Hashtag #XSS
CVE-2026-33976: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-33976 is a critical security vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code) affecting the Notesnook note-taking application. T

CRITICAL: CVE-2026-33976 in Notesnook Web/Desktop <3.3.11 — stored XSS via Web Clipper leads to potential RCE. Upgrade now! Details: radar.offseq.com/threat/cve-2026-33976-cw... #OffSeq #Vulnerability #XSS

0 0 0 0
Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website Cybersecurity researchers have disclosed a vulnerability in Anthropic's Claude Google Chrome Extension that could have been exploited to trigger malicious prompts simply by visiting a web page. The flaw "allowed any website to silently inject prompts into that assistant as if the user wrote them," Koi Security researcher Oren Yomtov said in a report shared with The Hacker News. "No clicks, no

iT4iNT SERVER Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website VDS VPS Cloud #Cybersecurity #XSS #Vulnerability #ClaudeExtension #PromptInjection

0 0 0 0
CVE-2026-2072: CWE-79 Improper neutralization of input during web page generatio CVE-2026-2072 is a cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Analytics probe component of Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer products. This vulnerability affects ver

High-severity XSS flaw in Hitachi Infrastructure Analytics Advisor (CVSS 8.2) lets authenticated users inject scripts. Patch ASAP, restrict access & monitor for threats. radar.offseq.com/threat/cve-2026-2072-cwe... #OffSeq #XSS #SecurityAlert

0 0 0 0
Why location.href Isn’t Just a Redirect: Understanding Navigation-Based XSS

Most XSS explanations focus on HTML sinks like innerHTML. But not all execution comes from parsing markup.
Nav sinks like location.href don’t parse HTML. They execute destinations via javascript: URIs.
I wrote a breakdown of how this works and how to exploit it:
#xss #tip

medium.com/@marduk.i.am...

1 1 0 0

You have surely experienced a variable being "gone" as soon as a method finishes. At the same time...

magicmarcy.de/heap-stack-und-metaspace...

#Heap #Stack #Metaspace #Lebensdauer #Speicher #Xms #Xmx #Xss #Programming #Java #JVM #Coding

1 1 0 0
The Invisible Breach: 'Operation GhostMail' Uses Zero-Click XSS to Hijack Ukrainian Webmail Seqrite Labs uncovers Operation GhostMail, an APT28-linked campaign using a zero-click XSS flaw in Zimbra to silently hijack Ukrainian government webmail.

Operation GhostMail is an attack that uses a stored XSS in Zimbra to quietly take over the email environments of Ukrainian government-related organizations using nothing but the email body. The key point is that no attachment and no suspicious link are needed: the recipient merely opening the email in the vulnerable Zimbra Classic UI is enough for credentials, session tokens, 2FA backup codes and even the last 90 days of email to be exfiltrated.

#CyberSecurity #ThreatIntel #Zimbra #Ukraine #XSS #GhostMail
securityonline.info/invisible-br...

0 0 1 0
Russian hackers exploit Zimbra flaw in Ukrainian govt attacks Hackers part of APT28, a state-backed threat group linked to Russia's military intelligence service (GRU), are exploiting a Zimbra Collaboration Suite (ZCS) vulnerability in attacks targeting Ukrainia...

APT28 is using the Zimbra stored XSS vulnerability CVE-2025-66376 to target the email environments of Ukrainian government-related organizations. The key point is that, without any attachment or suspicious link, an HTML email body alone is enough to exfiltrate credentials, session tokens, 2FA backup codes, saved passwords and the last 90 days of email.

#CyberSecurity #ThreatIntel #APT28 #Zimbra #Ukraine #XSS
www.bleepingcomputer.com/news/securit...

0 0 1 0
CISA orders feds to patch Zimbra XSS flaw exploited in attacks CISA has ordered U.S. government agencies to secure their servers against an actively exploited vulnerability in the Zimbra Collaboration Suite (ZCS).

#CISA orders feds to patch #Zimbra #XSS flaw exploited in attacks

www.bleepingcomputer.com/news/security/cisa-order...

#cybersecurity

0 0 0 0

Alert: Critical #XSS vulnerability (CVE-2026-32635) in #Angular exposes web apps to attacks. Update to patched versions immediately to secure your applications. #CyberSecurity #WebDevelopment Link: thedailytechfeed.com/critical-ang...

0 0 0 0
Goodbye innerHTML, Hello setHTML: Stronger XSS Protection in Firefox 148 – Mozilla Hacks - the Web developer blog Cross-site scripting (XSS) remains one of the most prevalent vulnerabilities on the web. The new standardized Sanitizer API provides a straightforward way for web developers to sanitize untrusted HTML before inserting it into the DOM. Firefox 148 is the first browser to ship this standardized sec…

Goodbye “innerHTML”, Hello “setHTML”: Stronger XSS Protection in Firefox 148, by @mozilla.org:

hacks.mozilla.org/2026/02/goodbye-innerhtm...

