ZCyberNews

#xss

9 articles

Nine articles tagged #xss were published between May 9 and May 16, 2026. The coverage is dominated by vulnerability disclosures and patches rather than reported attack campaigns; the one item with confirmed in-the-wild exploitation is the Exchange Server zero-day CVE-2026-42897. Other highlighted identifiers include CVE-2026-44567, CVE-2026-45303 and CVE-2026-45314 (Open WebUI), CVE-2026-44579 and CVE-2026-44580 (Next.js), and older entries such as CVE-2021-47925 (CMDBuild) and CVE-2022-23961 (Thruk). Where CVSS scores are stated they range from 3.3 to 7.5. The severity mix is four high, four medium, and one low. Affected software spans a self-hosted AI platform, a web framework, enterprise mail, ERP, CMDB and monitoring tools, print management, a WordPress payments plugin, and small PHP applications.

Open WebUI Patches Three Flaws: XSS, SVG Injection, Auth Bypass [HIGH]
Vulnerabilities

Open WebUI fixes CVE-2026-45314 (SVG XSS), CVE-2026-45303 (iframe script injection), and CVE-2026-44567 (pending-role auth bypass), all in the self-hosted AI platform.

CVE-2026-45314, CVE-2026-45303, CVE-2026-44567
5 min read
Microsoft Warns of Exchange Zero-Day CVE-2026-42897 Exploited in [HIGH]
Vulnerabilities

CVE-2026-42897 is a high-severity Exchange Server spoofing flaw exploited in the wild, enabling XSS-based script execution in Outlook on the web.

CVE-2026-42897
4 min read
Next.js Patches XSS and DoS Flaws in Cache Components [HIGH]
Vulnerabilities

CVE-2026-44580 (CVSS 6.1) enables XSS via beforeInteractive scripts; CVE-2026-44579 (CVSS 7.5) triggers connection exhaustion in Partial Prerendering.

CVE-2026-44580, CVE-2026-44579
3 min read
CVE-2025-61314: Reflected XSS in Mecury Managed Print Services [HIGH]
Vulnerabilities

CVE-2025-61314: Reflected XSS in GmbH Mecury Managed Print Services docuForm v11.11c allows attackers to execute arbitrary JavaScript in a victim's browser via a crafted payload to dfm-menu_orderopt.php.

CVE-2025-61314
3 min read
Devs Palace ERP Online XSS Flaws Allow Remote Script Injection [MEDIUM]
Vulnerabilities

Two stored XSS vulnerabilities in Devs Palace ERP Online up to 4.0.0 let remote attackers inject scripts via /inventory/addnewcustomer and /inventory/sales_save.

CVE-2026-8255, CVE-2026-8254
3 min read
CMDBuild 3.3.2 Stored XSS Flaw Allows Persistent Script Injection [MEDIUM]
Vulnerabilities

CVE-2021-47925 (CVSS 6.4): Authenticated attackers can inject persistent XSS payloads via Employee card parameters or SVG file attachments in CMDBuild 3.3.2, affecting all users...

CVE-2021-47925
4 min read
WordPress GetPaid Plugin HTML Injection Flaw CVE-2021-47948 [MEDIUM]
Vulnerabilities

CVE-2021-47948 (CVSS 5.4): Authenticated attackers can inject arbitrary HTML via the Help Text field in GetPaid 2.4.6, enabling stored XSS attacks on payment forms.

CVE-2021-47948
3 min read
SourceCodester Pharmacy System XSS Flaw CVE-2026-8136 Published [LOW]
Vulnerabilities

CVE-2026-8136 (CVSS 3.3) enables remote stored XSS in SourceCodester Pharmacy Sales and Inventory System 1.0 via the Name parameter in /index.php?page=users.

CVE-2026-8136
3 min read
Thruk Monitoring XSS Flaw CVE-2022-23961 Lets Attackers Hijack [MEDIUM]
Vulnerabilities

CVE-2022-23961 (CVSS 6.1) in Thruk Monitoring through 2.46.3 enables unauthenticated reflected XSS via the login field, risking session theft for admins.

CVE-2022-23961
3 min read