Scribd Logo
Upload

Welcome to Scribd!

  • 25 views

    2000+ Top XSS Reports From HackerOne

    Uploaded by

    setyahangga3

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    2000+ Top XSS Reports From HackerOne

    Uploaded by

    setyahangga3
    25 views91 pages

    Original Title

    2000+ Top XSS reports from HackerOne

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    25 views91 pages

    2000+ Top XSS Reports From HackerOne

    Uploaded by

    setyahangga3

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 91

    Top XSS reports from HackerOne (2000+)

    1. Bypass for #488147 enables stored XSS on https://paypal.com/signin again to PayPal - 2572 upvotes, $20000
    2. Stored XSS on https://paypal.com/signin via cache poisoning to PayPal - 654 upvotes, $18900
    3. Reflected XSS on https://www.glassdoor.com/employers/sem-dual-lp/ to Glassdoor - 636 upvotes, $0
    4. Stored XSS in Wiki pages to GitLab - 599 upvotes, $0
    5. Stored XSS on imgur profile to Imgur - 591 upvotes, $0
    6. Reflected XSS in OAUTH2 login flow to LY Corporation - 472 upvotes, $1989
    7. XSS in steam react chat client to Valve - 457 upvotes, $7500
    8. Cross-Site-Scripting on www.tiktok.com and m.tiktok.com leading to Data Exfiltration to TikTok - 452 upvotes, $0
    9. XSS vulnerable parameter in a location hash to Slack - 442 upvotes, $0
    10. One-click account hijack for anyone using Apple sign-in with Reddit, due to response-type switch + leaking href to XSS on
    www.redditmedia.com to Reddit - 441 upvotes, $10000
    11. Blind XSS on image upload to CS Money - 415 upvotes, $1000
    12. Panorama UI XSS leads to Remote Code Execution via Kick/Disconnect Message to Valve - 408 upvotes, $0
    13. Stored XSS Vulnerability to WordPress - 397 upvotes, $0
    14. Reflected XSS and sensitive data exposure, including payment details, on lioncityrentals.com.sg to Uber - 371 upvotes, $4000
    15. Reflected XSS on www.hackerone.com and resources.hackerone.com to HackerOne - 360 upvotes, $500
    16. [accounts.reddit.com] Redirect parameter allows for XSS to Reddit - 352 upvotes, $5000
    17. Stored XSS in wordpress.com to Automattic - 348 upvotes, $0
    18. HEY.com email stored XSS to Basecamp - 347 upvotes, $5000
    19. Reflected XSS in TikTok endpoints to TikTok - 346 upvotes, $0
    20. Blind XSS on Twitter's internal Big Data panel at █████████████ to X (Formerly Twitter) - 344 upvotes, $0
    21. Stored XSS in Private Message component (BuddyPress) to WordPress - 331 upvotes, $0
    22. XSS while logging using Google to Shopify - 328 upvotes, $1750
    23. DOM XSS on duckduckgo.com search to DuckDuckGo - 317 upvotes, $0
    24. Stored XSS in my staff name fired in another your internal panel to Shopify - 317 upvotes, $0
    25. Reflected XSS to Bumble - 314 upvotes, $1000
    26. Reflected XSS at https://pay.gold.razer.com escalated to account takeover to Razer - 287 upvotes, $750
    27. yelp.com XSS ATO (via login keylogger, link Google account) to Yelp - 286 upvotes, $0
    28. Stored XSS in markdown via the DesignReferenceFilter to GitLab - 278 upvotes, $16000
    29. Cross-site Scripting (XSS) - Stored in RDoc wiki pages to GitLab - 276 upvotes, $3500
    30. Unrestricted file upload leads to Stored XSS to Visma Public - 268 upvotes, $250
    31. Persistent XSS on keybase.io via "payload" field in /user/sigchain_signature.toffee template to Keybase - 265 upvotes, $0
    32. Stored XSS via Kroki diagram to GitLab - 260 upvotes, $13950
    33. Account takeover through the combination of cookie manipulation and XSS to Grammarly - 259 upvotes, $0
    34. RichText parser vulnerability in scheduled posts allows XSS to Reddit - 252 upvotes, $5000
    35. Arbitrary File Upload to Stored XSS to Visma Public - 245 upvotes, $250
    36. Stored xss in address field in billing activity at https://shop.aaf.com/Order/step1/index.cfm to Alliance of American Football - 238 upvotes, $0
    37. XSS and Open Redirect on MoPub Login to X (Formerly Twitter) - 231 upvotes, $1540
    38. XSS via Direct Message deeplinks to X (Formerly Twitter) - 228 upvotes, $0
    39. Cross-site Scripting (XSS) on HackerOne careers page to HackerOne - 224 upvotes, $500
    40. Reflected XSS on www.hackerone.com via Wistia embed code to HackerOne - 224 upvotes, $500
    41. Unsafe charts embedding implementation leads to cross-account stored XSS and SSRF to New Relic - 224 upvotes, $0
    42. XSS At "pages.et.uber.com" to Uber - 221 upvotes, $0
    43. [panel.city-mobil.ru/admin/] Blind XSS into username to Mail.ru - 219 upvotes, $0
    44. [www.zomato.com] Blind XSS on one of the Admin Dashboard to Zomato - 214 upvotes, $750
    45. Stored XSS in developer.uber.com to Uber - 213 upvotes, $7500
    46. Stored XSS on reports. to X (Formerly Twitter) - 213 upvotes, $700
    47. XSS at jamfpro.shopifycloud.com to Shopify - 206 upvotes, $9400
    48. Config override using non-validated query parameter allows at least reflected XSS by injecting configuration into state to Grammarly - 205
    upvotes, $3000
    49. XSS via Mod Log Removed Posts to Reddit - 203 upvotes, $6000
    50. Ability to create own account UUID leads to stored XSS to Upserve - 197 upvotes, $1500
    51. XSS and cache poisoning via upload.twitter.com on ton.twitter.com to X (Formerly Twitter) - 195 upvotes, $0
    52. Stored XSS on TikTok Ads to TikTok - 191 upvotes, $2500
    53. DOM Based XSS in www.hackerone.com via PostMessage to HackerOne - 189 upvotes, $500
    54. H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie Stuffing to Shopify - 188 upvotes, $0
    55. Stored Xss Vulnerability on ████████ to U.S. Dept Of Defense - 187 upvotes, $0
    56. XSS STORED AT socialclub.rockstargames.com (add friend request from profile attacker) to Rockstar Games - 187 upvotes, $0
    57. Chaining Bugs: Leakage of CSRF token which leads to Stored XSS and Account Takeover (xs1.tribalwars.cash) to InnoGames - 186 upvotes,
    $1100
    58. XSS on Desktop Client to Keybase - 173 upvotes, $0
    59. Stored XSS & SSRF in Lark Docs to Lark Technologies - 171 upvotes, $3000
    60. Reflected Cross site Scripting (XSS) on www.starbucks.com to Starbucks - 167 upvotes, $0
    61. XSS at https://exchangemarketplace.com/blogsearch to Shopify - 166 upvotes, $0
    62. DOM Based XSS via postMessage at https://inventory.upserve.com/login/ to Upserve - 163 upvotes, $2500
    63. Cross-account stored XSS at embedded charts to New Relic - 157 upvotes, $0
    64. Stored-XSS with CSP-bypass via labels' color to GitLab - 156 upvotes, $0
    65. XSS in gist integration to Slack - 154 upvotes, $500
    66. xss on https://www.rockstargames.com/GTAOnline/jp/screens/ to Rockstar Games - 154 upvotes, $0
    67. IE only: stored Cross-Site Scripting (XSS) vulnerability through Program Asset identifier to HackerOne - 148 upvotes, $2500
    68. Stored XSS in notes (charts) because of insecure chart data JSON generation to New Relic - 146 upvotes, $0
    69. Prototype Pollution leads to XSS on https://blog.swiftype.com/#proto[asd]=alert(document.domain) to Elastic - 144 upvotes, $2000
    70. XSS in www.shopify.com/markets?utm_source= to Shopify - 144 upvotes, $700
    71. Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP to
    HackerOne - 143 upvotes, $1500
    72. CSRF leads to a stored self xss to Imgur - 142 upvotes, $0
    73. Stored XSS in IE11 on hackerone.com via custom fields to HackerOne - 141 upvotes, $0
    74. XSS Reflected on reddit.com via url path to Reddit - 141 upvotes, $0
    75. Reflected xss in https://sh.reddit.com to Reddit - 140 upvotes, $5000
    76. XSS via message subject - mobile application to Mail.ru - 139 upvotes, $1000
    77. Stored XSS in Notes (with CSP bypass for gitlab.com) to GitLab - 137 upvotes, $13950
    78. XSS - main page - search[user_id] parameter to OLX - 136 upvotes, $0
    79. XSS reflected on [https://www.pixiv.net] to pixiv - 135 upvotes, $500
    80. Persistent XSS in Note objects to GitLab - 134 upvotes, $4500
    81. Reflected XSS in twitterflightschool.com to X (Formerly Twitter) - 132 upvotes, $1120
    82. Stored XSS on byddypress Plug-in via groups name to WordPress - 131 upvotes, $0
    83. Stored XSS in 'Notes' to Visma Public - 130 upvotes, $250
    84. Reflected XSS at https://www.paypal.com/ppcreditapply/da/us to PayPal - 130 upvotes, $0
    85. Reflected/Stored XSS on duckduckgo.com to DuckDuckGo - 130 upvotes, $0
    86. Stored XSS when uploading files to an invoice to Visma Public - 128 upvotes, $250
    87. Content spoofing and potential Cross-Site Scripting vulnerability on www.hackerone.com to HackerOne - 123 upvotes, $0
    88. Stored XSS in localhost:* via integrated torrent downloader to Brave Software - 122 upvotes, $0
    89. Stored XSS in custom emoji to GitLab - 121 upvotes, $3000
    90. XSS via referrer parameter to X (Formerly Twitter) - 121 upvotes, $0
    91. Stored XSS in private message to Shopify - 120 upvotes, $1000
    92. Stored XSS in Document Title to Localize - 120 upvotes, $50
    93. [First 30] Stored XSS on login.uber.com/oauth/v2/authorize via redirect_uri parameter to Uber - 119 upvotes, $3000
    94. Persistent XSS (unvalidated Open Graph embed) at LinkedIn.com to LinkedIn - 118 upvotes, $0
    95. " 😂 " + Unauthenticated Stored XSS in API at https://api.my.games/comments/v1/comments/update/ to Mail.ru - 117 upvotes, $0
    96. web.icq.com XSS in chat message via contact info to Mail.ru - 116 upvotes, $0
    97. Stored XSS in SVG file as data: url to Shopify - 115 upvotes, $5300
    98. A reflected XSS in python/Lib/DocXMLRPCServer.py to Internet Bug Bounty - 115 upvotes, $0
    99. Reflected XSS on https://inventory.upserve.com/ (affects IE users only) to Upserve - 114 upvotes, $0
    100. Stored XSS vulnerability in comments on *.wordpress.com to Automattic - 114 upvotes, $0
    101. Possible XSS vulnerability without a content security bypass to Stripe - 113 upvotes, $2000
    102. Stored XSS in backup scanning plan name to Acronis - 113 upvotes, $500
    103. XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog" to Shopify -
    112 upvotes, $3000
    104. Stored XSS in Snapmatic + R★Editor comments to Rockstar Games - 112 upvotes, $0
    105. Reflected Cross-site Scripting (XSS) at https://www.tiktok.com/ to TikTok - 112 upvotes, $0
    106. Reflected XSS on https://www.uber.com to Uber - 111 upvotes, $0
    107. XSS via JavaScript evaluation of an attacker controlled resource at www.pornhub.com to Pornhub - 109 upvotes, $250
    108. Reflected xss on ads.tiktok.com using from parameter. to TikTok - 109 upvotes, $0
    109. Insecure file upload in xiaoai.mi.com Lead to Stored XSS to Xiaomi - 107 upvotes, $0
    110. Stored XSS on www.hackerone.com due to deleted S3-bucket from old page_widget to HackerOne - 105 upvotes, $500
    111. XSS: Group search terms to Vanilla - 105 upvotes, $0
    112. Web Cache Poisoning leads to Stored XSS to Glassdoor - 105 upvotes, $0
    113. DOM Based XSS in www.hackerone.com via PostMessage (bypass of #398054) to HackerOne - 104 upvotes, $0
    114. Stored XSS on any page in most Uber domains to Uber - 103 upvotes, $6000
    115. Reflected XSS in VPN Appliance to New Relic - 103 upvotes, $0
    116. DOM XSS at https://www.thx.com in IE/Edge browser to Razer - 102 upvotes, $250
    117. XSS at https://www.glassdoor.com/Salary/* via filter.jobTitleExact to Glassdoor - 102 upvotes, $0
    118. Stored XSS on team.slack.com using new Markdown editor of posts inside the Editing mode and using javascript-URIs to Slack - 101 upvotes,
    $1000
    119. Stored XSS in Shopify Chat to Shopify - 101 upvotes, $500
    120. XSS in SocialIcon Link to Linktree - 100 upvotes, $0
    121. DOM XSS on ads.tiktok.com to TikTok - 99 upvotes, $2500
    122. XSS [flow] - on www.paypal.com/paypalme/my/landing (requires user interaction) to PayPal - 98 upvotes, $0
    123. Reflected XSS in *.myshopify.com/account/register to Shopify - 97 upvotes, $1500
    124. [www.zomato.com] Blind XSS in one of the admin dashboard to Zomato - 97 upvotes, $500
    125. RXSS to Stored XSS - forums.pubg.com | URL parameter to PUBG - 97 upvotes, $0
    126. Reflected XSS on https://make.wordpress.org via 'channel' parameter to WordPress - 95 upvotes, $0
    127. Stored XSS via Create a Fetish section. to FetLife - 94 upvotes, $0
    128. Blind XSS in app.pullrequest.com/████████ via /reviews/ratings/{uuid} to HackerOne - 94 upvotes, $0
    129. XSS in request approvals to GitLab - 93 upvotes, $3000
    130. Stored XSS on TikTok Live Form to TikTok - 93 upvotes, $1500
    131. Reflected XSS in pubg.com to PUBG - 93 upvotes, $0
    132. DOM XSS at www.forescout.com in Microsoft Edge and IE Browser to ForeScout Technologies - 93 upvotes, $0
    133. Stored XSS on app.crowdsignal.com + your-subdomain.survey.fm via Embed Media to Automattic - 93 upvotes, $0
    134. DOM-based XSS on mobile.line.me to LY Corporation - 92 upvotes, $0
    135. XSS in Email Input [intensedebate.com] to Automattic - 92 upvotes, $0
    136. Blind XSS on Twitter's internal Jira panel at ████ allows exfiltration of hackers reports and other sensitive data to X (Formerly Twitter) - 92
    upvotes, $0
    137. Bypass: Stored-XSS with CSP-bypass via scoped labels' color to GitLab - 92 upvotes, $0
    138. Reflected XSS online-store-git.shopifycloud.com to Shopify - 91 upvotes, $3500
    139. CSTI at Plugin page leading to active stored XSS (Publisher name) to New Relic - 91 upvotes, $0
    140. CSP-bypass XSS in project settings page to GitLab - 91 upvotes, $0
    141. DOM-Based XSS in tumblr.com to Automattic - 90 upvotes, $0
    142. Stored xss at https://█.8x8.com/api/█/ID to 8x8 Bounty - 90 upvotes, $0
    143. Stored XSS in vanilla to Vanilla - 89 upvotes, $300
    144. Stored XSS to Mail.ru - 89 upvotes, $0
    145. Stored XSS in vanilla to Vanilla - 88 upvotes, $300
    146. DOM based XSS on *.██████.com via document.domain sink in Safari to ██████ - 87 upvotes, $0
    147. Stored XSS in "Create Groups" to GitLab - 86 upvotes, $2500
    148. capsula.mail.ru - Admin blind stored XSS to Mail.ru - 86 upvotes, $1500
    149. Reflected XSS on transact.playstation.com using postMessage from the opening window to PlayStation - 86 upvotes, $1000
    150. Cache Poisoning Allows Stored XSS Via hav Cookie Parameter (To Account Takeover) to Expedia Group Bug Bounty - 86 upvotes, $750
    151. CRLF injection leads to internal XSS on PangleGlobal to TikTok - 86 upvotes, $0
    152. Reflected XSS on TikTok Website to TikTok - 85 upvotes, $3000
    153. Stored XSS via malicious key value of Synthetics monitor tag when visiting an Insights dashboard with filtering enabled to New Relic - 85
    upvotes, $2123
    154. CRLF to XSS & Open Redirection to TikTok - 85 upvotes, $0
    155. xss to Pornhub - 84 upvotes, $0
    156. Flash Based Reflected XSS on www.grouplogic.com/jwplayer/player.swf to Acronis - 84 upvotes, $0
    157. Reflected XSS in https://light.mail.ru/login via page to Mail.ru - 83 upvotes, $0
    158. Blind XSS in operator's interface for 33slona.ru to Mail.ru - 83 upvotes, $0
    159. Persistent DOM-based XSS in https://help.twitter.com via localStorage to X (Formerly Twitter) - 82 upvotes, $0
    160. Unrestricted file upload leads to Stored XSS to GitLab - 82 upvotes, $0
    161. XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via whitelist bypass in SVG icon for sales channel applications to Shopify - 81
    upvotes, $5000
    162. [pay.gold.razer.com] Stored XSS - Order payment to Razer - 81 upvotes, $1500
    163. Html Injection and Possible XSS in sms-be-vip.twitter.com to X (Formerly Twitter) - 81 upvotes, $0
    164. DOMXSS in redirect param to Semmle - 81 upvotes, $0
    165. Potential unprivileged Stored XSS through wp_targeted_link_rel to WordPress - 80 upvotes, $0
    166. Reflected XSS on http://www.grouplogic.com/files/glidownload/verify.asp to Acronis - 80 upvotes, $0
    167. Reflected XSS в /video to VK.com - 79 upvotes, $500
    168. Reflect XSS on Mobile Search page to Pornhub - 79 upvotes, $250
    169. Urgent! Stored XSS at plugin's violations leading to account takeover to New Relic - 79 upvotes, $0
    170. New /add_contacts /remove_contacts quick commands susseptible to XSS from Customer Contact firstname/lastname fields to GitLab - 78
    upvotes, $13950
    171. Defacement of catalog.data.gov via web cache poisoning to stored DOMXSS to GSA Bounty - 77 upvotes, $750
    172. Stored XSS in Email Templates via link to Judge.me - 77 upvotes, $500
    173. stored XSS in hey.com message content to Basecamp - 77 upvotes, $0
    174. Blind Stored XSS in HackerOne's Sal 4.1.4.2149 (sal.████.com) to HackerOne - 77 upvotes, $0
    175. Stored XSS via Angular Expression injection via Subject while starting conversation with other users. to FetLife - 77 upvotes, $0
    176. Stored XSS in main page of a project caused by arbitrary script payload in group "Default initial branch name" to GitLab - 76 upvotes, $3000
    177. ██████ DOM XSS via Shopify.API.remoteRedirect to Shopify - 76 upvotes, $0
    178. XSS Payload on TikTok Seller Center endpoint to TikTok - 75 upvotes, $1000
    179. Stored XSS in email to Mail.ru - 75 upvotes, $0
    180. Stored XSS on https://app.crowdsignal.com/surveys/[Survey-Id]/question - Bypass to Automattic - 75 upvotes, $0
    181. [https://city-mobil.ru/taxiserv] Blind XSS into username to Mail.ru - 74 upvotes, $0
    182. DOM XSS on duckduckgo.com search to DuckDuckGo - 74 upvotes, $0
    183. XSS from arbitrary attachment upload. to Qulture.Rocks - 74 upvotes, $0
    184. Reflected XSS in https://www.intensedebate.com/js/getCommentLink.php to Automattic - 74 upvotes, $0
    185. Stored XSS in Discounts section to Shopify - 73 upvotes, $1000
    186. XSS via POST request to https://account.mail.ru/signup/ to Mail.ru - 73 upvotes, $1000
    187. Passive stored XSS at broadcast room to Chaturbate - 73 upvotes, $0
    188. xss stored to Shopify - 73 upvotes, $0
    189. Cross-site Scripting (XSS) - Stored on ads.tiktok.com in Text field to TikTok - 73 upvotes, $0
    190. XSS in ZenTao integration affecting self hosted instances without strict CSP to GitLab - 72 upvotes, $13950
    191. Reflective Cross-site Scripting via Newsletter Form to Shopify - 72 upvotes, $2000
    192. Blind XSS in redtube administering site my.reflected.net to Pornhub - 72 upvotes, $1000
    193. Reflected XSS in https://www.starbucks.co.jp/store/search/ to Starbucks - 72 upvotes, $0
    194. Reflected cross-site scripting on multiple Starbucks assets. to Starbucks - 72 upvotes, $0
    195. XSS on tiktok.com to TikTok - 72 upvotes, $0
    196. XSS via Cookie in Mail.ru to Mail.ru - 71 upvotes, $1000
    197. Reflected XSS on www.pornhub.com and www.pornhubpremium.com to Pornhub - 71 upvotes, $750
    198. Multiple XSS on account settings that can hijack any users in the company. to X (Formerly Twitter) - 71 upvotes, $700
    199. RCE, SQLi, IDOR, Auth Bypass and XSS at [staff.███.edu.eg ] to ██████ - 71 upvotes, $0
    200. Stored XSS that allow an attacker to read victim mailboxes contacts in mail.ru and my.com application to Mail.ru - 71 upvotes, $0
    201. XSS on https://partners.acronis.com/ to Acronis - 71 upvotes, $0
    202. Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage to LocalTapiola - 70 upvotes, $5000
    203. [account.mail.ru] XSS-уязвимость в форме авторизации to Mail.ru - 70 upvotes, $1000
    204. New XSS vector in ReaderMode with %READER-TITLE-NONCE% to Brave Software - 69 upvotes, $1000
    205. Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage to LocalTapiola - 69 upvotes, $0
    206. Reflected XSS in <any>.myshopify.com through theme preview to Shopify - 69 upvotes, $0
    207. help.shopify.com Cross Site Scripting to Shopify - 69 upvotes, $0
    208. Possibility to overwrite any file in the vpe.cdn.vimeo.tv leads to the Stored XSS for the all customers on the embed.vhx.tv to Vimeo - 69 upvotes,
    $0
    209. stripo.email reflected xss to Stripo Inc - 69 upvotes, $0
    210. Potential stored Cross-Site Scripting vulnerability in Support Backend to HackerOne - 69 upvotes, $0
    211. Reflected XSS & Open Redirect at mcs main domain to Mail.ru - 68 upvotes, $0
    212. [dev.twitter.com] XSS and Open Redirect to X (Formerly Twitter) - 67 upvotes, $1120
    213. reflected xss in e.mail.ru to Mail.ru - 67 upvotes, $1000
    214. Reflected XSS on secure.chaturbate.com to Chaturbate - 67 upvotes, $800
    215. POST-based XSS on apps.shopify.com to Shopify - 67 upvotes, $500
    216. WordPress Flash XSS in flashmediaelement.swf to Automattic - 67 upvotes, $0
    217. Stored XSS в личных сообщениях to VK.com - 67 upvotes, $0
    218. Stored Self XSS on https://app.crowdsignal.com (in Photo Insert App) + Stored XSS on https://your-subdomain.survey.fm to Automattic - 67
    upvotes, $0
