CWE-80
AllowedImproper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
936 vulnerabilities reference this CWE, most recent first.
GHSA-6J65-Q38M-C8JQ
Vulnerability from github – Published: 2025-06-06 09:30 – Updated: 2025-06-06 09:30The Paged Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gallery' shortcode in all versions up to, and including, 0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
{
"affected": [],
"aliases": [
"CVE-2025-5686"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-06T07:15:30Z",
"severity": "MODERATE"
},
"details": "The Paged Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027gallery\u0027 shortcode in all versions up to, and including, 0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
"id": "GHSA-6j65-q38m-c8jq",
"modified": "2025-06-06T09:30:25Z",
"published": "2025-06-06T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5686"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/paged-gallery/trunk/paged-gallery.php#L64"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc7dbdbe-fd0f-404b-9f9f-06e942f60a73?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6JJ5-J4J8-8473
Vulnerability from github – Published: 2026-03-16 16:22 – Updated: 2026-05-07 13:24Summary
LeafKit HTML-escaping is not working correctly when a template prints a collection (Array / Dictionary) via #(value). This can result in XSS, allowing potentially untrusted input to be rendered unescaped.
Details
LeafKit attempts to escape expressions during serialization, but due to LeafData.htmlEscaped()'s implementation, when the escaped type's conversion to String is marked as .ambiguous (as it is the case for Arrays and Dictionaries), an unescaped self is returned.
Note: I recommend first looking at the POC, before taking a look at the details below, as it is simple. In the detailed, verbose analysis below, I explored the functions involved in more detail, in hopes that it will help you understand and locate this issue.
The issue's detailed analysis:
- Leaf expression serialization eventually reaches
LeafSerializer'sserializeprivate function below. This is where theleafDatais.htmlEscaped(), and then serialized.
https://github.com/vapor/leaf-kit/blob/8ff06839d8b3ddf74032d2ade01e3453eb556d30/Sources/LeafKit/LeafSerialize/LeafSerializer.swift#L60-L66
- The
LeafData.htmlEscaped()method uses theLeafData.stringcomputed property to convert itself to a string. Then, it calls thehtmlEscaped()method on it. However, if the string conversion fails, notice that an unescaped, unsafeselfis returned (line 324 below):
https://github.com/vapor/leaf-kit/blob/8ff06839d8b3ddf74032d2ade01e3453eb556d30/Sources/LeafKit/LeafData/LeafData.swift#L321-L328
- Regarding why
.stringmay return nil, if the escaped value is not a string already, a convesion is attempted, which may fail.
https://github.com/vapor/leaf-kit/blob/8ff06839d8b3ddf74032d2ade01e3453eb556d30/Sources/LeafKit/LeafData/LeafData.swift#L211-L216
In this specific case, the conversion fails at line 303 below, when conversion.is >= level is checked. The check fails because .array and .dictionary conversions to .string are deemed .ambiguous. If we forcefully allow ambiguous conversions, the vulnerability disappears, as the conversion is successful.
https://github.com/vapor/leaf-kit/blob/8ff06839d8b3ddf74032d2ade01e3453eb556d30/Sources/LeafKit/LeafData/LeafData.swift#L295-L319
- Coming back to
LeafSerializer'sserializeprivate method, we are now interested in finding out what happens afterLeafData.htmlEscaped()returns self. Recall from1.that the output was then.serialized(). Thus, the unescapedLeafDatafollows the normal serialization path, as if it were HTML-escaped. More specifically, serialization is done here, where.map/.mapValuesis called, unsafely serializing each element of the dictionary.
