appsec.fyi

Cross-Site Scripting (XSS) Resources

Post Share

A curated AppSec resource library covering XSS, SQLi, SSRF, IDOR, RCE, XXE, OSINT, and more.

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS occurs when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

XSS remains one of the most prevalent web vulnerabilities, appearing in everything from search bars to user profile fields. The three main variants — Reflected, Stored, and DOM-based — each have distinct attack surfaces. Reflected XSS executes via a crafted URL, Stored XSS persists in the application's database and fires for every visitor, and DOM-based XSS exploits client-side JavaScript that unsafely handles user input without any server round-trip.

The impact of XSS extends well beyond simple alert boxes. Attackers leverage it for session hijacking, credential theft, keylogging, phishing overlays, and as a pivot point for deeper exploitation. In bug bounty programs, Stored XSS on authenticated pages consistently pays well because it can be chained into account takeover.

Modern defenses include Content Security Policy (CSP), output encoding, and frameworks that auto-escape by default — but bypasses are discovered regularly, making XSS a constantly evolving attack surface.

This page collects research, bypass techniques, payloads, and real-world writeups covering all forms of cross-site scripting.

From OWASP

Read the XSS guideA long-form, source-cited deep dive synthesized from every resource below. The comprehensive XSS guide on chs.usA hand-written, in-depth practitioner guide — attacks, testing, and prevention.
Date Added Link Excerpt
2026-07-18 NEW 2026SAR 2,629 For Stored XSS via svg Image Leading to ATO intermediate 2 min readWriteup detailing a Stored XSS vulnerability found via profile picture uploads, enabling Account Takeover (ATO). Exploiting a missing Content Security Policy (CSP) and same-origin hosting of SVG images allowed for the execution of injected JavaScript. This script accessed and exfiltrated authentication tokens stored in `localStorage`, granting full control of the user account without needing credentials. Remediation involves SVG sanitization, strict CSP implementation, and enforcing `Content-Disposition: attachment`. → infosecwriteups.com
2026-07-14 NEW 2026Zimbra urges customers to patch critical web client XSS flaw news 2 min readVulnerability details Zimbra's critical stored XSS flaw in its Classic Web Client, which allows attackers to execute malicious code via crafted emails, potentially stealing session data and mailbox information. This zero-day was reported by Google's Threat Analysis Group and has been actively exploited in the past by Russian state-sponsored groups like Winter Vivern and APT29 against high-risk individuals and organizations. While a CVE ID is pending, this highlights the ongoing threat to Zimbra instances, following previous patches for similar XSS vulnerabilities like CVE-2025-66376 and CVE-2025-48700. → bleepingcomputer.com
2026-07-11 2026Critical Zimbra Flaw Could Let Crafted Emails Run Malicious Code in User Sessions news 1 min readLibrary update addressing stored XSS in Zimbra Classic Web Client. Exploitation of this vulnerability allows attackers to inject and execute malicious JavaScript within user sessions via crafted emails, potentially leading to mailbox access, session data compromise, and account setting manipulation. This flaw, though unassigned a CVE, follows a history of XSS vulnerabilities in Zimbra, including CVE-2025-27915, CVE-2023-37580, and CVE-2024-27443. Users are advised to update to Zimbra Collaboration Suite version 10.1.19. → thehackernews.com
2026-07-11 2026Zimbra 10.1.19 Fixes Stored XSS Flaw Triggered by Crafted Emails newsZimbra 10.1.19 addresses a stored cross-site scripting (XSS) vulnerability that could be exploited by sending specially crafted emails. This flaw allowed attackers to inject malicious scripts into the Zimbra web client, potentially leading to unauthorized actions or data theft by users who viewed the compromised email. The update rectifies this security weakness, enhancing the platform's safety. → cyberpress.org
2026-07-10 2026Roundcube Webmail Security Update Patches Critical Zero-Click XSS and SSRF Bypass Flaws newsRoundcube Webmail has released a security update addressing critical zero-click vulnerabilities. These flaws allowed for Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF) bypasses, potentially enabling attackers to execute malicious code or access internal resources without user interaction. Users are strongly advised to update their Roundcube installations immediately to mitigate these risks. The update is crucial for protecting against potential exploitation of these severe security weaknesses. → gbhackers.com
