CVE-2026-23769

lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files...

CVE-2026-23769

lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files...

CVE-2026-0858

Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to...

PT-2026-3304

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.5.4-dev2 Description SiYuan Note does not properly sanitize uploaded SVG files. This allows a user to upload a malicious SVG file, such as one obtained from an untrusted source, which can then execute arbitrary...

CVE-2021-47843

Tagstoo 2.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious payloads through files or custom tags. Attackers can execute arbitrary JavaScript code to spawn system processes, access files, and perform remote code execution on the victim's computer...

PT-2026-3057

Tagstoo 2.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious payloads through files or custom tags. Attackers can execute arbitrary JavaScript code to spawn system processes, access files, and perform remote code execution on the victim's computer...

CVE-2026-0601

A reflected cross-site scripting vulnerability exists in Nexus Repository 3 that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted request requiring user interaction...

CVE-2026-0601

CVE-2026-0601 is a reflected XSS affecting Nexus Repository 3. An unauthenticated attacker can cause arbitrary JavaScript execution in a victim’s browser by sending a crafted request that requires user interaction. The vulnerability impacts the Nexus Repository 3 ecosystem (notably the nexus-extd...

CVE-2025-71164

Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting XSS vulnerability in the Editing component. The images parameter submitted as images in a POST request is reflected into an HTML href attribute without proper context-aware output encoding in...

CVE-2025-71164

Typesetter CMS

CVE-2026-22813

OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response...

CVE-2023-54332

Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject malicious scripts through the postid parameter. Attackers can craft malicious URLs with script payloads to execute arbitrary JavaScript in victims' browsers when they interact wit...

CVE-2023-53985

Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in...

CVE-2023-53985

Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in...

CVE-2021-47750

YouPHPTube = 7.8 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims' browsers when they...

CVE-2021-47750

YouPHPTube = 7.8 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims' browsers when they...

CVE-2020-36919

WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in victim's browser...

CVE-2021-47750

YouPHPTube versions up to 7.8 contain a cross-site scripting (XSS) vulnerability in the redirectUri parameter of the signup page, allowing an attacker to craft signups that execute arbitrary JavaScript in victims’ browsers. The root cause is improper handling of the redirectUri in the signup flow...

PT-2026-2372

Name of the Vulnerable Software and Affected Versions Testa version 3.5.1 Description The software contains a reflected cross-site scripting issue in the login.php file. Specifically, the redirect parameter is susceptible to malicious script injection. An attacker can craft a specially encoded...

PT-2026-2417

Name of the Vulnerable Software and Affected Versions Zippy CRM version 6.5.4 Description The software contains a reflected cross-site scripting issue that enables attackers to inject malicious scripts via unvalidated input parameters. Attackers can submit crafted payloads in manual insertion...