    219. XSS on Videos IA to DuckDuckGo - 67 upvotes, $0
    220. Stored XSS through PDF viewer to Slack - 66 upvotes, $4875
    221. Cross-site Scripting (XSS) - DOM on https://account.mail.ru/user/garage?back_url=https://mail.ru to Mail.ru - 66 upvotes, $1000
    222. Multiple DOMXSS on Amplify Web Player to X (Formerly Twitter) - 66 upvotes, $0
    223. Possible DOM XSS on app.hey.com to Basecamp - 66 upvotes, $0
    224. xss is triggered on your web to Shopify - 66 upvotes, $0
    225. web.icq.com XSS in chat message via contact info to Mail.ru - 65 upvotes, $0
    226. URL Advisor component in KIS products family is vulnerable to Universal XSS to Kaspersky - 65 upvotes, $0
    227. Stored XSS through Facebook Page Connection to Shopify - 65 upvotes, $0
    228. Cross-Site Scripting (XSS) on www.starbucks.com | .co.uk login pages to Starbucks - 65 upvotes, $0
    229. DOM XSS triggered in secure support desk to QIWI - 65 upvotes, $0
    230. XSS in linktr.ee - on link thumbnail adding to Linktree - 64 upvotes, $600
    231. XSS on rockstargames.com to Rockstar Games - 64 upvotes, $500
    232. xss in https://www.uber.com to Uber - 64 upvotes, $0
    233. Cross Site Scripting using Email parameter in Ads endpoint 1 to TikTok - 64 upvotes, $0
    234. Reflected XSS on www.grouplogic.com/video.asp to Acronis - 64 upvotes, $0
    235. Stored Cross-site Scripting on devicelock.com/forum/ to Acronis - 64 upvotes, $0
    236. Stored XSS in /admin/product and /admin/collections to Shopify - 63 upvotes, $5300
    237. Reflected XSS and Server Side Template Injection in all HubSpot CMSes to HubSpot - 63 upvotes, $0
    238. Stored XSS in Post title (PoC) to Imgur - 63 upvotes, $0
    239. Wormable stored XSS in www.evernote.com to Evernote - 62 upvotes, $0
    240. Stored XSS | api.mapbox.com | IE 11 | Styles name to Mapbox - 62 upvotes, $0
    241. Stored XSS in [https://streamlabs.com/dashboard#/*goal] pages to Logitech - 62 upvotes, $0
    242. Authenticated path traversal to Stored XSS and Denial-of-Service to phpBB - 62 upvotes, $0
    243. Xss triggered in Your-store.myshopify.com/admin/apps/shopify-email/editor/**** to Shopify - 61 upvotes, $2900
    244. Stored XSS in Acronis Cyber Protect Console to Acronis - 61 upvotes, $500
    245. Blind XSS in Mobpub Marketplace Admin Production | Sentry via demand.mopub.com (User-Agent) to X (Formerly Twitter) - 61 upvotes, $0
    246. [http_server] Stored XSS in the filename when directories listing to Node.js third-party modules - 61 upvotes, $0
    247. Cross site scripting via file upload in subdomain ads.tiktok.com to TikTok - 60 upvotes, $500
    248. DOM based CSS Injection on grammarly.com to Grammarly - 60 upvotes, $250
    249. [www.zomato.com] Blind XSS in one of the Admin Dashboard to Zomato - 60 upvotes, $0
    250. reflected XSS on panther.com to Panther Labs - 60 upvotes, $0
    251. Reflected XSS on $Any$.myshopify.com/admin to Shopify - 58 upvotes, $1500
    252. XSS via X-Forwarded-Host header to Omise - 58 upvotes, $200
    253. Stored XSS on https://events.hackerone.com to HackerOne - 58 upvotes, $0
    254. [web.icq.com] Stored XSS in Account Name to Mail.ru - 57 upvotes, $1000
    255. Unrestricted file upload when creating quotes allows for Stored XSS to Visma Public - 57 upvotes, $250
    256. Persistent Cross-Site Scripting in default Laravel installation to Laravel - 57 upvotes, $0
    257. Singapore - Unrestricted File Upload Leads to XSS on campaign.starbucks.com.sg/api/upload to Starbucks - 57 upvotes, $0
    258. Stored-XSS on wiki pages to GitLab - 57 upvotes, $0
    259. XSS Reflected at https://sketch.pixiv.net/ Via next_url to pixiv - 56 upvotes, $500
    260. XSS from Mastodon embeds to IRCCloud - 56 upvotes, $500
    261. WAF bypass via double encoded non standard ASCII chars permitted a reflected XSS on response page not found pages - (629745 bypass) to
    Starbucks - 56 upvotes, $0
    262. Stored XSS on upload files leads to steal cookie to Palo Alto Software - 56 upvotes, $0
    263. DOM-Based XSS in tumblr.com to Automattic - 56 upvotes, $0
    264. Web Cache Poisoning leads to XSS and DoS to Glassdoor - 56 upvotes, $0
    265. Stored XSS on wordpress.com to Automattic - 56 upvotes, $0
    266. Stored XSS on activity to Shopify - 55 upvotes, $2000
    267. Reflected XSS at http://promotion.molthailand.com/index.php via promotion_id parameter to Razer - 55 upvotes, $250
    268. The Custom Emoji Page has a Reflected XSS to Slack - 55 upvotes, $0
    269. XSS at TikTok Ads Endpoint to TikTok - 55 upvotes, $0
    270. XSS account.mail.ru to Mail.ru - 54 upvotes, $1000
    271. HTML Injection with XSS possible to Imgur - 54 upvotes, $0
    272. Reflected XSS on https://www.glassdoor.com/job-listing/spotlight to Glassdoor - 54 upvotes, $0
    273. Self XSS to Shopify - 53 upvotes, $500
    274. [manage.jumpbikes.com] Blind XSS on Jump admin panel via user name to Uber - 53 upvotes, $0
    275. Unrestricted File Upload Results in Cross-Site Scripting Attacks to Uber - 53 upvotes, $0
    276. Blind XSS via Feedback form. to Judge.me - 53 upvotes, $0
    277. Reflected XSS Via origCity Parameter (UPPER Case + WAF Protection Bypass) to Expedia Group Bug Bounty - 52 upvotes, $300
    278. Stored XSS in Intense Debate comment system to Automattic - 52 upvotes, $0
    279. CVE-2023-29489 XSS in cpanel at [www.███] - Securado, Oman to U.S. Dept Of Defense - 52 upvotes, $0
    280. Reflected XSS on marketsandresearch.td.com to TD Bank - 51 upvotes, $0
    281. Stored XSS via Mermaid Prototype Pollution vulnerability to GitLab - 50 upvotes, $3000
    282. DOMXSS in Tweetdeck to X (Formerly Twitter) - 50 upvotes, $0
    283. Reflect XSS and CSP Bypass on https://www.paypal.com/businesswallet/currencyConverter/ to PayPal - 50 upvotes, $0
    284. XSS and HTML Injection on the pressable.com search box to Automattic - 50 upvotes, $0
    285. CSRF + XSS REFLECT to Daimler Truck - 50 upvotes, $0
    286. Possibility to inject a malicious JavaScript code in any file on tags.tiqcdn.com results in a stored XSS on any page in most Uber domains to Uber
    - 49 upvotes, $6000
    287. Stored XSS in photos_user_map.gne to Flickr - 49 upvotes, $3263
    288. Stored XSS on the job page to GitLab - 49 upvotes, $3000
    289. Stored XSS on support.rockstargames.com to Rockstar Games - 49 upvotes, $1000
    290. Stored xss to Shopify - 49 upvotes, $1000
    291. XSS в сюжетах. to VK.com - 49 upvotes, $500
    292. XSS through __e2e_action_id delivered by JSONP to Quora - 49 upvotes, $0
    293. Reflected XSS in m.imgur.com to Imgur - 49 upvotes, $0
    294. (Prerelease UI) Stored XSS via role name in JSON chart to New Relic - 48 upvotes, $2500
    295. OX (Guard): Stored Cross-Site Scripting via Incoming Email to Open-Xchange - 48 upvotes, $1000
    296. [careers.informatica.com] Reflected Cross Site Scripting to XSS Shell Possible to Informatica - 48 upvotes, $0
    297. XSS within Shopify Email App - Admin to Shopify - 48 upvotes, $0
    298. Stored XSS in collabora via user name to Nextcloud - 48 upvotes, $0
    299. XSS Reflected in m.vk.com to VK.com - 48 upvotes, $0
    300. XSS on Issue reference numbers to GitLab - 48 upvotes, $0
    301. Stored XSS at https://linkpop.com to Shopify - 48 upvotes, $0
    302. Stored XSS in markdown when redacting references to GitLab - 47 upvotes, $5000
    303. [my.games, lootdog.io] XSS via MCS Bucket to Mail.ru - 47 upvotes, $1333
    304. Email templates XSS by filterXSS bypass to Judge.me - 47 upvotes, $1250
    305. XSS in Desktop Client in the notifications to Nextcloud - 47 upvotes, $750
    306. Stored XSS on store.my.games to Mail.ru - 47 upvotes, $200
    307. Cross Site Scripting(XSS) on IRCCloud Badges Page (using Parameter Pollution) to IRCCloud - 47 upvotes, $0
    308. [Android] XSS via start ContentActivity to Quora - 47 upvotes, $0
    309. csp bypass + xss to X (Formerly Twitter) - 47 upvotes, $0
    310. Reflected XSS to Shopify - 47 upvotes, $0
    311. Stored XSS in wordpress.com to Automattic - 47 upvotes, $0
    312. Reflected xss and open redirect on larksuite.com using /?back_uri= parameter. to Lark Technologies - 47 upvotes, $0
    313. Stored XSS in merge request pages to GitLab - 46 upvotes, $3500
    314. Stored XSS on auth.uber.com/oauth/v2/authorize via redirect_uri parameter leads to Account Takeover to Uber - 46 upvotes, $3000
    315. XSS on link and window.opener to Slack - 46 upvotes, $1000
    316. [auth2.zomato.com] Reflected XSS at oauth2/fallbacks/error | ORY Hydra an OAuth 2.0 and OpenID Connect Provider to Zomato - 46 upvotes,
    $0
    317. Blind XSS via Suspended Ticket Recovery to Zendesk - 46 upvotes, $0
    318. Reflected XSS through multiple inputs in the issue collector on Jira to Roblox - 46 upvotes, $0
    319. Cross-site scripting on api.collabs.shopify.com to Shopify - 45 upvotes, $1600
    320. xss stored in https://your store.myshopify.com/admin/ to Shopify - 45 upvotes, $1000
    321. Blind stored xss [parcel.grab.com] > name parameter to Grab - 45 upvotes, $750
    322. H1514 DOM XSS on checkout.shopify.com via postMessage handler on /:id/sandbox/google_maps to Shopify - 45 upvotes, $500
    323. Cross-site scripting (reflected) to X (Formerly Twitter) - 45 upvotes, $0
    324. XSS in HTML Content Generated by Flash Slideshow Maker (All Versions) to Socusoft - 45 upvotes, $0
    325. Reflected XSS in https://lite.pubg.com to PUBG - 45 upvotes, $0
    326. DOM based XSS on /GTAOnline/tw/starterpack/ to Rockstar Games - 45 upvotes, $0
    327. [dev.twitter.com] XSS and Open Redirect Protection Bypass to X (Formerly Twitter) - 44 upvotes, $1120
    328. Stored XSS when you read eamils. <style> to Mail.ru - 44 upvotes, $1000
    329. Stored XSS in photo comment functionality to Pornhub - 44 upvotes, $0
    330. Reflected XSS in https://blocked.myndr.net to Myndr - 44 upvotes, $0
    331. DOM XSS on https://www.rockstargames.com/GTAOnline/feedback to Rockstar Games - 44 upvotes, $0
    332. XSS Stored via Upload avatar PNG [HTML] File in accounts.shopify.com to Shopify - 44 upvotes, $0
    333. Cross-site Scripting (XSS) - Stored to Mail.ru - 44 upvotes, $0
    334. Stored XSS via Mermaid Prototype Pollution vulnerability to GitLab - 43 upvotes, $3000
    335. Stored XSS in the ticketing system to TikTok - 43 upvotes, $1000
    336. Stored XSS in profile page to Acronis - 43 upvotes, $50
    337. Store XSS to Slack - 43 upvotes, $0
    338. Reflected XSS on https://help.glassdoor.com/GD_HC_EmbeddedChatVF to Glassdoor - 43 upvotes, $0
    339. XSS vulnerability without a content security bypass in a CUSTOM App through Button tag to Stripe - 42 upvotes, $2000
    340. [e.mail.ru] XSS в поиске to Mail.ru - 42 upvotes, $750
    341. XSS on services.shopify.com to Shopify - 42 upvotes, $500
    342. Stored XSS in [https://dashboard.doppler.com/workplace/*/logs] pages to Doppler - 42 upvotes, $0
    343. [intensedebate.com] XSS Reflected POST-Based to Automattic - 42 upvotes, $0
    344. DOM XSS on https://biz.mail.ru/domains/goto/mail/ via parameter pollution to Mail.ru - 42 upvotes, $0
    345. Stored XSS in Mermaid when viewing Markdown files to GitLab - 42 upvotes, $0
    346. wp-embed XSS on Safari to WordPress - 42 upvotes, $0
    347. Stored XSS in profile activity feed messages to Rockstar Games - 41 upvotes, $1000
    348. IE 11 Self-XSS on Jira Integration Preview Base Link to HackerOne - 41 upvotes, $750
    349. Stored XSS Payload when sending videos to TikTok - 41 upvotes, $500
    350. Stored xss to Algolia - 41 upvotes, $100
    351. (HackerOne SSO-SAML) Login CSRF, Open Redirect, and Self-XSS Possible Exploitation to HackerOne - 41 upvotes, $0
    352. Stored XSS in blog comments through Shopify API to Shopify - 41 upvotes, $0
    353. [IRCCloud Android] XSS in ImageViewerActivity to IRCCloud - 41 upvotes, $0
    354. Stored XSS in Jetpack's Simple Payment Module by Contributors / Authors to Automattic - 41 upvotes, $0
    355. Blind XSS Stored On Admin Panel Through Name Parameter In [ https://technoatom.mail.ru/] to Mail.ru - 41 upvotes, $0
    356. Reflected xss on 8x8.com subdomain to 8x8 - 41 upvotes, $0
    357. Reflected Cross site Scripting (XSS) on https://one.newrelic.com to New Relic - 41 upvotes, $0
    358. XSS vulnerabilities due to missing checks in tag helpers to Ruby on Rails - 41 upvotes, $0
    359. Stored xss on message reply to Mail.ru - 40 upvotes, $500
    360. XSS в личных сообщениях to ok.ru - 40 upvotes, $0
    361. DOM Based XSS in mycrypto.com to MyCrypto - 40 upvotes, $0
    362. Stored XSS (client-side, using cookie poisoning) on the pornhubpremium.com to Pornhub - 40 upvotes, $0
    363. Очень жесткая XSS в личных сообщениях m.ok.ru to ok.ru - 40 upvotes, $0
    364. WooCommerce: Persistent XSS via customer address (state/county) to Automattic - 40 upvotes, $0
    365. Reflected XSS in https://www.starbucks.com/account/create/redeem/MCP131XSR via xtl_amount, xtl_coupon_code, xtl_amount_type parameters
    to Starbucks - 40 upvotes, $0
    366. Moodle XSS on evolve.glovoapp.com to Glovo - 40 upvotes, $0
    367. Self XSS in Create New Workspace Screen to Mattermost - 40 upvotes, $0
    368. XSS and iframe injection on tiktok ads portal using redirect params to TikTok - 40 upvotes, $0
    369. Stored XSS in Brower name field reflected in two pages to New Relic - 39 upvotes, $3000
    370. Blind XSS - Report review - Admin panel to Zomato - 39 upvotes, $350
    371. [https://app.recordedfuture.com] - Reflected XSS via username parameter to Recorded Future - 39 upvotes, $300
    372. Stored XSS in '' Section and WAF Bypass to Semrush - 39 upvotes, $0
    373. Cross Site Scripting via CVE-2018-5230 on https://apps.topcoder.com to Topcoder - 39 upvotes, $0
    374. XSS: v-safe-html is not safe enough to GitLab - 39 upvotes, $0
    375. reflected XSS in [www.equifax.com] to Equifax-vdp - 39 upvotes, $0
    376. XSS on about:tbupdate to Tor - 39 upvotes, $0
    377. Reflected XSS on multiple uberinternal.com domains to Uber - 38 upvotes, $2000
    378. XSS в upload.php to VK.com - 38 upvotes, $1500
    379. Mattermost Server OAuth Flow Cross-Site Scripting to Mattermost - 38 upvotes, $900
    380. Stored XSS on buy button to Shopify - 38 upvotes, $500
    381. Reflected Xss On https://vk.com/search to VK.com - 38 upvotes, $500
    382. XSS through chat messages to Vanilla - 38 upvotes, $300
    383. Reflected XSS via "Error" parameter on https://admin.acronis.com/admin/su/ to Acronis - 38 upvotes, $50
    384. HTML injection (with XSS possible) on the https://www.data.gov/issue/ using media_url attribute to GSA Bounty - 38 upvotes, $0
    385. CSS Injection on /embed/ via bgcolor parameter leaks user's CSRF token and allows for XSS to Chaturbate - 38 upvotes, $0
    386. Reflected XSS in lert.uber.com to Uber - 38 upvotes, $0
    387. CSTI on https://www.ecobee.com leads to XSS to ecobee - 38 upvotes, $0
    388. XSS on https://app.mopub.com/reports/custom/add/ [new-d1] to X (Formerly Twitter) - 38 upvotes, $0
    389. Reflected XSS and Blind out of band command injection at subdomain dstuid-ww.dst.ibm.com to IBM - 38 upvotes, $0
    390. Reflected XSS on https://www.uber.com to Uber - 37 upvotes, $1000
    391. CSRF in 'set.php' via age causes stored XSS on 'get.php' - http://www.rockstargames.com/php/videoplayer_cache/get.php' to Rockstar Games -
    37 upvotes, $0
    392. Stored XSS on www.starbucks.com.sg/careers/career-center/career-landing-* to Starbucks - 37 upvotes, $0
    393. DOM based XSS in the WooCommerce plugin to Automattic - 37 upvotes, $0
    394. Stored XSS on demo app link to Shopify - 37 upvotes, $0
    395. [qiwi.me] Stored XSS to QIWI - 37 upvotes, $0
    396. Cross-Site Scripting through search form on mtnplay.co.zm to MTN Group - 37 upvotes, $0
    397. dom based xss on [hello.merchant.razer.com] to Razer - 36 upvotes, $500
    398. Self XSS on Acronis Cyber Cloud to Acronis - 36 upvotes, $100
    399. (BYPASS) Open redirect and XSS in supporthiring.shopify.com to Shopify - 36 upvotes, $0
    400. Stored XSS on the https://www.redtube.com/users/[profile]/collections to Pornhub - 36 upvotes, $0
    401. Хранимый XSS в Business-аккаунте, на странице компании to DRIVE.NET, Inc. - 36 upvotes, $0
    402. Reflected xss в m.vk.com/chatjoin to VK.com - 36 upvotes, $0
    403. reflected xss in https://wordpress.com/start/account/user to Automattic - 36 upvotes, $0
    404. Blind Stored XSS Via Staff Name to Shopify - 35 upvotes, $3000
    405. Rails ActionView sanitize helper bypass leading to XSS using SVG tag. to Internet Bug Bounty - 35 upvotes, $2400
    406. [stored xss, pornhub.com] stream post function to Pornhub - 35 upvotes, $1500
    407. XSS on product comments in transfers to Shopify - 35 upvotes, $500
    408. www.starbucks.co.uk Reflected XSS via utm_source parameter to Starbucks - 35 upvotes, $0
    409. Persistent XSS in www.starbucks.com to Starbucks - 35 upvotes, $0
    410. Stored XSS in [shop].myshopify.com/admin/orders/[id] to Shopify - 35 upvotes, $0
    411. Reflected XSS - gratipay.com to Gratipay - 35 upvotes, $0
    412. Persistent XSS in https://sandbox.reverb.com/item/ to Reverb.com - 35 upvotes, $0
    413. Stored XSS in galleries - https://www.redtube.com/gallery/[id] path to Pornhub - 35 upvotes, $0
    414. Multiple stored XSS in WordPress to WordPress - 35 upvotes, $0
    415. Reflected XSS on https://www.olx.co.id/iklan/*.html via "ad_type" parameter to OLX - 35 upvotes, $0
    416. CSS Injection to disable app & potential message exfil to Slack - 35 upvotes, $0
    417. Stored XSS in blob viewer to GitLab - 35 upvotes, $0
    418. Store-XSS in error message of build-dependencies to GitLab - 35 upvotes, $0
    419. Account takeover via XSS to Rocket.Chat - 35 upvotes, $0
    420. Reflected XSS in photogallery component on [https://market.av.ru] to Azbuka Vkusa - 35 upvotes, $0
    421. One Click XSS in [www.shopify.com] to Shopify - 35 upvotes, $0
    422. Stored XSS on developer.uber.com via admin account compromise to Uber - 34 upvotes, $5000
    423. DOM XSS via Shopify.API.Modal.initialize to Shopify - 34 upvotes, $500
    424. Timeline Editor Self-XSS (Previous Fix #738072 Incomplete) to Shopify - 34 upvotes, $500
    425. Cookie exfiltration through XSS on the main search request of www.lahitapiola.fi to LocalTapiola - 34 upvotes, $500
    426. XSS *.myshopify.com/collections/vendors?q= to Shopify - 34 upvotes, $0
    427. XSS found on Snapchat website to Snapchat - 34 upvotes, $0
    428. Stored XSS in the guide's GameplayVersion (www.dota2.com) to Valve - 34 upvotes, $0
    429. [allods.mail.ru] - WebCache Poisoning Host Header lead to Potential Stored XSS to Mail.ru - 34 upvotes, $0
    430. XSS in biz.mail.ru/error to Mail.ru - 33 upvotes, $500
    431. Stored XSS to Open-Xchange - 33 upvotes, $500
    432. XSS in IE11 on portswigger.net via Flash to PortSwigger Web Security - 33 upvotes, $0
    433. Stored XSS Deleting Menu Links in the Shopify Admin to Shopify - 33 upvotes, $0
    434. DOM Based xss on https://www.rockstargames.com/ ( 1 ) to Rockstar Games - 33 upvotes, $0
    435. Reflected XSS at https://www.glassdoor.co.in/FAQ/Microsoft-Question-FAQ200086-E1651.htm?countryRedirect=true via PATH to Glassdoor - 33
    upvotes, $0
    436. POST BASED REFLECTED XSS IN dailydeals.mtn.co.za to MTN Group - 33 upvotes, $0
    437. Bypass Filter and get Stored Xss to Shopify - 32 upvotes, $3000
    438. Stored XSS on issue comments and other pages which contain notes to GitLab - 32 upvotes, $3000
    439. Cross-site scripting on algorithm collaborator to Quantopian - 32 upvotes, $2100
    440. DOM based XSS via insecure parameter on [ https://uberpay-mock-psp.uber.com ] to Uber - 32 upvotes, $1420
    441. Stored XSS при удалении группы из беседы (m.vk.com) to VK.com - 32 upvotes, $500
    442. XSS For Profile Name to Vanilla - 32 upvotes, $300
    443. BlIND XSS on https://open.vanillaforums.com to Vanilla - 32 upvotes, $300
    444. Blind Stored XSS in https://partners.acronis.com/admin which lead to sensitive information/PII leakage to Acronis - 32 upvotes, $150
    445. Cross site scripting - XSRF Token to Nextcloud - 32 upvotes, $0
    446. Blind Stored XSS Payload fired at the backend on https://█████████/ to U.S. Dept Of Defense - 32 upvotes, $0
    447. [XSS] Reflected XSS via POST request in (editJobAlert.htm) file to Glassdoor - 32 upvotes, $0
    448. Stored-XSS in merge requests to GitLab - 32 upvotes, $0
    449. Bypassing Content-Security-Policy leads to open-redirect and iframe xss to Stripo Inc - 32 upvotes, $0
    450. Reflected XSS on delivery.glovoapp.com to Glovo - 32 upvotes, $0
    451. Clipboard DOM-based XSS to GitLab - 32 upvotes, $0
    452. Reflected XSS on Partners Subdomain to Uber - 31 upvotes, $2000
    453. [Java] CWE-079: Query to detect XSS with JavaServer Faces (JSF) to GitHub Security Lab - 31 upvotes, $1800
