CWE-80
AllowedImproper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
936 vulnerabilities reference this CWE, most recent first.
GHSA-R584-6283-P7XC
Vulnerability from github – Published: 2026-03-27 20:33 – Updated: 2026-03-27 21:48Summary
An authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point (The lines or the dots representing that device's movement, as shown in the screenshot below, with the example showing a html-injection using <s> to strikethrough the text)
This allows an authenticated user to execute JavaScript in the context of any other users accessing a dashboard.
Details
The vulnerability exists in the map-card by adding a malicious entity and having the property hours_to_show set.
See example below, with the malicious entity being Pixel 9 <s> Fold Robin {{7*7}}:
Map card with malicious device entity:
YAML-view of same card:
This issue largely resembles the issue documented in: CVE-2025-62172, but with an entity which can be displayed in a Map, instead of in an energy-dashboard.
PoC
- Register a new sensor (or device) or change the name of an existing one, which provides a location
-
Change the name to something malicious, for example
test <img src=x onerror=alert(document.domain) />For a new entity, it should work when setting the name. For old entities, go here:
-
Add the entity to a map card, which has the "hours to show"-attribute set, to display movement history
(The left arrow showing the custom setting, and the right arrow showing a data point which needs to be hovered)
- The payload executes when hovering a data-point (here shown with an "alert(document.domain"-payload)
Impact
The impact of this vulnerability is that a user can target other users of the system and perform account takeover through client side exploitation of XSS.
In the context of this system, I believe the vulnerability to be less impactful than the CVSS metric describes, as it requires a specific setup (map-card with attribute hours_to_show set, as this brings up the trail). It is interesting to note that any user who sets this attribute, will be highly likely to trigger the vulnerability through normal use. It also has no potential for being imported through seemingly innocent integrations and can only be set explicitly by another invited user, a device name, a cloud service or through social engineering. Other devices which has the same sensor can trigger the same vulnerability, and I expect there to exists cloud-based devices that would enable a threat actor to deliver the payload remotely.
Suggested criticality: Medium
Credit: Robin Lunde - https://robinlunde.com
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "homeassistant"
},
"ranges": [
{
"events": [
{
"introduced": "2020.02"
},
{
"fixed": "2026.01"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33044"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T20:33:22Z",
"nvd_published_at": "2026-03-27T20:16:30Z",
"severity": "LOW"
},
"details": "### Summary\nAn authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point (The lines or the dots representing that device\u0027s movement, as shown in the screenshot below, with the example showing a html-injection using `\u003cs\u003e` to strikethrough the text)\n\u003cimg width=\"348\" height=\"355\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1af3ef33-3a72-4816-8ade-e6405aace176\" /\u003e\n\nThis allows an authenticated user to execute JavaScript in the context of any other users accessing a dashboard.\n\n### Details\n\nThe vulnerability exists in the map-card by adding a malicious entity and having the property `hours_to_show` set.\nSee example below, with the malicious entity being `Pixel 9 \u003cs\u003e Fold Robin {{7*7}}`:\nMap card with malicious device entity:\n\u003cimg width=\"338\" height=\"332\" alt=\"image\" src=\"https://github.com/user-attachments/assets/15229cc3-1b69-438c-9ee5-cbfa9483aec9\" /\u003e\n\nYAML-view of same card:\n\u003cimg width=\"338\" height=\"198\" alt=\"image\" src=\"https://github.com/user-attachments/assets/cd579266-75c3-4cdf-9d08-1544a6887feb\" /\u003e\n\n\nThis issue largely resembles the issue documented in: [CVE-2025-62172](https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m), but with an entity which can be displayed in a Map, instead of in an energy-dashboard.