PoC
In a new Vapor project created with vapor new poc -n --leaf, use a simple leaf template like the following:
<!doctype html>
<html>
<body>
<h1>#(username)</h1>
<h2>someDict:</h2>
<p>#(someDict)</p>
</body>
</html>
And the following routes.swift:
import Vapor
struct User: Encodable {
var username: String
var someDict: [String: String]
}
func routes(_ app: Application) throws {
app.get { req async throws in
try await req.view.render("index", User(
username: "Escaped XSS - <img src=x onerror=alert(1)>",
someDict: ["<img src=x onerror=alert(1337)>":"<img src=x onerror=alert(31337)>"]
))
}
}
By running and accessing the server in a browser, XSS should be triggered twice (with alert(1337) and alert(31337)). var someDict: [String: String] could also be replaced with an array / dictionary of a different type, such as another Encodable stuct.
Also note that, in a real concerning scenario, the array / dictionary would contain (i.e. reflect) data inputted by the user.
Impact
This is a cross-site scripting (XSS) vulnerability in rendered Leaf templates. Vapor/Leaf applications that render user-controlled data inside arrays or dictionaries using #(value) may be impacted.
{
"affected": [
{
"package": {
"ecosystem": "SwiftURL",
"name": "github.com/vapor/leaf-kit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28499"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-16T16:22:56Z",
"nvd_published_at": "2026-03-18T02:16:24Z",
"severity": "MODERATE"
},
"details": "### Summary\nLeafKit HTML-escaping is not working correctly when a template prints a collection (Array / Dictionary) via `#(value)`. This can result in XSS, allowing potentially untrusted input to be rendered unescaped.\n\n### Details\nLeafKit attempts to escape expressions during serialization, but due to [`LeafData.htmlEscaped()`](https://github.com/vapor/leaf-kit/blob/8ff06839d8b3ddf74032d2ade01e3453eb556d30/Sources/LeafKit/LeafData/LeafData.swift#L322)\u0027s implementation, when the escaped type\u0027s conversion to `String` is marked as `.ambiguous` (as it is the case for Arrays and Dictionaries), an unescaped `self` is returned.\n\n\u003e **Note: I recommend first looking at the POC, before taking a look at the details below, as it is simple.** In the detailed, verbose analysis below, I explored the functions involved in more detail, in hopes that it will help you understand and locate this issue.\n\n#### The issue\u0027s detailed analysis:\n1. Leaf expression serialization eventually reaches `LeafSerializer`\u0027s `serialize` private function below. This is where the `leafData` is `.htmlEscaped()`, and then serialized.\n\nhttps://github.com/vapor/leaf-kit/blob/8ff06839d8b3ddf74032d2ade01e3453eb556d30/Sources/LeafKit/LeafSerialize/LeafSerializer.swift#L60-L66\n\n2. The `LeafData.htmlEscaped()` method uses the `LeafData.string` computed property to convert itself to a string. Then, it calls the `htmlEscaped()` method on it. However, if the string conversion fails, notice that an unescaped, unsafe `self` is returned (line 324 below):\n\nhttps://github.com/vapor/leaf-kit/blob/8ff06839d8b3ddf74032d2ade01e3453eb556d30/Sources/LeafKit/LeafData/LeafData.swift#L321-L328\n\n\n3. Regarding why `.string` may return nil, if the escaped value is not a string already, a convesion is attempted, which may fail.\n\nhttps://github.com/vapor/leaf-kit/blob/8ff06839d8b3ddf74032d2ade01e3453eb556d30/Sources/LeafKit/LeafData/LeafData.swift#L211-L216\n\nIn this specific case, the conversion fails at line 303 below, when `conversion.is \u003e= level` is checked. The check fails because [`.array` and `.dictionary` conversions to `.string` are deemed `.ambiguous`](https://github.com/vapor/leaf-kit/blob/8ff06839d8b3ddf74032d2ade01e3453eb556d30/Sources/LeafKit/LeafData/LeafData.swift#L525-L535). If we forcefully allow ambiguous conversions, the vulnerability disappears, as the conversion is successful.\n\nhttps://github.com/vapor/leaf-kit/blob/8ff06839d8b3ddf74032d2ade01e3453eb556d30/Sources/LeafKit/LeafData/LeafData.swift#L295-L319\n\n5. Coming back to `LeafSerializer`\u0027s `serialize` private method, we are now interested in finding out what happens after `LeafData.htmlEscaped()` returns self. Recall from `1.` that the output was then `.serialized()`. Thus, the unescaped `LeafData` follows the normal serialization path, as if it were HTML-escaped. More specifically, serialization is done [here](https://github.com/vapor/leaf-kit/blob/8ff06839d8b3ddf74032d2ade01e3453eb556d30/Sources/LeafKit/LeafData/LeafDataStorage.swift#L52-L63), where `.map` / `.mapValues` is called, unsafely serializing each element of the dictionary.\n\n### PoC\n\u003c!-- _Complete instructions, including specific configuration details, to reproduce the vulnerability._ --\u003e\n\nIn a new Vapor project created with `vapor new poc -n --leaf`, use a simple leaf template like the following:\n```html\n\u003c!doctype html\u003e\n\u003chtml\u003e\n \u003cbody\u003e\n \u003ch1\u003e#(username)\u003c/h1\u003e\n \u003ch2\u003esomeDict:\u003c/h2\u003e\n \u003cp\u003e#(someDict)\u003c/p\u003e\n \u003c/body\u003e\n\u003c/html\u003e\n```\n\nAnd the following `routes.swift`:\n```swift\nimport Vapor\n\nstruct User: Encodable {\n var username: String\n var someDict: [String: String]\n}\n\nfunc routes(_ app: Application) throws {\n app.get { req async throws in\n try await req.view.render(\"index\", User(\n username: \"Escaped XSS - \u003cimg src=x onerror=alert(1)\u003e\",\n someDict: [\"\u003cimg src=x onerror=alert(1337)\u003e\":\"\u003cimg src=x onerror=alert(31337)\u003e\"]\n ))\n }\n}\n\n```\n\nBy running and accessing the server in a browser, XSS should be triggered twice (with `alert(1337)` and `alert(31337)`). `var someDict: [String: String]` could also be replaced with an array / dictionary of a different type, such as another `Encodable` stuct.\n\nAlso note that, in a real concerning scenario, the array / dictionary would contain (i.e. reflect) data inputted by the user.\n\n### Impact\nThis is a cross-site scripting (XSS) vulnerability in rendered Leaf templates. Vapor/Leaf applications that render user-controlled data inside arrays or dictionaries using `#(value)` may be impacted.",
"id": "GHSA-6jj5-j4j8-8473",
"modified": "2026-05-07T13:24:10Z",
"published": "2026-03-16T16:22:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vapor/leaf-kit/security/advisories/GHSA-6jj5-j4j8-8473"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28499"
},
{
"type": "WEB",
"url": "https://github.com/vapor/leaf-kit/commit/6044b844caa858a0c5f2505ac166f5a057c990dc"
},
{
"type": "PACKAGE",
"url": "https://github.com/vapor/leaf-kit"
},
{
"type": "WEB",
"url": "https://github.com/vapor/leaf-kit/releases/tag/1.14.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "LeafKit\u0027s HTML escaping may be skipped for Collection values, enabling XSS"
}
GHSA-6M53-GPJ2-W66J
Vulnerability from github – Published: 2026-04-07 21:32 – Updated: 2026-04-16 00:54Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.
{
"affected": [],
"aliases": [
"CVE-2026-39837"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-07T20:16:33Z",
"severity": "MODERATE"
},
"details": "Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.",
"id": "GHSA-6m53-gpj2-w66j",
"modified": "2026-04-16T00:54:04Z",
"published": "2026-04-07T21:32:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39837"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237979"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T416402"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-6MRF-W24G-2MJ6
Vulnerability from github – Published: 2025-02-07 03:32 – Updated: 2025-02-07 03:32Dell Update Manager Plugin, version(s) 1.5.0 through 1.6.0, contain(s) an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.
