CVE-2025-13885 Zenost Shortcodes <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Zenost Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' and 'target' parameters in the button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
GO-2025-4058 Mattermost Server is vulnerable to XSS through lack of link relationship attributes `noreferrer` and `noopener` in github.com/mattermost/mattermost-server
Mattermost Server is vulnerable to XSS through lack of link relationship attributes noreferrer and noopener in github.com/mattermost/mattermost-server...
EUVD-2020-13193
Malware in sbrugna...
EUVD-2018-6731
Malware in sbrugna...
CVE-2025-53838 LinkAce has a Stored One Click XSS vulnerability
LinkAce is a self-hosted archive to collect website links. A stored cross-site scripting (XSS) vulnerability was discovered in versions prior to 2.1.9 that allows an attacker to inject arbitrary JavaScript, which is then executed in the context of a user's browser when the malicious link is clicked...
PT-2025-36500
Name of the Vulnerable Software and Affected Versions: LinkAce versions prior to 2.1.9 Description: LinkAce is a self-hosted archive to collect website links. A stored cross-site scripting (XSS) vulnerability allows an attacker to inject arbitrary JavaScript, which is then executed in the context o...
PT-2025-36093
Name of the Vulnerable Software and Affected Versions: Promptcraft Forge Studio affected versions not specified Description: Promptcraft Forge Studio, a toolkit for evaluating, optimizing, and maintaining LLM-powered applications, contains an incomplete URL scheme check that does not prevent...
CVE-2023-1891
The Accordion & FAQ WordPress plugin before 1.9.9 does not escape various generated URLs, before outputting them in attributes when some notices are displayed, leading to Reflected Cross-Site Scripting...
GHSA-J58C-WW9W-PWP5 AngularJS improperly sanitizes SVG elements
Improper sanitization of the value of the 'href' and 'xlink:href' attributes in '' SVG elements in AngularJS allows attackers to bypass common image source restrictions. This can lead to a form of Content Spoofing (https://owasp.org/www-community/attacks/ContentSpoofing) and also negatively affect...
CVE-2025-30342
An XSS issue was discovered in OpenSlides before 4.2.5. When submitting descriptions such as Moderator Notes or Agenda Topics, an editor is shown that allows one to format the submitted text. This allows insertion of various HTML elements. When trying to insert a SCRIPT element, it is properly...
CVE-2024-27060 thunderbolt: Fix NULL pointer dereference in tb_port_update_credits()
In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Fix NULL pointer dereference in tb_port_update_credits() Olliver reported that his system crashes when plugging in Thunderbolt 1 device: BUG: kernel NULL pointer dereference, address: 0000000000000020 #PF: supervisor read...
Cross-site Scripting (XSS)
Overview phlex is a high-performance view framework optimised for fun. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of href attributes on tags. An attacker can execute arbitrary JavaScript code by inserting tab (\t) or newline (\n) characte...
PT-2023-16766 · Pimcore · Pimcore
Name of the Vulnerable Software and Affected Versions: pimcore/pimcore versions prior to 10.5.18 Description: The issue is related to Cross-site Scripting (XSS) - Stored, which can be exploited by an attacker to send a malicious script to any user. This can be done through the Document Page Link...
CVE-2022-41941 glpi contains XSS Stored inside Standard Interface Help Link href attribute
GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6, are subject to Cross-site Scripting. An administrator may store malicious code in help links. This issue is patched in 10.0.6...
Cross-site Scripting (XSS)
Overview github.com/mattermost/mattermost-server is an open source Slack-alternative in Golang and React. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the lack of noreferrer and noopener link relationship attributes. An attacker can execute arbitrary scripts in...
CVE-2020-20406
A stored XSS vulnerability exists in the Custom Link Attributes control Affect function in Elementor Page Builder 2.9.2 and earlier versions. It is caused by inadequate filtering on the link custom attributes...