#javascript #methods #xss #security #firefox

0 0 0 0
CVE-2026-31938: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-31938 is a critical cross-site scripting (XSS) vulnerability identified in the parallax jsPDF library, a widely used JavaScript tool for generating PDF documents in browsers. The flaw exists in versions prior to 4.2.1, where the 'o

CRITICAL XSS in parallax jsPDF (<4.2.1): Exploitable via crafted PDF options — scripts run in victim's browser on open. Upgrade to 4.2.1+ now! radar.offseq.com/threat/cve-2026-31938-cw... #OffSeq #XSS #Vuln

0 0 0 0
Top 4 Web hacking demos for aspiring hackers (with labs and CTF) YouTube video by David Bombal

Fantastic Demos of Web Hacking featuring bug bounty hunter Justin Gardner!

Learn about IDOR, XSS and more.

YouTube video: youtu.be/KBIQE9fo8mU

Big thanks to ThreatLocker for sponsoring my trip to ZTW26 and also for sponsoring this video.

#xss #bug #bounty #idor #hack #hacking #hacker #career

4 1 0 0
XSS in i18n attribute bindings A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor...

Critical XSS Vulnerability in Angular Patched Now (v19/v20/v21)
A High-severity security vulnerability has been disclosed in Angular CVE-2026-32635
Affects: compiler/core
When you use an i18n-prefix
github.com/angular/angu...
#Angular #WebSecurity #XSS #Frontend #AngularSecurity #CVE

2 1 0 0
CVE-2026-4169: Cross Site Scripting in Tecnick TCExam CVE-2026-4169 is a cross-site scripting vulnerability identified in the Tecnick TCExam application, affecting versions 16.0 through 16.6.0. The vulnerability resides in the F_xml_export_users function of the admin/code/tce_xml_users.php fil

Tecnick TCExam (16.0 – 16.6.0) hit by MEDIUM XSS (CVE-2026-4169) in XML export. Admins: upgrade to 16.6.1, restrict admin access, & audit logs. Details: radar.offseq.com/threat/cve-2026-4169-cro... #OffSeq #XSS #PatchNow

0 0 0 0

Sec-Context: exhaustive anti-pattern reference for LLM-generated code (breadth ~65K tokens, depth ~100K tokens). Highlights dependency squatting, XSS, hardcoded secrets and proposes a review agent approach. #XSS #LLM #dependency_squatting https://bit.ly/3PmM9WR

0 0 0 0
CVE-2026-32626: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-32626 is a critical security vulnerability affecting AnythingLLM Desktop versions 1.11.1 and earlier, developed by Mintplex-Labs. The vulnerability is classified as CWE-79, an improper neutralization of input during web page genera

Critical XSS in AnythingLLM Desktop ≤1.11.1 (CVSS 9.7) enables remote code execution via chat input. Patch ASAP or restrict chat & secure Electron configs. Stay protected! radar.offseq.com/threat/cve-2026-32626-cw... #OffSeq #Security #XSS

0 0 0 0
GitHub - spmedia/Threat-Actor-Usernames-Scrape: A collection of intel and usernames scraped from various cybercrime sources & forums. DarkForums, HackForums, Patched, Cracked, BreachForums, LeakBase, XSS, Dread, & more - spmedia/Threat-A...

500k+ threat actor usernames atm and quickly growing.

Should be able to hit 1M+ in 2026 :)

#cti #threatintel #osint #infosec #cybersecurity #hacking #threatactors #usernames #darkforums #hackforums #dread #oguser #xss #darknetarmy #ogu #leakbase #breachstars

github.com/spmedia/Thre...

1 0 0 0

GitLab releases critical security updates addressing XSS and DoS vulnerabilities. Admins urged to update to versions 18.9.2, 18.8.6, or 18.7.6 immediately. #GitLab #CyberSecurity #XSS #DoS Link: thedailytechfeed.com/gitlab-issue...

0 0 0 0
Original post on danq.me

[Article: Why Security Engineering needs a Hacker Mentality]

Security engineering is about a lot of things, but the best security engineers show the 'hacker mindset' characteristics of curiosity and imagination. Here's an example of how I found an XSS vulnerability in a forum, mostly by […]

1 0 1 0

Found Reflected XSS on a bug bounty target 🎯

Payload:

<img src=x onerror=prompt(/XSS/)>

Reported responsibly ✅

#BugBounty #XSS #InfoSec

3 0 0 0

Goodbye innerHTML, Hello setHTML The new .setHTML() method in JavaScript, part of the Sanitizer API, can be a one-to-one replacement for .innerHTML(), making sites more secure from XSS attacks. I t...

