Hashtag: #xss
CVE-2026-5425: CWE-79 Improper Neutralization of Input During Web Page Generatio CVE-2026-5425 is a stored cross-site scripting vulnerability in the trustindex Widgets for Social Photo Feed WordPress plugin affecting all versions up to 1.7.9. The issue is due to improper neutralization of input in the 'feed_data' parame

HIGH severity XSS in trustindex Widgets for Social Photo Feed (≤1.7.9) lets unauthenticated attackers inject scripts via 'feed_data'. No patch yet — disable plugin ASAP. radar.offseq.com/threat/cve-2026-5425-cwe... #OffSeq #WordPress #XSS

CVE-2026-34564: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-34564 is a stored DOM-based cross-site scripting vulnerability affecting ci4ms, a CMS built on the CodeIgniter 4 framework. The flaw exists in versions prior to 0.31.0.0 within the Menu Management functionality, where user-controll

ci4ms CMS < 0.31.0.0 faces CRITICAL stored XSS (CVE-2026-34564). Exploitable via Menu Management with low privileges. Update to 0.31.0.0+ & check for script injections ASAP! radar.offseq.com/threat/cve-2026-34564-cw... #OffSeq #XSS #infosec

CVE-2026-34565: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-34565 is a stored DOM-based cross-site scripting vulnerability affecting ci4ms, a CMS built on the CodeIgniter 4 framework. The vulnerability arises from improper neutralization of user-controlled input during web page generation,

Critical XSS found in ci4ms (<0.31.0.0): Low-priv users can inject persistent scripts in menus, risking admin & user data. Upgrade to 0.31.0.0+ immediately. radar.offseq.com/threat/cve-2026-34565-cw... #OffSeq #XSS #AppSec

CVE-2026-34566: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-34566 is a stored cross-site scripting (XSS) vulnerability identified in ci4ms, a CMS built on the CodeIgniter 4 framework. The vulnerability stems from the application’s failure to properly neutralize user-supplied input within th

ci4ms < 0.31.0.0 hit by critical stored XSS (CVSS 9.1). Attackers can inject persistent JavaScript via Page Management. Patch to 0.31.0.0+ & review content now! radar.offseq.com/threat/cve-2026-34566-cw... #OffSeq #XSS #Security

CVE-2026-34567: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-34567 is a stored cross-site scripting (XSS) vulnerability identified in ci4ms, a CMS built on the CodeIgniter 4 framework. The vulnerability arises from improper neutralization of user-supplied input during web page generation, sp

ci4ms < 0.31.0.0 hit by CRITICAL XSS (CVE-2026-34567) — attackers can inject persistent JavaScript via blog categories. Upgrade & audit now! radar.offseq.com/threat/cve-2026-34567-cw... #OffSeq #XSS #security

CVE-2026-34568: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-34568 is a stored cross-site scripting (XSS) vulnerability identified in ci4ms, a modular CMS built on the CodeIgniter 4 framework. The vulnerability arises from improper neutralization of user-controlled input during blog post cre

Critical XSS in ci4ms (<0.31.0.0): attackers can inject persistent JS via blog posts. Upgrade to 0.31.0.0 ASAP to block data theft & session hijacking. Details: radar.offseq.com/threat/cve-2026-34568-cw... #OffSeq #XSS #security

CVE-2026-34569: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-34569 is a critical stored cross-site scripting (XSS) vulnerability affecting ci4ms, a CMS built on the CodeIgniter 4 framework. The vulnerability arises from improper neutralization of user input during web page generation, specif

ci4ms CMS <0.31.0.0 has CRITICAL XSS (CVE-2026-34569): attackers can inject JS in blog categories, risking total compromise. Patch now! radar.offseq.com/threat/cve-2026-34569-cw... #OffSeq #XSS #CMSecurity

CVE-2026-34571: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-34571 is a critical Stored Cross-Site Scripting vulnerability identified in ci4ms, a CMS built on the CodeIgniter 4 framework. The vulnerability exists in versions prior to 0.31.0.0 within the backend user management functionality,

CRITICAL: ci4ms (<0.31.0.0) has a stored XSS flaw (CVE-2026-34571) in backend user management — admin sessions at risk. Upgrade to 0.31.0.0+ now. More: radar.offseq.com/threat/cve-2026-34571-cw... #OffSeq #XSS #PatchNow

CVE-2026-34448: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-34448 is a critical stored cross-site scripting vulnerability in the SiYuan personal knowledge management system, specifically affecting versions before 3.6.2. The vulnerability arises from improper input neutralization (CWE-79) du

SiYuan (<3.6.2) hit by CRITICAL XSS (CVSS 9.1) — attackers can escalate to OS command execution! Patch to 3.6.2+ & harden Electron configs now. Details: radar.offseq.com/threat/cve-2026-34448-cw... #OffSeq #SiYuan #XSS

CVE-2026-34558: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-34558 is a stored DOM-based Cross-Site Scripting (XSS) vulnerability identified in ci4ms, a CMS built on the CodeIgniter 4 framework. The vulnerability exists in versions prior to 0.31.0.0 within the Methods Management functionalit

Critical XSS in ci4ms (<0.31.0.0): attackers can store malicious JS in admin UI, exposing sensitive data. Upgrade to 0.31.0.0+ now! 🔒 radar.offseq.com/threat/cve-2026-34558-cw... #OffSeq #XSS #WebSecurity

CVE-2026-33976: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-33976 is a critical security vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code) affecting the Notesnook note-taking application. T

CRITICAL: CVE-2026-33976 in Notesnook Web/Desktop <3.3.11 — stored XSS via Web Clipper leads to potential RCE. Upgrade now! Details: radar.offseq.com/threat/cve-2026-33976-cw... #OffSeq #Vulnerability #XSS

Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website Cybersecurity researchers have disclosed a vulnerability in Anthropic's Claude Google Chrome Extension that could have been exploited to trigger malicious prompts simply by visiting a web page. The flaw "allowed any website to silently inject prompts into that assistant as if the user wrote them," Koi Security researcher Oren Yomtov said in a report shared with The Hacker News. "No clicks, no

iT4iNT SERVER Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website VDS VPS Cloud #Cybersecurity #XSS #Vulnerability #ClaudeExtension #PromptInjection

CVE-2026-2072: CWE-79 Improper neutralization of input during web page generatio CVE-2026-2072 is a cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Analytics probe component of Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer products. This vulnerability affects ver

High-severity XSS flaw in Hitachi Infrastructure Analytics Advisor (CVSS 8.2) lets authenticated users inject scripts. Patch ASAP, restrict access & monitor for threats. radar.offseq.com/threat/cve-2026-2072-cwe... #OffSeq #XSS #SecurityAlert

Why location.href Isn’t Just a Redirect: Understanding Navigation-Based XSS

Most XSS explanations focus on HTML sinks like innerHTML. But not all execution comes from parsing markup.
Nav sinks like location.href don’t parse HTML. They execute destinations via javascript: URIs.
I wrote a breakdown of how this works and how to exploit it:
#xss #tip

medium.com/@marduk.i.am...

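One way to check a value before it is assigned to location.href, as an added example that is not code from the linked Medium post. It runs under Node with the same WHATWG URL parser browsers use; the SITE_ORIGIN value and the sample inputs are constructed for the demonstration.

```javascript
// Added example (not from the Medium post): a navigation sink treats its
// input as a URL, so HTML-escaping does nothing. In a browser,
//   location.href = params.get("next");
// with next = "javascript:alert(document.domain)" runs the script.
// The fix is to parse the value with the same URL parser the browser uses
// and allow only the schemes (and, for a redirect, the origin) you expect.

// Only these schemes may be navigated to. javascript:, data:, vbscript:
// and anything else are refused.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// SITE_ORIGIN is an assumed value standing in for the application's own
// origin; a real page would use location.origin.
const SITE_ORIGIN = "https://app.example";

// Does `target` resolve to a javascript: URL once parsed the way the
// browser parses it? The parser strips leading control characters and
// every embedded tab or newline and lowercases the scheme, so
// "\tJaVa\nScRiPt:alert(1)" still comes out as "javascript:".
function isJavascriptUri(target, base = SITE_ORIGIN + "/") {
  try {
    return new URL(String(target), base).protocol === "javascript:";
  } catch {
    return false; // unparseable input never reaches the sink as a URL
  }
}

// Returns the normalized absolute URL that is safe to assign to
// location.href, or null when the candidate must be refused.
function safeRedirectTarget(target, base = SITE_ORIGIN + "/") {
  let url;
  try {
    url = new URL(String(target), base);
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null; // javascript:, data:, ...
  // A scheme allowlist alone still permits "//evil.example/" (an open
  // redirect); for a post-login redirect also pin the origin.
  if (url.origin !== new URL(base).origin) return null;
  return url.href;
}

// Constructed sample values an attacker might supply in ?next=.
const SAMPLES = [
  "/account",
  "https://app.example/logout",
  "javascript:alert(document.domain)",
  "JaVaScRiPt:alert(1)",                      // scheme is case-insensitive
  "\tjavascript:alert(1)",                    // leading tab is stripped by the parser
  "java\nscript:alert(1)",                    // embedded newline is stripped too
  "data:text/html,<script>alert(1)</script>", // not an HTML sink, still refused
  "//evil.example/phish",                     // protocol-relative open redirect
];

// Audit every sample: returns [candidate, verdict] pairs.
function auditSamples(samples = SAMPLES) {
  return samples.map((s) => [s, safeRedirectTarget(s) ?? "REFUSED"]);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [candidate, verdict] of auditSamples()) {
    console.log(JSON.stringify(candidate).padEnd(48), "->", verdict);
  }
}
```

Run it with `node nav-sink.js`; every javascript: and data: variant is refused, and so is the protocol-relative URL, which a scheme-only check would have let through. Note that a `startsWith("javascript:")` test fails on the tab, newline and mixed-case variants, which is why the check parses the value instead of inspecting the raw string.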

You have surely experienced a variable being "gone" as soon as a method finishes. At the same time...

magicmarcy.de/heap-stack-und-metaspace...

#Heap #Stack #Metaspace #Lebensdauer #Speicher #Xms #Xmx #Xss #Programming #Java #JVM #Coding

The Invisible Breach: 'Operation GhostMail' Uses Zero-Click XSS to Hijack Ukrainian Webmail Seqrite Labs uncovers Operation GhostMail, an APT28-linked campaign using a zero-click XSS flaw in Zimbra to silently hijack Ukrainian government webmail.

Operation GhostMail is an attack that uses a stored XSS in Zimbra to quietly take over the email environments of Ukrainian government-related organizations using nothing but the email body. The key point is that no attachment or suspicious link is needed: the recipient merely opens the email in the vulnerable Zimbra Classic UI, and credentials, session tokens, 2FA backup codes and even the last 90 days of email are exfiltrated.

#CyberSecurity #ThreatIntel #Zimbra #Ukraine #XSS #GhostMail
securityonline.info/invisible-br...

Russian hackers exploit Zimbra flaw in Ukrainian govt attacks Hackers part of APT28, a state-backed threat group linked to Russia's military intelligence service (GRU), are exploiting a Zimbra Collaboration Suite (ZCS) vulnerability in attacks targeting Ukrainia...

APT28 is using the Zimbra stored XSS vulnerability CVE-2025-66376 to target the email environments of Ukrainian government-related organizations. The key point is that, with no attachment or suspicious link, an HTML email body alone is enough to exfiltrate credentials, session tokens, 2FA backup codes, saved passwords and the last 90 days of email.

#CyberSecurity #ThreatIntel #APT28 #Zimbra #Ukraine #XSS
www.bleepingcomputer.com/news/securit...

CISA orders feds to patch Zimbra XSS flaw exploited in attacks CISA has ordered U.S. government agencies to secure their servers against an actively exploited vulnerability in the Zimbra Collaboration Suite (ZCS).

#CISA orders feds to patch #Zimbra #XSS flaw exploited in attacks

www.bleepingcomputer.com/news/security/cisa-order...

#cybersecurity


Alert: Critical #XSS vulnerability (CVE-2026-32635) in #Angular exposes web apps to attacks. Update to patched versions immediately to secure your applications. #CyberSecurity #WebDevelopment Link: thedailytechfeed.com/critical-ang...

Goodbye innerHTML, Hello setHTML: Stronger XSS Protection in Firefox 148 – Mozilla Hacks - the Web developer blog Cross-site scripting (XSS) remains one of the most prevalent vulnerabilities on the web. The new standardized Sanitizer API provides a straightforward way for web developers to sanitize untrusted HTML before inserting it into the DOM. Firefox 148 is the first browser to ship this standardized sec…

Goodbye “innerHTML”, Hello “setHTML”: Stronger XSS Protection in Firefox 148, by @mozilla.org:

hacks.mozilla.org/2026/02/goodbye-innerhtm...

#javascript #methods #xss #security #firefox

CVE-2026-31938: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-31938 is a critical cross-site scripting (XSS) vulnerability identified in the parallax jsPDF library, a widely used JavaScript tool for generating PDF documents in browsers. The flaw exists in versions prior to 4.2.1, where the 'o

CRITICAL XSS in parallax jsPDF (<4.2.1): Exploitable via crafted PDF options — scripts run in victim's browser on open. Upgrade to 4.2.1+ now! radar.offseq.com/threat/cve-2026-31938-cw... #OffSeq #XSS #Vuln

Top 4 Web hacking demos for aspiring hackers (with labs and CTF), YouTube video by David Bombal

Fantastic Demos of Web Hacking featuring bug bounty hunter Justin Gardner!

Learn about IDOR, XSS and more.

YouTube video: youtu.be/KBIQE9fo8mU

Big thanks to ThreatLocker for sponsoring my trip to ZTW26 and also for sponsoring this video.

#xss #bug #bounty #idor #hack #hacking #hacker #career

XSS in i18n attribute bindings A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor...

Critical XSS Vulnerability in Angular Patched Now (v19/v20/v21)
A high-severity security vulnerability has been disclosed in Angular: CVE-2026-32635
Affects: compiler/core
When you use an i18n-prefix
github.com/angular/angu...
#Angular #WebSecurity #XSS #Frontend #AngularSecurity #CVE

CVE-2026-4169: Cross Site Scripting in Tecnick TCExam CVE-2026-4169 is a cross-site scripting vulnerability identified in the Tecnick TCExam application, affecting versions 16.0 through 16.6.0. The vulnerability resides in the F_xml_export_users function of the admin/code/tce_xml_users.php fil

Tecnick TCExam (16.0 – 16.6.0) hit by MEDIUM XSS (CVE-2026-4169) in XML export. Admins: upgrade to 16.6.1, restrict admin access, & audit logs. Details: radar.offseq.com/threat/cve-2026-4169-cro... #OffSeq #XSS #PatchNow


Sec-Context: exhaustive anti-pattern reference for LLM-generated code (breadth ~65K tokens, depth ~100K tokens). Highlights dependency squatting, XSS, hardcoded secrets and proposes a review agent approach. #XSS #LLM #dependency_squatting https://bit.ly/3PmM9WR

CVE-2026-32626: CWE-79: Improper Neutralization of Input During Web Page Generat CVE-2026-32626 is a critical security vulnerability affecting AnythingLLM Desktop versions 1.11.1 and earlier, developed by Mintplex-Labs. The vulnerability is classified as CWE-79, an improper neutralization of input during web page genera

Critical XSS in AnythingLLM Desktop ≤1.11.1 (CVSS 9.7) enables remote code execution via chat input. Patch ASAP or restrict chat & secure Electron configs. Stay protected! radar.offseq.com/threat/cve-2026-32626-cw... #OffSeq #Security #XSS

GitHub - spmedia/Threat-Actor-Usernames-Scrape: A collection of intel and usernames scraped from various cybercrime sources & forums. DarkForums, HackForums, Patched, Cracked, BreachForums, LeakBase, XSS, Dread, & more - spmedia/Threat-A...

500k+ threat actor usernames atm and quickly growing.

Should be able to hit 1M+ in 2026 :)

#cti #threatintel #osint #infosec #cybersecurity #hacking #threatactors #usernames #darkforums #hackforums #dread #oguser #xss #darknetarmy #ogu #leakbase #breachstars

github.com/spmedia/Thre...


GitLab releases critical security updates addressing XSS and DoS vulnerabilities. Admins urged to update to versions 18.9.2, 18.8.6, or 18.7.6 immediately. #GitLab #CyberSecurity #XSS #DoS Link: thedailytechfeed.com/gitlab-issue...

Original post on danq.me

[Article: Why Security Engineering needs a Hacker Mentality]

Security engineering is about a lot of things, but the best security engineers show the 'hacker mindset' characteristics of curiosity and imagination. Here's an example of how I found an XSS vulnerability in a forum, mostly by […]


Found Reflected XSS on a bug bounty target 🎯

Payload:

<img src=x onerror=prompt(/XSS/)>

Reported responsibly ✅

#BugBounty #XSS #InfoSec