{
"affected": [],
"aliases": [
"CVE-2025-22402"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-07T03:15:12Z",
"severity": "LOW"
},
"details": "Dell Update Manager Plugin, version(s) 1.5.0 through 1.6.0, contain(s) an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.",
"id": "GHSA-6mrf-w24g-2mj6",
"modified": "2025-02-07T03:32:03Z",
"published": "2025-02-07T03:32:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22402"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000281885/dsa-2025-047-security-update-for-dell-update-manager-plugin-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6P68-6R83-GC73
Vulnerability from github – Published: 2022-06-30 00:00 – Updated: 2022-07-09 00:00A vulnerability has been found in TrueConf Server 4.3.7 and classified as problematic. This vulnerability affects unknown code of the file /admin/conferences/get-all-status/. The manipulation of the argument keys[] leads to basic cross site scripting (Reflected). The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2017-20114"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-29T17:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in TrueConf Server 4.3.7 and classified as problematic. This vulnerability affects unknown code of the file /admin/conferences/get-all-status/. The manipulation of the argument keys[] leads to basic cross site scripting (Reflected). The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-6p68-6r83-gc73",
"modified": "2022-07-09T00:00:20Z",
"published": "2022-06-30T00:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20114"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.96628"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/41184"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6QJX-787V-6PXR
Vulnerability from github – Published: 2023-05-26 13:56 – Updated: 2023-05-26 21:50Summary
XSS can be triggered via the Update Asset Index utility
PoC
- Access setting tab
- Create new assets
- In assets name inject payload: "alert(26)
- Click Utilities tab
- Choose all volumes, or volume trigger xss
- Click Update asset indexes.
XSS will be triggered
Json response volumes name makes triggers the payload
"session":{"id":1,"indexedVolumes":{"1":"\"<script>alert(26)</script>"},
It’s run on every POST request in the utility.
Resolved in https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.4.5"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-RC1"
},
{
"fixed": "4.4.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-33197"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-26T13:56:26Z",
"nvd_published_at": "2023-05-26T20:15:48Z",
"severity": "MODERATE"
},
"details": "### Summary\nXSS can be triggered via the Update Asset Index utility\n\n### PoC\n1. Access setting tab\n2. Create new assets\n3. In assets name inject payload: \"\u003cscript\u003ealert(26)\u003c/script\u003e\n4. Click Utilities tab\n5. Choose all volumes, or volume trigger xss\n7. Click Update asset indexes.\n\nXSS will be triggered\n\nJson response volumes name makes triggers the payload\n\n \"session\":{\"id\":1,\"indexedVolumes\":{\"1\":\"\\\"\u003cscript\u003ealert(26)\u003c/script\u003e\"},\n\nIt\u2019s run on every POST request in the utility.\n\nResolved in https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766\n\n",
"id": "GHSA-6qjx-787v-6pxr",
"modified": "2023-05-26T21:50:24Z",
"published": "2023-05-26T13:56:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-6qjx-787v-6pxr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33197"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/releases/tag/4.4.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Craft CMS stored XSS in indexedVolumes"
}
GHSA-6QWM-5FM9-CVJX
Vulnerability from github – Published: 2026-06-09 09:32 – Updated: 2026-06-09 18:30Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache Answer.
This issue affects Apache Answer: through 2.0.0.
User-supplied content was included in notification emails without proper escaping, allowing authenticated users to inject arbitrary HTML into emails sent to other users. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
{
"affected": [],
"aliases": [
"CVE-2026-34033"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T09:16:29Z",
"severity": "MODERATE"
},
"details": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache Answer.\n\nThis issue affects Apache Answer: through 2.0.0.\n\nUser-supplied content was included in notification emails without proper escaping, allowing authenticated users to inject arbitrary HTML into emails sent to other users.\nUsers are recommended to upgrade to version 2.0.1, which fixes the issue.",
"id": "GHSA-6qwm-5fm9-cvjx",
"modified": "2026-06-09T18:30:37Z",
"published": "2026-06-09T09:32:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34033"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/wrfd9blbfotfg479jr8vlwfx6pwr9sgj"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/06/09/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6VXV-WG6J-5QWP
Vulnerability from github – Published: 2026-06-19 21:42 – Updated: 2026-06-19 21:42Summary
Gogs renders Jupyter notebook files (.ipynb) using jsvine/notebookjs, but the version is outdated, missing patches for known XSS vulnerabilities.