#The #Beat #JavaScript #Sanitizer #API #XSS


2 0 0 0
CVE-2026-1261: CWE-79 Improper Neutralization of Input During Web Page Generatio CVE-2026-1261 is a stored Cross-Site Scripting (XSS) vulnerability identified in the MetForm Pro plugin for WordPress, specifically affecting the Quiz feature in all versions up to 3.9.6. The root cause is insufficient sanitization of user

MetForm Pro for WordPress hit by HIGH-severity stored XSS (all versions, Quiz feature). Unauthenticated attackers can inject scripts. Disable Quiz & monitor for patches now. radar.offseq.com/threat/cve-2026-1261-cwe... #OffSeq #WordPress #XSS

0 0 0 0
CVE-2026-30862: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-30862 is a critical stored Cross-Site Scripting (XSS) vulnerability identified in the Appsmith platform, a tool used for building admin panels, internal tools, and dashboards. The vulnerability exists in the Table Widget (TableWidg

CRITICAL: Appsmith <1.96 has a stored XSS flaw (CVE-2026-30862) in TableWidgetV2. Admin account takeover possible via 'Invite Users'. Upgrade to 1.96+ now! radar.offseq.com/threat/cve-2026-30862-cw... #OffSeq #XSS #Appsmith

0 0 0 0
DalFox Guide: Master the XSS Scanner for Pentesting Discover DalFox, the essential pentesting tool for finding XSS vulnerabilities. A step-by-step guide to its installation and use.

Ready to hunt XSS vulnerabilities? 🦊 We walk you step by step through mastering DalFox, the XSS scanner you need in your pentesting toolkit. #DalFox #XSS #Pentesting #Ciberseguridad

0 0 0 0
CVE-2026-1074: CWE-79 Improper Neutralization of Input During Web Page Generatio CVE-2026-1074 is a stored cross-site scripting (XSS) vulnerability identified in the WP App Bar plugin for WordPress, affecting all versions up to and including 1.5. The root cause is insufficient input sanitization and output escaping of t

🚨 High-severity XSS in WP App Bar plugin (all versions). Unauthenticated attackers can inject scripts, risking admin credentials. Disable or patch ASAP! radar.offseq.com/threat/cve-2026-1074-cwe... #OffSeq #WordPress #XSS

0 0 0 0

Critical XSS vulnerability (CVE-2026-27970) found in Angular i18n! Developers must update immediately to prevent malicious code execution. #Angular #CyberSecurity #XSS #WebDevelopment Link: thedailytechfeed.com/high-severit...

0 0 0 0
Context Is Everything: A Practical Guide to XSS Understanding XSS Using Five PortSwigger Labs.

A breakdown of how execution context determines whether your payload fails or fires — using hands-on PortSwigger labs.

#xss #BugBounty #ethicalhacking #CyberSecurityAwareness

I just published Context Is Everything: A Practical Guide to XSS medium.com/p/context-is...

0 0 0 0
CVE-2026-3412: Cross Site Scripting in itsourcecode University Management System CVE-2026-3412 is a cross-site scripting (XSS) vulnerability identified in the itsourcecode University Management System version 1.0. The flaw resides in the /att_single_view.php script, specifically in the handling of the 'dt' parameter. Th

itsourcecode University Management System v1.0 hit by MEDIUM XSS (CVE-2026-3412). Public exploit out — patch or sanitize input to prevent session hijack & info theft. Details: radar.offseq.com/threat/cve-2026-3412-cro... #OffSeq #XSS #EdTech

0 0 0 0
My First XSS Vulnerability. The Day I Started My Bug Bounty Journey Introduction:

Just got my first XSS vulnerability accepted on OpenBugBounty! 🎉

Found a Stored XSS and reported it responsibly.

Full write-up here: medium.com/@moohammaduz...

Starting my bug bounty journey! 🚀

#BugBounty #XSS #CyberSecurity #EthicalHacking #StoredXSS #CyberSecurityStudent

6 0 0 0
CVE-2026-3010: CWE-79 Improper Neutralization of Input During Web Page Generatio CVE-2026-3010 is a critical vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-site Scripting (XSS), affecting Microchip's TimePictra software versions 11.0 through 1

CRITICAL XSS in Microchip TimePictra (v11.0 – 11.3 SP2) lets remote attackers inject scripts. No patch yet — restrict web access, set WAF rules, and monitor activity. Details: radar.offseq.com/threat/cve-2026-3010-cwe... #OffSeq #XSS #ICS

0 0 0 0