    454. XSS in $shop$.myshopify.com/admin/ via twine template injection in "Shopify.API.Modal.input" method when using a malicious app to Shopify -
    31 upvotes, $1000
    455. XSS on "widgets.shopifyapps.com" via "stripping" attribute and "shop" parameter to Shopify - 31 upvotes, $1000
    456. XSS in message e.mail.ru to Mail.ru - 31 upvotes, $1000
    457. Stored XSS in chat topic due to insecure emoticon parsing on any message type to Chaturbate - 31 upvotes, $450
    458. Cookie based XSS on http://ftp1.thx.com to Razer - 31 upvotes, $375
    459. Reflected XSS on partners.cloudflare.com to Cloudflare Vulnerability Disclosure - 31 upvotes, $0
    460. XSS risk reduction with X-XSS-Protection: 1; mode=block header to Radancy - 31 upvotes, $0
    461. XSS https://agent.postamat.tech/ в профиле + дисклоз секретной информации to QIWI - 31 upvotes, $0
    462. XSS leads to RCE on the RocketChat desktop client. to Rocket.Chat - 31 upvotes, $0
    463. Reflected Cross-Site scripting in : mtn.bj to MTN Group - 31 upvotes, $0
    464. Xss At Shopify Email App to Shopify - 31 upvotes, $0
    465. SSRF & Blind XSS in Gravatar email to Automattic - 31 upvotes, $0
    466. DOM XSS at https://adobedocs.github.io/OAE_PartnerAPI/?configUrl={site} due to outdated Swagger UI to Adobe - 31 upvotes, $0
    467. Stored XSS on app.crowdsignal.com your-subdomain.crowdsignal.net via Thank You Header to Automattic - 31 upvotes, $0
    468. XSS in Cisco Endpoint to U.S. Dept Of Defense - 31 upvotes, $0
    469. Reflected XSS on developer.uber.com via Angular template injection to Uber - 30 upvotes, $3000
    470. Reflected XSS POST method at partners.uber.com to Uber - 30 upvotes, $3000
    471. Xss was found by exploiting the URL markdown on http://store.steampowered.com to Valve - 30 upvotes, $1000
    472. Self-Stored XSS - Chained with login/logout CSRF to Zomato - 30 upvotes, $300
    473. Unrestricted File Upload Blind Stored Xss in subdomain ads.tiktok.com to TikTok - 30 upvotes, $250
    474. Cross-site scripting in "Contact customer" form to Shopify - 30 upvotes, $0
    475. XSS-уязвимость, связанная с загрузкой файлов to VK.com - 30 upvotes, $0
    476. [FG-VD-19-022] Wordpress WooCommerce Cross-Site Scripting Vulnerability Notification to Automattic - 30 upvotes, $0
    477. XSS inside HTML Link Tag to OLX - 30 upvotes, $0
    478. Stored XSS in https://productreviews.shopifyapps.com/proxy/v4/reviews/product to Shopify - 30 upvotes, $0
    479. DOM XSS on duckduckgo.com search to DuckDuckGo - 30 upvotes, $0
    480. [api.tumblr.com] Exploiting clickjacking vulnerability to trigger self DOM-based XSS to Automattic - 30 upvotes, $0
    481. Reflected XSS and possible SSRF/XXE on https://events.hackerone.com/conferences/get_recording_slides_xml.xml?url=myserver/xss.xml to
    HackerOne - 30 upvotes, $0
    482. Stored XSS on top.mail.ru to Mail.ru - 30 upvotes, $0
    483. Reflected XSS on av.ru via q parameter at https://av.ru/collections/* to Azbuka Vkusa - 30 upvotes, $0
    484. Cross-site Scripting (XSS) - Reflected to MTN Group - 30 upvotes, $0
    485. Stored XSS in merge request creation page through payload in approval rule name to GitLab - 29 upvotes, $3000
    486. Stored XSS on profile page via Steam display name to Rockstar Games - 29 upvotes, $1250
    487. stored XSS (angular injection) in support.rockstargames.com using zendesk register form via name parameter to Rockstar Games - 29 upvotes,
    $1000
    488. XSS in $shop$.myshopify.com/admin/ via "Button Objects" in malicious app to Shopify - 29 upvotes, $800
    489. Self-XSS in password reset functionality to Shopify - 29 upvotes, $500
    490. XSS в колбек апи в сообществах to VK.com - 29 upvotes, $500
    491. Stored XSS on promo.indrive.com to inDrive - 29 upvotes, $284
    492. DOM Based XSS in Discourse Search to Discourse - 29 upvotes, $256
    493. XSS in (Support Requests) : User Cases to Acronis - 29 upvotes, $50
    494. Reflected XSS in www.dota2.com to Valve - 29 upvotes, $0
    495. Reflected XSS in www.olx.co.id to OLX - 29 upvotes, $0
    496. Stored XSS at https://app.smtp2go.com/settings/users/ to SMTP2GO - 29 upvotes, $0
    497. HTTP Request Smuggling on api.flocktory.com Leads to XSS on Customer Sites to QIWI - 29 upvotes, $0
    498. xss due to incorrect handling of postmessages to Khan Academy - 29 upvotes, $0
    499. Stored XSS on wordpress.com to Automattic - 29 upvotes, $0
    500. CRLF and XSS stored on ton.twitter.com to X (Formerly Twitter) - 28 upvotes, $1680
    501. Stored XSS in Dovetale by application of creator to Shopify - 28 upvotes, $1600
    502. Stored XSS(Cross Site Scripting) In Slack App Name to Slack - 28 upvotes, $1000
    503. o2.mail.ru XSS to Mail.ru - 28 upvotes, $1000
    504. Reflected XSS in error pages (NC-SA-2017-008) to Nextcloud - 28 upvotes, $450
    505. Persistent XSS via Signatures to Vanilla - 28 upvotes, $300
    506. [allhiphop.vanillacommunities.com] XSS Request-URI to Vanilla - 28 upvotes, $100
    507. XSS in http://www.rockstargames.com/theballadofgaytony/js/jquery.base.js to Rockstar Games - 28 upvotes, $0
    508. Reflected XSS on the data.gov (WAF bypass+ Chrome XSS Auditor bypass+ works in all browsers) to GSA Bounty - 28 upvotes, $0
    509. [mercantile.wordpress.org] Reflected XSS via AngularJS Template Injection to WordPress - 28 upvotes, $0
    510. [qiwi.com] XSS on payment form to QIWI - 28 upvotes, $0
    511. XSS Stored to Coursera - 28 upvotes, $0
    512. DOM XSS in edoverflow.com/tools/respond due to unsafe usage of the innerHTML property. to Ed - 28 upvotes, $0
    513. Stored Cross Site Scripting on Zendesk agent dashboard to Zendesk - 28 upvotes, $0
    514. Reflected Xss to U.S. Dept Of Defense - 28 upvotes, $0
    515. Self xss in product reviews to Shopify - 28 upvotes, $0
    516. Reflected XSS at https://www.glassdoor.com/ via the 'numSuggestions' parameter to Glassdoor - 28 upvotes, $0
    517. Stored XSS in Satisfaction Surveys via "Ask Reason for Dissatisfaction" option to Lark Technologies - 28 upvotes, $0
    518. Stored XSS in "product type" field executed via product filters to Judge.me - 28 upvotes, $0
    519. XSS in http://www.glassdoor.com/Search/results.htm via Parameter Pollution to Glassdoor - 28 upvotes, $0
    520. Stored XSS in group issue list to GitLab - 27 upvotes, $2000
    521. Stored XSS in snapmatic comments to Rockstar Games - 27 upvotes, $1000
    522. [web.icq.com] Stored XSS in "О Контакте" to Mail.ru - 27 upvotes, $500
    523. Persistent XSS at verkkopalvelu.tapiola.fi using spoofed React element and React v.0.13.3 to LocalTapiola - 27 upvotes, $300
    524. Reflected XSS at city-mobil.ru to Mail.ru - 27 upvotes, $300
    525. XSS in vk.link to VK.com - 27 upvotes, $300
    526. CSS injection via BB code tag "█████" to phpBB - 27 upvotes, $0
    527. Search input is vulnerable for XSS in qa.td.com and dev.td.com to TD Bank - 27 upvotes, $0
    528. Basic XSS [WAF Bypasses] to Cloudflare Public Bug Bounty - 26 upvotes, $50
    529. DOM based reflected XSS in rockstargames.com/newswire/tags through cross domain ajax request to Rockstar Games - 26 upvotes, $0
    530. [GitHub Extension] Unsanitised HTML leading to XSS on GitHub.com to Algolia - 26 upvotes, $0
    531. Cloudflare based XSS for IE11 to Cloudflare Vulnerability Disclosure - 26 upvotes, $0
    532. Reflected XSS in /Videos/ via calling a callback http://www.rockstargames.com/videos/#/?lb= to Rockstar Games - 26 upvotes, $0
    533. Preview bar: Incomplete message origin validation results in XSS to Shopify - 26 upvotes, $0
    534. Stored - XSS to Shopify - 26 upvotes, $0
    535. Stored XSS in Macro Editing - Introduced by Admins to affect Admins to Zendesk - 26 upvotes, $0
    536. DOM XSS on app.starbucks.com via ReturnUrl to Starbucks - 26 upvotes, $0
    537. Cross-site Scripting (XSS) - DOM - iqcard.informatica.com to Informatica - 26 upvotes, $0
    538. Bypass extension check leads to stored XSS at https://s2.booth.pm to pixiv - 26 upvotes, $0
    539. CSRF + XSS leads to ATO to Mail.ru - 26 upvotes, $0
    540. XSS Stored in Cacheable response to Acronis - 26 upvotes, $0
    541. Stored DOM XSS via Mermaid chart to GitLab - 25 upvotes, $3000
    542. Reflected cross-site scripting (XSS) on api.tiles.mapbox.com to Mapbox - 25 upvotes, $1000
    543. Stored XSS on member post feed to Rockstar Games - 25 upvotes, $1000
    544. cross site scripting bypass session to Mail.ru - 25 upvotes, $1000
    545. Stored XSS in history on [corporate.city-mobil.ru] to Mail.ru - 25 upvotes, $300
    546. XSS reflected on [https://www.youporn.com] to Pornhub - 25 upvotes, $150
    547. Cross Site Scripting (Reflected) on https://www.acronis.cz/ to Acronis - 25 upvotes, $50
    548. WordPress core stored XSS via attachment file name to Automattic - 25 upvotes, $0
    549. Reflected XSS via #tags= while using a callback in newswire http://www.rockstargames.com/newswire to Rockstar Games - 25 upvotes, $0
    550. XSS on https://www.starbucks.co.uk (can lead to credit card theft) (/shop/paymentmethod) to Starbucks - 25 upvotes, $0
    551. Stored xss в пересланном сообщении. to Mail.ru - 25 upvotes, $0
    552. Self-XSS to Good-XSS - pornhub.com to Pornhub - 25 upvotes, $0
    553. stored xss in app.lemlist.com to lemlist - 25 upvotes, $0
    554. Cross Site Scripting using Email parameter in Ads endpoint 2 to TikTok - 25 upvotes, $0
    555. [intensedebate.com] XSS Reflected POST-Based on update/tumblr2/{$id} to Automattic - 25 upvotes, $0
    556. CSRF to Cross-site Scripting (XSS) to U.S. Dept Of Defense - 25 upvotes, $0
    557. Reflected XSS to U.S. Dept Of Defense - 25 upvotes, $0
    558. Stored XSS in repository file viewer to GitLab - 24 upvotes, $2000
    559. Universal XSS with Playlist feature to Brave Software - 24 upvotes, $750
    560. [e.mail.ru] Stored xss in Mpop cookie to Mail.ru - 24 upvotes, $600
    561. Blind stored xss in demo form to Upserve - 24 upvotes, $500
    562. XSS via the lang parameter in a POST request on light.mail.ru to Mail.ru - 24 upvotes, $500
    563. Outdated Wordpress installation and plugins at www.uberxgermany.com create CSRF and XSS vulnerabilities to Uber - 24 upvotes, $500
    564. Stored XSS in api.icq.net to Mail.ru - 24 upvotes, $150
    565. HTML injection leads to reflected XSS to Zomato - 24 upvotes, $150
    566. Blind Stored XSS on iOS App due to Unsanitized Webview to Nextcloud - 24 upvotes, $100
    567. Stored Cross-Site-Scripting in CMS Airship's authors profiles to Paragon Initiative Enterprises - 24 upvotes, $0
    568. [stagecafrstore.starbucks.com] CRLF Injection, XSS to Starbucks - 24 upvotes, $0
    569. [growth.grab.com] Reflected XSS via Base64-encoded "q" param on "my.html" Valentine's microsite to Grab - 24 upvotes, $0
    570. Reflected XSS в /al_audio.php to VK.com - 24 upvotes, $0
    571. XSS in touch.mail.ru to Mail.ru - 24 upvotes, $0
    572. Persistent XSS via e-mail when creating merge requests to GitLab - 24 upvotes, $0
    573. Stored XSS in Review Section https://games.mail.ru/ to Mail.ru - 24 upvotes, $0
    574. Authenticated Stored Cross-site Scripting in bbPress to WordPress - 24 upvotes, $0
    575. [tumblr.com] 69< Firefox Only XSS Reflected to Automattic - 24 upvotes, $0
    576. Reflected XSS on /admin/stats.php to Revive Adserver - 24 upvotes, $0
    577. Stored XSS in the banner block description to Stripo Inc - 24 upvotes, $0
    578. Stored Cross-Site Scripting vulnerability in example Custom Digital Agreement to HackerOne - 24 upvotes, $0
    579. Stored XSS on PyPi simple API endpoint to GitLab - 23 upvotes, $3000
    580. Universal Cross-Site Scripting in Keybase Chrome extension to Keybase - 23 upvotes, $500
    581. DOM Based XSS charting_library to Gatecoin - 23 upvotes, $500
    582. Persistent XSS via filename in projects to Nextcloud - 23 upvotes, $150
    583. Reflected XSS in the IE 11 / Edge (latest versions) on the stage-go.wepay.com to WePay - 23 upvotes, $100
    584. Reflected XSS on developers.zomato.com to Zomato - 23 upvotes, $100
    585. Reflected XSS on my.acronis.com to Acronis - 23 upvotes, $50
    586. Wordpress 4.7.2 - Two XSS in Media Upload when file too large. to WordPress - 23 upvotes, $0
    587. XSS в личных сообщениях to VK.com - 23 upvotes, $0
    588. XSS Reflected on my_report to Semrush - 23 upvotes, $0
    589. Camo Image Proxy Bypass with CSS Escape Sequences to Chaturbate - 23 upvotes, $0
    590. Stored XSS on Broken Themes via filename to WordPress - 23 upvotes, $0
    591. Reflected XSS in https://www.█████/ to U.S. Dept Of Defense - 23 upvotes, $0
    592. Stored XSS in any message (leads to priv esc for all users and file leak + rce via electron app) to Rocket.Chat - 23 upvotes, $0
    593. Stored XSS at Module Name to Stripo Inc - 23 upvotes, $0
    594. XSS seems to work again after change to linkpop at https://linkpop.com/testnaglinagli to Shopify - 23 upvotes, $0
    595. Dom-Based XSS on parameter ?vsid= to JetBlue - 23 upvotes, $0
    596. Reflected xss on https://█████████ to U.S. Dept Of Defense - 23 upvotes, $0
    597. Reflected XSS on https://e.mail.ru/compose/ via Body parameter to Mail.ru - 22 upvotes, $1000
    598. Stored XSS on Share-popup of a directory's Gallery-view to Nextcloud - 22 upvotes, $750
    599. File Upload XSS in image uploading of App in mopub to X (Formerly Twitter) - 22 upvotes, $560
    600. Stored XSS on apps.shopify.com to Shopify - 22 upvotes, $500
    601. XSS on Brave Today through custom RSS feed to Brave Software - 22 upvotes, $500
    602. Stored XSS in Public Profile Reviews to Judge.me - 22 upvotes, $250
    603. XSS in PDF Viewer to Nextcloud - 22 upvotes, $100
    604. Reflected XSS by exploiting CSRF vulnerability on teavana.com wishlist comment module. (wishlist-comments) to Starbucks - 22 upvotes, $0
    605. [newscdn.starbucks.com] CRLF Injection, XSS to Starbucks - 22 upvotes, $0
    606. Possibility to insert stored XSS inside <img> tag to Pornhub - 22 upvotes, $0
    607. Admin bar: Incomplete message origin validation results in XSS to Shopify - 22 upvotes, $0
    608. Self DOM-Based XSS in www.hackerone.com to HackerOne - 22 upvotes, $0
    609. [kb.informatica.com] Dom Based xss to Informatica - 22 upvotes, $0
    610. XSS via unicode characters in upload filename to WordPress - 22 upvotes, $0
    611. xss triggered in "myshopify.com/admin/product" to Shopify - 22 upvotes, $0
    612. Stored XSS on oslo.io in notifications via project name change to Logitech - 22 upvotes, $0
    613. CVE-2022-23519: Rails::Html::SafeListSanitizer vulnerable to XSS when certain tags are allowed (math+style || svg+style) to Internet Bug Bounty -
    21 upvotes, $2400
    614. [Web ICQ Client] XSS уязвимость в имени пользователя to Mail.ru - 21 upvotes, $1000
    615. Stored XSS in e.mail.ru (payload affect multiple users) to Mail.ru - 21 upvotes, $750
    616. XSS on manually entering Postal codes to Shopify - 21 upvotes, $500
    617. Reflected XSS via Double Encoding to Rockstar Games - 21 upvotes, $500
    618. [render.bitstrips.com] Stored XSS via an incorrect avatar property value to Snapchat - 21 upvotes, $400
    619. XSS Challenge to BugPoC - 21 upvotes, $300
    620. Stored blind xss on showmax support team to Showmax - 21 upvotes, $256
    621. CSS Injection via Client Side Path Traversal + Open Redirect leads to personal data exfiltration on Acronis Cloud to Acronis - 21 upvotes, $250
    622. XSS in OAuth Redirect Url to Dropbox - 21 upvotes, $0
    623. XSS in zendesk.com/product/ to Zendesk - 21 upvotes, $0
    624. Stored XSS in community.ubnt.com to Ubiquiti Inc. - 21 upvotes, $0
    625. DOM Based XSS In mercantile.wordpress.org to WordPress - 21 upvotes, $0
    626. xss filter bypass [polldaddy] to Automattic - 21 upvotes, $0
    627. Potential XSS vulnerability to HTML minification to Cloudflare Vulnerability Disclosure - 21 upvotes, $0
    628. Stored XSS in learnboost.com via the lesson[goals] parameter. to Automattic - 21 upvotes, $0
    629. Reflected Swf XSS In ( plugins.svn.wordpress.org ) to WordPress - 21 upvotes, $0
    630. [*.rocketbank.ru] Web Cache Deception & XSS to QIWI - 21 upvotes, $0
    631. [contact-sys.com] XSS /ajax/transfer/status trn param to QIWI - 21 upvotes, $0
    632. [takeapeek] XSS via HTML tag injection in directory lisiting page to Node.js third-party modules - 21 upvotes, $0
    633. XSS web.icq.com double linkify to Mail.ru - 21 upvotes, $0
    634. XSS in messages on geekbrains.ru to Mail.ru - 21 upvotes, $0
    635. Xss Reflected On spgw.terrhq.ru [ url ] to Mail.ru - 21 upvotes, $0
    636. Stored XSS on Zeit.co user profile to Vercel - 21 upvotes, $0
    637. H1514 Stored XSS on Wholesale sales channel allows cross-organization data leakage to Shopify - 21 upvotes, $0
    638. H1514 Stored XSS in Return Magic App portal content to Shopify - 21 upvotes, $0
    639. Reflected XSS on https://go.mail.ru/search?fr=mn&q=<payload> to Mail.ru - 21 upvotes, $0
    640. Cross-site Scripting (XSS) - Reflected vseapteki.ru to Mail.ru - 21 upvotes, $0
    641. Stored XSS in https://app.mopub.com to X (Formerly Twitter) - 21 upvotes, $0
    642. Solution for XSS challenge calc.buggywebsite.com to BugPoC - 21 upvotes, $0
    643. XSS / SELF XSS to Shopify - 21 upvotes, $0
    644. [icq.im] Reflected XSS via chat invite link to Mail.ru - 21 upvotes, $0
    645. Reflected XSS in https://www.██████/ to U.S. Dept Of Defense - 21 upvotes, $0
    646. XSS :D to BugPoC - 21 upvotes, $0
    647. Reflected XSS in https://www.topcoder.com/blog/category/community-stories/ to Topcoder - 21 upvotes, $0
    648. CVE-2020-11110: Grafana Unauthenticated Stored XSS -████.bizml.ru to Mail.ru - 21 upvotes, $0
    649. Reflected XSS в m.vk.com to VK.com - 21 upvotes, $0
    650. add class vulnerable Stored XSS to Mail.ru - 21 upvotes, $0
    651. слепая XSS в админ панели torg.mail.ru через отзыв to Mail.ru - 20 upvotes, $500
    652. Blind Stored XSS In "Report a Problem" on www.data.gov/issue/ to GSA Bounty - 20 upvotes, $300
    653. Data URI Stored XSS on Donations Page to Mail.ru - 20 upvotes, $200
    654. [Markdown] Stored XSS via character encoding parser bypass to GitLab - 20 upvotes, $0
    655. Reflected xss on theacademy.upserve.com to Upserve - 20 upvotes, $0
    656. reflected XSS avito.ru to Avito - 20 upvotes, $0
    657. Stored XSS in infogram.com via language to Infogram - 20 upvotes, $0
    658. Xss on community.imgur.com to Imgur - 20 upvotes, $0
    659. [FG-VD-18-165] Wordpress Cross-Site Scripting Vulnerability Notification II to WordPress - 20 upvotes, $0
    660. Reflected XSS to OWOX, Inc. - 20 upvotes, $0
    661. XSS in select attribute options to Concrete CMS - 20 upvotes, $0
    662. Stored Cross Site Scripting. to 8x8 - 20 upvotes, $0
    663. Stored XSS In mlbootcamp.ru to Mail.ru - 20 upvotes, $0
    664. XSS through image upload of contacts using svg file with png extension to Nextcloud - 20 upvotes, $0
    665. Reflected XSS on /admin/userlog-index.php to Revive Adserver - 20 upvotes, $0
    666. Stored XSS on 1.4.0 to ImpressCMS - 20 upvotes, $0
    667. XSS in www.glassdoor.com to Glassdoor - 20 upvotes, $0
    668. XSS @ love.uber.com to Uber - 19 upvotes, $3000
    669. Stored XSS in dropboxforum.com to Dropbox - 19 upvotes, $512
    670. XSS in e.mail.ru to Mail.ru - 19 upvotes, $500
    671. Stored XSS in "post last edited" option to Discourse - 19 upvotes, $256
    672. [parcel.grab.com] DOM XSS at /assets/bower_components/lodash/perf/ to Grab - 19 upvotes, $200
    673. Solution to the XSS Challenge to BugPoC - 19 upvotes, $200
    674. XSS through image upload of contacts using svg file to Nextcloud - 19 upvotes, $100
    675. Cross-Site Scripting Reflected On Main Domain to Instacart - 19 upvotes, $0
    676. XSS vulnerability using GIF tags to Pornhub - 19 upvotes, $0
    677. XSS in the search bar of mercantile.wordpress.org to WordPress - 19 upvotes, $0
    678. Stored XSS in comments on https://www.starbucks.co.uk/blog/* to Starbucks - 19 upvotes, $0
    679. Stored XSS with CRLF injection via post message to user feed to Rockstar Games - 19 upvotes, $0
    680. Admin Macro Description Stored XSS to Zendesk - 19 upvotes, $0
    681. Search Page Reflected XSS on sharjah.dubizzle.com through unencoded output of GET parameter in JavaScript to OLX - 19 upvotes, $0
    682. [seeftl] Stored XSS when directory listing via filename. to Node.js third-party modules - 19 upvotes, $0
    683. XSS at go.mail.ru to Mail.ru - 19 upvotes, $0
    684. Stored XSS in Application menu via Home Page Url to Ping Identity - 19 upvotes, $0
    685. Reflected XSS on a Atavist theme to Automattic - 19 upvotes, $0
    686. Reflected XSS via IE to Nord Security - 19 upvotes, $0
    687. Stored XSS in calendar via UID parameter to Mail.ru - 19 upvotes, $0