Details
Gogs uses version 0.4.2 of notebookjs to render Jupyter notebook files:
https://github.com/gogs/gogs/blob/7297aee50d4c115836c7de8a3a233daaef87b911/templates/base/head.tmpl#L47
The latest version of jsvine/notebookjs is 0.8.3, patching many XSS vulnerabilities in its releases. The proof of concept below shows an example working payload that renders HTML through Markdown.
PoC
- Create a new repository
- Create a file inside the repository named
xss.ipynband give it the following content:
{"cells": [{"cell_type": "markdown", "metadata": {}, "source": ["<img src=x onerror=\"alert(origin)\">"]}], "metadata": {}, "nbformat": 4, "nbformat_minor": 2}
- Save the file and view the file in Gogs. Notice that the XSS popup triggers:
Impact
Any user with rights to create repositories can create XSS payloads that take over the victim's account when visited. Either through their own exploration of the files or by directly linking them the vulnerable URL.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "gogs.io/gogs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.14.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T21:42:52Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nGogs renders Jupyter notebook files (`.ipynb`) using [jsvine/notebookjs](https://github.com/jsvine/notebookjs), but the version is outdated, missing patches for known XSS vulnerabilities.\n\n### Details\n\nGogs uses version 0.4.2 of notebookjs to render Jupyter notebook files:\n\nhttps://github.com/gogs/gogs/blob/7297aee50d4c115836c7de8a3a233daaef87b911/templates/base/head.tmpl#L47\n\nThe latest version of [jsvine/notebookjs](https://github.com/jsvine/notebookjs) is 0.8.3, patching many XSS vulnerabilities in its releases. The proof of concept below shows an example working payload that renders HTML through Markdown.\n\n### PoC\n\n1. Create a new repository\n2. Create a file inside the repository named `xss.ipynb` and give it the following content:\n\n```json\n{\"cells\": [{\"cell_type\": \"markdown\", \"metadata\": {}, \"source\": [\"\u003cimg src=x onerror=\\\"alert(origin)\\\"\u003e\"]}], \"metadata\": {}, \"nbformat\": 4, \"nbformat_minor\": 2}\n```\n\n\u003cimg width=\"1054\" height=\"208\" alt=\"image\" src=\"https://github.com/user-attachments/assets/49b7f33c-c4df-4537-99e9-b1ea74f2c6de\" /\u003e\n\n3. Save the file and view the file in Gogs. Notice that the XSS popup triggers:\n\n\u003cimg width=\"1317\" height=\"407\" alt=\"image\" src=\"https://github.com/user-attachments/assets/3b18d870-7194-41b0-92db-687e952abc07\" /\u003e\n\n### Impact\n\nAny user with rights to create repositories can create XSS payloads that take over the victim\u0027s account when visited. Either through their own exploration of the files or by directly linking them the vulnerable URL.",
"id": "GHSA-6vxv-wg6j-5qwp",
"modified": "2026-06-19T21:42:52Z",
"published": "2026-06-19T21:42:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-6vxv-wg6j-5qwp"
},
{
"type": "PACKAGE",
"url": "https://github.com/gogs/gogs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Gogs: XSS in .ipynb files renderer due to outdated notebookjs"
}
GHSA-6W9X-4C3F-J6GH
Vulnerability from github – Published: 2025-11-18 09:30 – Updated: 2025-11-18 09:30The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_cta_url' and 'vkExUnit_cta_button_text' parameters in all versions up to, and including, 9.112.1. This is due to a logic error in the CTA save function that reads sanitization callbacks from the wrong variable ($custom_field_name instead of $custom_field_options), causing the sanitization to never be applied. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that execute when a user accesses an injected page.",
{
"affected": [],
"aliases": [
"CVE-2025-11265"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-18T08:15:50Z",
"severity": "MODERATE"
},