\n\n\n### PoC\n1. Register a new sensor (or device) or change the name of an existing one, which provides a location\n2. Change the name to something malicious, for example `test \u003cimg src=x onerror=alert(document.domain) /\u003e`\nFor a new entity, it should work when setting the name. For old entities, go here:\n\u003cimg width=\"1300\" height=\"411\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d240549e-f26c-4617-89d7-5480451ae5a3\" /\u003e\n\u003cimg width=\"1383\" height=\"885\" alt=\"image\" src=\"https://github.com/user-attachments/assets/94db6186-ad54-476c-92a3-9f6870b0c862\" /\u003e\n\u003cimg width=\"387\" height=\"436\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f4c4b9f6-b1e7-4b50-9012-3be31c617be4\" /\u003e\n\u003cbr\u003e\n\u003cimg width=\"392\" height=\"515\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a0f24d2f-cc18-4ef7-9071-40376dbb38c1\" /\u003e\n\n3. Add the entity to a map card, which has the \"hours to show\"-attribute set, to display movement history\n\u003cimg width=\"296\" height=\"383\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b2db55b6-3d4b-4ab0-91fe-fc26813ad5ff\" /\u003e\n\u003cimg width=\"692\" height=\"410\" alt=\"image\" src=\"https://github.com/user-attachments/assets/aec15e07-12c0-4abf-ba73-979736131c7c\" /\u003e\n\n\u003cimg width=\"694\" height=\"302\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e4bb7cac-fe85-41eb-963c-1743e78d937c\" /\u003e\n\n(The left arrow showing the custom setting, and the right arrow showing a data point which needs to be hovered)\n\n4. The payload executes when hovering a data-point (here shown with an \"alert(document.domain\"-payload)\n\u003cimg width=\"504\" height=\"118\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9f24e1fe-949f-4fa5-9e4f-781828a1343b\" /\u003e\n\n### Impact\nThe impact of this vulnerability is that a user can target other users of the system and perform account takeover through client side exploitation of XSS.\n\nIn the context of this system, I believe the vulnerability to be less impactful than the CVSS metric describes, as it requires a specific setup (map-card with attribute `hours_to_show` set, as this brings up the trail). It is interesting to note that any user who sets this attribute, will be highly likely to trigger the vulnerability through normal use. It also has no potential for being imported through seemingly innocent integrations and can only be set explicitly by another invited user, a device name, a cloud service or through social engineering. Other devices which has the same sensor can trigger the same vulnerability, and I expect there to exists cloud-based devices that would enable a threat actor to deliver the payload remotely.\n\nSuggested criticality: **Medium**\n\nCredit: Robin Lunde - [https://robinlunde.com](https://robinlunde.com)",
"id": "GHSA-r584-6283-p7xc",
"modified": "2026-03-27T21:48:32Z",
"published": "2026-03-27T20:33:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-r584-6283-p7xc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33044"
},
{
"type": "PACKAGE",
"url": "https://github.com/home-assistant/core"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Home Assistant has stored XSS in Map-card through malicious device name"
}
GHSA-R5XW-GCGW-HWP5
Vulnerability from github – Published: 2026-07-09 21:01 – Updated: 2026-07-09 21:01Summary
YesWiki's Bazar widget handler reflects the id GET parameter into HTML attributes using strip_tags() only. Because strip_tags() does not escape double quotes, an attacker can break out of the attribute value, inject an event handler such as onmouseover, and execute arbitrary JavaScript in the victim's browser.
This issue is reachable without authentication. During validation, the vulnerable widget route returned the injected HTML for both /HomePage/widget?id=... and /NoSuchPage/widget?id=..., which shows that no login, no page ownership, no edit rights, and not even a valid page tag were required. The only routing prerequisite observed was that the Bazar extension is enabled and the request includes an id parameter.
Details
The primary sink is in tools/bazar/presentation/templates/widget.tpl.html around lines 4-7, where $_GET['id'] is inserted into the data-formid attribute:
data-formid="<?php echo strip_tags($_GET['id']); ?>"
strip_tags() is not an output-encoding function. It removes HTML tags, but it does not escape characters such as double quotes, so an attacker can terminate the data-formid attribute and inject new attacker-controlled attributes.
