In JetBrains Hub before 2022.1.14638 stored XSS via project icon was possible.

In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible

In JetBrains YouTrack before 2022.1.43563 HTML code from the issue description was being rendered

In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI

In JetBrains TeamCity before 2025.03 stored XSS was possible on Cloud Profiles page

Cross-site scripting (XSS) vulnerability in JetBrains TeamCity before 8.1 allows remote attackers to inject arbitrary web script or HTML via the cameFromUrl parameter to feed/generateFeedUrl.html.

In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab

JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon.

JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page.

JetBrains TeamCity before 2021.2.1 was vulnerable to stored XSS.

In JetBrains TeamCity before 2023.05.4 stored XSS was possible during nodes configuration

JetBrains Space through 2020-04-22 allows stored XSS in Chats.

In JetBrains TeamCity before 2022.10.3 stored XSS on “Pending changes” and “Changes” tabs was possible

In JetBrains TeamCity before 2023.05.1 stored XSS while running custom builds was possible

In JetBrains TeamCity before 2023.05.1 stored XSS when using a custom theme was possible

In JetBrains TeamCity before 2023.05.1 stored XSS while viewing the build log was possible

In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS attack via comment tag

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements

In JetBrains TeamCity before 2023.05 stored XSS in GitLab Connection page was possible

In JetBrains YouTrack before 2023.1.10518 stored XSS in a Markdown-rendering engine was possible

In JetBrains TeamCity before 2023.05 stored XSS in the Show Connection page was possible

In JetBrains TeamCity before 2024.07.3 stored XSS was possible in Backup configuration settings

In JetBrains TeamCity before 2020.2.3, stored XSS was possible on several pages.

In JetBrains YouTrack before 2020.6.6441, stored XSS was possible via an issue attachment.

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via OAuth connection settings was possible

In JetBrains TeamCity before 2023.11.2 stored XSS via agent distribution was possible

The WP Ajax Contact Form WordPress plugin through 2.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against admin users

Quectel UC20 UMTS/HSPA+ UC20 6.3.14 is affected by a Cross Site Scripting (XSS) vulnerability.

Rukovoditel before 2.4.1 allows XSS.

Script afGdStream.php in AdmirorFrames Joomla! extension doesn’t specify a content type and as a result default (text/html) is used. An attacker may embed HTML tags directly in image data which is rendered by a webpage as HTML. This issue affects AdmirorFrames: before 5.0.

Microsoft Exchange Server 2016 allows an elevation of privilege vulnerability when Microsoft Exchange Outlook Web Access (OWA) fails to properly handle web requests, aka "Microsoft Exchange Cross-Site Scripting Vulnerability."

A Cross-Site Scripting (XSS) vulnerability exists in the reorder administrator functions in sNews 1.71.

A Cross Site Scripting vulnerability in CloudClassroom-PHP Project v1.0 allows a remote attacker to execute arbitrary code via the exid parameter of the assessment function.

PHPJabbers Cinema Booking System v2.0 is vulnerable to reflected cross-site scripting (XSS). Multiple endpoints improperly handle user input, allowing malicious scripts to execute in a victim’s browser. Attackers can craft malicious links to steal session cookies or conduct phishing attacks.

Reflected Cross-Site Scripting (XSS) vulnerability in dmpop Mejiro Commit Versions Prior To 3096393 allows attackers to run arbitrary code via crafted string in metadata of uploaded images.

TawkTo Widget Version <= 1.3.7 is vulnerable to Cross Site Scripting (XSS) due to processing user input in a way that allows JavaScript execution.

Cross-site scripting vulnerability in HOTELDRUID 3.0.5 and earlier allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product.

ZenTao Biz version 4.1.3 and before has a Cross Site Scripting (XSS) vulnerability in the Version Library.

A stored Cross-Site Scripting (XSS) vulnerability exists in the stitionai/devika chat feature, allowing attackers to inject malicious payloads into the chat input. This vulnerability is due to the lack of input validation and sanitization on both the frontend and backend components of the application. Specifically, the application fails to sanitize user input in the chat feature, leading to the execution of arbitrary JavaScript code in the context of the user's browser session. This issue affects all versions of the application. The impact of this vulnerability includes the potential for stolen credentials, extraction of sensitive information from chat logs, projects, and other data accessible through the application.

Cross-site Scripting (XSS) in EasyXDM before 2.4.18 allows remote attackers to inject arbitrary web script or html via the easyxdm.swf file.

Cross Site Scripting vulnerability in sunnygkp10 Online Exam System master version allows a remote attacker to obtain sensitive information via the w parameter.

The in-app browser of LINE client for iOS versions below 14.9.0 contains a Universal XSS (UXSS) vulnerability. This vulnerability allows for cross-site scripting (XSS) where arbitrary JavaScript can be executed in the top frame from an embedded iframe on any displayed web site within the in-app browser. The in-app browser is usually opened by tapping on URLs contained in chat messages, and for the attack to be successful, the victim must trigger a click event on a malicious iframe. If an iframe embedded in any website can be controlled by an attacker, this vulnerability could be exploited to capture or alter content displayed in the top frame, as well as user session information. This vulnerability affects LINE client for iOS versions below 14.9.0 and does not affect other LINE clients such as LINE client for Android. Please update LINE client for iOS to version 14.9.0 or higher.

Symphony 2 2.6.11 has XSS in the meta[navigation_group] parameter to content/content.blueprintssections.php.

In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses.

Cross Site Scripting vulnerability in nbubna store v.2.14.2 and before allows a remote attacker to execute arbitrary code via the store.deep.js component

Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences.

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp_id' parameter in all versions up to, and including, 4.4.2 due to missing authorization checks on processAction function, as well as insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a wp-admin dashboard.

Cross Site Scripting (XSS) in xiunobbs 4.0.4 allows remote attackers to execute arbitrary web script or HTML via the attachment upload function.

The Pagerank tools WordPress plugin through 1.1.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin