554 matches found
CVE-2026-45088
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the custom-payload-file field in model.Options is JSON-tagged and deserialized directly from the attacker's request body, then propagated unchanged through...
XSS-Payload-Generator
XSS-Payload-Generator user guide 0. This script is an XSS payl...
Malicious code in 0ctf-chalweb (npm)
Source: amazon-inspector 6d7a129ab6079febb92ceac3587af97653477bce8a65b8e85bfa5bcae0293b0d The package's entire content xss.js is a 2-line cookie-stealing payload that creates an Image element pointing to...
CVE-2026-25932
GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in supplier fields. This vulnerability is fixed in 10.0.24...
CVE-2026-26997
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 59, a normal authenticated user can store an XSS payload. The payload is triggered by an administrator. Version 5.5.3 59 fixes the issue...
CVE-2022-50906
e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files with embedded cross-site scripting (XSS) payloads...
CVE-2023-50072
A Stored Cross-Site Scripting (XSS) vulnerability exists in OpenKM version 7.1.40 (dbb6e88) With Professional Extension that allows an authenticated user to upload a note on a file which acts as a stored XSS payload. Any user who opens the note of a document file will trigger the XSS...
CVE-2018-21030
Jupyter Notebook before 5.5.0 does not use a CSP header to treat served files as belonging to a separate origin. Thus, for example, an XSS payload can be placed in an SVG document...
CVE-2022-27244
An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user...
CVE-2019-12095
Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the treanBookmarkTags parameter to the trean/ URI on a webmail server. NOTE: treanBookmarkTags could, for example, be a stored XSS payload...
Malicious Package
Overview: xss-payload-7n-ctf is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious code in xss-payload-7n-ctf (npm)
Source: amazon-inspector dc9fcaefcc21332259306a4bbad6a54cda89ef8c6d4874d5176f4bf8f9cb194c The package xss-payload-7n-ctf was found to contain malicious code. Source: ghsa-malware...
EUVD-2025-38225
Malicious code in xss-payload-7n-ctf (npm)...
EUVD-2020-5521
Malware in sbrugna...
EUVD-2018-8204
Malware in sbrugna...
EUVD-2017-2613
Malware in sbrugna...
EUVD-2020-21619
Malware in sbrugna...
EUVD-2018-11235
Malware in sbrugna...
EUVD-2019-5215
Malware in sbrugna...
EUVD-2020-29666
Malware in sbrugna...