The route is served by tools/bazar/handlers/__WidgetHandler.php around lines 14-26, which only checks whether $_GET['id'] is present:
if (!isset($_GET['id'])) {
return null;
}
No HasAccess('read'), HasAccess('write'), or authentication check is performed before the vulnerable template is rendered.
There is also a second reflection path in the same handler. The handler builds:
$urlParams = 'id=' . strip_tags($_GET['id']) . ...
and then places the resulting value into the widget template's data-iframeUrl attribute:
data-iframeUrl="<?php echo $GLOBALS['wiki']->href('bazariframe', '', $urlparams, false); ?>"
During validation, a single payload injected into id was reflected into both data-formid and data-iframeUrl, which confirms that the handler exposes multiple attribute-level sinks from the same unsafely handled input.
This issue maps to CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
PoC
- Set up a vulnerable YesWiki instance with the bundled Bazar extension enabled. This was validated locally on the official
doryphore 4.6.5release. - Confirm the minimum access requirements:
- No account is required.
- No
readorwritepermission on a specific page is required. - No valid existing page tag is required.
- No valid Bazar form identifier is required.
- The only observed requirements were that the Bazar widget handler is present and the request includes an
idparameter. - Request the widget handler with an attribute-breaking payload in
id, for example:
http://127.0.0.1:8085/NoSuchPage/widget?id=%22%20onmouseover=%22alert(1)%22%20x=%22
- Open the URL in a browser as an unauthenticated visitor.
- Observe that the server returns HTTP
200and renders the Bazar widget page even though the page tag is arbitrary. - Inspect the returned HTML. The response contains attacker-controlled attributes in the widget root element:
<div id="widgetapp" v-cloak
data-formid="" onmouseover="alert(1)" x=""
...
data-iframeUrl="http://127.0.0.1:8085/NoSuchPage/bazariframe&id=" onmouseover="alert(1)" x=""
>
- Move the mouse over the
widgetappelement or otherwise trigger the injected event handler. - The browser executes the injected JavaScript in the YesWiki origin.
Impact
This is a reflected XSS vulnerability in the Bazar widget handler with very low attacker prerequisites.
The practical access model is:
- The attacker only needs to send a crafted public URL.
- The victim does not need to authenticate.
- The attacker does not need edit rights, ownership, or a valid page tag.
- The route only needs to be reachable on a YesWiki instance with Bazar enabled.
An attacker may be able to:
- Execute arbitrary JavaScript in the victim's browser.
- Steal browser-accessible sensitive data.
- Perform actions in the victim's session if the victim is logged in.
- Target public visitors and authenticated users alike because the route is reachable without access-control checks.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "yeswiki/yeswiki"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52774"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-09T21:01:10Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nYesWiki\u0027s Bazar widget handler reflects the `id` `GET` parameter into HTML attributes using `strip_tags()` only. Because `strip_tags()` does not escape double quotes, an attacker can break out of the attribute value, inject an event handler such as `onmouseover`, and execute arbitrary JavaScript in the victim\u0027s browser.\n\nThis issue is reachable without authentication. During validation, the vulnerable `widget` route returned the injected HTML for both `/HomePage/widget?id=...` and `/NoSuchPage/widget?id=...`, which shows that no login, no page ownership, no edit rights, and not even a valid page tag were required. The only routing prerequisite observed was that the Bazar extension is enabled and the request includes an `id` parameter.\n\n### Details\nThe primary sink is in `tools/bazar/presentation/templates/widget.tpl.html` around lines `4-7`, where `$_GET[\u0027id\u0027]` is inserted into the `data-formid` attribute:\n\n```php\ndata-formid=\"\u003c?php echo strip_tags($_GET[\u0027id\u0027]); ?\u003e\"\n```\n\n`strip_tags()` is not an output-encoding function. It removes HTML tags, but it does not escape characters such as double quotes, so an attacker can terminate the `data-formid` attribute and inject new attacker-controlled attributes.\n\nThe route is served by `tools/bazar/handlers/__WidgetHandler.php` around lines `14-26`, which only checks whether `$_GET[\u0027id\u0027]` is present:\n\n```php\nif (!isset($_GET[\u0027id\u0027])) {\n return null;\n}\n```\n\nNo `HasAccess(\u0027read\u0027)`, `HasAccess(\u0027write\u0027)`, or authentication check is performed before the vulnerable template is rendered.