2026-07-09 2026Roundcube 0-Click Vulnerability Enables Stored XSS Attack via MIME Type Attachment intermediateA critical 0-click vulnerability in Roundcube allows stored XSS attacks through specially crafted MIME type attachments. Attackers can exploit this by sending an email with an attachment having a malicious MIME type. When Roundcube processes this attachment, it renders the malicious content, leading to cross-site scripting execution within the victim's browser without any user interaction. This means sensitive data could be compromised or actions taken on behalf of the user. → cybersecuritynews.com
2026-07-08 2026Chaining a DOM XSS Sink, WAF Bypass, Cross-Origin Smuggling, and SDK Abuse into One Click Account… advanced 8 min read API Sec AuthNLibrary for chaining DOM XSS, WAF bypass via `window.name` cross-origin smuggling, and SDK abuse to achieve one-click account takeover. The technique exploits a `javascript:` URL sink, bypasses Akamai's WAF by inserting characters between keywords and parentheses, leverages `window.name` persistence across navigations, and abuses a first-party authentication SDK to retrieve signed JWTs and live AWS STS credentials. → infosecwriteups.com
2026-07-06 2026Multiple IBM WebSphere Vulnerabilities Enable XSS and Path Traversal Attacks intermediateMultiple vulnerabilities have been discovered in IBM WebSphere that could allow attackers to perform cross-site scripting (XSS) and path traversal attacks. These flaws impact various versions of the software, potentially exposing sensitive data and enabling malicious code execution. Organizations using IBM WebSphere should prioritize applying the latest security patches and updates to mitigate these risks. → cybersecuritynews.com
2026-07-06 2026IBM WebSphere Application Server Hit by Critical XSS and Path Traversal Vulnerabilities newsIBM WebSphere Application Server is affected by critical vulnerabilities. These include Cross-Site Scripting (XSS) and path traversal flaws. The XSS vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or data theft. The path traversal vulnerability could enable unauthorized access to sensitive files and directories on the server. Organizations using IBM WebSphere Application Server should update to the latest secure versions to mitigate these risks. → gbhackers.com
2026-07-06 2026Critical IBM WebSphere Flaws Expose Servers to XSS and Path Traversal Attacks newsCritical vulnerabilities have been discovered in IBM WebSphere Application Server, enabling attackers to execute Cross-Site Scripting (XSS) and path traversal attacks. These flaws could allow for unauthorized access to sensitive data and the execution of malicious code on vulnerable servers. Organizations utilizing IBM WebSphere are strongly advised to apply available security patches and updates to mitigate these risks and protect their environments. Further details on the specific vulnerabilities and remediation steps can be found at the provided link. → cyberpress.org
2026-07-05 2026Attackers Can Inject Malicious Scripts Through VMware XSS Flaws beginnerVMware products are vulnerable to Cross-Site Scripting (XSS) attacks, allowing attackers to inject malicious scripts. This means unauthorized users could potentially execute harmful code within a user's browser session, leading to various security risks like data theft or account compromise. Further details and the specific impact are outlined in the provided link. → cyberpress.org
2026-07-01 2026Critical Webmin Vulnerabilities Allow Attackers to Impersonate as Any User newsCritical Webmin Vulnerabilities Allow Attackers to Impersonate as Any User https://ift.tt/J5oKeT4 → cybersecuritynews.com
2026-06-29 2026CVE-2026-13536: Reflected XSS Vulnerability in GotoHTTP Remote Access Platform (reg.12x Endpoint) Analysis and Mitigation intermediate 3 min readAnalysis of CVE-2026-13536 details a reflected XSS vulnerability in the GotoHTTP remote access platform's /reg.12x endpoint, stemming from improper sanitization of the sn parameter. This allows unauthenticated attackers to inject JavaScript via crafted URLs, with a public PoC available on GitHub. While no active exploitation by APT groups is reported, and it's not on the CISA KEV catalog, opportunistic attacks are a risk due to the low complexity and user interaction requirement. The vendor has acknowledged the issue and will remove the vulnerable parameter in their next release. → rescana.com
2026-06-25 2026CVE-2026-10086: High-Severity XSS Vulnerability in GitLab Enterprise Edition Analytics Dashboard Analysis Impact and Mitigation Steps news 3 min readAnalysis of CVE-2026-10086, a high-severity XSS vulnerability in GitLab Enterprise Edition's Analytics Dashboard, details how authenticated attackers can inject JavaScript. This vulnerability, CWE-79, allows for session hijacking and privilege escalation by executing code in user contexts. Patched versions include 19.1.1, 19.0.3, and 18.11.6. While not yet observed in the wild, prompt patching and log review are advised, with potential mitigation by restricting dashboard access. → rescana.com
2026-06-24 2026Webmin Stored XSS Vulnerability Lets Attackers Exploit Root Users newsA stored cross-site scripting (XSS) vulnerability has been discovered in Webmin, a web-based system administration tool. This flaw allows attackers to inject malicious scripts into the application, which can then be executed by other users, including those with root privileges. Successful exploitation could lead to unauthorized actions on the server, data theft, or complete system compromise. Users are strongly advised to update their Webmin installations to patch this critical security issue. → gbhackers.com
2026-06-24 2026Critical Webmin Stored XSS Vulnerability Lets Untrusted Users Exploit Root Accounts intermediateCritical Webmin Stored XSS Vulnerability Lets Untrusted Users Exploit Root Accounts https://ift.tt/8gMoQkc → cyberpress.org
2026-06-23 2026CVE-2026-25860 turn XSS to RCE intermediateCVE-2026-25860 turn XSS to RCE
2026-06-23 2026Exploring WebExtension security vulnerabilities in React Developer Tools and Vue.js devtools intermediate 5 min read Bug BountyWriteup detailing WebExtension security vulnerabilities, including unverified external messages in React Developer Tools (CVE-2023-5654) allowing arbitrary URL fetching and unauthorized access to page capture APIs in Vue.js devtools (CVE-2023-5718) leading to screenshot data leakage. This research highlights risks inherent in the WebExtension architecture and its components, affecting cross-browser compatibility and user data. → snyk.io
2026-06-22 2026Exploiting Auth0 Defaults in XSS Attacks - elttam intermediate 8 min read AuthNWriteup detailing how XSS vulnerabilities in applications using Auth0 can be exploited. The article highlights the insecure implicit grant flow, enabled by default in Auth0, and demonstrates how it can be combined with other misconfigurations to pivot across tenant applications. Specifically, it shows how an attacker can leverage XSS to steal access tokens intended for a protected API, facilitating lateral movement within an Auth0 tenant.
2026-06-21 2026Understanding and mitigating the Jinja2 XSS vulnerability (CVE-2024-22195) intermediate 3 min read PythonReference detailing CVE-2024-22195, a cross-site scripting vulnerability in Jinja2 versions prior to 3.1.3. The vulnerability arises from the `xmlattr` filter when processing user input with spaces in keys, allowing attackers to inject arbitrary HTML attributes and potentially execute untrusted scripts. Mitigation involves upgrading to Jinja2 3.1.3 and utilizing tools like Snyk for continuous monitoring and detection of vulnerable dependencies in Python projects and Docker containers. → snyk.io
2026-06-20 2026“Bug Bounty Bootcamp #48: OAuth + XSS ” intermediate AuthN Bug BountyThis "Bug Bounty Bootcamp #48" article, titled "OAuth + XSS," explores a potent combination of vulnerabilities: OAuth and Cross-Site Scripting (XSS). The content suggests that by leveraging these two, attackers can achieve account takeovers, effectively describing it as an "ultimate account takeover one-two punch." The article is part of a series and can be found on InfoSec Write-ups. No specific bounty payout amount is mentioned. → infosecwriteups.com
2026-06-19 2026Microsoft's Exchange Server Updates Fix OWA XSS Flaw news 2 min readLibrary update for Microsoft Exchange Server addresses CVE‑2026‑42897, a cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA). This flaw allows remote attackers to execute malicious JavaScript by sending specially crafted emails. Updates are available for Exchange Server Subscription Edition, 2019, and 2016, with support requirements for older versions. Administrators should use the Exchange Health Checker script and install the latest cumulative and security updates. → petri.com
