All CosmicBytez Labs articles tagged #XSS, across news, security advisories, how-to guides, and projects.
A critical stored XSS vulnerability in Zimbra's Classic Web Client allows attackers to deliver specially crafted emails that execute arbitrary code within...
A critical stored XSS vulnerability in OpenReplay's session replay SDK allows unauthenticated attackers to inject malicious scripts via the public...
CVE-2025-27915, a stored XSS vulnerability in Zimbra's Classic Web Client, was exploited as a zero-day before public disclosure. Attackers used malicious...
A critical stored XSS vulnerability in OceanicSoft's ValeApp allows attackers to inject persistent JavaScript payloads that execute in every victim's...
WordPress CP Polls plugin version 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through...
The Bookly scheduling plugin for WordPress contains a stored cross-site scripting vulnerability in versions up to 27.2, allowing unauthenticated attackers...
sanitize-html versions prior to 2.17.4 allow attacker-controlled content inside a disallowed xmp element to render as live HTML, enabling stored XSS.
GitLab EE versions 17.1 through 19.x are affected by a stored cross-site scripting vulnerability (CVSS 8.7) that allows an authenticated developer to...
RockRMS versions up to v16.13 are vulnerable to a CVSS 9.0 stored cross-site scripting flaw that allows attackers to inject malicious scripts through social…
A critical cross-site scripting vulnerability in authentik's Simple Flow Executor AutosubmitStage allows attackers to execute arbitrary JavaScript via a…
A zero-day XSS vulnerability in Microsoft Exchange Server (CVE-2026-42897) is being actively exploited in the wild, allowing attackers to compromise...
A stored Cross-Site Scripting vulnerability (CVSS 9.3) in PrestaShop's back-office Customer Service view allows unauthenticated attackers to inject...
A reflected cross-site scripting vulnerability in the dfm-menu_alerts.php component of GmbH Mecury docuForm v11.11c allows attackers to execute arbitrary...
The Brizy Page Builder plugin for WordPress contains a critical unauthenticated Stored Cross-Site Scripting flaw in versions up to 2.8.11, enabling...
CISA has confirmed that a cross-site scripting vulnerability in Zimbra Collaboration Suite is being actively exploited in the wild, with over 10,000...
A critical stored XSS vulnerability in hackage-server allows HTML and JavaScript files uploaded via source packages or documentation to execute in...
SiYuan knowledge management versions 3.6.3 and below render Mermaid diagrams with loose security, allowing attacker-controlled javascript: URLs to execute...
Rukovoditel CRM versions 3.6.4 and earlier contain a critical reflected XSS vulnerability in the Zadarma telephony API endpoint. The application reflects...
A stored cross-site scripting vulnerability in RealtyScript 4.0.2 allows attackers to inject malicious JavaScript via the location_name parameter in the...
CVE-2015-20115 is a stored cross-site scripting vulnerability in RealtyScript 4.0.2 that allows authenticated attackers to upload malicious script files...
A critical cross-site scripting vulnerability in ZITADEL's login V2 /saml-post endpoint allows unauthenticated attackers to execute arbitrary JavaScript...