\n\nThere is also a second reflection path in the same handler. The handler builds:\n\n```php\n$urlParams = \u0027id=\u0027 . strip_tags($_GET[\u0027id\u0027]) . ...\n```\n\nand then places the resulting value into the widget template\u0027s `data-iframeUrl` attribute:\n\n```php\ndata-iframeUrl=\"\u003c?php echo $GLOBALS[\u0027wiki\u0027]-\u003ehref(\u0027bazariframe\u0027, \u0027\u0027, $urlparams, false); ?\u003e\"\n```\n\nDuring validation, a single payload injected into `id` was reflected into both `data-formid` and `data-iframeUrl`, which confirms that the handler exposes multiple attribute-level sinks from the same unsafely handled input.\n\nThis issue maps to **CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)**.\n\n### PoC\n1. Set up a vulnerable YesWiki instance with the bundled Bazar extension enabled. This was validated locally on the official `doryphore 4.6.5` release.\n2. Confirm the minimum access requirements:\n - No account is required.\n - No `read` or `write` permission on a specific page is required.\n - No valid existing page tag is required.\n - No valid Bazar form identifier is required.\n - The only observed requirements were that the Bazar widget handler is present and the request includes an `id` parameter.\n3. Request the widget handler with an attribute-breaking payload in `id`, for example:\n\n```text\nhttp://127.0.0.1:8085/NoSuchPage/widget?id=%22%20onmouseover=%22alert(1)%22%20x=%22\n```\n\n4. Open the URL in a browser as an unauthenticated visitor.\n5. Observe that the server returns HTTP `200` and renders the Bazar widget page even though the page tag is arbitrary.\n6. Inspect the returned HTML. The response contains attacker-controlled attributes in the widget root element:\n\n```html\n\u003cdiv id=\"widgetapp\" v-cloak\n data-formid=\"\" onmouseover=\"alert(1)\" x=\"\"\n ...\n data-iframeUrl=\"http://127.0.0.1:8085/NoSuchPage/bazariframe\u0026id=\" onmouseover=\"alert(1)\" x=\"\"\n\u003e\n```\n\n7. Move the mouse over the `widgetapp` element or otherwise trigger the injected event handler.\n8. The browser executes the injected JavaScript in the YesWiki origin.\n\n\u003cimg width=\"1600\" height=\"838\" alt=\"image\" src=\"https://github.com/user-attachments/assets/de592586-a6ee-48f4-bbde-137ab07aaa71\" /\u003e\n\n### Impact\nThis is a **reflected XSS** vulnerability in the Bazar widget handler with very low attacker prerequisites.\n\nThe practical access model is:\n\n- The attacker only needs to send a crafted public URL.\n- The victim does not need to authenticate.\n- The attacker does not need edit rights, ownership, or a valid page tag.\n- The route only needs to be reachable on a YesWiki instance with Bazar enabled.\n\nAn attacker may be able to:\n\n- Execute arbitrary JavaScript in the victim\u0027s browser.\n- Steal browser-accessible sensitive data.\n- Perform actions in the victim\u0027s session if the victim is logged in.\n- Target public visitors and authenticated users alike because the route is reachable without access-control checks.",
"id": "GHSA-r5xw-gcgw-hwp5",
"modified": "2026-07-09T21:01:10Z",
"published": "2026-07-09T21:01:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-r5xw-gcgw-hwp5"
},
{
"type": "WEB",
"url": "https://github.com/YesWiki/yeswiki/commit/1aa2710c7505630b858f2142a65f9441bfaba2b2"
},
{
"type": "PACKAGE",
"url": "https://github.com/YesWiki/yeswiki"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "YesWiki Vulnerable to Reflected XSS via Unescaped `id` Parameter in Bazar Widget HTML Attributes"
}
GHSA-R6F4-5657-3FP7
Vulnerability from github – Published: 2024-07-22 15:32 – Updated: 2024-07-22 15:32An reflected XSS vulnerability exists in the handling of invalid paths in the Flask server in Ankitects Anki 24.04. A specially crafted flashcard can lead to JavaScript code execution and result in an arbitrary file read. An attacker can share a malicious flashcard to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-32484"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-22T15:15:03Z",
"severity": "HIGH"
},
"details": "An reflected XSS vulnerability exists in the handling of invalid paths in the Flask server in Ankitects Anki 24.04. A specially crafted flashcard can lead to JavaScript code execution and result in an arbitrary file read. An attacker can share a malicious flashcard to trigger this vulnerability.",
"id": "GHSA-r6f4-5657-3fp7",
"modified": "2024-07-22T15:32:41Z",
"published": "2024-07-22T15:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32484"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1995"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R6WX-627V-GH2F
Vulnerability from github – Published: 2024-12-05 22:37 – Updated: 2025-11-19 17:50Summary
The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection.