2026-06-17 2026How to prevent log injection vulnerability in JavaScript and Node.js applications intermediate 6 min readLibrary for preventing log injection vulnerabilities in JavaScript and Node.js applications, specifically detailing how attackers can manipulate input to inject malicious code into logs. It offers methods for sanitizing user inputs, using regex and libraries like validator.js, suggests careful consideration of what data to log, and recommends structured logging and specialized libraries such as pino over basic console.log. The entry also mentions the Snyk IDE extension for VS Code as a tool for detecting such vulnerabilities. → snyk.io
2026-06-16 2026Automatically fix code vulnerabilities with AI intermediate 4 min read AILibrary for automatically fixing common security vulnerabilities, such as Cross-site Scripting (XSS) in Java applications, by leveraging a hybrid AI model. This tool, integrated into IDEs, goes beyond providing remediation advice by directly applying secure code fixes, exemplified in a Spring Boot application using the Thymeleaf template engine and the faker library. Unlike generative AI assistants that may introduce insecure code, this library uses a combination of generative AI, symbolic AI, and machine learning, trained on curated security research data, to ensure secure code generation. → snyk.io
2026-06-14 2026MeshCentral: From XSS to RCE intermediate 8 min read RCEWriteup detailing the exploitation of MeshCentral, moving from Cross-Site Scripting (XSS) to Remote Code Execution (RCE). The author demonstrates how an LLM, Claude Opus, was utilized to identify vulnerabilities and generate proof-of-concept exploits by analyzing the MeshCentral agent and server interactions. The process involved extracting agent credentials from local files to impersonate existing agents and ultimately achieve RCE, showcasing a practical application of AI in vulnerability research.
2026-06-13 2026Six levels, one lesson: LLMs cannot keep a secret intermediate AIGitHub's Secure Code Game Season 3, a six-level challenge, demonstrates that Large Language Models (LLMs) cannot keep secrets. The game involves prompt injection attacks against vulnerable AI assistants designed to hide information. Players craft attacks to extract these secrets, highlighting that system prompts are not a security measure. The content focuses on hands-on learning of AI security principles through this open-source, browser-based game. No bounty payout amounts are mentioned. → infosecwriteups.com
2026-06-12 2026Chaining Stored XSS and CSRF in Typemill CMS: A Deep Dive into Attribute Injection intermediate CSRFA security assessment of Typemill CMS uncovered a critical vulnerability chain combining Stored XSS and CSRF (CVE-2026–53468). An attacker can bypass frontend validation to inject malicious scripts into page metadata. This allows for the theft of admin sessions by exploiting attribute injection. This vulnerability impacts Typemill, a popular flat-file CMS built on PHP and the Slim framework, and poses a significant risk to its users. → infosecwriteups.com
2026-06-10 2026Microsoft patches Exchange Server zero-day exploited in attacks news 2 min readPatching advisory for CVE-2026-42897 details a critical spoofing vulnerability in Microsoft Exchange Server 2016, 2019, and SE. Exploitable remotely without privileges, it allows arbitrary JavaScript execution via specially crafted emails opened in Outlook Web Access. Microsoft urges immediate deployment of June 2026 Security Updates. CISA has added this actively exploited flaw to its known exploited vulnerabilities catalog, mandating swift patching for U.S. government agencies. → bleepingcomputer.com
2026-06-08 2026Multiple VMware Stored XSS Flaw Enable Attackers to Inject Malicious Scripts newsVMware products are affected by multiple stored cross-site scripting (XSS) vulnerabilities. These flaws allow attackers to inject and execute malicious scripts within the affected applications. Successful exploitation could lead to various security risks, including session hijacking, data theft, and unauthorized actions on behalf of users. Users are advised to consult VMware's security advisories for specific product and version information and to apply any available patches or workarounds promptly to mitigate these risks. → gbhackers.com