"details": "The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027vkExUnit_cta_url\u0027 and \u0027vkExUnit_cta_button_text\u0027 parameters in all versions up to, and including, 9.112.1. This is due to a logic error in the CTA save function that reads sanitization callbacks from the wrong variable ($custom_field_name instead of $custom_field_options), causing the sanitization to never be applied. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that execute when a user accesses an injected page.\",",
"id": "GHSA-6w9x-4c3f-j6gh",
"modified": "2025-11-18T09:30:51Z",
"published": "2025-11-18T09:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11265"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/vk-all-in-one-expansion-unit/tags/9.112.0.1/inc/call-to-action/package/block/index.php#L259"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/vk-all-in-one-expansion-unit/tags/9.112.0.1/inc/call-to-action/package/block/index.php#L271"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/vk-all-in-one-expansion-unit/tags/9.112.0.1/inc/call-to-action/package/class-vk-call-to-action.php#L198"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3394731%40vk-all-in-one-expansion-unit%2Ftrunk\u0026old=3385606%40vk-all-in-one-expansion-unit%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file2"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9e5a6158-03d4-4ac7-8a4b-666cedabb433?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6WPP-88CP-7Q68
Vulnerability from github – Published: 2026-04-28 22:50 – Updated: 2026-05-08 15:29Summary
The HTML Writer in PhpSpreadsheet bypasses htmlspecialchars() output escaping when a cell uses a custom number format containing the @ text placeholder with additional literal text (e.g., @ "items" or "Total: "@). This allows an attacker to inject arbitrary HTML and JavaScript into the generated HTML output by crafting a malicious XLSX file.
Details
1. Conditional escaping in Html.php:1586-1594
$cellData = NumberFormat::toFormattedString(
$origData2,
$formatCode ?? NumberFormat::FORMAT_GENERAL,
[$this, 'formatColor']
);
if ($cellData === $origData) {
$cellData = htmlspecialchars($cellData, Settings::htmlEntityFlags());
}
htmlspecialchars() is only called when $cellData === $origData (strict comparison). If the formatted output differs from the original value in any way, escaping is skipped entirely.
2. Early return in Formatter.php:136-152
if (preg_match(self::SECTION_SPLIT, $format) === 0
&& preg_match(self::SYMBOL_AT, $formatx) === 1) {
if (!str_contains($format, '"')) {
return str_replace('@', /* raw value */, $format);
}
return str_replace(/* ... preg_replace with raw value ... */);
}
When the format code contains @ with additional literal text (e.g., @ "items"), the formatter substitutes the raw cell value into the format string and returns early — the formatColor callback (which would have applied htmlspecialchars) is never invoked.
PoC
test.php
<?php
require '/app/vendor/autoload.php';
use PhpOffice\PhpSpreadsheet\Spreadsheet;
use PhpOffice\PhpSpreadsheet\Writer\Html;
$spreadsheet = new Spreadsheet();
$sheet = $spreadsheet->getActiveSheet();
$payload = '<img src=x onerror=alert(document.domain)>';
$formatCode = '@ "items"';
$sheet->setCellValue('A1', $payload);
$sheet->getStyle('A1')->getNumberFormat()->setFormatCode($formatCode);
$writer = new Html($spreadsheet);
$html = $writer->generateHTMLAll();
file_put_contents('/app/output.html', $html);
echo "HTML output saved to /app/output.html\n";
The produced output contains unescaped data.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="generator" content="PhpSpreadsheet, https://github.com/PHPOffice/PhpSpreadsheet" />
<title>Untitled Spreadsheet</title>
<meta name="author" content="Unknown Creator" />
<meta name="title" content="Untitled Spreadsheet" />
<meta name="lastModifiedBy" content="Unknown Creator" />
<meta name="created" content="2026-04-02T16:34:44+00:00" />
<meta name="modified" content="2026-04-02T16:34:44+00:00" />
<style type="text/css">
[..SNIP..]