Details
The Comment feature implements a character filter on the client-side, this can be bypassed by directly sending a request to the endpoint.
Example Request:
PATCH /activity/comment/3 HTTP/2
Host: directus.local
{
"comment": "<h1>TEST <p style=\"color:red\">HTML INJECTION</p> <a href=\"//evil.com\">Test Link</a></h1>"
}
Example Response:
{
"data": {
"id": 3,
"action": "comment",
"user": "288fdccc-399a-40a1-ac63-811bf62e6a18",
"timestamp": "2023-09-06T02:23:40.740Z",
"ip": "10.42.0.1",
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36",
"collection": "directus_files",
"item": "7247dda1-c386-4e7a-8121-7e9c1a42c15a",
"comment": "<h1>TEST <p style=\"color:red\">HTML INJECTION</p> <a href=\"//evil.com\">Test Link</a></h1>",
"origin": "https://directus.local",
"revisions": []
}
}
Example Result:

Impact
With the introduction of session cookies this issue has become exploitable as a malicious script is now able to do authenticated actions on the current users behalf.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@directus/app"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "13.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "directus"
},
"ranges": [
{
"events": [
{
"introduced": "10.10.0"
},
{
"fixed": "10.13.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "directus"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-rc.1"
},
{
"fixed": "11.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-54128"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-05T22:37:32Z",
"nvd_published_at": "2024-12-05T17:15:15Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection.\n\n### Details\nThe Comment feature implements a character filter on the client-side, this can be bypassed by directly sending a request to the endpoint.\n\nExample Request:\n\n```\nPATCH /activity/comment/3 HTTP/2\nHost: directus.local\n\n{\n \"comment\": \"\u003ch1\u003eTEST \u003cp style=\\\"color:red\\\"\u003eHTML INJECTION\u003c/p\u003e \u003ca href=\\\"//evil.com\\\"\u003eTest Link\u003c/a\u003e\u003c/h1\u003e\"\n}\n```\n\nExample Response:\n\n```json\n{\n \"data\": {\n \"id\": 3,\n \"action\": \"comment\",\n \"user\": \"288fdccc-399a-40a1-ac63-811bf62e6a18\",\n \"timestamp\": \"2023-09-06T02:23:40.740Z\",\n \"ip\": \"10.42.0.1\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\",\n \"collection\": \"directus_files\",\n \"item\": \"7247dda1-c386-4e7a-8121-7e9c1a42c15a\",\n \"comment\": \"\u003ch1\u003eTEST \u003cp style=\\\"color:red\\\"\u003eHTML INJECTION\u003c/p\u003e \u003ca href=\\\"//evil.com\\\"\u003eTest Link\u003c/a\u003e\u003c/h1\u003e\",\n \"origin\": \"https://directus.local\",\n \"revisions\": []\n }\n}\n```\n\nExample Result:\n\n\n\n## Impact\n\nWith the introduction of session cookies this issue has become exploitable as a malicious script is now able to do authenticated actions on the current users behalf.",
"id": "GHSA-r6wx-627v-gh2f",
"modified": "2025-11-19T17:50:43Z",
"published": "2024-12-05T22:37:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-r6wx-627v-gh2f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54128"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/commit/4487fb18d5cb09e071b111d2dc0c9d6bcb437633"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/commit/c89dbb233fbad2fd0cf41eb99d50c6de4e84195d"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Directus has an HTML Injection in Comment"
}
GHSA-R77J-8275-G6JM
Vulnerability from github – Published: 2026-04-07 21:32 – Updated: 2026-04-16 00:54Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.
