Astra Linux – Vulnerability in Chromium

In incorrect security user interfaces of web app installations in Google Chrome on Android before version 90.0.4430.212, an attacker who convinced a user to install a web application could inject scripts or HTML into a privileged page through a crafted HTML page...

Astra Linux – Vulnerability in Firefox

Because Firefox did not implement the unsafe-hashes CSP directive, an attacker who was able to inject markup into a page otherwise protected by a Content Security Policy might have been able to inject executable scripts. This would be severely restricted by the specified Content Security Policy o...

dvwa-xss

Cross-Site Scripting XSS Attack & Analysis — DVWA A hands-o...

CVE-2026-4790

The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'customsvg' parameter in versions up to, and including, 4.11.70 due to insufficient input sanitization and output escaping. This makes it possible fo...

CVE-2026-5109 Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Product Option

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient validation and output escaping of Product Option field values. The vulnerability exists because the state validation function accepts submitted...

CVE-2026-6916

The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sgcontentnumberprefix' parameter in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output...

PT-2026-36573

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient validation and output escaping of Product Option field values. The vulnerability exists because the state validation function accepts submitted...

EUVD-2024-55564

Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...

CVE-2026-6127 Elementor Website Builder <= 4.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API

The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the elementordata meta field in versions up to, and including, 4.0.4. This is due to insufficient input sanitization when processing form-encoded REST API requests. The plugin registers the...

EUVD-2026-26479

The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the elementordata meta field in versions up to, and including, 4.0.4. This is due to insufficient input sanitization when processing form-encoded REST API requests. The plugin registers the...

CVE-2026-3346

IBM Langflow Desktop 1.6.0 through 1.8.4 Lanflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...

GHSA-537J-GQPC-P7FQ n8n Vulnerable to XSS via MCP OAuth client

Impact An unauthenticated attacker could register a malicious MCP OAuth client with a crafted clientname. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute...

EUVD-2018-21830

MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary JavaScript in the browser...

CVE-2026-39712

Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in tagDiv tagDiv Composer td-composer allows Code Injection.This issue affects tagDiv Composer: from n/a through = 5.4.3...

CVE-2026-2902

The WP Meteor Website Speed Optimization Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'frontendrewrite' function's 'WPMETEORNWPMETEOR' placeholder content in all versions up to, and including, 3.4.16 due to insufficient input sanitization and output escaping. Th...

PT-2026-35992

Name of the Vulnerable Software and Affected Versions MyBB Recent threads version 17.0 Description A persistent cross-site scripting issue allows attackers to inject malicious scripts by creating threads with crafted subject lines. By using script tags in the subject parameter, an attacker can...

CVE-2025-56536

CVE-2025-56536 is a stored XSS in OpenNebula v6.10.0.1 where an attacker can inject payload via the user information parameter. The vulnerability affects OpenNebula 6.10.0.1 and is tracked with a CVSSv3.1 base score of 6.1 (Medium), attack vector Network, required user interaction, and changed sc...

Cross-site Scripting (XSS)

Overview phpoffice/phpspreadsheet is a Spreadsheet engine that Read, Create and Write Spreadsheet documents in PHP . Affected versions of this package are vulnerable to Cross-site Scripting XSS in the HTML generation process when a cell uses a custom number format containing the @ text placeholde...

CVE-2026-6551 Timeline Blocks for Gutenberg <= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'titleTag' Block Attribute

The Timeline Blocks for Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titleTag' attribute of the timeline-blocks/tb-timeline-blocks block in all versions up to, and including, 1.1.10 due to insufficient input sanitization and output escaping on user supplied...

CVE-2026-7072

CVE-2026-7072 affects CodePanda Source canteen_management_system 1.0. The flaw resides in the login component (file /api/login.php), where manipulating the Username parameter enables a SQL injection. The vulnerability is exploitable remotely and the exploit is public. Metrics indicate CVSS metric...