    688. Stealing app credentials by reflected xss on Lark Suite to Lark Technologies - 19 upvotes, $0
    689. Reflected XSS on ███ to U.S. Dept Of Defense - 19 upvotes, $0
    690. Reflected XSS on mtnhottseat.mtn.com.gh to MTN Group - 19 upvotes, $0
    691. Blind XSS Stored and CORS misconfiguration в отчете "События" сервиса top.mail.ru to Mail.ru - 19 upvotes, $0
    692. Reflected xss в m.vk.com/chatjoin to VK.com - 19 upvotes, $0
    693. Cross-site Scripting (XSS) - Stored | forum.acronis.com to Acronis - 19 upvotes, $0
    694. Reflected XSS on https://help.glassdoor.com/gd_requestsubmitpage to Glassdoor - 19 upvotes, $0
    695. Reflected Cross site scripting via Swagger UI to Adobe - 19 upvotes, $0
    696. Stored XSS on newsroom.uber.com admin panel / Stream WordPress plugin to Uber - 18 upvotes, $5000
    697. XSS в выборе товара. to VK.com - 18 upvotes, $500
    698. XSS on opening a malicious OpenOffice text document to Open-Xchange - 18 upvotes, $400
    699. [com.exness.android.pa Android] Universal XSS in webview. Lead to steal user cookies to EXNESS - 18 upvotes, $400
    700. stored xss in comments : driver exam to Grab - 18 upvotes, $250
    701. XSS on OAuth authorize/authenticate endpoint to X (Formerly Twitter) - 18 upvotes, $0
    702. Stored xss in ALBUM DESCRIPTION to Imgur - 18 upvotes, $0
    703. XSS at in instacart.com/store/partner_recipe to Instacart - 18 upvotes, $0
    704. XSS on vimeo.com/home after other user follows you to Vimeo - 18 upvotes, $0
    705. Stored xss в /lead_forms_app.php to VK.com - 18 upvotes, $0
    706. XSS on https://account.mail.ru/login via postMessage to Mail.ru - 18 upvotes, $0
    707. Reflected XSS using Header Injection to Semrush - 18 upvotes, $0
    708. XSS vulnerability in sanitize-method when parsing link's href to Ruby on Rails - 18 upvotes, $0
    709. DOM XSS on 1.1.1.1(one.one.one.one) to Cloudflare Vulnerability Disclosure - 18 upvotes, $0
    710. XSS Reflected at SEARCH >> to OLX - 18 upvotes, $0
    711. BUG XSS IN "ADD IMAGES" to Imgur - 18 upvotes, $0
    712. Reflected XSS on https://apps.topcoder.com/wiki/page/ to Topcoder - 18 upvotes, $0
    713. XSS Reflect to POST █████ to U.S. Dept Of Defense - 18 upvotes, $0
    714. XSS (reflected, and then, cookie persisted) on api documentation site theme selector (old version of dokuwiki) to Mail.ru - 18 upvotes, $0
    715. Self stored Xss + Login Csrf to U.S. Dept Of Defense - 18 upvotes, $0
    716. reflected xss on the path m.tiktok.com to TikTok - 18 upvotes, $0
    717. Stored XSS for Grafana dashboard URL to GitLab - 18 upvotes, $0
    718. HTML injection that may lead to XSS on HackerOne.com through H1 Triage Wizard Chrome Extension to HackerOne - 18 upvotes, $0
    719. Reflected XSS in ████████████ to U.S. Dept Of Defense - 18 upvotes, $0
    720. XSS on partners.uber.com due to no user input sanitisation to Uber - 17 upvotes, $1000
    721. [Web ICQ Client] XSS-inj in polls to Mail.ru - 17 upvotes, $1000
    722. [IMP] - Blind XSS in the admin panel for reviewing comments to Rockstar Games - 17 upvotes, $650
    723. Хранимая XSS в группе VK to VK.com - 17 upvotes, $500
    724. Reflected XSS on molpay.com with cloudflare bypass to Razer - 17 upvotes, $375
    725. OX (Guard): Stored Cross-Site Scripting via Email Attachment to Open-Xchange - 17 upvotes, $300
    726. Reflected XSS on https://www.easytopup.in.th/store/product/return on parameter mref_id to Razer - 17 upvotes, $250
    727. Stored XSS на странице "Изменить клиента", вкладка "История" [city-mobil.ru/taxiserv] to Mail.ru - 17 upvotes, $150
    728. Stored XSS on chaturbate.com (wish list) to Chaturbate - 17 upvotes, $100
    729. [user_oidc] Stored XSS via Authorization Endpoint - Safari-Only to Nextcloud - 17 upvotes, $100
    730. Stored XSS Via Filename On https://partners.line.me/ to LY Corporation - 17 upvotes, $100
    731. DOM based XSS in store.acronis.com/<id>/purl-corporate-standard-IT [cfg parameter] to Acronis - 17 upvotes, $50
    732. Cross-site scripting on the main page of flickr by tagging a user. to Yahoo! - 17 upvotes, $0
    733. Stored XSS to Instacart - 17 upvotes, $0
    734. [nutty.ubnt.com] DOM Based XSS nuttyapp github-btn.html to Ubiquiti Inc. - 17 upvotes, $0
    735. XSS on www.mapbox.com/authorize/ because of open redirect at /core/oauth/auth to Mapbox - 17 upvotes, $0
    736. Store XSS on Informatica University via transcript (informatica.csod.com) to Informatica - 17 upvotes, $0
    737. Reflected XSS in reddeadredemption Site located at www.rockstargames.com/reddeadredemption to Rockstar Games - 17 upvotes, $0
    738. Persistent XSS found on bin.pinion.gg due to outdated FlowPlayer SWF file with Remote File Inclusion vulnerability. to Unikrn - 17 upvotes, $0
    739. DOM-based XSS in store.starbucks.co.uk on IE 11 to Starbucks - 17 upvotes, $0
    740. XSS when clicking "Share to Twitter" at quora.com/widgets/embed_iframe?path=... to Quora - 17 upvotes, $0
    741. Reflected XSS vulnerability in Database name field on installation screen to Concrete CMS - 17 upvotes, $0
    742. Cross Site Scripting -> Reflected XSS to OLX - 17 upvotes, $0
    743. Reflected XSS to Informatica - 17 upvotes, $0
    744. [wallet.rapida.ru] XSS Cookie flashcookie to QIWI - 17 upvotes, $0
    745. Stored XSS in merge request pages to GitLab - 17 upvotes, $0
    746. Reflected XSS / Markup Injection in index.php/svg/core/logo/logo parameter color to Nextcloud - 17 upvotes, $0
    747. Self XSS combine CSRF at https://████████/index.php to U.S. Dept Of Defense - 17 upvotes, $0
    748. Stored XSS firing at the "Add chart to note" popup to New Relic - 17 upvotes, $0
    749. Stored XSS firing at transaction map (applicationName field) to New Relic - 17 upvotes, $0
    750. Probably unexploitable XSS via Header Injection to WHO COVID-19 Mobile App - 17 upvotes, $0
    751. Reflected XSS on dailydeals.mtn.co.za to MTN Group - 17 upvotes, $0
    752. Self XSS in attachments name to Acronis - 17 upvotes, $0
    753. [hta3] Chain of ESI Injection & Reflected XSS leading to Account Takeover on [███] to U.S. Dept Of Defense - 17 upvotes, $0
    754. xss and html injection on ( https://labs.history.state.gov) to U.S. Department of State - 17 upvotes, $0
    755. reflected XSS in [www.equifax.com] to Equifax-vdp - 17 upvotes, $0
    756. XSS в товарах to VK.com - 16 upvotes, $1000
    757. XSS в теле письма. to Mail.ru - 16 upvotes, $1000
    758. Blind Stored XSS to Mail.ru - 16 upvotes, $550
    759. stored xss in invited team member via email parameter to Shopify - 16 upvotes, $500
    760. Reflected XSS in https://eng.uberinternal.com and https://coeshift.corp.uber.internal/ to Uber - 16 upvotes, $500
    761. DOM XSS vulnerability in search dialogue (NC-SA-2017-007) to Nextcloud - 16 upvotes, $250
    762. Stored XSS на странице "Измененить водителя" [city-mobil.ru/taxiserv] to Mail.ru - 16 upvotes, $150
    763. Reflected XSS at https://stories.showmax.com/wp-content/themes/theme-internal_ss/blocks/ajax/a.php via ss_country_filter param to
    Showmax - 16 upvotes, $150
    764. XSS on https://www.delivery-club.ru to Mail.ru - 16 upvotes, $100
    765. Reflected XSS when renaming a file with a vulnerable name which results in an error to Nextcloud - 16 upvotes, $100
    766. Reflected Flash XSS using swfupload.swf with an epileptic reloading to bypass the button-event to Imgur - 16 upvotes, $0
    767. Stored XSS at https://finance.owox.com/customer/accountList to OWOX, Inc. - 16 upvotes, $0
    768. [controlsyou.quora.com] 429 Too Many Requests Error-Page XSS to Quora - 16 upvotes, $0
    769. Stored XSS on Files overview by abusing git submodule URL to GitLab - 16 upvotes, $0
    770. Reflected XSS at https://da.wordpress.org/themes/?s= via "s=" parameter to WordPress - 16 upvotes, $0
    771. [app.simplenote.com] Stored XSS via Markdown SVG filter bypass to Automattic - 16 upvotes, $0
    772. Stored XSS via Send crew invite to Rockstar Games - 16 upvotes, $0
    773. Stored XSS in dev-ucrm-billing-demo.ubnt.com In Client Custom Attribute to Ubiquiti Inc. - 16 upvotes, $0
    774. [airbnb.com] XSS via Cookie flash to Airbnb - 16 upvotes, $0
    775. Stored XSS in www.learnboost.com via ZIP codes. to Automattic - 16 upvotes, $0
    776. Authenticated reflected XSS on liberapay.com via the back_to parameter when leaving a team. to Liberapay - 16 upvotes, $0
    777. Reflective XSS at olx.ph to OLX - 16 upvotes, $0
    778. Reflected XSS to Ubiquiti Inc. - 16 upvotes, $0
    779. Blind XSS in the rocket.chat registration email to Rocket.Chat - 16 upvotes, $0
    780. DOM XSS on 50x.html page to DuckDuckGo - 16 upvotes, $0
    781. XSS in e.mail.ru to Mail.ru - 16 upvotes, $0
    782. [sms.qiwi.ru] XSS via Request-URI to QIWI - 16 upvotes, $0
    783. Cross Site Scripting at https://app.oberlo.com/ to Shopify - 16 upvotes, $0
    784. Dom based xss on https://www.rockstargames.com/ via returnUrl parameter to Rockstar Games - 16 upvotes, $0
    785. Stored XSS at [ https://app.lemlist.com/campaigns/cam_QRS5caF2ca7MJtiLS/leads ] in " LINKEDIN URL" Field. to lemlist - 16 upvotes, $0
    786. XSS in desktop client via invalid server address on login form to Nextcloud - 16 upvotes, $0
    787. Multiple Cross-Site Scripting vulnerability via the language parameter to TikTok - 16 upvotes, $0
    788. Reflected XSS on /www/delivery/afr.php (bypass of report #775693) to Revive Adserver - 16 upvotes, $0
    789. Reflected XSS on https://█████████/ to U.S. Dept Of Defense - 16 upvotes, $0
    790. Stored XSS on {https://calendar.mail.ru/} to Mail.ru - 16 upvotes, $0
    791. Reflected XSS at https://www.glassdoor.com/Interview/Accenturme-Interview-Questions-E9931.htm via filter.jobTitleFTS parameter to Glassdoor
    - 16 upvotes, $0
    792. New experimental query: Clipboard-based XSS to GitHub Security Lab - 16 upvotes, $0
    793. Stored XSS in files.slack.com to Slack - 16 upvotes, $0
    794. Stored xss on helpdesk using user's city to Lark Technologies - 16 upvotes, $0
    795. DOM XSS through ads to Urban Dictionary - 16 upvotes, $0
    796. DOM XSS on www.adobe.com to Adobe - 16 upvotes, $0
    797. Reflected XSS on ██████.mil to U.S. Dept Of Defense - 16 upvotes, $0
    798. ActionView sanitize helper bypass leading to XSS using SVG tag. to Ruby on Rails - 16 upvotes, $0
    799. XSS exploit of RDoc documentation generated by rdoc (CVE-2013-0256) to Ruby - 16 upvotes, $0
    800. Self XSS when pasting HTML into Text app with Ctrl+Shift+V to Nextcloud - 16 upvotes, $0
    801. Stored XSS via "my recent queries" selector in NRQL dashboard builder to New Relic - 15 upvotes, $2500
    802. Another Stored XSS in mail app using Drive app to Open-Xchange - 15 upvotes, $500
    803. Reflected XSS at https://sea-web.gold.razer.com/cash-card/verify via channel parameter to Razer - 15 upvotes, $500
    804. XSS - Search - Unescaped contact job to Open-Xchange - 15 upvotes, $450
    805. Stored XSS on invoice, executing on any subdomain to Harvest - 15 upvotes, $350
    806. xss in Theme http://bztfashion.booztx.com to Boozt Fashion AB - 15 upvotes, $250
    807. Mobile Reflect XSS / CSRF at Advertisement Section on Search page to Pornhub - 15 upvotes, $200
    808. Stored XSS на странице "Изменить клиента" [city-mobil.ru/taxiserv] to Mail.ru - 15 upvotes, $150
    809. XSS in instacart.com/store/partner_recipe to Instacart - 15 upvotes, $100
    810. XSS Yahoo Messenger Via Calendar.Yahoo.Com to Yahoo! - 15 upvotes, $0
    811. Content-type sniffing leads to stored XSS in CMS Airship on Internet Explorer to Paragon Initiative Enterprises - 15 upvotes, $0
    812. XSS using javascript:alert(8007) to X (Formerly Twitter) - 15 upvotes, $0
    813. XSS on postal codes to Shopify - 15 upvotes, $0
    814. Dom Based Xss DIV.innerHTML parameters store.starbucks* to Starbucks - 15 upvotes, $0
    815. Stored XSS to Mail.ru - 15 upvotes, $0
    816. DOM XSS on teavana.com via "pr_zip_location" parameter to Starbucks - 15 upvotes, $0
    817. Cross-site Scripting (XSS) on [maximum.nl] to Radancy - 15 upvotes, $0
    818. Reflected XSS on teavana.com (Locale-Change) to Starbucks - 15 upvotes, $0
    819. XSS on pornhubselect.com to Pornhub - 15 upvotes, $0
    820. Stored self-XSS in mercantile.wordpress.org checkout to WordPress - 15 upvotes, $0
    821. Big XSS vulnerability! to Legal Robot - 15 upvotes, $0
    822. Double Stored Cross-Site scripting in the admin panel to GSA Bounty - 15 upvotes, $0
    823. Authenticated Cross-site Scripting in Template Name to WordPress - 15 upvotes, $0
    824. Stored CSS Injection to Coinbase - 15 upvotes, $0
    825. POST XSS in https://www.khanacademy.org.tr/ via page_search_query parameter to Khan Academy - 15 upvotes, $0
    826. Stored XSS on Issue details page to GitLab - 15 upvotes, $0
    827. [ibank.qiwi.ru] XSS via Request-URI to QIWI - 15 upvotes, $0
    828. Reflected XSS in the npm module express-cart. to Node.js third-party modules - 15 upvotes, $0
    829. Cross site scripting vulnerability in JW Player SWF to Mail.ru - 15 upvotes, $0
    830. DOM XSS via Shopify.API.remoteRedirect to Shopify - 15 upvotes, $0
    831. XSS на странице account.mail.ru/recovery to Mail.ru - 15 upvotes, $0
    832. Cross-site Scripting (XSS) - Stored in ru.mail.mailapp to Mail.ru - 15 upvotes, $0
    833. Reflected XSS: Taxonomy Converter via tax parameter to WordPress - 15 upvotes, $0
    834. Хранимая XSS в личных сообщениях новое место to ok.ru - 15 upvotes, $0
    835. [█████] — DOM-based XSS on endpoint /?s= to U.S. Dept Of Defense - 15 upvotes, $0
    836. Reflected xss on 8x8.vc to 8x8 Bounty - 15 upvotes, $0
    837. Reflected XSS on www/delivery/afr.php to Revive Adserver - 15 upvotes, $0
    838. Html Injection and Possible XSS in main nordvpn.com domain to Nord Security - 15 upvotes, $0
    839. Dom based xss on /reddeadredemption2/br/videos to Rockstar Games - 15 upvotes, $0
    840. Reflected XSS on http://info.ucs.ru/settings/check/ to Mail.ru - 15 upvotes, $0
    841. Self XSS in Timeline to Shopify - 15 upvotes, $0
    842. Cross Site Scripting (XSS) Stored - Private messaging to Concrete CMS - 15 upvotes, $0
    843. Reflected XSS at /category/ on a Atavis theme to Automattic - 15 upvotes, $0
    844. XSS in message attachment fileds. to Rocket.Chat - 15 upvotes, $0
    845. Blind stored XSS due to insecure contact form at https://█████.mil leads to leakage of session token and to U.S. Dept Of Defense - 15
    upvotes, $0
    846. Reflected XSS at https://www.glassdoor.co.in/Interview/BlackRock-Interview-Questions-E9331.htm via filter.jobTitleExact parameter to Glassdoor
    - 15 upvotes, $0
    847. XSS via X-Forwarded-Host header to U.S. Dept Of Defense - 15 upvotes, $0
    848. Reflected XSS on play.mtn.co.za to MTN Group - 15 upvotes, $0
    849. Reflected Xss in https://world.engelvoelkers.com/... to Engel & Völkers Technology GmbH - 15 upvotes, $0
    850. Stored Cross Site Scripting at http://www.grouplogic.com/ADMIN/store/index.cfm?fa=disprocode to Acronis - 15 upvotes, $0
    851. Cross-site scripting via hardcoded front-end watched expression. to Quantopian - 14 upvotes, $1225
    852. Blind XSS in mapbox.com/contact to Mapbox - 14 upvotes, $750
    853. Reflected Cross-Site Scripting due to vulnerable Flash component (Flashmediaelement.swf) to Open-Xchange - 14 upvotes, $500
    854. XSS - Notes - Attribute injection through overlapping tags to Open-Xchange - 14 upvotes, $450
    855. xss reflected in littleguy.vanillastaging.com to Vanilla - 14 upvotes, $300
    856. XSS в нике при запросе в контакты. to Mail.ru - 14 upvotes, $250
    857. XSS при добавлении в чат пользователя to Mail.ru - 14 upvotes, $250
    858. XSS при Изменения машины на странице "Контроль" [city-mobil.ru/taxiserv] to Mail.ru - 14 upvotes, $150
    859. [github.algolia.com] DOM Based XSS github-btn.html to Algolia - 14 upvotes, $100
    860. Reflected XSS on https://www.delivery-club.ru/ to Mail.ru - 14 upvotes, $100
    861. xss vulnerability in http://ubermovement.com/community/daniel to Uber - 14 upvotes, $0
    862. Unauthenticated Stored xss to Nextcloud - 14 upvotes, $0
    863. Unauthenticated Stored XSS on <any>.myshopify.com via checkout page to Shopify - 14 upvotes, $0
    864. XSS vulnerability on Audio and Video parsers to Discourse - 14 upvotes, $0
    865. XSS Vulnerability on Image link parser to Discourse - 14 upvotes, $0
    866. XSS in topics because of bandcamp preview engine vulnerability to Discourse - 14 upvotes, $0
    867. Reflected XSS to Algolia - 14 upvotes, $0
    868. XSS @ *.letgo.com to OLX - 14 upvotes, $0
    869. DOM-based XSS on youporn.com (main page) to Pornhub - 14 upvotes, $0
    870. Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* / teavana.com) to Starbucks - 14
    upvotes, $0
    871. Stored XSS in the any user profile using website link to Pornhub - 14 upvotes, $0
    872. XSS в приглашении в группу to VK.com - 14 upvotes, $0
    873. Buddypress 2.9.1 - Exceeding the maximum upload size - XSS leading to potential RCE. to WordPress - 14 upvotes, $0
    874. Reflected XSS on https://www.zomato.com to Zomato - 14 upvotes, $0
    875. Stored XSS in partners dashboard to Shopify - 14 upvotes, $0
    876. XSS in main search, use class tag to imitate Reverb.com core functionality, create false login window to Reverb.com - 14 upvotes, $0
    877. [contact-sys.com] XSS via Request-URI to QIWI - 14 upvotes, $0
    878. Reflected XSS on help.steampowered.com to Valve - 14 upvotes, $0
    879. XSS on www.██████ alerts and a number of other pages to U.S. Dept Of Defense - 14 upvotes, $0
    880. Stored XSS in Name of Team Member Invitation to Localize - 14 upvotes, $0
    881. Reflected XSS on am.ru and subdomains to Mail.ru - 14 upvotes, $0
    882. Reflected XSS via XML Namespace URI on https://go.mapbox.com/index.php/soap/ to Mapbox - 14 upvotes, $0
    883. Reflected cross-site scripting vulnerability on a DoD website to U.S. Dept Of Defense - 14 upvotes, $0
    884. Blind stored XSS due to insecure contact form at https://www.topcoder.com leads to leakage of session token and other PII to Topcoder - 14
    upvotes, $0
    885. XSS Challenge #2 Solution to BugPoC - 14 upvotes, $0
    886. XSS In https://docs.gocd.org/current/ to GoCD - 14 upvotes, $0
    887. self-xss with ClickJacking can leads to account takeover in Firefox to Imgur - 14 upvotes, $0
    888. Reflected XSS on a Atavist theme at external_import.php to Automattic - 14 upvotes, $0
    889. Download full backup and Cross site scripting to ImpressCMS - 14 upvotes, $0
    890. Reflected XSS on https://deti.mail.ru to Mail.ru - 14 upvotes, $0
    891. Reflected XSS at https://www.glassdoor.co.in/Job/pratt-whitney-jobs-SRCH_KE0,13.htm?initiatedFromCountryPicker=true&countryRedirect=true
    to Glassdoor - 14 upvotes, $0
    892. Reflected XSS on gamesclub.mtn.com.g to MTN Group - 14 upvotes, $0
    893. Reflected XSS at dailydeals.mtn.co.za to MTN Group - 14 upvotes, $0
    894. xss reflected on imgur.com to Imgur - 14 upvotes, $0
    895. cross site scripting in : mtn.bj to MTN Group - 14 upvotes, $0
    896. XSS in Widget Review Form Preview in settings to Judge.me - 14 upvotes, $0
    897. Cross-Site Request Forgery (CSRF) to xss to MTN Group - 14 upvotes, $0
    898. reflected xss in www.████████.gov to U.S. Dept Of Defense - 14 upvotes, $0
    899. Incorrect handling of certain characters passed to the redirection functionality in Rails can lead to a single-click XSS vulnerability. to Ruby on
    Rails - 14 upvotes, $0
    900. XSS в теле письма, в новой версии почты. to Mail.ru - 13 upvotes, $1000
    901. [www.dropboxforum.com] - reflected XSS in search to Dropbox - 13 upvotes, $512
    902. [m.vk.com] XSS на страницах /artist/ to VK.com - 13 upvotes, $500
    903. Reflected XSS in the shared note view on https://evernote.com to Evernote - 13 upvotes, $500
    904. [chatws25.stream.highwebmedia.com] - Reflected XSS in c parameter to Chaturbate - 13 upvotes, $350
    905. XSS on expenses attachments to Harvest - 13 upvotes, $250
    906. XSS at af.attachmail.ru to Mail.ru - 13 upvotes, $150
    907. Stored XSS в профиле водителя [city-mobil.ru/taxiserv] to Mail.ru - 13 upvotes, $150
    908. Stored XSS на странице "Почты" [city-mobil.ru/taxiserv] to Mail.ru - 13 upvotes, $150
    909. XSS на странице "Создать водителя" [city-mobil.ru/taxiserv] to Mail.ru - 13 upvotes, $150
    910. Zomato.com Reflected Cross Site Scripting to Zomato - 13 upvotes, $100
    911. lootdog.io XSS to Mail.ru - 13 upvotes, $100
    912. Store XSS Flicker main page to Yahoo! - 13 upvotes, $0
    913. Stored XSS via AngularJS Injection to drchrono - 13 upvotes, $0
    914. xss in link items (mopub.com) to X (Formerly Twitter) - 13 upvotes, $0
    915. Persistent XSS on public wiki pages to GitLab - 13 upvotes, $0