{
"affected": [],
"aliases": [
"CVE-2026-39839"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-07T20:16:33Z",
"severity": "MODERATE"
},
"details": "Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.",
"id": "GHSA-r77j-8275-g6jm",
"modified": "2026-04-16T00:54:04Z",
"published": "2026-04-07T21:32:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39839"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237957"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237977"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T416271"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R7QR-W3M7-GJWM
Vulnerability from github – Published: 2025-01-16 21:31 – Updated: 2026-04-01 18:33Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Ella van Durpe Slides & Presentations allows Code Injection.This issue affects Slides & Presentations: from n/a through 0.0.39.
{
"affected": [],
"aliases": [
"CVE-2025-23919"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-16T21:15:33Z",
"severity": "MODERATE"
},
"details": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Ella van Durpe Slides \u0026 Presentations allows Code Injection.This issue affects Slides \u0026 Presentations: from n/a through 0.0.39.",
"id": "GHSA-r7qr-w3m7-gjwm",
"modified": "2026-04-01T18:33:16Z",
"published": "2025-01-16T21:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23919"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/slide/vulnerability/wordpress-slides-presentations-plugin-0-0-39-content-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-R84C-C4FR-6449
Vulnerability from github – Published: 2024-12-09 15:31 – Updated: 2026-04-01 18:32Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Contact Form - Repute InfoSystems ARForms Form Builder allows Code Injection.This issue affects ARForms Form Builder: from n/a through 1.7.1.
{
"affected": [],
"aliases": [
"CVE-2024-54223"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-09T13:15:42Z",
"severity": "MODERATE"
},
"details": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Contact Form - Repute InfoSystems ARForms Form Builder allows Code Injection.This issue affects ARForms Form Builder: from n/a through 1.7.1.",
"id": "GHSA-r84c-c4fr-6449",
"modified": "2026-04-01T18:32:42Z",
"published": "2024-12-09T15:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54223"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/arforms-form-builder/vulnerability/wordpress-arforms-plugin-1-7-1-html-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R8F4-HV23-6QP6
Vulnerability from github – Published: 2024-02-08 18:45 – Updated: 2024-10-16 17:25Impact
A vulnerability has been identified in which unauthenticated cross-site scripting (XSS) in Norman's public API endpoint can be exploited. This can lead to an attacker exploiting the vulnerability to trigger JavaScript code and execute commands remotely.
The attack vector was identified as a Reflected XSS.
Norman API propagates malicious payloads from user input to the UI, which renders the output. For example, a malicious URL gets rendered into a script that is executed on a page.
The changes addressed by this fix are:
- Encode input that comes from the request URL before adding it to the response.
- The request input is escaped by changing the URL construction that is used for links to use url.URL.
- The request input is escaped by escaping the JavaScript and CSS variables with attribute encoding as defined by OWASP.
Patches
Patched versions include the following commits:
| Branch | Commit |
|---|---|
| master | 3bb70b7 |
| release/v2.8 | a6a6cf5 |
| release/v2.7 | cb54924 |
| release/v2.7.s3 | 7b2b467 |
| release/v2.6 | bd13c65 |
Workarounds
There is no direct mitigation besides updating Norman API to a patched version.
References
If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security-related inquiries.
- Open an issue in the Rancher repository.