</style>
</head>
<body>
<div style='page: page0'>
<table border='0' cellpadding='0' cellspacing='0' id='sheet0' class='sheet0 gridlines'>
<col class="col0" />
<tbody>
<tr class="row0">
<td class="column0 style1 s"><img src=x onerror=alert(document.domain)> items</td>
</tr>
</tbody></table>
</div>
</body>
</html>
Impact
The impact changes based on the way the HTML is served. In case it is served from the web server it is typical XSS, in case the file is downloaded and opened locally, the attack vector is more limited.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.6.0"
},
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "5.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.10.4"
},
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "3.3.0"
},
{
"fixed": "3.10.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.4.4"
},
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.4.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.1.15"
},
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.30.3"
},
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.30.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35453"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-28T22:50:31Z",
"nvd_published_at": "2026-05-05T20:16:38Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe HTML Writer in PhpSpreadsheet bypasses `htmlspecialchars()` output escaping when a cell uses a custom number format containing the `@` text placeholder with additional literal text (e.g., `@ \"items\"` or `\"Total: \"@`). This allows an attacker to inject arbitrary HTML and JavaScript into the generated HTML output by crafting a malicious XLSX file.\n\n### Details\n\n\n#### 1. Conditional escaping in `Html.php:1586-1594`\n\n```php\n$cellData = NumberFormat::toFormattedString(\n $origData2,\n $formatCode ?? NumberFormat::FORMAT_GENERAL,\n [$this, \u0027formatColor\u0027]\n);\n\nif ($cellData === $origData) {\n $cellData = htmlspecialchars($cellData, Settings::htmlEntityFlags());\n}\n```\n\n`htmlspecialchars()` is only called when `$cellData === $origData` (strict comparison). If the formatted output differs from the original value in any way, escaping is skipped entirely.\n\n#### 2. Early return in `Formatter.php:136-152`\n\n```php\nif (preg_match(self::SECTION_SPLIT, $format) === 0\n \u0026\u0026 preg_match(self::SYMBOL_AT, $formatx) === 1) {\n if (!str_contains($format, \u0027\"\u0027)) {\n return str_replace(\u0027@\u0027, /* raw value */, $format);\n }\n return str_replace(/* ... preg_replace with raw value ... */);\n}\n```\n\nWhen the format code contains `@` with additional literal text (e.g., `@ \"items\"`), the formatter substitutes the raw cell value into the format string and **returns early** \u2014 the `formatColor` callback (which would have applied `htmlspecialchars`) is never invoked.\n\n\n### PoC\n\n**test.php**\n``` php\n\u003c?php\n\nrequire \u0027/app/vendor/autoload.php\u0027;\n\nuse PhpOffice\\PhpSpreadsheet\\Spreadsheet;\nuse PhpOffice\\PhpSpreadsheet\\Writer\\Html;\n\n$spreadsheet = new Spreadsheet();\n$sheet = $spreadsheet-\u003egetActiveSheet();\n\n$payload = \u0027\u003cimg src=x onerror=alert(document.domain)\u003e\u0027;\n$formatCode = \u0027@ \"items\"\u0027;\n\n\n$sheet-\u003esetCellValue(\u0027A1\u0027, $payload);\n$sheet-\u003egetStyle(\u0027A1\u0027)-\u003egetNumberFormat()-\u003esetFormatCode($formatCode);\n\n$writer = new Html($spreadsheet);\n$html = $writer-\u003egenerateHTMLAll();\n\nfile_put_contents(\u0027/app/output.html\u0027, $html);\n\necho \"HTML output saved to /app/output.html\\n\";\n```\n\nThe produced output contains unescaped data.\n``` html\n\u003c!