    916. Stored XSS in topics because of whitelisted_generic engine vulnerability to Discourse - 13 upvotes, $0
    917. Mixed Reflected-Stored XSS on pornhub.com (without user interaction) in the playlist playing section to Pornhub - 13 upvotes, $0
    918. Stored XSS in *.myshopify.com to Shopify - 13 upvotes, $0
    919. XSS on www.mapbox.com/authorize to Mapbox - 13 upvotes, $0
    920. Dom based xss affecting all pages from https://www.grab.com/. to Grab - 13 upvotes, $0
    921. Unauthenticated Reflected XSS in admin dashboard to Deconf - 13 upvotes, $0
    922. XSS at https://app.goodhire.com/member/GH.aspx to Inflection - 13 upvotes, $0
    923. SocialClub's Facebook OAuth Theft through Warehouse XSS. to Rockstar Games - 13 upvotes, $0
    924. XSS on redirection page( Bypassed) to Semrush - 13 upvotes, $0
    925. [mercantile.wordpress.org] Reflected XSS to WordPress - 13 upvotes, $0
    926. XSS in buying and selling pages, can created spoofed content (false login message) to Reverb.com - 13 upvotes, $0
    927. 3rd party shop admin panel blind XSS to Mail.ru - 13 upvotes, $0
    928. Stored Cross-site scripting to Vercel - 13 upvotes, $0
    929. Stored XSS in Rich editor via Embed datetime to Vanilla - 13 upvotes, $0
    930. [okmedia.insideok.ru] Web Cache Poisoing & XSS to ok.ru - 13 upvotes, $0
    931. Unrestricted File Upload To Xss Stored [ https://ideas.browser.mail.ru/ ] to Mail.ru - 13 upvotes, $0
    932. Content Injection on api.semrush.com to Reflected XSS to Semrush - 13 upvotes, $0
    933. XSS due to incomplete JS escaping to Ruby on Rails - 13 upvotes, $0
    934. [geekbrains.ru] Reflected XSS via Angular Template Injection to Mail.ru - 13 upvotes, $0
    935. Stored XSS at APM applications listing to New Relic - 13 upvotes, $0
    936. Stored XSS at APM key transactions list to New Relic - 13 upvotes, $0
    937. Stored XSS in Post Preview as Contributor to WordPress - 13 upvotes, $0
    938. Stored XSS at "Conditions " through "My Custom Rule" Field at [https://my.stripo.email/cabinet/#/template-editor/] in Template Editor. to Stripo
    Inc - 13 upvotes, $0
    939. DOM Based XSS on https://████ via backURL param to U.S. Dept Of Defense - 13 upvotes, $0
    940. XSS DUE TO CVE-2020-3580 to U.S. Dept Of Defense - 13 upvotes, $0
    941. stored XSS on AliExpress Review Importer/Products when delete product to Judge.me - 13 upvotes, $0
    942. xss on [developers.mtn.com] to MTN Group - 13 upvotes, $0
    943. Stored XSS at https://█████ to U.S. Dept Of Defense - 13 upvotes, $0
    944. Self XSS in https://linkpop.com/dashboard/admin to Shopify - 13 upvotes, $0
    945. Stored XSS in intensedebate.com via the Comments RSS to Automattic - 13 upvotes, $0
    946. Rails::Html::SafeListSanitizer vulnerable to xss attack in an environment that allows the style tag to Internet Bug Bounty - 12 upvotes, $2400
    947. XSS в письме, в поле отправителя. to Mail.ru - 12 upvotes, $1000
    948. Universal XSS through FIDO U2F register from subframe to Brave Software - 12 upvotes, $1000
    949. XSS @ store.steampowered.com via agecheck path name to Valve - 12 upvotes, $750
    950. Stored XSS at 'Buy Button' page to Shopify - 12 upvotes, $500
    951. reflected XSS on healt.mail.ru to Mail.ru - 12 upvotes, $500
    952. OX Guard: DOM Based Cross-Site Scripting (#2) to Open-Xchange - 12 upvotes, $500
    953. Reflected XSS and Open Redirect in several parameters (viestinta.lahitapiola.fi) to LocalTapiola - 12 upvotes, $450
    954. Post Based Reflected XSS on [https://investor.razer.com/s/ir_contact.php] to Razer - 12 upvotes, $375
    955. Stored XSS in Restoring Archived Tasks to Harvest - 12 upvotes, $250
    956. XSS в названии лайвчата to Mail.ru - 12 upvotes, $250
    957. store xss in calendar via upload filename to Open-Xchange - 12 upvotes, $250
    958. stored xss путём загрузки вредоносного файла + обход загрузки файлов. to Mail.ru - 12 upvotes, $200
    959. Eval-based XSS in Game JS API (mailru.core.js) via cross-origin postMessage() to Mail.ru - 12 upvotes, $200
    960. [stage-go.wepay.com] XSS via Request URI to WePay - 12 upvotes, $100
    961. Stored XSS using SVG to Paragon Initiative Enterprises - 12 upvotes, $0
    962. [bbPress] Stored XSS in any forum post. to Automattic - 12 upvotes, $0
    963. Unsanitized Location Name in POS Channel can lead to XSS in Orders Timeline to Shopify - 12 upvotes, $0
    964. XSS in SHOPIFY: Unsanitized Supplier Name can lead to XSS in Transfers Timeline to Shopify - 12 upvotes, $0
    965. Follow Button XSS to Automattic - 12 upvotes, $0
    966. stored XSS in olx.pl - ogloszenie TITLE element - moderator acc can be hacked to OLX - 12 upvotes, $0
    967. DOM Based XSS on an Army website to U.S. Dept Of Defense - 12 upvotes, $0
    968. WordPress <= 4.6.1 Stored XSS Via Theme File to Nextcloud - 12 upvotes, $0
    969. Stored XSS in posts because of absence of oembed variables values escaping to Discourse - 12 upvotes, $0
    970. dom xss in https://www.slackatwork.com to Slack - 12 upvotes, $0
    971. Reflected XSS on blockchain.info to Blockchain - 12 upvotes, $0
    972. Stored Cross Site Scripting in Customer Name to Moneybird - 12 upvotes, $0
    973. Blind Stored XSS against Pornhub employees using Amateur Model Program to Pornhub - 12 upvotes, $0
    974. [XSS/pay.qiwi.com] Pay SubDomain Hard-Use XSS to QIWI - 12 upvotes, $0
    975. Stored XSS in Headline TextControl element in Express forms [ concrete5 8.1.0 ] to Concrete CMS - 12 upvotes, $0
    976. Stored XSS at Moneybird to Moneybird - 12 upvotes, $0
    977. dom based xss in http://www.rockstargames.com/GTAOnline/ (Fix bypass) to Rockstar Games - 12 upvotes, $0
    978. Lazy Load stored XSS to Automattic - 12 upvotes, $0
    979. Unfiltered input allows for XSS in "Playtime Item Grants" fields to Valve - 12 upvotes, $0
    980. Reflected XSS (myynti.lahitapiolarahoitus.fi) to LocalTapiola - 12 upvotes, $0
    981. Triggering RCE using XSS to bypass CSRF in PowerBeam M5 300 to Ubiquiti Inc. - 12 upvotes, $0
    982. Torrent extension: Cross-origin downloading + "URL spoofing" + CSP-blocked XSS to Brave Software - 12 upvotes, $0
    983. DOM XSS on 50x.html page on proxy.duckduckgo.com to DuckDuckGo - 12 upvotes, $0
    984. [rm.mail.ru] Request-Path XSS to Mail.ru - 12 upvotes, $0
    985. XSS to Mail.ru - 12 upvotes, $0
    986. Html Injection and Possible XSS via MathML to X (Formerly Twitter) - 12 upvotes, $0
    987. Reflected XSS on www.olx.co.id via ad_type parameter to OLX - 12 upvotes, $0
    988. stored xss in https://www.smule.com to Smule - 12 upvotes, $0
    989. Unauthenticated reflected XSS in preview_as_user function to Concrete CMS - 12 upvotes, $0
    990. [htmr] DOM-based XSS to Node.js third-party modules - 12 upvotes, $0
    991. Stored xss on https://go.mail.ru/ to Mail.ru - 12 upvotes, $0
    992. XSS in [community.my.games] to Mail.ru - 12 upvotes, $0
    993. [my.games] Stored XSS via untrusted bucket to Mail.ru - 12 upvotes, $0
    994. DOM BASED XSS ON https://www.rockstargames.com/GTAOnline/features to Rockstar Games - 12 upvotes, $0
    995. Reflected XSS on https://www.starbucks.co.uk/shop/paymentmethod/ (bypass for 227486) to Starbucks - 12 upvotes, $0
    996. Reflected DOM XSS on www.starbucks.co.uk to Starbucks - 12 upvotes, $0
    997. Reflected XSS to Mail.ru - 12 upvotes, $0
    998. XSS on https://fax.pbx.itsendless.org/ (CVE-2017-18024) to Endless Group - 12 upvotes, $0
    999. [m-server] XSS reflected because path does not escapeHtml to Node.js third-party modules - 12 upvotes, $0
    000. reflected xss on learn.city-mobil.ru via redirect_url parameter to Mail.ru - 12 upvotes, $0
    001. [sub.wordpress.com] - XSS when adjust block Poll - Confirmation Message - On submission:Redirect to another webpage - Redirect address:
    [xss_payload] to Automattic - 12 upvotes, $0
    002. Stored XSS in markdown file with Nextcloud Talk using Internet Explorer to Nextcloud - 12 upvotes, $0
    003. Stored xss in larksuite internal helpdesk and other user's helpdesk. to Lark Technologies - 12 upvotes, $0
    004. DOM-based XSS in d.miwifi.com on IE 11 to Xiaomi - 12 upvotes, $0
    005. CSRF to Cross-site Scripting (XSS) to U.S. Dept Of Defense - 12 upvotes, $0
    006. Reflected XSS on /admin/stats.php to Revive Adserver - 12 upvotes, $0
    007. Reflected XSS through ClickJacking to U.S. Dept Of Defense - 12 upvotes, $0
    008. Reflected XSS at [████████] to U.S. Dept Of Defense - 12 upvotes, $0
    009. Bypassing SOP with XSS on account.my.games leading to steal CSRF token and user information to Mail.ru - 12 upvotes, $0
    010. Universal Cross-Site Scripting vulnerability to Proctorio - 12 upvotes, $0
    011. stand.pw.mail.ru xss to Mail.ru - 12 upvotes, $0
    012. Reflected XSS on ███ via jobid parameter to Sony - 12 upvotes, $0
    013. Reflected cross site scripting in https://███████ to U.S. Dept Of Defense - 12 upvotes, $0
    014. xss on reset password page to U.S. Dept Of Defense - 12 upvotes, $0
    015. DOM XSS at https://adobedocs.github.io/indesign-api-docs/?configUrl={site} due to outdated Swagger UI to Adobe - 12 upvotes, $0
    016. XSS on ( █████████.gov ) Via URL path to U.S. Dept Of Defense - 12 upvotes, $0
    017. Stored XSS via ' profile ' at https://www.miroyalcanin.cl/ to Mars - 12 upvotes, $0
    018. Stored-XSS in https://www.coinbase.com/ to Coinbase - 11 upvotes, $5000
    019. XSS in ubermovement.com via editable Google Sheets to Uber - 11 upvotes, $2000
    020. Stored cross-site scripting in dataset owner. to Quantopian - 11 upvotes, $1925
    021. Stored XSS on support.rockstargames.com to Rockstar Games - 11 upvotes, $1000
    022. XSS в теле письма, в блочных стилях. to Mail.ru - 11 upvotes, $1000
    023. Stored xss in calendar via call link to Mail.ru - 11 upvotes, $1000
    024. Reflective XSS on wholesale.shopify.com to Shopify - 11 upvotes, $500
    025. Xss в https://e.mail.ru/ to Mail.ru - 11 upvotes, $500
    026. [account.mail.ru] XSS на странице восстановления пароля to Mail.ru - 11 upvotes, $500
    027. Stored Blind XSS to Mail.ru - 11 upvotes, $500
    028. Stored XSS in mail app to Open-Xchange - 11 upvotes, $500
    029. XSS в названии звонка to VK.com - 11 upvotes, $500
    030. XSS Vulnerability at https://www.pornhubpremium.com/premium_signup? URL endpoint to Pornhub - 11 upvotes, $250
    031. [theacademy.upserve.com] Reflected XSS Query-String to Upserve - 11 upvotes, $250
    032. Cross-site scripting on dashboard2.omise.co to Omise - 11 upvotes, $200
    033. XSS on https://www.delivery-club.ru/sd/test_330933/info/ to Mail.ru - 11 upvotes, $100
    034. DOM XSS on http://talks.lystit.com to Lyst - 11 upvotes, $100
    035. Self-XSS on Suggest Tag dialog box to XVIDEOS - 11 upvotes, $50
    036. Loadbalancer + URI XSS #3 to Yahoo! - 11 upvotes, $0
    037. Stored xss to Algolia - 11 upvotes, $0
    038. Stored XSS in unifi.ubnt.com to Ubiquiti Inc. - 11 upvotes, $0
    039. Reflected Xss on to Pushwoosh - 11 upvotes, $0
    040. [scores.ubnt.com] DOM based XSS at form.html to Ubiquiti Inc. - 11 upvotes, $0
    041. Reflected cross-site scripting vulnerability on a DoD website to U.S. Dept Of Defense - 11 upvotes, $0
    042. [Gnip Blogs] Reflected XSS via "plupload.flash.swf" component vulnerable to SOME to X (Formerly Twitter) - 11 upvotes, $0
    043. [app.mixmax.com] Stored XSS on Adding new enhancement. to Mixmax - 11 upvotes, $0
    044. Stored self-XSS pubg.mail.ru в нескольких местах to Mail.ru - 11 upvotes, $0
    045. XSS with needed user intervention to Zendesk - 11 upvotes, $0
    046. XSS через подгрузку ссылки. to Mail.ru - 11 upvotes, $0
    047. Stored XSS in the Custom Logo link (non-Basic plan required) to Infogram - 11 upvotes, $0
    048. Stored XSS on urbandictionary.com to Urban Dictionary - 11 upvotes, $0
    049. Post Based XSS On Upload Via CK Editor [semrush.com] to Semrush - 11 upvotes, $0
    050. Session ID is accessible via XSS to Inflection - 11 upvotes, $0
    051. [web.icq.com] Stored XSS in link when sending message to Mail.ru - 11 upvotes, $0
    052. Disclosure of user email address and Deanonymization [mail.ru] + Blind | Stored XSS pets.mail.ru to Mail.ru - 11 upvotes, $0
    053. Reflected XSS of bbe-child-starter Theme via "value"-GET-parameter to LocalTapiola - 11 upvotes, $0
    054. Stored XSS via Create Project (Add new translation project) to Weblate - 11 upvotes, $0
    055. xss in /users/[id]/set_tier endpoint to RATELIMITED - 11 upvotes, $0
    056. Reflected XSS on https://apps.topcoder.com/wiki/ to Topcoder - 11 upvotes, $0
    057. Warehouse dom based xss may lead to Social Club Account Taker Over. to Rockstar Games - 11 upvotes, $0
    058. Unrestricted File Upload Leads to XSS & Potential RCE to U.S. Dept Of Defense - 11 upvotes, $0
    059. stored xss via Campaign Name. to lemlist - 11 upvotes, $0
    060. Stored self XSS at auto.mail.ru using add_review functionality to Mail.ru - 11 upvotes, $0
    061. xss while uploading a file to Mail.ru - 11 upvotes, $0
    062. Cross-account stored XSS at notes (through "swf" note parameter) to New Relic - 11 upvotes, $0
    063. pre-auth Stored XSS in comments via javascript: url when administrator edits user supplied comment to WordPress - 11 upvotes, $0
    064. Stored-Xss at connect.topcoder.com/projects/ affected on project chat members to Topcoder - 11 upvotes, $0
    065. Session Hijack via Self-XSS to Rocket.Chat - 11 upvotes, $0
    066. XSS в обработчике ссылок to VK.com - 11 upvotes, $0
    067. Reflected XSS https://tracker.my.com to Mail.ru - 11 upvotes, $0
    068. Blind Stored XSS on ███████ leads to takeover admin account to U.S. Dept Of Defense - 11 upvotes, $0
    069. Cross site scripting to Informatica - 11 upvotes, $0
    070. Improper Sanitization leads to XSS Fire on admin panel to Informatica - 11 upvotes, $0
    071. Reflected Xss https://██████/ to U.S. Dept Of Defense - 11 upvotes, $0
    072. Blind XSS via Digital Ocean Partner account creation form. to DigitalOcean - 11 upvotes, $0
    073. XSS Reflected - ██████████ to U.S. Dept Of Defense - 11 upvotes, $0
    074. Reflected XSS due to vulnerable version of sockjs to Automattic - 11 upvotes, $0
    075. Able to bypass the fix on DOM XSS at [www.adobe.com] to Adobe - 11 upvotes, $0
    076. Self-XSS due to image URL can be eploited via XSSJacking techniques in review email to Judge.me - 11 upvotes, $0
    077. Reflected XSS on Admin Login Page to TD Bank - 11 upvotes, $0
    078. Reflected XSS vulnerability with full CSP bypass in Nextcloud installations using recommended bundle to Nextcloud - 11 upvotes, $0
    079. XSS в письме, в теле письма. to Mail.ru - 10 upvotes, $2000
    080. XSS by clicking Jira's link to GitLab - 10 upvotes, $1130
    081. HTML Injection / Reflected Cross-Site Scripting with CSP on https://accounts.firefox.com/settings to Mozilla Critical Services - 10 upvotes, $1000
    082. Xss в https://e.mail.ru/ to Mail.ru - 10 upvotes, $500
    083. Reflected XSS in https://e.mail.ru/ to Mail.ru - 10 upvotes, $500
    084. Хранимая XSS в функционале добавления аудио в WYSIWYG to VK.com - 10 upvotes, $500
    085. Dropbox Paper - Markdown XSS to Dropbox - 10 upvotes, $343
    086. Stored XSS in address on [corporate.city-mobil.ru] to Mail.ru - 10 upvotes, $300
    087. Stored XSS in eaccounting.stage.vismaonline.com to Visma Public - 10 upvotes, $250
    088. DOM-based XSS on https://zest.co.th/zestlinepay/ to Razer - 10 upvotes, $200
    089. CSS leaks SCSS debug info to HackerOne - 10 upvotes, $0
    090. XSS @ yaman.olx.ph to OLX - 10 upvotes, $0
    091. Reflected XSS in scores.ubnt.com to Ubiquiti Inc. - 10 upvotes, $0
    092. Multiple XSS in Camptix Event Ticketing Plugin to Ian Dunn - 10 upvotes, $0
    093. XSS On meta tags in profile page to GitLab - 10 upvotes, $0
    094. Cross-Site Scripting Stored On Rich Media to Pushwoosh - 10 upvotes, $0
    095. [uk.informatica.com] XSS on uk.informatica..com to Informatica - 10 upvotes, $0
    096. Reflected XSS in U2F plugin by shipping the example endpoints to Nextcloud - 10 upvotes, $0
    097. Reflected XSS in login redirection module to Pornhub - 10 upvotes, $0
    098. [kb.informatica.com] DOM based XSS in the bindBreadCrumb function to Informatica - 10 upvotes, $0
    099. [alpha.informatica.com] Expensive DOMXSS to Informatica - 10 upvotes, $0
    100. http://ht.pornhub.com/ stored XSS in widget stylesheet to Pornhub - 10 upvotes, $0
    101. Reflected XSS in openapi.starbucks.com /searchasyoutype/v1/search?x-api-key= to Starbucks - 10 upvotes, $0
    102. Stored XSS in buy topup OLX Gold Credits to OLX - 10 upvotes, $0
    103. Stored XSS on player.vimeo.com to Vimeo - 10 upvotes, $0
    104. XSS в названии сервера to VK.com - 10 upvotes, $0
    105. Simple CSS line-height identifies platform to Tor - 10 upvotes, $0
    106. [informatica.com]- Cross Site scripting to Informatica - 10 upvotes, $0
    107. Stored XSS Using Media to Automattic - 10 upvotes, $0
    108. Stored xss via template injection to WordPress - 10 upvotes, $0
    109. reflected xss on cycloferon.health.mail.ru to Mail.ru - 10 upvotes, $0
    110. Отраженная XSS на cloud.mail.ru в URL в функционале создания и редактировании презентации. to Mail.ru - 10 upvotes, $0
    111. XSS bypass Script execute,Read any file,execute any javascript code--UXSS to Mail.ru - 10 upvotes, $0
    112. Reflected XSS on bbe_open_htmleditor_popup.php of BBE Theme via "value"-GET-parameter to LocalTapiola - 10 upvotes, $0
    113. Хранимая XSS ( API ) to Mail.ru - 10 upvotes, $0
    114. Persistent XSS - Selecting users as allowed merge request approvers to GitLab - 10 upvotes, $0
    115. xss - reflected to WordPress - 10 upvotes, $0
    116. Improper handling of Chunked data request in sapi_apache2.c leads to Reflected XSS to Internet Bug Bounty - 10 upvotes, $0
    117. Reflected Cross Site Scripting (XSS) to Grammarly - 10 upvotes, $0
    118. Stored XSS in OAuth redirect URI to Nextcloud - 10 upvotes, $0
    119. Seven DOM-Based XSS Vulnerabilities | Execution in Login Sequence to Mail.ru - 10 upvotes, $0
    120. [http-file-server] Stored XSS in the filename when directories listing to Node.js third-party modules - 10 upvotes, $0
    121. Reflected XSS on m.olx.co.id via ad_type parameter to OLX - 10 upvotes, $0
    122. Reflected XSS by changing url parameters on the user invite onboarding links. to Polymail, Inc. - 10 upvotes, $0
    123. XSS (leads to arbitrary file read in Rocket.Chat-Desktop) to Rocket.Chat - 10 upvotes, $0
    124. Reflected XSS with WAF Bypass https://pw.mail.ru to Mail.ru - 10 upvotes, $0
    125. Self xss to Nextcloud - 10 upvotes, $0
    126. Stored XSS in assets.txmblr.com to Automattic - 10 upvotes, $0
    127. Stored XSS on https://apps.topcoder.com/wiki/pages/editpage.action to Topcoder - 10 upvotes, $0
    128. Reflected XSS in Nanostation Loco M2 - AirOS ver=6.1.7 to Ubiquiti Inc. - 10 upvotes, $0
    129. Cross-site Scripting (XSS) - Reflected to 8x8 - 10 upvotes, $0
    130. The vulnerabilities found were XSS, Public disclosure, Network enumeration via CSRF, DLL hijacking. to Zomato - 10 upvotes, $0
    131. XSS in image metadata field to Nextcloud - 10 upvotes, $0
    132. [panel.city-mobil.ru/admin/] Blind XSS via partner name (similar to #746505) to Mail.ru - 10 upvotes, $0
    133. Reflected XSS on https://████/ (Bypass of #1002977) to U.S. Dept Of Defense - 10 upvotes, $0
    134. Reflected XSS www.█████ search form to U.S. Dept Of Defense - 10 upvotes, $0
    135. Reflected XSS In https://███████ to U.S. Dept Of Defense - 10 upvotes, $0
    136. Reflected XSS on https://██████ to U.S. Dept Of Defense - 10 upvotes, $0
    137. Reflected XSS through clickjacking at https://████ to U.S. Dept Of Defense - 10 upvotes, $0
    138. Cross site scripting to U.S. Dept Of Defense - 10 upvotes, $0
    139. CSS injection via link tag whitelisted-domain bypass - https://www.glassdoor.com to Glassdoor - 10 upvotes, $0
    140. Stored XSS on the "www.intensedebate.com/extras-widgets" url at "Recent comments by" module with malicious blog url to Automattic - 10
    upvotes, $0
    141. Account takeover leading to PII chained with stored XSS to U.S. General Services Administration - 10 upvotes, $0
    142. Jolokia Reflected XSS to Mars - 10 upvotes, $0
    143. [XSS] Reflected XSS via POST request to U.S. Dept Of Defense - 10 upvotes, $0
    144. Stored XSS Via NRQL chartbuilder JSON view to New Relic - 9 upvotes, $2500
    145. Stored xss in editor to Mapbox - 9 upvotes, $1000
    146. XSS в отправителе, БЕТА-версия почты to Mail.ru - 9 upvotes, $500
    147. Stored XSS в выборе метки на странице списка заказов. to VK.com - 9 upvotes, $500
    148. XSS on opening malicious OpenOffice presentation document to Open-Xchange - 9 upvotes, $400
    149. Логи/sql запросы на http://mx36.ucs.ru/ и reflected XSS. to Mail.ru - 9 upvotes, $400