- Verify with our support matrix and product support lifecycle.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/norman"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20240207153100-3bb70b772b52"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-32193"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-08T18:45:49Z",
"nvd_published_at": "2024-10-16T13:15:12Z",
"severity": "HIGH"
},
"details": "### Impact\nA vulnerability has been identified in which unauthenticated cross-site scripting (XSS) in Norman\u0027s public API endpoint can be exploited. This can lead to an attacker exploiting the vulnerability to trigger JavaScript code and execute commands remotely. \n\nThe attack vector was identified as a Reflected XSS.\n\nNorman API propagates malicious payloads from user input to the UI, which renders the output. For example, a malicious URL gets rendered into a script that is executed on a page.\n\nThe changes addressed by this fix are:\n- Encode input that comes from the request URL before adding it to the response.\n- The request input is escaped by changing the URL construction that is used for links to use `url.URL`.\n- The request input is escaped by escaping the JavaScript and CSS variables with attribute encoding as defined by [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-rules-summary).\n\n### Patches\nPatched versions include the following commits:\n\n| Branch | Commit |\n| -------- | ------- |\n| master | 3bb70b7 |\n| release/v2.8 | a6a6cf5 |\n| release/v2.7 | cb54924 |\n| release/v2.7.s3 | 7b2b467 |\n| release/v2.6 | bd13c65 |\n\n### Workarounds\nThere is no direct mitigation besides updating Norman API to a patched version.\n\n### References\nIf you have any questions or comments about this advisory:\n\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security-related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).\n",
"id": "GHSA-r8f4-hv23-6qp6",
"modified": "2024-10-16T17:25:49Z",
"published": "2024-02-08T18:45:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rancher/norman/security/advisories/GHSA-r8f4-hv23-6qp6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32193"
},
{
"type": "WEB",
"url": "https://github.com/rancher/norman/commit/3bb70b772b52297feac64f5fdeb1b13c06c37e39"
},
{
"type": "WEB",
"url": "https://github.com/rancher/norman/commit/7b2b467995e6dfab6d4a5dee8dffc15033ae8269"
},
{
"type": "WEB",
"url": "https://github.com/rancher/norman/commit/a6a6cf5696088c32002953d36b75bdcc84f2399e"
},
{
"type": "WEB",
"url": "https://github.com/rancher/norman/commit/bd13c653293b9b5e0b37e8a6ccd1c3277f4623ed"
},
{
"type": "WEB",
"url": "https://github.com/rancher/norman/commit/cb54924f25c7666511a913cd41834299ef22dba4"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32193"
},
{
"type": "PACKAGE",
"url": "https://github.com/rancher/norman"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Norman API Cross-site Scripting Vulnerability"
}
GHSA-R8HG-9X2X-9W8F
Vulnerability from github – Published: 2022-12-15 12:30 – Updated: 2022-12-19 15:30A stored cross-site scripting vulnerability exists in the HdConfigActions.aspx altertextlanguages functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-28703"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-15T10:15:00Z",
"severity": "MODERATE"
},
"details": "A stored cross-site scripting vulnerability exists in the HdConfigActions.aspx altertextlanguages functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability.",
"id": "GHSA-r8hg-9x2x-9w8f",
"modified": "2022-12-19T15:30:29Z",
"published": "2022-12-15T12:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28703"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1532"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R9XJ-MVQF-JM7W
Vulnerability from github – Published: 2025-10-16 20:48 – Updated: 2025-10-16 21:54Summary
In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to reflected / stored Cross-Site Scripting (XSS). An attacker with access to the admin create-customer form can inject malicious JavaScript payloads into certain input fields. These payloads may later execute in the context of an admin’s browser or another user viewing the customer data, enabling session theft or admin-level actions.
Details
The vulnerability arises because certain input fields are not properly sanitized or escaped when rendering customer data in the admin UI. The form data is stored in the database (i.e. it is stored XSS), and later when customer records are displayed (e.g. in a grid, detail view, or listing), the input is interpolated into HTML without encoding or filtering.
PoC
Navigate to sales orders, and create a new customer.
