CVE-2026-23769

lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files...

PT-2026-3340

The Filr – Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR Uploader class. This makes it possible for authenticated attackers,...

SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload

Summary A Stored Cross-Site Scripting XSS vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file e.g., imported from an untrusted source, arbitrary JavaScript code is executed in the context of their authenticate...

GHSA-PCJQ-J3MQ-JV5J SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload

Summary A Stored Cross-Site Scripting XSS vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file e.g., imported from an untrusted source, arbitrary JavaScript code is executed in the context of their authenticate...

CVE-2021-47842

The CVE-2021-47842 entry concerns StudyMD 0.3.2, where a persistent cross-site scripting (XSS) vulnerability exists. Attackers can upload crafted Markdown files containing embedded JavaScript payloads, causing scripts to execute when the file is opened, potentially enabling remote code execution ...

CVE-2021-47839 Marky 0.0.1 - Persistent Cross-Site Scripting

Marky 0.0.1 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code executio...

CVE-2026-0949

PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting XSS vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and...

CVE-2026-0949

CVE-2026-0949 describes a stored XSS in PEM versions

CVE-2026-23769

lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files...

CVE-2026-23769

lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files...

CVE-2026-0858

Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to...

PT-2026-3304

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.5.4-dev2 Description SiYuan Note does not properly sanitize uploaded SVG files. This allows a user to upload a malicious SVG file, such as one obtained from an untrusted source, which can then execute arbitrary...

CVE-2021-47843

Tagstoo 2.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious payloads through files or custom tags. Attackers can execute arbitrary JavaScript code to spawn system processes, access files, and perform remote code execution on the victim's computer...

PT-2026-3057

Tagstoo 2.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious payloads through files or custom tags. Attackers can execute arbitrary JavaScript code to spawn system processes, access files, and perform remote code execution on the victim's computer...

CVE-2026-0601

A reflected cross-site scripting vulnerability exists in Nexus Repository 3 that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted request requiring user interaction...

CVE-2026-0601

CVE-2026-0601 is a reflected XSS affecting Nexus Repository 3. An unauthenticated attacker can cause arbitrary JavaScript execution in a victim’s browser by sending a crafted request that requires user interaction. The vulnerability impacts the Nexus Repository 3 ecosystem (notably the nexus-extd...

CVE-2025-71164

Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting XSS vulnerability in the Editing component. The images parameter submitted as images in a POST request is reflected into an HTML href attribute without proper context-aware output encoding in...

CVE-2025-71164

Typesetter CMS

CVE-2026-22813

OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response...

CVE-2023-54332

Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject malicious scripts through the postid parameter. Attackers can craft malicious URLs with script payloads to execute arbitrary JavaScript in victims' browsers when they interact wit...