    150. Reflected XSS in eform.molpay.com to Razer - 9 upvotes, $375
    151. Stored XSS in Template Documents to Open-Xchange - 9 upvotes, $300
    152. Reflected XSS in city-mobil.ru/ to Mail.ru - 9 upvotes, $300
    153. Persistent XSS on ForecastApp to Harvest - 9 upvotes, $250
    154. XSS с помощью специально сформированного файла. to Mail.ru - 9 upvotes, $250
    155. XSS на e.mail.ru в мобильном приложении! to Mail.ru - 9 upvotes, $250
    156. XSS https://health.mail.ru/my/ через внешнее имя аккаунта to Mail.ru - 9 upvotes, $150
    157. XSS via login cookie to Pornhub - 9 upvotes, $100
    158. Reflected XSS on www.boozt.com to Boozt Fashion AB - 9 upvotes, $100
    159. fix(cmd-socketio-server): mitigate cross site scripting attack #2068 to Hyperledger - 9 upvotes, $100
    160. Reflected XSS by way of jQuery function to Pornhub - 9 upvotes, $50
    161. Reflected XSS on sankarikoulutus (viestinta.lahitapiola.fi) to LocalTapiola - 9 upvotes, $50
    162. Reflected XSS in cart at hardware.shopify.com to Shopify - 9 upvotes, $0
    163. XSS onmouseover to Zomato - 9 upvotes, $0
    164. [tanks.mail.ru] Internet Explorer XSS via Request-URI to Mail.ru - 9 upvotes, $0
    165. [realty.mail.ru] XSS, SSI Injection to Mail.ru - 9 upvotes, $0
    166. Reflected XSS on a DoD website to U.S. Dept Of Defense - 9 upvotes, $0
    167. Stored XSS on the http://ht.pornhub.com/widgets/ to Pornhub - 9 upvotes, $0
    168. [pokerist.mail.ru] XSS Request-URI to Mail.ru - 9 upvotes, $0
    169. Reflected cross-site scripting (XSS) vulnerability in scores.ubnt.com allows attackers to inject arbitrary web script via p parameter. to Ubiquiti Inc.
    - 9 upvotes, $0
    170. Stored XSS via Discussion Title and Send as Email attribute in [marketplace.informatica.com] to Informatica - 9 upvotes, $0
    171. [platform.harvestapp.com] Reflected XSS in Error Message via URL parameters to Harvest - 9 upvotes, $0
    172. XSS to Radancy - 9 upvotes, $0
    173. Stored XSS in Adress Book (starbucks.com/account/profile) to Starbucks - 9 upvotes, $0
    174. Reflected XSS on business-blog.zomato.com - Part I to Zomato - 9 upvotes, $0
    175. Stored XSS in Pages SEO dialog Name field (concrete5 8.1.0) to Concrete CMS - 9 upvotes, $0
    176. Stored XSS vulnerability in RSS Feeds Description field to Concrete CMS - 9 upvotes, $0
    177. dom based xss in https://www.rockstargames.com/GTAOnline/ to Rockstar Games - 9 upvotes, $0
    178. XSS on http://irc.parrotsec.org to Parrot Sec - 9 upvotes, $0
    179. Stored XSS / Bypassing .htaccess protection in http://nodebb.ubnt.com/ to Ubiquiti Inc. - 9 upvotes, $0
    180. Stored XSS in Draft Articles. to Zendesk - 9 upvotes, $0
    181. XSS on infogram.com to Infogram - 9 upvotes, $0
    182. [public-api.wordpress.com] Stored XSS via Crafted Developer App Description to Automattic - 9 upvotes, $0
    183. dom based xss in *.zendesk.com/external/zenbox/ to Zendesk - 9 upvotes, $0
    184. Stored XSS => community.ubnt.com to Ubiquiti Inc. - 9 upvotes, $0
    185. MediaElements XSS to WordPress - 9 upvotes, $0
    186. [Zomato's Blog] POST based XSS on https://www.zomato.com/blog/wp-admin/admin-ajax.php?td_theme_name=Newspaper&v=8.2 to Zomato
    - 9 upvotes, $0
    187. [statics-server] XSS via injected iframe in file name when statics-server displays directory index in the browser to Node.js third-party modules - 9
    upvotes, $0
    188. XSS account.mail.ru in state JSON script to Mail.ru - 9 upvotes, $0
    189. Persistent XSS via malicious license file to ExpressionEngine - 9 upvotes, $0
    190. Stored xss in shop name @ lp.reverb.com to Reverb.com - 9 upvotes, $0
    191. Blind XSS pets.mail.ru/admin/ to Mail.ru - 9 upvotes, $0
    192. Cross Site Scripting to GoCD - 9 upvotes, $0
    193. Stored XSS on Wordpress 5.3 via Title Post to WordPress - 9 upvotes, $0
    194. CSS injection in avito.ru via IE11 to Avito - 9 upvotes, $0
    195. [webpack-bundle-analyzer] Cross-site Scripting to Node.js third-party modules - 9 upvotes, $0
    196. Stored XSS (Hexo-admin plugin) to Node.js third-party modules - 9 upvotes, $0
    197. Reflected XSS on https://www.semrush.com/my_reports/externalSource/callback/googleAccountsGMB to Semrush - 9 upvotes, $0
    198. xss in ub.icq.net to Mail.ru - 9 upvotes, $0
    199. Xss (cross site scripting) on http://axa.dxi.eu/ to 8x8 - 9 upvotes, $0
    200. CVE-2019-19935 - DOM based XSS in the froala editor to lemlist - 9 upvotes, $0
    201. Reflected XSS on ███████ to U.S. Dept Of Defense - 9 upvotes, $0
    202. Reflected-XSS on https://www.topcoder.com/tc via pt parameter to Topcoder - 9 upvotes, $0
    203. DOM Based XSS at docs.8x8.com to 8x8 - 9 upvotes, $0
    204. Stored XSS on add project to Moneybird - 9 upvotes, $0
    205. XSS stored in the Shopify Email app to Shopify - 9 upvotes, $0
    206. XSS on https://o2.mail.ru/jsapi/button via PostMessage to Mail.ru - 9 upvotes, $0
    207. Reflected XSS on Lark Suite to Lark Technologies - 9 upvotes, $0
    208. Reflected XSS at https://████████/███/... to U.S. Dept Of Defense - 9 upvotes, $0
    209. ███ on https://████ enable ███ scraping, injection, stored XSS to U.S. Dept Of Defense - 9 upvotes, $0
    210. Reflected XSS to U.S. Dept Of Defense - 9 upvotes, $0
    211. Reflected XSS on cz.acronis.com/dekujeme-za-odber-novinek-produktu-disk-director with ability to creating an admin user in WordPress to
    Acronis - 9 upvotes, $0
    212. CSRF Based XSS @ https://██████████ to U.S. Dept Of Defense - 9 upvotes, $0
    213. Google storage bucket takeover which is used to load JS file in dashboard.html in "github.com/kubernetes/release" which can lead to XSS to
    Kubernetes - 9 upvotes, $0
    214. In orginization stored xss using location (Larksuite survey app) to Lark Technologies - 9 upvotes, $0
    215. Stored XSS in Question edit for product name (bypass #1416672) to Judge.me - 9 upvotes, $0
    216. Reflected XSS on [█████████] to U.S. Dept Of Defense - 9 upvotes, $0
    217. Site information's Display Name section vulnerable for XSS attacks and HTML Injections. to Automattic - 9 upvotes, $0
    218. Arbitrary file download via "Save .torrent file" option can lead to Client RCE and XSS to Brave Software - 9 upvotes, $0
    219. Reflected XSS on https://wwwapps.ups.com/ctc/request?loc= to UPS VDP - 9 upvotes, $0
    220. Cross Site Scripting Vulnerability in fabric-sdk-py source code to Hyperledger - 9 upvotes, $0
    221. Reflected XSS in chatbot to MTN Group - 9 upvotes, $0
    222. Moodle XSS on s-immerscio.comprehend.ibm.com to IBM - 9 upvotes, $0
    223. XSS via Vuln Rendertron Instance At ██████████.jetblue.com/render/* to JetBlue - 9 upvotes, $0
    224. Reflected XSS via Unvalidated / Open Redirect in uber.com to Uber - 8 upvotes, $3000
    225. shopifyapps.com XSS on sales channels via currency formatting to Shopify - 8 upvotes, $1000
    226. pornhub.com/user/welcome/basicinfo nickname field is vulnerable on xss to Pornhub - 8 upvotes, $750
    227. a stored xss issue in https://files.slack.com to Slack - 8 upvotes, $500
    228. OX Guard: DOM Based Cross-Site Scripting to Open-Xchange - 8 upvotes, $500
    229. [account.mail.ru] XSS на странице удаления аккаунта через backUrl to Mail.ru - 8 upvotes, $500
    230. XSS - Calendar - Unescaped common name of appointment participant to Open-Xchange - 8 upvotes, $450
    231. Improper Implementation of SDK Allows Universal XSS in Webview Leading to Account Takeover to EXNESS - 8 upvotes, $300
    232. Stored Xss to Mail.ru - 8 upvotes, $200
    233. Multiple Reflected XSS /webApp/lahti (viestinta.lahitapiola.fi) to LocalTapiola - 8 upvotes, $150
    234. Stored XSS in wis.pr to Whisper - 8 upvotes, $100
    235. Stored XSS Found to Slack - 8 upvotes, $0
    236. Cross site scripting to Mail.ru - 8 upvotes, $0
    237. Stored XSS On Statement to Gratipay - 8 upvotes, $0
    238. Reflected XSS on Uber.com careers to Uber - 8 upvotes, $0
    239. Stored XSS via Angular Expression injection on developer.zendesk.com to Zendesk - 8 upvotes, $0
    240. Stored Cross site scripting to Zomato - 8 upvotes, $0
    241. [odnoklassniki.ru] XSS via Host to Mail.ru - 8 upvotes, $0
    242. Reflected XSS in www.olx.ph to OLX - 8 upvotes, $0
    243. Self-XSS via location cookie city field when getting suggestions for a new location to Yelp - 8 upvotes, $0
    244. [rubm.qiwi.com] Yui charts.swf XSS to QIWI - 8 upvotes, $0
    245. Reflected Xss in AirMax [Nanostation Loco M2] to Ubiquiti Inc. - 8 upvotes, $0
    246. Reflected XSS in a Navy website to U.S. Dept Of Defense - 8 upvotes, $0
    247. Reflected XSS on an Army website to U.S. Dept Of Defense - 8 upvotes, $0
    248. Reflected XSS on a Department of Defense website to U.S. Dept Of Defense - 8 upvotes, $0
    249. Reflected XSS on a Department of Defense website to U.S. Dept Of Defense - 8 upvotes, $0
    250. [marketplace.informatica.com] Persistent XSS through document title to Informatica - 8 upvotes, $0
    251. Reflected XSS vector to GoCD - 8 upvotes, $0
    252. [XSS/3dsecure.qiwi.com] 3DSecure XSS to QIWI - 8 upvotes, $0
    253. a stored xss in web widget chat to Zendesk - 8 upvotes, $0
    254. XSS on a DoD website to U.S. Dept Of Defense - 8 upvotes, $0
    255. [parc.informatica.com] Reflected Cross Site Scripting and Open Redirect to Informatica - 8 upvotes, $0
    256. XSS via SVG file to Ubiquiti Inc. - 8 upvotes, $0
    257. Markdown based stored XSS (IE only) to GitLab - 8 upvotes, $0
    258. XSS to Ubiquiti Inc. - 8 upvotes, $0
    259. Reflected XSS on a DoD website to U.S. Dept Of Defense - 8 upvotes, $0
    260. Flash XSS on homepage fliptilescroller to General Motors - 8 upvotes, $0
    261. Xss on billing to QIWI - 8 upvotes, $0
    262. Stored but [SELF] XSS in mercantile.wordpress.org to WordPress - 8 upvotes, $0
    263. Cross-site scripting (XSS) vulnerability on a DoD website to U.S. Dept Of Defense - 8 upvotes, $0
    264. Stored XSS in Private Messages 'Reply' allows to execute malicious JavaScript against any user while replying to the message which contains
    payload to Concrete CMS - 8 upvotes, $0
    265. XSS on Nanostation Loco M2 Airmax to Ubiquiti Inc. - 8 upvotes, $0
    266. Unauthenticated Cross-Site Scripting in Web Management Console to Ubiquiti Inc. - 8 upvotes, $0
    267. Reflective XSS to WebSummit - 8 upvotes, $0
    268. Self-XSS in WordPress Editor Link Modal to WordPress - 8 upvotes, $0
    269. Stored Cross-Site scripting in the infographics using links to Infogram - 8 upvotes, $0
    270. XSS when replying / forwarding to a malicious email on iOS to Mail.ru - 8 upvotes, $0
    271. self-xss ads_easy_promote vk.com to VK.com - 8 upvotes, $0
    272. XSS on account.mail.ru/login to Mail.ru - 8 upvotes, $0
    273. DOM-based Cross-Site Scripting in redirect url checkout to RBKmoney - 8 upvotes, $0
    274. [simplehttpserver] Stored XSS in file names leads to malicious JavaScript code execution when directory listing is output in HTML to Node.js
    third-party modules - 8 upvotes, $0
    275. XSS through document projects to Khan Academy - 8 upvotes, $0
    276. [bracket-template] Reflected XSS possible when variable passed via GET parameter is used in template to Node.js third-party modules - 8
    upvotes, $0
    277. Your page has 2 blocking CSS resources. This causes a delay in rendering your page. to Node.js - 8 upvotes, $0
    278. XSS (Persistent) - Selecting role(s) for protected branches to GitLab - 8 upvotes, $0
    279. XSS on support.wordcamp.org in ajax-quote.php to WordPress - 8 upvotes, $0
    280. X-XSS-Protection header has not been set at app.passit.io to Passit - 8 upvotes, $0
    281. Stored self-xss and its escalation to a victim account in e.mail.ru to Mail.ru - 8 upvotes, $0
    282. XSS in delivery club to Mail.ru - 8 upvotes, $0
    283. Stored XSS against all Chaturbate users using an application name to Chaturbate - 8 upvotes, $0
    284. Cross site scripting (content-sniffing) to Khan Academy - 8 upvotes, $0
    285. Reflected cross site scripting at https://auto.mail.ru/reviews/add_review/ via problems_text parameter. to Mail.ru - 8 upvotes, $0
    286. XSS при загрузке изображения на [games.mail.ru] to Mail.ru - 8 upvotes, $0
    287. Hidden Stored XSS in nested post embeds to Vanilla - 8 upvotes, $0
    288. [███] SQL injection & Reflected XSS to U.S. Dept Of Defense - 8 upvotes, $0
    289. The URL in "Choose a data source'' at "https://bi.owox.com/ui/settings/connected-services/setup/" is not filtered => reflected XSS. to OWOX,
    Inc. - 8 upvotes, $0
    290. [atlasboard-atlassian-package] Cross-site Scripting (XSS) to Node.js third-party modules - 8 upvotes, $0
    291. XSS via HTTP request version in account.my.games to Mail.ru - 8 upvotes, $0
    292. xss on bittorrent.com to BTFS - 8 upvotes, $0
    293. Post based XSS (Cross site scripting) on https://apimgr.8x8.com to 8x8 - 8 upvotes, $0
    294. Stored XSS at Synthetics private locations (planted through location label or description) to New Relic - 8 upvotes, $0
    295. Stored XSS via Comment Form at ████████ to U.S. Dept Of Defense - 8 upvotes, $0
    296. DOM XSS on https://www.███████ to U.S. Dept Of Defense - 8 upvotes, $0
    297. XSS on kubernetes-csi.github.io (mdBook) to Kubernetes - 8 upvotes, $0
    298. Reflected XSS on /admin/stats.php to Revive Adserver - 8 upvotes, $0
    299. Dom XSS Rootkit on [https://www.glassdoor.com/] to Glassdoor - 8 upvotes, $0
    300. Reflected XSS at www.███████ at /██████████ via the ████████ parameter to U.S. Dept Of Defense - 8 upvotes, $0
    301. Stored unauth XSS in calendar event via CSRF to Concrete CMS - 8 upvotes, $0
    302. Blind XSS to Rocket.Chat - 8 upvotes, $0
    303. Cross-site Scripting (XSS) - Reflected at https://██████████/ to U.S. Dept Of Defense - 8 upvotes, $0
    304. Rails::Html::SafeListSanitizer vulnerable to xss attack in an environment that allows the style tag to Ruby on Rails - 8 upvotes, $0
    305. Reflected xss on videostore.mtnonline.com to MTN Group - 8 upvotes, $0
    306. SSRF & XSS (W3 Total Cache) to Pornhub - 7 upvotes, $1000
    307. touch.mail.ru/messages - Stored XSS to Mail.ru - 7 upvotes, $750
    308. VERY DANGEROUS XSS STORED inside emails to Mail.ru - 7 upvotes, $600
    309. "a stored xss issue in share post menu" to Slack - 7 upvotes, $500
    310. Stored XSS in Email attachment file name to Open-Xchange - 7 upvotes, $500
    311. XSS - Guard - Insufficient escaping of User-IDs from PGP Keys to Open-Xchange - 7 upvotes, $500
    312. Stored XSS on recruit.innogames.de to InnoGames - 7 upvotes, $500
    313. XSS on opening malicious OpenOffice presentation document to Open-Xchange - 7 upvotes, $400
    314. PornIQ Reflected Cross-Site Scripting to Pornhub - 7 upvotes, $250
    315. [connect.mail.ru] Memory Disclosure / IE XSS to Mail.ru - 7 upvotes, $250
    316. Stored XSS and html injection in biz.mail.ru to Mail.ru - 7 upvotes, $250
    317. DOM based XSS via postMessage at store.my.games to Mail.ru - 7 upvotes, $200
    318. XSS PoC for the wacky.buggywebsite.com challenge to BugPoC - 7 upvotes, $100
    319. XSS in Draft Orders in Timeline i SHOPIFY Admin Site! to Shopify - 7 upvotes, $0
    320. Adobe XSS to Adobe - 7 upvotes, $0
    321. Reflected XSS in Gallery App to Nextcloud - 7 upvotes, $0
    322. XSS and open redirect in verkkopalvelu.lahitapiola.fi to LocalTapiola - 7 upvotes, $0
    323. Reflected XSS on a Navy website to U.S. Dept Of Defense - 7 upvotes, $0
    324. Application XSS filter function Bypass may allow Multiple stored XSS to Vimeo - 7 upvotes, $0
    325. XSS on Meta Tag at https://m.olx.ph to OLX - 7 upvotes, $0
    326. [RDoc] XSS in project README files to GitLab - 7 upvotes, $0
    327. [reStructuredText] XSS in project README files to GitLab - 7 upvotes, $0
    328. CSRF bypass + XSS on verkkopalvelu.tapiola.fi to LocalTapiola - 7 upvotes, $0
    329. Reflected XSS vulnerability on a DoD website to U.S. Dept Of Defense - 7 upvotes, $0
    330. Stored XSS thru SVG upload to Moneybird - 7 upvotes, $0
    331. Stored xss in agent.qiwi.com to QIWI - 7 upvotes, $0
    332. Stored passive XSS at scheduled posts (kitcrm.com) to Shopify - 7 upvotes, $0
    333. [kb.informatica.com] Stored XSS to Informatica - 7 upvotes, $0
    334. XSS on IOS app via HTML rendering to Nextcloud - 7 upvotes, $0
    335. Stored XSS in Express Objects - Concrete5 v8.1.0 to Concrete CMS - 7 upvotes, $0
    336. xss на нескольких форумах игр от mail.ru (Cross-Site Scripting) to Mail.ru - 7 upvotes, $0
    337. [compose.mixmax.com] Stored XSS on compose.mixmax.com in contact names. to Mixmax - 7 upvotes, $0
    338. Stored XSS in Templates>Enahance>Social Badges to Mixmax - 7 upvotes, $0
    339. Stored XSS on Admin Access Page - Email field to Revive Adserver - 7 upvotes, $0
    340. Stored XSS in Name field in User Groups/Group Details form to Concrete CMS - 7 upvotes, $0
    341. XSS on vimeo.com | "Search within these results" feature (requires user interaction) to Vimeo - 7 upvotes, $0
    342. XSS when using captions/subtitles on video player based on Flash (requires user interaction) to Vimeo - 7 upvotes, $0
    343. xss flash on http://presentatie.werkenbijmcdonalds.nl/ to Radancy - 7 upvotes, $0
    344. Stored XSS vulnerability in additional URLs in 'Location' dialog [Sitemap] to Concrete CMS - 7 upvotes, $0
    345. Stored XSS in content when Graph is created via API to Infogram - 7 upvotes, $0
    346. Stored XSS using SVG on subdomain infra.mail.ru to Mail.ru - 7 upvotes, $0
    347. Stored Cross-Site scripting in the infographics using Data Objects links to Infogram - 7 upvotes, $0
    348. X-XSS-Protection -> Misconfiguration to U.S. Dept Of Defense - 7 upvotes, $0
    349. XSS работающая по всему сайту, где есть упоминания to VK.com - 7 upvotes, $0
    350. XSS in api_v1 to FormAssembly - 7 upvotes, $0
    351. Reflected Cross-site Scripting Vulnerability via JSON Error Message to Inflection - 7 upvotes, $0
    352. [metascraper] Stored XSS in Open Graph meta properties read by metascrapper to Node.js third-party modules - 7 upvotes, $0
    353. Flash-based XSS on mediaelement-flash-audio-ogg.swf of www.lahitapiolarahoitus.fi to LocalTapiola - 7 upvotes, $0
    354. XSS on e.mail.ru via postMessage to Mail.ru - 7 upvotes, $0
    355. XSS at https://icq.com/people to Mail.ru - 7 upvotes, $0
    356. XSS in OLX.pl ("title" in new advertisement) to OLX - 7 upvotes, $0
    357. Stored XSS in Node-Red to Node.js third-party modules - 7 upvotes, $0
    358. XSS e.mail.ru fixSpecialSymbols to Mail.ru - 7 upvotes, $0
    359. XSS via Cookie in e.mail.ru to Mail.ru - 7 upvotes, $0
    360. Stored XSS on Add Event in Calendar to Concrete CMS - 7 upvotes, $0
    361. Stored XSS on Add Calendar to Concrete CMS - 7 upvotes, $0
    362. Stored 'undefined' Cross-site Scripting to Khan Academy - 7 upvotes, $0
    363. Reflected XSS on ssl-ccstatic.highwebmedia.com via player.swf to Chaturbate - 7 upvotes, $0
    364. Persistent XSS - Deleting a project (No Longer Vulnerable in 10.7) to GitLab - 7 upvotes, $0
    365. Хранимая XSS в пожертованиях на dobro.mail.ru to Mail.ru - 7 upvotes, $0
    366. Browser Self XSS Protection not implemented to Weblate - 7 upvotes, $0
    367. Reflected xss in Serendipity's /index.php to Hanno's projects - 7 upvotes, $0
    368. Reflected XSS in delivery-club.ru to Mail.ru - 7 upvotes, $0
    369. Stored XSS in profile page to Vercel - 7 upvotes, $0
    370. XSS Reflect to TomTom - 7 upvotes, $0
    371. Stored XSS @ /engage/<project_slug> to Weblate - 7 upvotes, $0
    372. Corda Server XSS ████████ to U.S. Dept Of Defense - 7 upvotes, $0
    373. [https://fleet.city-mobil.ru] Stored XSS into driver mailing to Mail.ru - 7 upvotes, $0
    374. Stored XSS in the file search filter to Concrete CMS - 7 upvotes, $0
    375. DOM based Cross-site Scripting to BugPoC - 7 upvotes, $0
    376. Stored XSS at Mobile (Versions tab) to New Relic - 7 upvotes, $0
    377. Passive stored XSS at Synthetics job result page (View resource) to New Relic - 7 upvotes, $0
    378. REFLECTED XSS On http://jsgames.mail.ru/bad_browser.php via back_url paramter to Mail.ru - 7 upvotes, $0
    379. Cross Site Scripting (XSS) – Reflected to U.S. Dept Of Defense - 7 upvotes, $0
    380. the same as #948259 - XSS at jsgames.mail.ru to Mail.ru - 7 upvotes, $0
    381. Reflected XSS on https://█████████html?url to U.S. Dept Of Defense - 7 upvotes, $0
    382. capsula.mail.ru - reflected xss to Mail.ru - 7 upvotes, $0
    383. Reflected XSS on /admin/campaign-zone-zones.php to Revive Adserver - 7 upvotes, $0
    384. Reflected XSS on ███████ to U.S. Dept Of Defense - 7 upvotes, $0
    385. [Swiftype] - Stored XSS via document field url triggers on https://app.swiftype.com/engines/\<engine\>/document_types/\
    <type\>/documents/\<id\> to Elastic - 7 upvotes, $0