Enter the payload
"><svg/onload=prompt(document.domain)> to the first_name and last_name.
Scripts were triggered.
Impact
Stored XSS vulnerability — malicious script persisted in database and executed when viewing the data. An attacker (with limited privilege) could inject JavaScript that runs in the browser of an admin or user who views injected customer records. The script can steal session cookies, perform actions on behalf of admin, escalate privileges, or pivot into further attacks. In an e-commerce admin system, this is high severity due to potential access to customer data, order management, or site configuration.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.3.7"
},
"package": {
"ecosystem": "Packagist",
"name": "bagisto/bagisto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62414"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80",
"CWE-87"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-16T20:48:48Z",
"nvd_published_at": "2025-10-16T19:15:34Z",
"severity": "MODERATE"
},
"details": "### Summary\nIn Bagisto v2.3.7, the \u201cCreate New Customer\u201d feature (in the admin panel) is vulnerable to reflected / stored Cross-Site Scripting (XSS). An attacker with access to the admin create-customer form can inject malicious JavaScript payloads into certain input fields. These payloads may later execute in the context of an admin\u2019s browser or another user viewing the customer data, enabling session theft or admin-level actions.\n\n### Details\nThe vulnerability arises because certain input fields are not properly sanitized or escaped when rendering customer data in the admin UI. The form data is stored in the database (i.e. it is stored XSS), and later when customer records are displayed (e.g. in a grid, detail view, or listing), the input is interpolated into HTML without encoding or filtering. \n\n### PoC\nNavigate to sales orders, and create a new customer.\n\u003cimg width=\"643\" height=\"567\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e3a7c5a2-f53b-4db6-ac23-3451bca58956\" /\u003e\nEnter the payload `\"\u003e\u003csvg/onload=prompt(document.domain)\u003e` to the first_name and last_name.\n\u003cimg width=\"1527\" height=\"767\" alt=\"image\" src=\"https://github.com/user-attachments/assets/86ac325e-7700-477d-a13d-be2d4885f510\" /\u003e\nScripts were triggered.\n\u003cimg width=\"1267\" height=\"321\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ce673b44-13cc-4e88-a89e-03bf0bd7e244\" /\u003e\n\u003cimg width=\"1336\" height=\"404\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d45913ea-b177-4926-8612-92518e12f11e\" /\u003e\n\n\n### Impact\nStored XSS vulnerability \u2014 malicious script persisted in database and executed when viewing the data. An attacker (with limited privilege) could inject JavaScript that runs in the browser of an admin or user who views injected customer records. The script can steal session cookies, perform actions on behalf of admin, escalate privileges, or pivot into further attacks. In an e-commerce admin system, this is high severity due to potential access to customer data, order management, or site configuration.",
"id": "GHSA-r9xj-mvqf-jm7w",
"modified": "2025-10-16T21:54:57Z",
"published": "2025-10-16T20:48:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-r9xj-mvqf-jm7w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62414"
},
{
"type": "PACKAGE",
"url": "https://github.com/bagisto/bagisto"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "bagisto has Cross Site Scripting (XSS) in Create New Customer"
}
Mitigation
Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.
Mitigation MIT-30.1
Strategy: Output Encoding
- Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
- The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
Mitigation MIT-43
With Struts, write all data from form beans with the bean's filter attribute set to true.
Mitigation MIT-31
Strategy: Attack Surface Reduction
To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XmlHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.
CAPEC-18: XSS Targeting Non-Script Elements
This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an adversary to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote adversary to collect and interpret the output of said attack.
CAPEC-193: PHP Remote File Inclusion
In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions.
CAPEC-32: XSS Through HTTP Query Strings
An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application. The web application then procedes to use the values parameters without properly validation them first and generates the HTML code that will be executed by the victim's browser.
CAPEC-86: XSS Through HTTP Headers
An adversary exploits web applications that generate web content, such as links in a HTML page, based on unvalidated or improperly validated data submitted by other actors. XSS in HTTP Headers attacks target the HTTP headers which are hidden from most users and may not be validated by web applications.