2026-06-08 2026Multiple VMware Stored XSS Vulnerabilities Allow Attackers to Inject Malicious Scripts newsVMware has addressed several stored cross-site scripting (XSS) vulnerabilities across its products. These flaws could enable attackers to inject malicious scripts into web applications, potentially leading to unauthorized access, data theft, or other harmful actions. The vulnerabilities were found in specific components of VMware's offerings, allowing for persistent script execution. Users are advised to update their VMware products to the latest versions to mitigate these security risks. The provided link offers detailed information on the affected products and the specific CVEs associated with these vulnerabilities. → cybersecuritynews.com
2026-06-08 2026JavaScript Prototype Pollution Deep Dive : — Reconnaissance, Exploitation & Bug Bounty Guideline advanced RCEThis article provides a deep dive into JavaScript Prototype Pollution vulnerabilities, explaining the underlying prototype chain and its attack vectors. It covers reconnaissance methodologies, exploitation techniques ranging from XSS to Remote Code Execution (RCE), and real-world bug bounty case studies. The guide also delves into advanced exploit chains, tooling, automation, and defense strategies, offering a production-ready Python scanner. The content focuses on understanding and mitigating this complex JavaScript vulnerability. → infosecwriteups.com
2026-06-08 2026From XSS to RCE (dompdf 0day) intermediate 10 min read RCELibrary for Remote Code Execution (RCE) in dompdf, a popular PHP library used for rendering PDFs from HTML. The vulnerability, identified as a 0-day by Positive Security, allows an attacker to inject CSS that tricks dompdf into caching a malicious font file with a `.php` extension. This file can then be executed remotely by accessing it from the web server. The exploit leverages the `$isRemoteEnabled` setting and the font caching mechanism within dompdf.
2026-06-04 2026Cisco Webex Meetings Cross-Site Scripting Vulnerability (CVE-2026-20233) newsWriteup of CVE-2026-20233, a cross-site scripting (XSS) vulnerability in Cisco Webex Meetings. The flaw stemmed from insufficient user input validation, allowing an unauthenticated remote attacker to execute arbitrary script code or access sensitive browser information by tricking a user into clicking a malicious link. Cisco has resolved this issue in their cloud-based Webex Meetings service, requiring no customer action. → systemtek.co.uk
2026-06-03 2026Zero-Click pretalx XSS Flaw Lets Hackers Hijack Conference Organizer Accounts intermediate 2 min readLibrary for detecting stored XSS vulnerabilities, exemplified by CVE-2026-41241 in pretalx, which allows zero-click account hijacking. This flaw, exploitable with low privileges, bypasses Content Security Policies by leveraging chained exploits involving JavaScript payloads disguised as presentation materials and iframe `srcdoc` attributes. A secondary JavaScript-free technique demotes administrators via image tags in submission titles, triggering a superuser-demotion endpoint. Automated AI agents can weaponize this for mass exploitation across numerous conferences. → hackread.com
2026-06-03 2026https://github.com/Armur-Ai/Pentest-Swarm-AI beginner 6 min read AI ReconLibrary for advanced penetration testing utilizing a real swarm intelligence architecture. It coordinates independent agents via stigmergy and emergence, allowing them to coordinate by writing to and reading from a shared blackboard, rather than through a central planner. This approach enables emergent attack chains and dynamic agent interaction, supporting tools like nmap, sqlmap, Burp, ZAP, and Metasploit, and is compatible with LLMs such as Claude and Llama.
2026-06-03 2026House committee chair calls on Instructure to testify in Canvas hack news 3 min readWriteup on the Shiny Hunters attack on Instructure's Canvas platform, highlighting cross-site scripting (XSS) vulnerabilities exploited to hijack admin sessions and exfiltrate student data. The incident prompted a US House committee inquiry, emphasizing the continued relevance of foundational security flaws like input validation and output encoding in critical educational technology infrastructure, despite focus on novel AI threats. → scworld.com
2026-05-28 2026CVE-2026-41241: Critical Stored XSS in Pretalx Conference Platform Allows Attackers 100% Talk Acceptance (Patched in 2026.1.0) news 5 min readWriteup of CVE-2026-41241, a critical stored XSS vulnerability in Pretalx versions prior to 2026.1.0, allowing any registered user to compromise organizer accounts and force talk acceptance. Exploitation involves submitting a talk proposal with a crafted XSS payload in fields like title, speaker display name, or email, which executes when an organizer uses the backend search. The vulnerability stems from improper sanitization and unsafe `innerHTML` usage. Immediate upgrade to version 2026.1.0 is recommended. → rescana.com