    386. XSS on ███ to U.S. Dept Of Defense - 7 upvotes, $0


    387. XSS on ub.icq.net to Mail.ru - 7 upvotes, $0
    388. XW 6.2.0 firmware: 5 Reflected XSS issues in link.cgi to Ubiquiti Inc. - 7 upvotes, $0
    389. XSS to Reddit - 7 upvotes, $0
    390. Dom Xss vulnerability to Recorded Future - 7 upvotes, $0
    391. Open Akamai ARL XSS at ████████ to U.S. Dept Of Defense - 7 upvotes, $0
    392. Open Akamai ARL XSS at ████████ to U.S. Dept Of Defense - 7 upvotes, $0
    393. XSS in redditmedia.com can compromise data of reddit.com to Reddit - 7 upvotes, $0
    394. Rails::Html::SafeListSanitizer vulnerable to XSS when certain tags are allowed (math+style || svg+style) to Ruby on Rails - 7 upvotes, $0
    395. stored cross site scripting in https://███ to U.S. Dept Of Defense - 7 upvotes, $0
    396. Reflected XSS at ████████ to U.S. Dept Of Defense - 7 upvotes, $0
    397. Reflected XSS in ██████ to U.S. Dept Of Defense - 7 upvotes, $0
    398. DOM-XSS to U.S. Dept Of Defense - 7 upvotes, $0
    399. Stored XSS in drive.uber.com WordPress admin panel to Uber - 6 upvotes, $2000
    400. Stored-XSS with user interaction on [sandbox.open-xchange.com] via inserted link in mail to Open-Xchange - 6 upvotes, $500
    401. Persistent XSS: Editor link to Phabricator - 6 upvotes, $300
    402. Reflected XSS in Meta Tag to Pornhub - 6 upvotes, $250
    403. Reflected XSS Vulnerability in https://www.lahitapiola.fi/cs/Satellite to LocalTapiola - 6 upvotes, $250
    404. XSS в портальной навигации to Mail.ru - 6 upvotes, $150
    405. XSS to Boozt Fashion AB - 6 upvotes, $120
    406. Stored XSS in name selection to Algolia - 6 upvotes, $100
    407. Reflected XSS in LTContactFormReceiver (/cs/Satellite) to LocalTapiola - 6 upvotes, $50
    408. XSS at http://smarthistory.khanacademy.org to Khan Academy - 6 upvotes, $0
    409. XSS & HTML injection to Localize - 6 upvotes, $0
    410. XSS in invite approval to Localize - 6 upvotes, $0
    411. XSS in main page to Localize - 6 upvotes, $0
    412. XSS in private message to Concrete CMS - 6 upvotes, $0
    413. Stored XSS in www.slack-files.com to Slack - 6 upvotes, $0
    414. Here is another XSS i got for you to MoneyStream - 6 upvotes, $0
    415. Cross site scripting on ads.twitter.com to X (Formerly Twitter) - 6 upvotes, $0
    416. XSS by image file name to FanFootage - 6 upvotes, $0
    417. Persistent XSS on public project page to GitLab - 6 upvotes, $0
    418. Stored XSS in Financial Account executing in Bank tab to Moneybird - 6 upvotes, $0
    419. Stored Cross Site Scripting [SELF] in partners.uber.com to Uber - 6 upvotes, $0
    420. Stored XSS in comments to Paragon Initiative Enterprises - 6 upvotes, $0
    421. xss in group to ok.ru - 6 upvotes, $0
    422. XSS @ *.olx.com.ar to OLX - 6 upvotes, $0
    423. XSS yaman.olx.ph to OLX - 6 upvotes, $0
    424. Additonal stored XSS in Add note/Expected payment Date to Xero - 6 upvotes, $0
    425. XSS in the "Poll" Feature on Twitter.com to X (Formerly Twitter) - 6 upvotes, $0
    426. newsroom.uber.com is vulnerable to 'SOME' XSS attack via plupload.flash.swf to Uber - 6 upvotes, $0
    427. Stored XSS triggered by json key during UI generation to Algolia - 6 upvotes, $0
    428. XSS on Home page olx.com.ar via auto save search text to OLX - 6 upvotes, $0
    429. Reflective XSS at m.olx.ph to OLX - 6 upvotes, $0
    430. [now.informatica.com] Reflective Xss to Informatica - 6 upvotes, $0
    431. Stored XSS in Filters to Pushwoosh - 6 upvotes, $0
    432. Public profile is vulnerable to stored XSS / Facebook Token can be stolen to DigitalSellz - 6 upvotes, $0
    433. Reflected XSS in [olx.qa] to OLX - 6 upvotes, $0
    434. Cross-site scripting (XSS) vulnerability on a DoD website to U.S. Dept Of Defense - 6 upvotes, $0
    435. Reflected XSS on frag.mail.ru to Mail.ru - 6 upvotes, $0
    436. [network.informatica.com] The login form XSS via the referer value to Informatica - 6 upvotes, $0
    437. Reflected XSS in a DoD Website to U.S. Dept Of Defense - 6 upvotes, $0
    438. Reflected XSS in Zomato Mobile - category parameter to Zomato - 6 upvotes, $0
    439. Reflected XSS on Zones > Invocation Code to Revive Adserver - 6 upvotes, $0
    440. XSS on mobile version of vimeo.com where the button "Follow" appears to Vimeo - 6 upvotes, $0
    441. XSS в комментариях от имени сообщества to VK.com - 6 upvotes, $0
    442. XSS during presentation to Zaption - 6 upvotes, $0
    443. XSS when Shared to Infogram - 6 upvotes, $0
    444. Multiple xss on infogram templates to Infogram - 6 upvotes, $0
    445. Stored XSS On Wordpress Infogram plugin to Infogram - 6 upvotes, $0
    446. Persistent Cross-Site Scripting in WooCommerce WordPress plugin to Automattic - 6 upvotes, $0
    447. Persistent XSS in share button to Infogram - 6 upvotes, $0
    448. [marketplace.informatica.com]-Reflected XSS to Informatica - 6 upvotes, $0
    449. Хранимая XSS на странице "Виджет для авторизации" to VK.com - 6 upvotes, $0
    450. [uppy] Stored XSS due to crafted SVG file to Node.js third-party modules - 6 upvotes, $0
    451. XSS уязвимость to Mail.ru - 6 upvotes, $0
    452. Stored Cross Site Scripting to Y Combinator - 6 upvotes, $0
    453. XSS touch.mail.ru compose Body to Mail.ru - 6 upvotes, $0
    454. XSS ( Работа с письмами ) to Mail.ru - 6 upvotes, $0
    455. [tianma-static] Stored xss on filename to Node.js third-party modules - 6 upvotes, $0
    456. [hs.mail.ru] XSS play_now.php to Mail.ru - 6 upvotes, $0
    457. [hs.mail.ru] CRLF Injection / XSS to Mail.ru - 6 upvotes, $0
    458. [new.wf.mail.ru] XSS Request-URI to Mail.ru - 6 upvotes, $0
    459. [evo2.my.com] Internet Explorer XSS to Mail.ru - 6 upvotes, $0
    460. [█████] Reflected GET XSS (/personnel.php?...&rcnum=*) with mouse action to U.S. Dept Of Defense - 6 upvotes, $0
    461. Reflected XSS on card.starbucks.com.sg/unsub.php via the 'ct' Parameter to Starbucks - 6 upvotes, $0
    462. Double linking cause XSS (but blokeced by CSP in gitlab.com) to GitLab - 6 upvotes, $0
    463. XSS на сайте https://warofdragons.my.games/. to Mail.ru - 6 upvotes, $0
    464. [reveal.js] XSS by calling arbitrary method via postMessage to Node.js third-party modules - 6 upvotes, $0
    465. xss to Stellar.org - 6 upvotes, $0
    466. XSS on remote.bittorrent.com to BTFS - 6 upvotes, $0
    467. Stored XSS on go.mail.ru to Mail.ru - 6 upvotes, $0
    468. DOM based XSS on /GTAOnline/de/news/article via "returnUrl" parameter to Rockstar Games - 6 upvotes, $0
    469. Stored XSS at ██████userprofile.aspx to U.S. Dept Of Defense - 6 upvotes, $0
    470. Korea - Reflected XSS on https://www.istarbucks.co.kr/app/getGiftStock.do via "skuNo" and "skuImgUrl" parameters to Starbucks - 6 upvotes, $0
    471. [notevil] - Sandbox Escape Lead to RCE on Node.js and XSS in the Browser to Node.js third-party modules - 6 upvotes, $0
    472. [self?] XSS в адресе пользователя [sbermarket.ru] to Mail.ru - 6 upvotes, $0
    473. [delivery.city-mobil.ru] Stored XSS into support request comment to Mail.ru - 6 upvotes, $0
    474. Stored XSS at Template Editor in "Section Name" Field of Block element 'Accordion'. to Stripo Inc - 6 upvotes, $0
    475. [BugPOC and Amazon XSS CTF writeup] A CSP Bypass Story to BugPoC - 6 upvotes, $0
    476. [aw.mail.ru] XSS on /quiztank page to Mail.ru - 6 upvotes, $0
    477. Stored XSS at https://www.█████████.mil to U.S. Dept Of Defense - 6 upvotes, $0
    478. Stored XSS via 64(?) vulnerable fields in ███ leads to credential theft/account takeover to U.S. Dept Of Defense - 6 upvotes, $0
    479. [MY.GAMES] XSS в мессенджере to Mail.ru - 6 upvotes, $0
    480. Second Order XSS via █████ to U.S. Dept Of Defense - 6 upvotes, $0
    481. Reflected XSS on █████████ to U.S. Dept Of Defense - 6 upvotes, $0
    482. DOM XSS в learning.ozon.ru to Ozon - 6 upvotes, $0
    483. XSS reflected to Engel & Völkers Technology GmbH - 6 upvotes, $0
    484. [www.███] Reflected Cross-Site Scripting to U.S. Dept Of Defense - 6 upvotes, $0
    485. Stored-XSS in merge requests to GitLab - 6 upvotes, $0
    486. ███████ - XSS - CVE-2020-3580 to U.S. Dept Of Defense - 6 upvotes, $0
    487. Open Redirect and CRLF Injection Leads to XSS on [app.doma.uchi.ru] to Mail.ru - 6 upvotes, $0
    488. Reflected XSS at https://█████ via "██████████" parameter to U.S. Dept Of Defense - 6 upvotes, $0
    489. Stored XSS in Question edit from product name to Judge.me - 6 upvotes, $0
    490. XSS on https://████/ via ███████ parameter to U.S. Dept Of Defense - 6 upvotes, $0
    491. XSS at http://nextapps.mtnonline.com/search/suggest/q/{xss payload} to MTN Group - 6 upvotes, $0
    492. Reflected XSS via ████████ parameter to U.S. Dept Of Defense - 6 upvotes, $0
    493. Cross-site scripting (DOM-based) to OneWeb - 6 upvotes, $0
    494. [doc.rt.informaticacloud.com] Reflected XSS via Stack Strace to Informatica - 6 upvotes, $0
    495. XSS DUE TO CVE-2022-38463 in https://████████ to U.S. Dept Of Defense - 6 upvotes, $0
    496. XSS in Acronis Cloud Manager Admin Portal to Acronis - 6 upvotes, $0
    497. stored cross site scripting in https://██████████ to U.S. Dept Of Defense - 6 upvotes, $0
    498. Stored XSS in archive.uber.com Due to Injection of Javascript:alert(0) to Uber - 5 upvotes, $3000
    499. Reflected XSS via Livefyre Media Wall in newsroom.uber.com to Uber - 5 upvotes, $2000
    500. [h1-2102] Stored XSS in product description via productUpdate GraphQL query leads to XSS at handshake-web-
    internal.shopifycloud.com/products/[ID] to Shopify - 5 upvotes, $1600
    501. Persistent cross-site scripting (XSS) in map attribution to Mapbox - 5 upvotes, $1000
    502. XSS on internal: privileged origin through reader mode to Brave Software - 5 upvotes, $500
    503. Reflected cross-site scripting (XSS) vulnerability in pornhub.com allows attackers to inject arbitrary web script or HTML. to Pornhub - 5 upvotes,
    $200
    504. Store Cross-Site Scripting - www.razer.ru to Razer - 5 upvotes, $200
    505. XSS на странице "Платежи водителей" [city-mobil.ru/taxiserv] to Mail.ru - 5 upvotes, $150
    506. Stored XSS at Udemy to Udemy - 5 upvotes, $50
    507. Cross Site Scripting – Album Page to Pornhub - 5 upvotes, $50
    508. Stored XSS from ticket messages in admin table in SupportFlow to Ian Dunn - 5 upvotes, $50
    509. Stored XSS in SupportFlow Ticket Subject to Ian Dunn - 5 upvotes, $50
    510. XSS in Groups to Localize - 5 upvotes, $0
    511. Stored XSS in Slackbot Direct Messages to Slack - 5 upvotes, $0
    512. XSS 1 to StopTheHacker - 5 upvotes, $0
    513. reflected XSS, http://extprodweb11.cc.gq1.yahoo.com/, 4/8/14, #SpringClean to Yahoo! - 5 upvotes, $0
    514. XSS on [/concrete/concrete/elements/dashboard/sitemap.php] to Concrete CMS - 5 upvotes, $0
    515. Stored XSS on this link https://sehacure.slack.com/help/requests/ to Slack - 5 upvotes, $0
    516. Reflected XSS connect.mail.ru (IE6-IE8) to Mail.ru - 5 upvotes, $0
    517. XSS on any site that includes the moogaloop flash player | deprecated embed code to Vimeo - 5 upvotes, $0
    518. Tweet Deck XSS- Persistent- Group DM name to X (Formerly Twitter) - 5 upvotes, $0
    519. Potential XSS on sanitize/Rails::Html::WhiteListSanitizer to Ruby on Rails - 5 upvotes, $0
    520. XSS via React element spoofing to Imgur - 5 upvotes, $0
    521. XSS on hardware.shopify.com to Shopify - 5 upvotes, $0
    522. XSS via Fabrico Account Name to X (Formerly Twitter) - 5 upvotes, $0
    523. Several XSS affecting Zomato.com and developers.zomato.com to Zomato - 5 upvotes, $0
    524. Cross Site Scripting In Profile Statement to Gratipay - 5 upvotes, $0
    525. refelected Xss on https://gmid.gm.com/gmid/jsp/GMIDInitialLogin.jsp to General Motors - 5 upvotes, $0
    526. XSS in https://www.coursera.org/courses/ to Coursera - 5 upvotes, $0
    527. DOM XSS в /activation.php?act=activate_mobile to VK.com - 5 upvotes, $0
    528. Xss in m.ok.ru to ok.ru - 5 upvotes, $0
    529. [mrgs.mail.ru] Internet Explorer XSS via Request-URI to Mail.ru - 5 upvotes, $0
    530. Stored XSS on contact name to OLX - 5 upvotes, $0
    531. Reflected XSS at m.olx.ph to OLX - 5 upvotes, $0
    532. [now.informatica.com] Reflective XSS to Informatica - 5 upvotes, $0
    533. XSS vulnerability on an Army website to U.S. Dept Of Defense - 5 upvotes, $0
    534. Wordpress flashmediaelement.swf XSS on stopthehacker.com to StopTheHacker - 5 upvotes, $0
    535. Stored XSS in albums on http://m.imgur.com/ to Imgur - 5 upvotes, $0
    536. [Textile] XSS in project README files to GitLab - 5 upvotes, $0
    537. Reflected XSS on Signup Page to New Relic - 5 upvotes, $0
    538. Stored XSS в имени песни (2) на платёжном гейте. to ok.ru - 5 upvotes, $0
    539. [allods.mail.ru] Reflected XSS to Mail.ru - 5 upvotes, $0
    540. Reflected XSS in olx.pt to OLX - 5 upvotes, $0
    541. [careers.informatica.com] XSS on "isJTN" to Informatica - 5 upvotes, $0
    542. [marketplace.informatica.com]- Stored XSS on Image title and Edit Property to Informatica - 5 upvotes, $0
    543. [marketplace.informatica.com] Search XSS to Informatica - 5 upvotes, $0
    544. self xss in to Quora - 5 upvotes, $0
    545. Self-XSS can be achieved in the editor link using filter bypass to Weblate - 5 upvotes, $0
    546. Reflected XSS on Branch domain to Cuvva - 5 upvotes, $0
    547. Reflected XSS and something more Store XSS too to General Motors - 5 upvotes, $0
    548. Flash XSS on global nav to General Motors - 5 upvotes, $0
    549. Reflected XSS vulnerability on a DoD website to U.S. Dept Of Defense - 5 upvotes, $0
    550. Reflected XSS on business-blog.zomato.com - Part 2 to Zomato - 5 upvotes, $0
    551. Reflected cross-site scripting (XSS) vulnerability on a DoD website to U.S. Dept Of Defense - 5 upvotes, $0
    552. Cross-site Scripting (XSS) in /updates-pro/archive/ to MapsMarker.com e.U. - 5 upvotes, $0
    553. Reflected XSS на https://aw.mail.ru/news/ to Mail.ru - 5 upvotes, $0
    554. Reflected XSS in Step 2 of the Installation to Revive Adserver - 5 upvotes, $0
    555. XSS on player.vimeo.com without user interaction and vimeo.com with user interaction to Vimeo - 5 upvotes, $0
    556. Reflected XSS on vimeo.com/musicstore to Vimeo - 5 upvotes, $0
    557. Reflected XSS on www.bookfresh.com/index.html?view=upload_form to Bookfresh - 5 upvotes, $0
    558. XSS on Report Classic to Infogram - 5 upvotes, $0
    559. Stored XSS via transloadit.com and imageproxy to Coursera - 5 upvotes, $0
    560. Report Design Critical Stored DOM XSS Vulnerability to Infogram - 5 upvotes, $0
    561. [marketplace.informatica.com] - Stored XSS to Informatica - 5 upvotes, $0
    562. muber-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 5
    upvotes, $0
    563. [html-janitor] Passing user-controlled data to clean() leads to XSS to Node.js third-party modules - 5 upvotes, $0
    564. Reflected XSS { support.mycrypto.com } to MyCrypto - 5 upvotes, $0
    565. Outdated MediaElement.js Reflected Cross-Site Scripting (XSS) to Zomato - 5 upvotes, $0
    566. [public] Stored XSS in filenames in directory served by public to Node.js third-party modules - 5 upvotes, $0
    567. [maps.me] Reflected XSS to Mail.ru - 5 upvotes, $0
    568. The react-marked-markdown module allows XSS injection in href values. to Node.js third-party modules - 5 upvotes, $0
    569. [public] Stored XSS in the filename when directories listing to Node.js third-party modules - 5 upvotes, $0
    570. [html-pages] Stored XSS in the filename when directories listing to Node.js third-party modules - 5 upvotes, $0
    571. stored xss in scrape-metadata when reading metadata from an html page to Node.js third-party modules - 5 upvotes, $0
    572. XSS (stored) Wizard is saving executable code to Rocket.Chat - 5 upvotes, $0
    573. XSS in http://localhost:8153/go/admin/config/server/update to GoCD - 5 upvotes, $0
    574. Stored XSS in Profile Comments to Vanilla - 5 upvotes, $0
    575. Remote File Inclusion, Malicious File Hosting, and Cross-site Scripting (XSS) in ████████ to U.S. Dept Of Defense - 5 upvotes, $0
    576. Lack of input validation and sanitization in react-autolinker-wrapper library causes XSS to Node.js third-party modules - 5 upvotes, $0
    577. HTML injection and limited XSS via logo image upload - Nextcloud 12.0.0 to Nextcloud - 5 upvotes, $0
    578. [share.polymail.io] XSS when uploading a file to the server to Polymail, Inc. - 5 upvotes, $0
    579. Stored XSS on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action to Topcoder - 5 upvotes, $0
    580. Reflected XSS on https://apps.topcoder.com/wiki/pages/createpage.action to Topcoder - 5 upvotes, $0
    581. Reflected XSS and HTML Injectionon a DoD website to U.S. Dept Of Defense - 5 upvotes, $0
    582. Dom based XSS on www.rockstargames.com/GTAOnline/features/freemode to Rockstar Games - 5 upvotes, $0
    583. Stored XSS on express entries to Concrete CMS - 5 upvotes, $0
    584. Stored XSS on Company Logo to 8x8 - 5 upvotes, $0
    585. Reflected XSS in "keywords" parameter at "https://sbermarket.ru/metro/search" to Mail.ru - 5 upvotes, $0
    586. xss on [storehouse5.ucs.ru] to Mail.ru - 5 upvotes, $0
    587. Stored XSS at APM transaction map (transactionName field) to New Relic - 5 upvotes, $0
    588. XSS via "gp" cookie reflected in source code to Mail.ru - 5 upvotes, $0
    589. xss on polaris.shopify.com/demo using postMessage to Shopify - 5 upvotes, $0
    590. Arbitrary file upload and stored XSS via ███ support request to U.S. Dept Of Defense - 5 upvotes, $0
    591. HTML Injection + XSS Vulnerability - https://████████/ | Proof of Concept [PoC] to U.S. Dept Of Defense - 5 upvotes, $0
    592. Blind Stored XSS on https://█████████ after filling a request at https://█████ to U.S. Dept Of Defense - 5 upvotes, $0
    593. reflected xss @ www.█████████ to U.S. Dept Of Defense - 5 upvotes, $0
    594. Reflected XSS in https://██████████ via "████████" parameter to U.S. Dept Of Defense - 5 upvotes, $0
    595. Cross-site Scripting (XSS) possible at https://sifchain.finance// via CVE-2019-8331 exploitation to Sifchain - 5 upvotes, $0
    596. CSS-Reflected to Engel & Völkers Technology GmbH - 5 upvotes, $0
    597. [█████████] Reflected Cross-Site Scripting Vulnerability to U.S. Dept Of Defense - 5 upvotes, $0
    598. XSS DUE TO CVE-2020-3580 to U.S. Dept Of Defense - 5 upvotes, $0
    599. Stored XSS on https://community.my.games/ (Add Post) to Mail.ru - 5 upvotes, $0
    600. 8x8pilot.com: Reflected XSS in Apache Tomcat /jsp-examples example directory to 8x8 - 5 upvotes, $0
    601. Reflected XSS on https://www.glassdoor.com/parts/header.htm to Glassdoor - 5 upvotes, $0
    602. Reflected Cross Site Scripting at http://www.grouplogic.com/files/glidownload/verify3.asp [Uppercase Filter Bypass] to Acronis - 5 upvotes, $0
    603. Shop - Reflected XSS With Clickjacking Leads to Steal User's Cookie In Two Domain to Meredith - 5 upvotes, $0
    604. Reflected XSS | https://████████ to U.S. Dept Of Defense - 5 upvotes, $0
    605. XSS via Client Side Template Injection on www.███/News/Speeches to U.S. Dept Of Defense - 5 upvotes, $0
    606. stored cross site scripting in https://███ to U.S. Dept Of Defense - 5 upvotes, $0
    607. Reflected XSS in ██████████ to U.S. Dept Of Defense - 5 upvotes, $0
    608. XSS in twitter.com/safety/unsafe_link_warning to X (Formerly Twitter) - 4 upvotes, $1400
    609. Stored XSS in the Shopify Discussion Forums to Shopify - 4 upvotes, $500
    610. Strored Cross Site Scripting to Shopify - 4 upvotes, $500
    611. a stored xss in slack integration https://onerror.slack.com/services/import to Slack - 4 upvotes, $500
    612. XSS in my.shopify.com in widget to Shopify - 4 upvotes, $500
    613. Reflected Cross-Site Scripting on French subdomain to Pornhub - 4 upvotes, $250
    614. Cross Site Scripting - On Mouse Over, Blog page to Pornhub - 4 upvotes, $250
    615. Reflected XSS Vulnerability in www.lahitapiola.fi/cs/Satellite to LocalTapiola - 4 upvotes, $250
    616. [0.vk.com] Reflected XSS на странице подтверждения. to VK.com - 4 upvotes, $200
    617. [reflected xss, pornhub.com] /blog, any to Pornhub - 4 upvotes, $100
    618. XSS on 3rd party service Localtapiola is using to LocalTapiola - 4 upvotes, $100
    619. Vulnerability found, XSS (Cross site Scripting) to Yahoo! - 4 upvotes, $0
    620. Persistent class XSS [the fuck] to Khan Academy - 4 upvotes, $0
    621. XSS IN member List (Because of City Textbox) to Concrete CMS - 4 upvotes, $0
    622. XSS in main page (invitation) to Localize - 4 upvotes, $0
    623. XSS Vulnerability (my.yahoo.com) to Yahoo! - 4 upvotes, $0
    624. https://caldav.calendar.yahoo.com/ - XSS (STORED) to Yahoo! - 4 upvotes, $0
    625. XSS in https://e.mail.ru/cgi-bin/lstatic (Limited use) to Mail.ru - 4 upvotes, $0
    626. XSS in original referrer after follow to X (Formerly Twitter) - 4 upvotes, $0
    627. Stored XSS in Slack.com to Slack - 4 upvotes, $0
    628. Stored XSS in api key of operator wallet to Enter - 4 upvotes, $0
    629. Stored Cross Site Scripting Vulnerability in Yahoo Mail to Yahoo! - 4 upvotes, $0
    630. Minor Bug: Public un-compiled CSS with original sass, versioning, source map, comments, etc. to HackerOne - 4 upvotes, $0
    631. apps.owncloud.com: XSS via referrer to ownCloud - 4 upvotes, $0
    632. Persistent XSS in image title to Imgur - 4 upvotes, $0
    633. Reflected XSS via. search to Adobe - 4 upvotes, $0
    634. xss in DM group name in twitter to X (Formerly Twitter) - 4 upvotes, $0
    635. Dom Based Xss to Uber - 4 upvotes, $0
    636. [tz.mail.ru] XSS в функционале авторизации to Mail.ru - 4 upvotes, $0
    637. Stored XSS on [your_zendesk].zendesk.com in Facebook Channel to Zendesk - 4 upvotes, $0
    638. Reflected Cross-Site Scripting in www.zomato.com/php/instagram_tag_relay to Zomato - 4 upvotes, $0
    639. Reflected XSS at yaman.olx.ph to OLX - 4 upvotes, $0
    640. Template stored XSS to drchrono - 4 upvotes, $0
    641. XSS in uber oauth to Uber - 4 upvotes, $0
    642. XSS via password recovering to Uber - 4 upvotes, $0
    643. XSS in people.uber.com to Uber - 4 upvotes, $0
    644. XSS in Tagregator plugin to Ian Dunn - 4 upvotes, $0
    645. Arbitrary SQL query execution and reflected XSS in the "SQL Query Form" to ExpressionEngine - 4 upvotes, $0
    646. these are my old reports and still i have not receive any good replys, these all are Cross Site Scripting(XSS) issues: POC1:
    https://www.youtube.com/w to OLX - 4 upvotes, $0
    647. stored SELF xss on Basic Google Maps Placemarks Settings plugin to Ian Dunn - 4 upvotes, $0
    648. [support.my.com] Internet Explorer XSS to Mail.ru - 4 upvotes, $0
