Security news aggregator

Latest coverage for XSS

XSS lets attackers run scripts in a victim's browser, enabling data theft or account abuse; contextual output encoding and CSP reduce risk.

30 headlines in this view

Refine the feed

Search across headline titles and summaries.

Tag briefing

Background for this topic.

Cross-site scripting (XSS) is a web-application flaw in which attacker-controlled input is interpreted as script in another user’s browser. It can be stored in application data, reflected in an immediate response, or introduced by unsafe client-side code (DOM-based XSS). The script runs in the affected site’s origin, so it may read page content, alter requests, or perform actions available to the victim; impact depends on the victim’s privileges and the application’s defenses.

The primary mitigation is context-aware output encoding: treat untrusted data as text when inserting it into HTML, attributes, URLs, JavaScript, or CSS, and use safe DOM APIs such as textContent rather than unsafe HTML insertion. If user-authored HTML is required, apply a well-tested HTML sanitizer. A restrictive Content Security Policy can limit exploitability but is defense in depth, not a substitute for correct encoding. HttpOnly cookies can reduce direct cookie theft, but do not prevent XSS from performing in-session actions.

Volume over time

Weekly headline count for the current query.

Showing 20 most recent headlines of 30 Filtered view

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged government agencies to apply patches for two security flaws impacting Synacor Zimbra Collaboration Suite (ZCS) and Microsoft Office SharePoint, stating they have been actively exploited in the wild

React conquered XSS? Think again. That's the reality facing JavaScript developers in 2025, where attackers have quietly evolved their injection techniques to exploit everything from prototype pollution to AI-generated code, bypassing the very frameworks designed to keep applications secure

A Russia-linked threat actor has been attributed to a cyber espionage operation targeting webmail servers such as Roundcube, Horde, MDaemon, and Zimbra via cross-site scripting (XSS) vulnerabilities, including a then-zero-day in MDaemon, according to new findings from ESET

Loading more headlines...