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"\u003e\n\u003chtml xmlns=\"http://www.w3.org/1999/xhtml\"\u003e\n \u003chead\u003e\n \u003cmeta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" /\u003e\n \u003cmeta name=\"generator\" content=\"PhpSpreadsheet, https://github.com/PHPOffice/PhpSpreadsheet\" /\u003e\n \u003ctitle\u003eUntitled Spreadsheet\u003c/title\u003e\n \u003cmeta name=\"author\" content=\"Unknown Creator\" /\u003e\n \u003cmeta name=\"title\" content=\"Untitled Spreadsheet\" /\u003e\n \u003cmeta name=\"lastModifiedBy\" content=\"Unknown Creator\" /\u003e\n \u003cmeta name=\"created\" content=\"2026-04-02T16:34:44+00:00\" /\u003e\n \u003cmeta name=\"modified\" content=\"2026-04-02T16:34:44+00:00\" /\u003e\n \u003cstyle type=\"text/css\"\u003e\n[..SNIP..]\n \u003c/style\u003e\n \u003c/head\u003e\n\n \u003cbody\u003e\n\u003cdiv style=\u0027page: page0\u0027\u003e\n \u003ctable border=\u00270\u0027 cellpadding=\u00270\u0027 cellspacing=\u00270\u0027 id=\u0027sheet0\u0027 class=\u0027sheet0 gridlines\u0027\u003e\n \u003ccol class=\"col0\" /\u003e\n \u003ctbody\u003e\n \u003ctr class=\"row0\"\u003e\n \u003ctd class=\"column0 style1 s\"\u003e\u003cimg src=x onerror=alert(document.domain)\u003e items\u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\u003c/table\u003e\n\u003c/div\u003e\n \u003c/body\u003e\n\u003c/html\u003e\n```\n\n\u003cimg width=\"719\" height=\"716\" alt=\"Screenshot 2026-04-02 at 18 45 53\" src=\"https://github.com/user-attachments/assets/b758b063-a2d1-4e76-87bb-931eae81dbfe\" /\u003e\n\n\n\n### Impact\n\nThe impact changes based on the way the HTML is served. \nIn case it is served from the web server it is typical XSS, in case the file is downloaded and opened locally, the attack vector is more limited.",
"id": "GHSA-6wpp-88cp-7q68",
"modified": "2026-05-08T15:29:45Z",
"published": "2026-04-28T22:50:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-6wpp-88cp-7q68"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35453"
},
{
"type": "PACKAGE",
"url": "https://github.com/PHPOffice/PhpSpreadsheet"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "PhpSpreadsheet has XSS via NumberFormat @ Text Substitution in HTML Writer"
}
Mitigation
Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.
Mitigation MIT-30.1
Strategy: Output Encoding
- Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
- The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
Mitigation MIT-43
With Struts, write all data from form beans with the bean's filter attribute set to true.
Mitigation MIT-31
Strategy: Attack Surface Reduction
To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XmlHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.
CAPEC-18: XSS Targeting Non-Script Elements
This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an adversary to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote adversary to collect and interpret the output of said attack.
CAPEC-193: PHP Remote File Inclusion
In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions.
CAPEC-32: XSS Through HTTP Query Strings
An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application. The web application then procedes to use the values parameters without properly validation them first and generates the HTML code that will be executed by the victim's browser.
CAPEC-86: XSS Through HTTP Headers
An adversary exploits web applications that generate web content, such as links in a HTML page, based on unvalidated or improperly validated data submitted by other actors. XSS in HTTP Headers attacks target the HTTP headers which are hidden from most users and may not be validated by web applications.