2026-05-20 2026CVE-2026-42897 Zero-Day Analysis: Microsoft Exchange Server OWA XSS Vulnerability Exploited in the Wild news 5 min readAnalysis of CVE-2026-42897 details a zero-day cross-site scripting (XSS) vulnerability affecting on-premises Microsoft Exchange Server 2016, 2019, and Subscription Edition. Actively exploited in the wild, this flaw in Outlook Web Access (OWA) allows attackers to execute arbitrary JavaScript, leading to session hijacking and credential theft. The analysis covers threat actor TTPs, exploitation evidence, and actionable mitigations like the Exchange Emergency Mitigation Service (EEMS) and the Exchange On-premises Mitigation Tool (EOMT), noting potential side effects such as the loss of OWA Print Calendar functionality. → rescana.com
2026-05-19 2026Microsoft Exchange Zero-Day Under Attack No Patch Available newsMicrosoft Exchange Zero-Day Under Attack, No Patch Available https://ift.tt/HM5e6fY → darkreading.com
2026-05-18 2026Critical Microsoft Exchange Server Vulnerability Actively Exploited in Attacks news 2 min readWriteup detailing CVE-2026-42897, a critical spoofing vulnerability in Microsoft Exchange Server exploited in the wild, impacting on-premises Outlook Web Access. Threat actors leverage this network-based flaw, characterized by improper input neutralization, to execute arbitrary JavaScript by sending specially crafted emails. This affects Exchange Server 2016, 2019, and Subscription Edition, enabling network-level spoofing and session hijacking. Temporary mitigations, including the Exchange Emergency Mitigation Service or manual tool execution, are advised despite minor functional side effects like calendar printing issues and inline image display problems, pending a permanent patch. → cybersecuritynews.com
2026-05-17 2026Unpatched Microsoft Exchange Server vulnerability exploited (CVE-2026-42897) newsMicrosoft Exchange Server is vulnerable to exploitation due to an unpatched security flaw, identified as CVE-2026-42897. Attackers can leverage this vulnerability, impacting systems that have not been updated. This poses a significant risk to organizations using Microsoft Exchange Server. Further details on the exploitation and its potential impact can be found via the provided link. → helpnetsecurity.com
2026-05-15 2026Critical GitLab Vulnerabilities Enables XSS and Unauthenticated DoS Attacks news 2 min readLibrary of emergency security updates for GitLab addresses multiple high-severity flaws including Cross-Site Scripting (XSS) via CVE-2026-7481 and CVE-2026-5297, and unauthenticated Denial-of-Service (DoS) via CVE-2026-1659 and CVE-2025-14870. These vulnerabilities, impacting self-hosted Community Edition and Enterprise Edition servers, allow for session hijacking, code repository manipulation, and disruption of CI/CD pipelines. Administrators must upgrade to versions 18.11.3, 18.10.6, or 18.9.7 to mitigate these risks. → cybersecuritynews.com
2026-05-14 2026GitLab Security Flaw Allows Cross-Site Scripting and Unauthenticated DoS news 2 min readLibrary update addressing 25 vulnerabilities in GitLab CE/EE, including four critical XSS flaws (CVSS 8.7) affecting Analytics, global search, and Duo Agent output, allowing authenticated attackers to hijack sessions. Three severe DoS vulnerabilities (CVSS 7.5) are also patched, enabling unauthenticated attacks via crafted requests to CI/CD, Duo Workflows, or internal APIs to crash servers. Additional fixes include CVE-2026-1322 (GraphQL authorization flaw), CSRF in JiraConnect, and bypasses for package protection rules. → gbhackers.com
2026-05-12 2026Instructure confirms hackers used Canvas flaw to deface portals news 2 min readWriteup on ShinyHunters exploiting cross-site scripting (XSS) vulnerabilities in Instructure's Canvas LMS. Attackers used these flaws to gain authenticated admin sessions, deface login portals with extortion messages, and exfiltrate over 3.6 terabytes of data. The attacks targeted the Free-for-Teacher environment, leading to temporary downtime and account closures. → bleepingcomputer.com
2026-05-11 2026Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities newsWriteup on Cisco Identity Services Engine (ISE) stored cross-site scripting vulnerabilities, CVE-2025-20204 and CVE-2025-20205. These flaws stem from insufficient input validation in the web-based management interface, allowing authenticated attackers to inject malicious script code. Exploitation enables arbitrary script execution within the interface context or access to sensitive browser data, requiring administrative credentials. Cisco has released updates to address these issues. → systemtek.co.uk
