Shiba markdown live preview app version 1.1.0 is vulnerable to XSS which leads to code execution due to enabled node integration.

Leanote version <= 2.5 is vulnerable to XSS due to not sanitized input in markdown notes

marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.

eZ Systems eZ Publish version 5.4.0 to 5.4.9, and 5.3.12 and older, is vulnerable to an XSS issue in the search module, resulting in a risk of attackers injecting scripts which may e.g. steal authentication credentials.

Eleix Openhacker version 0.1.47 is vulnerable to a XSS vulnerability in the bank transactions component resulting in arbitrary code execution in the browser.

Passbolt API version 1.6.4 and older are vulnerable to a XSS in the url field on the password workspace

The ILLID Share This Image plugin before 1.04 for WordPress has XSS via the sharer.php url parameter.

The Z-URL Preview plugin 1.6.1 for WordPress has XSS via the class.zlinkpreview.php url parameter.

The MyCBGenie Affiliate Ads for Clickbank Products plugin through 1.6 for WordPress has XSS via the text_ads_ajax.php border_color parameter.

The E-goi Smart Marketing SMS and Newsletters Forms plugin before 2.0.0 for WordPress has XSS via the admin/partials/custom/egoi-for-wp-form_egoi.php url parameter.

netpub/server.np in Extensis Portfolio NetPublish has XSS in the quickfind parameter, aka Open Bug Bounty ID OBB-290447.

Zurmo 3.2.3 allows XSS via the latitude or longitude parameter to maps/default/mapAndPoint.

Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have XSS via e-mail templates that are mishandled during a preview, aka APPSEC-1503.

custom/run.cgi in Webmin before 1.870 allows remote authenticated administrators to conduct XSS attacks via the description field in the custom command functionality.

PHPJabbers File Sharing Script 1.0 has stored XSS in the comments section.

PHPJabbers Night Club Booking Software has stored XSS in the name parameter in the reservations tab.

PHPJabbers Star Rating Script 4.0 has stored XSS via a rating item.

PHPJabbers PHP Newsletter Script 4.2 has stored XSS in lists in the admin panel.

Biometric Shift Employee Management System has XSS via the Last_Name parameter in an index.php?user=ajax request.

Biometric Shift Employee Management System has XSS via the criteria parameter in an index.php?user=competency_criteria request.