2026-05-09 2026Every Old Vulnerability Is Now an AI Vulnerability beginnerThis article argues that as Artificial Intelligence (AI) systems become more integrated, traditional cybersecurity vulnerabilities are now also AI vulnerabilities. Existing exploits and weaknesses in software, hardware, and network infrastructure can be leveraged to target or compromise AI models. This means that the vast landscape of known security flaws presents a significant risk to AI systems, requiring a re-evaluation of security strategies to account for this expanded threat surface. → darkreading.com
2026-05-03 2026Jenkins Patches High-Severity Plugin Flaws Including Path Traversal and Stored XSS news 2 min readLibrary updates address seven Jenkins plugin vulnerabilities, including critical path traversal (CVE-2026-42520 in Credentials Binding Plugin) enabling arbitrary file writes and remote code execution, and two stored XSS flaws (CVE-2026-42523 in GitHub Plugin, CVE-2026-42524 in HTML Publisher Plugin) allowing JavaScript injection. Medium-severity issues in Script Security, Matrix Authorization Strategy, GitHub Branch Source, and Microsoft Entra ID plugins are also patched. → cybersecuritynews.com
2026-05-03 2026'Chaining vulnerabilities is the hallmark of a sophisticated attack': 750000 websites must be patched as Microsoft's popular open source Dotnetnuke CMS hit by an XSS flaw that allows attackers to hijack admin sessions and take over entire web servers news 2 min readLibrary for securing DotNetNuke CMS, addressing CVE-2026-40321, a cross-site scripting (XSS) flaw. This vulnerability allows attackers to upload malicious SVG files, which, when clicked by an authenticated administrator, execute JavaScript, hijack sessions, and enable arbitrary file writes to the server via the `/API/personaBar/ConfigConsole/UpdateConfigFile` endpoint. This enables the creation of ASPX web shells for full server compromise, impacting over 750,000 websites built on the Microsoft-backed platform.
2026-05-01 2026Jenkins Plugin Updates Fix Path Traversal and Stored XSS Bugs news 2 min readLibrary updates for Jenkins address seven vulnerabilities, including critical path traversal (CVE-2026-42520) in the Credentials Binding Plugin, enabling arbitrary file writes and potential RCE. Stored XSS flaws are patched in the GitHub Plugin (CVE-2026-42523) and HTML Publisher Plugin (CVE-2026-42524), allowing script injection. Medium-severity issues like information disclosure via Script Security Plugin (CVE-2026-42519) and unsafe deserialization in Matrix Authorization Strategy Plugin (CVE-2026-42521) are also resolved, alongside unauthorized connection tests in GitHub Branch Source Plugin (CVE-2026-42522) and open redirects in Microsoft Entra ID Plugin (CVE-2026-42525). → gbhackers.com
2026-04-30 2026Jenkins Patches High-Severity Plugin Vulnerability Including Path Traversal and Stored XSS news 2 min readLibrary update patches Jenkins plugins for critical vulnerabilities including CVE-2026-42520 (path traversal leading to RCE in Credentials Binding Plugin), CVE-2026-42523 (stored XSS in GitHub Plugin), and CVE-2026-42524 (stored XSS in HTML Publisher Plugin). Patched versions and mitigation strategies are detailed for these high-severity flaws. → cyberpress.org

Frequently Asked Questions

What are the three types of XSS?
The three main types are Reflected XSS (payload delivered via a URL and immediately reflected in the response), Stored XSS (payload persisted in the application database and served to other users), and DOM-based XSS (payload executed entirely in the browser via client-side JavaScript without a server round-trip).
How do you prevent cross-site scripting?
Key defenses include output encoding (HTML, JavaScript, URL, and CSS contexts), Content Security Policy (CSP) headers, using frameworks that auto-escape by default (React, Angular), input validation, and the HttpOnly flag on session cookies to limit the impact of successful attacks.
Why is XSS still so common?
XSS persists because web applications have many injection points (URL parameters, form fields, headers, file uploads), developers must encode output correctly for every context, and modern JavaScript frameworks can be bypassed through dangerouslySetInnerHTML, template injection, or prototype pollution.

Weekly AppSec Digest

Get new resources delivered every Monday.