    649. [Thirdparty] Stored XSS in chat module - nextcloud server 9.0.51 installed in ubuntu 14.0.4 LTS to Nextcloud - 4 upvotes, $0
    650. Reflected XSS in OLX.in to OLX - 4 upvotes, $0
    651. REFLECTED CROSS SITE SCRIPTING IN OLX to OLX - 4 upvotes, $0
    652. Stored XSS on new Calling plugin (spreed) to Nextcloud - 4 upvotes, $0
    653. Persistent XSS vulnerability on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
    654. Cross-site scripting vulnerability on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
    655. Cross-site scripting (XSS) vulnerability on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
    656. Stored cross-site scripting (XSS) on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
    657. Stored xss to ownCloud - 4 upvotes, $0
    658. [marketplace.informatica.com] Profile stored XSS to Informatica - 4 upvotes, $0
    659. XSS on username when register to proffesional account to FormAssembly - 4 upvotes, $0
    660. Reflected XSS on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
    661. Cross-Site Scripting (XSS) on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
    662. Cross-site-Scripting to Paragon Initiative Enterprises - 4 upvotes, $0
    663. [demo.weblate.org] Stored Self-XSS via Editor Link in Profile to Weblate - 4 upvotes, $0
    664. Stored XSS in RSS Feeds Title (Concrete5 v8.1.0) to Concrete CMS - 4 upvotes, $0
    665. Reflected XSS on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
    666. Reflected XSS on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
    667. Flash XSS on Buick_RotatingMasthead_JellyBeanSlider.swf to General Motors - 4 upvotes, $0
    668. Stored XSS templates -> 'call for action' feature to Mixmax - 4 upvotes, $0
    669. Reflected XSS on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
    670. MailPoet Newsletters <= 2.7.2 - Authenticated Reflected Cross-Site Scripting (XSS) to Zomato - 4 upvotes, $0
    671. XSS in flashmediaelement.swf (business-blog.zomato.com) to Zomato - 4 upvotes, $0
    672. Reflected XSS vulnerability on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
    673. Reflective XSS vulnerability on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
    674. Stored cross site scripting (XSS) vulnerability on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
    675. xss found in zomato to Zomato - 4 upvotes, $0
    676. Reflected XSS on hi-tech.mail.ru to Mail.ru - 4 upvotes, $0
    677. Reflected XSS. to Mail.ru - 4 upvotes, $0
    678. Cross-site scripting (XSS) vulnerability on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
    679. Cross-site scripting (XSS) on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
    680. XSS Vulnerability in WooCommerce Product Vendors plugin to Automattic - 4 upvotes, $0
    681. Reflective XSS to ExpressionEngine - 4 upvotes, $0
    682. Cross site scripting in a subdomain of newrelic.com to New Relic - 4 upvotes, $0
    683. Stored XSS on BillingCountry parameter to New Relic - 4 upvotes, $0
    684. Non Critical Code Quality Bug / Self XSS on Map Editor to Infogram - 4 upvotes, $0
    685. [redis-commander] Reflected SWF XSS via vulnerable "clipboard.swf" component to Node.js third-party modules - 4 upvotes, $0
    686. Self-xss via drag&drop in email form to Mail.ru - 4 upvotes, $0
    687. [afisha.mail.ru] HTML-инъекция через XSS на портале виджета to Mail.ru - 4 upvotes, $0
    688. [crud-file-server] Stored XSS in filenames when directory index is served by crud-file-server to Node.js third-party modules - 4 upvotes, $0
    689. [gem server] Stored XSS via crafted JavaScript URL inclusion in Gemspec to RubyGems - 4 upvotes, $0
    690. [glance] Stored XSS via file name allows to run arbitrary JavaScript when directory listing is displayed in browser to Node.js third-party modules
    - 4 upvotes, $0
    691. Airship: Persistent XSS via Comment to Paragon Initiative Enterprises - 4 upvotes, $0
    692. [exceljs] Possible XSS via cell value when worksheet is displayed in browser to Node.js third-party modules - 4 upvotes, $0
    693. Browser Self XSS Protection not implemented to PortSwigger Web Security - 4 upvotes, $0
    694. [serve] XSS via HTML tag injection in directory lisiting page to Node.js third-party modules - 4 upvotes, $0
    695. [serve] Stored XSS in the filename when directories listing to Node.js third-party modules - 4 upvotes, $0
    696. [target.my.com] CRLF Injection -> XSS to Mail.ru - 4 upvotes, $0
    697. [beta.tracker.my.com] XSS Request-URI to Mail.ru - 4 upvotes, $0
    698. XSS in Bootbox to Node.js third-party modules - 4 upvotes, $0
    699. XSS to Mail.ru - 4 upvotes, $0
    700. xss to Mail.ru - 4 upvotes, $0
    701. Reflected Cross Site Scripting vuln in tomtom.com to TomTom - 4 upvotes, $0
    702. self XSS на странице https://aw.mail.ru/pin/ to Mail.ru - 4 upvotes, $0
    703. Stored XSS in embedded posts containing images to Vanilla - 4 upvotes, $0
    704. [████████] Reflected XSS to U.S. Dept Of Defense - 4 upvotes, $0
    705. [███████] Reflected GET XSS (/mission.php?...&missionDate=*) to U.S. Dept Of Defense - 4 upvotes, $0
    706. Stored XSS on scan.nextcloud.com to Nextcloud - 4 upvotes, $0
    707. potential RCE and XSS via file upload requiring user account and default settings to Nextcloud - 4 upvotes, $0
    708. Unrestricted file upload leads to stored xss on https://████████/ to U.S. Dept Of Defense - 4 upvotes, $0
    709. XSS (Cross site scripting) on https://apimgr.8x8.com to 8x8 - 4 upvotes, $0
    710. Stored XSS agent_status to 8x8 - 4 upvotes, $0
    711. HTML Injection leads to XSS on███ to U.S. Dept Of Defense - 4 upvotes, $0
    712. Stored XSS firing if the error occurs when trying to delete the APM app to New Relic - 4 upvotes, $0
    713. CSTI fix (#587829) bypass leading to stored XSS at plugins again to New Relic - 4 upvotes, $0
    714. Cross Site Scripting and Open Redirect in affiliate-preview.php file to Revive Adserver - 4 upvotes, $0
    715. Stored XSS through name / last name on https://██████████/ to U.S. Dept Of Defense - 4 upvotes, $0
    716. Self XSS + CSRF Leads to Reflected XSS in https://████/ to U.S. Dept Of Defense - 4 upvotes, $0
    717. Cross-site Scripting (XSS) - Reflected to Zivver - 4 upvotes, $0
    718. XSS by MathML at Active Storage to Ruby on Rails - 4 upvotes, $0
    719. Cross-Site Scripting thorough XSSJacking/PasteJacking Technique to Zivver - 4 upvotes, $0
    720. Post-Auth Stored XSS with User Interaction leads to Remote Code Execution to Rocket.Chat - 4 upvotes, $0
    721. xss on https://███████(█████████ parameter) to U.S. Dept Of Defense - 4 upvotes, $0
    722. XSS due to CVE-2020-3580 [██████] to U.S. Dept Of Defense - 4 upvotes, $0
    723. Stored XSS in Conversations (both client and admin) when Active Conversation Editor is set to "Rich Text" to Concrete CMS - 4 upvotes, $0
    724. Stored XSS вирус в al_video.php?act=a_choose_video_box to VK.com - 4 upvotes, $0
    725. Reflected XSS at https://█████████ via "███" parameter to U.S. Dept Of Defense - 4 upvotes, $0
    726. XSS Stored on https://seedr.ru to Mail.ru - 4 upvotes, $0
    727. XSS at videostore.mtnonline.com/GL/*.aspx via all parameters to MTN Group - 4 upvotes, $0
    728. Reflected Cross Site Scripting at ColdFusion Debugging Panel http://www.grouplogic.com/CFIDE/debug/cf_debugFr.cfm to Acronis - 4 upvotes,
    $0
    729. stored cross site scripting in https://███████ to U.S. Dept Of Defense - 4 upvotes, $0
    730. stored cross site scripting in https://██████████ to U.S. Dept Of Defense - 4 upvotes, $0
    731. stored cross site scripting in https://█████████ to U.S. Dept Of Defense - 4 upvotes, $0
    732. stored cross site scripting in https://███ to U.S. Dept Of Defense - 4 upvotes, $0
    733. Reflected XSS in ██████████ to U.S. Dept Of Defense - 4 upvotes, $0
    734. Cross-Site-Scripting in "Search Messages" to Rocket.Chat - 4 upvotes, $0
    735. XSS in ServiceNow logout https://████:443 to U.S. Dept Of Defense - 4 upvotes, $0
    736. XSS exploit of RDoc documentation generated by rdoc to Ruby - 4 upvotes, $0
    737. Stored XSS in RDoc hyperlinks through javascript scheme to Ruby - 4 upvotes, $0
    738. XSS in getrush.uber.com to Uber - 3 upvotes, $3000
    739. XSS in L.mapbox.shareControl in mapbox.js to Mapbox - 3 upvotes, $1000
    740. JavaScript: Add some new XSS sinks and sources of Next.js (and some extra improvements) to GitHub Security Lab - 3 upvotes, $1000
    741. Persistent Cross Site Scripting within the IRCCloud Pastebin to IRCCloud - 3 upvotes, $500
    742. XSS on partners.uber.com to Uber - 3 upvotes, $500
    743. [e.mail.ru] XSS на странице отправки денежного перевода to Mail.ru - 3 upvotes, $500
    744. XSS by file (Active Storage Proxying ) to Ruby on Rails - 3 upvotes, $500
    745. Reflected XSS and Open Redirect (verkkopalvelu.lahitapiola.fi) to LocalTapiola - 3 upvotes, $400
    746. XSS Reflected incategories*p to Pornhub - 3 upvotes, $250
    747. XSS ReflectedGET /embed_player? to Pornhub - 3 upvotes, $250
    748. Reflective XSS can be triggered in IE to Slack - 3 upvotes, $150
    749. Reflected Self-XSS Vulnerability in the Comment section of Files Information to Nextcloud - 3 upvotes, $100
    750. csp bypass leads to xss on wacky.buggywebsite.com to BugPoC - 3 upvotes, $100
    751. Solution for XSS challenge wacky.buggywebsite.com to BugPoC - 3 upvotes, $100
    752. Cross site scripting to Deriv.com - 3 upvotes, $75
    753. Dom based XSS https://www.khanacademy.org/ to Khan Academy - 3 upvotes, $0
    754. http://smarthistory.khanacademy.org/search-results.html XSS to Khan Academy - 3 upvotes, $0
    755. Stored XSS {dangerous?} https://www.khanacademy.org/coach/roster/?listId=allStudents to Khan Academy - 3 upvotes, $0
    756. XSS via Email to Respondly - 3 upvotes, $0
    757. XSS via Email Link to Respondly - 3 upvotes, $0
    758. XSS in password to Localize - 3 upvotes, $0
    759. /index.php/dashboard/sitemap/explore/ Cross-site scripting to Concrete CMS - 3 upvotes, $0
    760. XSS in Yahoo! Web Analytics to Yahoo! - 3 upvotes, $0
    761. Yahoo! Reflected XSS to Yahoo! - 3 upvotes, $0
    762. Flash XSS in http://go.mail.ru to Mail.ru - 3 upvotes, $0
    763. XSS in editor by any user to Phabricator - 3 upvotes, $0
    764. XSS ON MOPUB.COM to X (Formerly Twitter) - 3 upvotes, $0
    765. Flash XSS in http://lingvo.mail.ru to Mail.ru - 3 upvotes, $0
    766. stored xss in transaction to Enter - 3 upvotes, $0
    767. Vulnerability type xss uncovered in airbnb.es to Airbnb - 3 upvotes, $0
    768. Xss in website's link to Shopify - 3 upvotes, $0
    769. XSS - URL Redirects to Shopify - 3 upvotes, $0
    770. XSS in experts.shopify.com to Shopify - 3 upvotes, $0
    771. XSS at importing Product List to Shopify - 3 upvotes, $0
    772. XSS at Bulk editing products to Shopify - 3 upvotes, $0
    773. [persistent cross-site scripting] customers can target admins to Shopify - 3 upvotes, $0
    774. XSS using yql and developers console proxy to Yahoo! - 3 upvotes, $0
    775. XSS in my yahoo to Yahoo! - 3 upvotes, $0
    776. XSS Reflected - Yahoo Travel to Yahoo! - 3 upvotes, $0
    777. [ishop.qiwi.com] XSS + Misconfiguration to QIWI - 3 upvotes, $0
    778. Reflected XSS in chat. to Shopify - 3 upvotes, $0
    779. Reflective Xss Vulnerability to Urban Dictionary - 3 upvotes, $0
    780. XSS in WordPress to Automattic - 3 upvotes, $0
    781. [start.icq.com] Reflected XSS via Cookies to Mail.ru - 3 upvotes, $0
    782. xss to Keybase - 3 upvotes, $0
    783. Stored XSS in Slack (weird, trial and error) to Slack - 3 upvotes, $0
    784. Stored XSS in comments to Zendesk - 3 upvotes, $0
    785. Stored XSS on vimeo.com and player.vimeo.com to Vimeo - 3 upvotes, $0
    786. Sql injection And XSS to Khan Academy - 3 upvotes, $0
    787. Stored XSS in comments to Zendesk - 3 upvotes, $0
    788. XSS m.imgur.com to Imgur - 3 upvotes, $0
    789. XSS vulnerability in "/coach/roster/" ( create your first class) to Khan Academy - 3 upvotes, $0
    790. Cross site scripting On api Calculator API requests to ok.ru - 3 upvotes, $0
    791. XSS at www.woothemes.com to Automattic - 3 upvotes, $0
    792. Reflected XSS in owncloud.com to ownCloud - 3 upvotes, $0
    793. Cross site scripting in apps.owncloud.com to ownCloud - 3 upvotes, $0
    794. Vulnerability : XSS Vulnerability to Xero - 3 upvotes, $0
    795. doc.owncloud.org: XSS via Referrer to ownCloud - 3 upvotes, $0
    796. Stored Cross-Site Scripting in Map Share Page to Mapbox - 3 upvotes, $0
    797. Possible XSS to HackerOne - 3 upvotes, $0
    798. www.veris.in DOM based XSS to Veris - 3 upvotes, $0
    799. stored XSS in concrete5 5.7.2.1 to Concrete CMS - 3 upvotes, $0
    800. XSS on www.wordpress.com to Automattic - 3 upvotes, $0
    801. XSS on gmchat.gm.com to General Motors - 3 upvotes, $0
    802. Self-XSS Vulnerability on Password Reset Form to Uber - 3 upvotes, $0
    803. XSS on codex.wordpress.org to Automattic - 3 upvotes, $0
    804. Multiple Stored Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1 to Concrete CMS - 3 upvotes, $0
    805. XSS on zomato.com to Zomato - 3 upvotes, $0
    806. [github.algolia.com] XSS to Algolia - 3 upvotes, $0
    807. Stored XSS from Display Settings triggered on Save and viewing realtime search demo to Algolia - 3 upvotes, $0
    808. XSS in Subtitles of Vimeo Flash Player and Hubnut to Vimeo - 3 upvotes, $0
    809. Reflected xss on websummit.net to WebSummit - 3 upvotes, $0
    810. Reflected Cross site scripting to Veris - 3 upvotes, $0
    811. Stored XSS на street-combats.mail.ru to Mail.ru - 3 upvotes, $0
    812. Critical : Malware and XSS file can be uploaded and executed on udemy to Udemy - 3 upvotes, $0
    813. Web Browser XSS Protection Not Enabled to Open-Xchange - 3 upvotes, $0
    814. xss for admin of https://newsletter.nextcloud.com to Nextcloud - 3 upvotes, $0
    815. Reflective XSS at dubai.dubizzle.com to OLX - 3 upvotes, $0
    816. [api.login.icq.net] Reflected XSS to Mail.ru - 3 upvotes, $0
    817. Reflected XSS on iltakoulu_varkaus (viestinta.lahitapiola.fi) to LocalTapiola - 3 upvotes, $0
    818. XSS vulnerability on a DoD website to U.S. Dept Of Defense - 3 upvotes, $0
    819. XSS in a newrelic.com site to New Relic - 3 upvotes, $0
    820. stored xss issue in folder name on go.xero.com/Docs/Folders to Xero - 3 upvotes, $0
    821. cross-site scripting in get request to OLX - 3 upvotes, $0
    822. Self XSS at translation page through Editor Link at demo.weblate.org to Weblate - 3 upvotes, $0
    823. Reflected XSS on a DoD website to U.S. Dept Of Defense - 3 upvotes, $0
    824. Reflected XSS on a DoD website to U.S. Dept Of Defense - 3 upvotes, $0
    825. DOM Based XSS on a DoD website to U.S. Dept Of Defense - 3 upvotes, $0
    826. Reflected XSS vulnerability on a DoD website to U.S. Dept Of Defense - 3 upvotes, $0
    827. Reflected XSS. to Mail.ru - 3 upvotes, $0
    828. Reflected XSS vulnerability on a DoD website to U.S. Dept Of Defense - 3 upvotes, $0
    829. Reflected XSS on a DoD website to U.S. Dept Of Defense - 3 upvotes, $0
    830. SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 3 upvotes, $0
    831. SSL-protected Reflected XSS in m.uber.com to Uber - 3 upvotes, $0
    832. SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 3 upvotes, $0
    833. udi-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 3
    upvotes, $0
    834. lite:sess Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 3
    upvotes, $0
    835. Stored XSS in WordPress to WordPress - 3 upvotes, $0
    836. [aw.my.com] Reflected XSS to Mail.ru - 3 upvotes, $0
    837. [sexstatic] HTML injection in directory name(s) leads to Stored XSS when malicious file is embed with <iframe> element used in directory name
    to Node.js third-party modules - 3 upvotes, $0
    838. XSS in express-useragent through HTTP User-Agent to Node.js third-party modules - 3 upvotes, $0
    839. Reflected Cross-Site Scripting in Serendipity (serendipity.SetCookie) to Hanno's projects - 3 upvotes, $0
    840. Reflected XSS to GoCD - 3 upvotes, $0
    841. Stored XSS на странице pubg.mail.ru/community to Mail.ru - 3 upvotes, $0
    842. Reflected DOM-Based XSS On Due Lack Filter On Parameter ?next to Vercel - 3 upvotes, $0
    843. Reflected XSS on www.tomtom.com to TomTom - 3 upvotes, $0
    844. [min-http-server] Stored XSS in the filename when directories listing to Node.js third-party modules - 3 upvotes, $0
    845. Reflected XSS on https://merchant.kartpay.com/payment_settings [status] to Kartpay - 3 upvotes, $0
    846. █████ - DOM-based XSS to U.S. Dept Of Defense - 3 upvotes, $0
    847. █████ - DOM-based XSS to U.S. Dept Of Defense - 3 upvotes, $0
    848. [██████] Reflected GET XSS (/personnel.php?..&folder=*) with mouse action to U.S. Dept Of Defense - 3 upvotes, $0
    849. Persistent XSS on favorite via filename to Nextcloud - 3 upvotes, $0
    850. Reflected XSS on card.starbucks.com.sg/unsubRevert.php via the 'ct' Parameter to Starbucks - 3 upvotes, $0
    851. [node-red] Stored XSS within Flow's - "Name" field to Node.js third-party modules - 3 upvotes, $0
    852. Stored XSS in template comments. to Stripo Inc - 3 upvotes, $0
    853. Post Based Reflected XSS on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action to Topcoder - 3 upvotes, $0
    854. Reflected XSS on error page on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action to Topcoder - 3 upvotes, $0
    855. Reflected XSS on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action to Topcoder - 3 upvotes, $0
    856. [████████] — XSS on /███████_flight/images via advanced_val parameter to U.S. Dept Of Defense - 3 upvotes, $0
    857. XSS Reflected to U.S. Dept Of Defense - 3 upvotes, $0
    858. XSS on https://deti.mail.ru/ to Mail.ru - 3 upvotes, $0
    859. Reflected XSS on http://axa.dxi.eu to 8x8 - 3 upvotes, $0
    860. [service.engelvoelkers.com] XSS in /video/id to Engel & Völkers Technology GmbH - 3 upvotes, $0
    861. Stored XSS in app.lemlist.com to lemlist - 3 upvotes, $0
    862. Reflected XSS on ███████ page to U.S. Dept Of Defense - 3 upvotes, $0
    863. Stored XSS at APM apps labels autocomplete dropdown (apps listing) to New Relic - 3 upvotes, $0
    864. Stored admin-to-owner XSS at infrastructure alerts runbook URL leading to account takeover by malicious admin to New Relic - 3 upvotes, $0
    865. [snekserve] Stored XSS via filenames HTML formatted to Node.js third-party modules - 3 upvotes, $0
    866. Reflected XSS in https://███████ via search parameter to U.S. Dept Of Defense - 3 upvotes, $0
    867. Reflected XSS at wacky.buggywebsite.com/frame.html to BugPoC - 3 upvotes, $0
    868. reflected xss in ██████ to Engel & Völkers Technology GmbH - 3 upvotes, $0
    869. Reflected XSS at ████ via ██████████= parameter to U.S. Dept Of Defense - 3 upvotes, $0
    870. Stored XSS в m.vk.com/video to VK.com - 3 upvotes, $0
    871. Reflected XSS at https://██████/██████████ via "████████" parameter to U.S. Dept Of Defense - 3 upvotes, $0
    872. Reflected XSS at https://██████/██████ via "██████" parameter to U.S. Dept Of Defense - 3 upvotes, $0
    873. XSS Reflected - ███ to U.S. Dept Of Defense - 3 upvotes, $0
    874. XSS on https://██████/███ via █████ parameter to U.S. Dept Of Defense - 3 upvotes, $0
    875. Reflected XSS [██████] to U.S. Dept Of Defense - 3 upvotes, $0
    876. Reflected Xss in [██████] to U.S. Dept Of Defense - 3 upvotes, $0
    877. Reflected XSS [██████] to U.S. Dept Of Defense - 3 upvotes, $0
    878. XSS in Desktop Client via user status and information to Nextcloud - 3 upvotes, $0
    879. XSS in Desktop Client in call notification popup to Nextcloud - 3 upvotes, $0
    880. stored cross site scripting in https://████ to U.S. Dept Of Defense - 3 upvotes, $0
    881. stored cross site scripting in https://███ to U.S. Dept Of Defense - 3 upvotes, $0
    882. Reflected Cross-Site Scripting(CVE-2022-32770 ) to Rocket.Chat - 3 upvotes, $0
    883. DOM Cross-Site Scripting ( XSS ) to X (Formerly Twitter) - 2 upvotes, $1400
    884. XSS platform.twitter.com to X (Formerly Twitter) - 2 upvotes, $1120
    885. Reflected Xss to Slack - 2 upvotes, $500
    886. touch.mail.ru XSS via message id to Mail.ru - 2 upvotes, $500
    887. XSS https://www.shopify.com/signup to Shopify - 2 upvotes, $500
    888. www.shopify.com XSS on blog pages via sharing buttons to Shopify - 2 upvotes, $500
    889. Stored XSS in https://checkout.shopify.com/ to Shopify - 2 upvotes, $500
    890. XSS on https://app.shopify.com/ to Shopify - 2 upvotes, $500
    891. Home page reflected XSS to Mail.ru - 2 upvotes, $250
    892. an xss issue to Algolia - 2 upvotes, $100
    893. Unauthenticated Stored XSS in API Panel to WePay - 2 upvotes, $100
    894. Cross Site Scripting to Deriv.com - 2 upvotes, $50
    895. Stored XSS in all fields in Basic Google Maps Placemarks Settings to Ian Dunn - 2 upvotes, $25
    896. XSS in www.eobot.com(IE9 only) to Eobot - 2 upvotes, $10
    897. Stored XSS to Slack - 2 upvotes, $0
    898. https://www.khanacademy.org/coach/reports/activity XSS to Khan Academy - 2 upvotes, $0
    899. XSS in Localize.io to Localize - 2 upvotes, $0
    900. Xss in CampTix Event Ticketing to Ian Dunn - 2 upvotes, $0
    901. Dangerous Persistent xss to IRCCloud - 2 upvotes, $0
    902. Stored XSS in Channel Chat to Slack - 2 upvotes, $0
    903. Persistent XSS in afisha.mail.ru to Mail.ru - 2 upvotes, $0
    904. Reflected XSS in Pastebin-view to IRCCloud - 2 upvotes, $0
    905. Flash XSS - http://hi-tech.mail.ru/ to Mail.ru - 2 upvotes, $0
    906. XSS in "About Video" to Mail.ru - 2 upvotes, $0
    907. XSS in Team Only Area to Localize - 2 upvotes, $0
    908. https://polldaddy.com storage.swf XSS to Automattic - 2 upvotes, $0
    909. xss in app.simplenote.com to Automattic - 2 upvotes, $0
    910. XSS in the input to Respondly - 2 upvotes, $0
    911. XSS in Stopthehacker support to StopTheHacker - 2 upvotes, $0
    912. Flash XSS on swfupload.swf showing at app.mavenlink.com to Mavenlink - 2 upvotes, $0
    913. Reflected XSS to Mail.ru - 2 upvotes, $0
    914. Unchecking hidden parameter is vulnerable to XSS-attack to Khan Academy - 2 upvotes, $0
    915. rs.mail.ru - Flash Based XSS to Mail.ru - 2 upvotes, $0
    916. Cross Site Scripting (XSS) - app.relateiq.com to RelateIQ - 2 upvotes, $0
    917. Stored XSS in username.slack.com to Slack - 2 upvotes, $0
    918. http://cdnjs.cloudflare.com/ Cross-site scripting 2 to Cloudflare Vulnerability Disclosure - 2 upvotes, $0
    919. XSS in https://hk.user.auctions.yahoo.com to Yahoo! - 2 upvotes, $0
    920. XSS on Every sports.yahoo.com page to Yahoo! - 2 upvotes, $0
    921. Reflected cross site scripting in login page to StopTheHacker - 2 upvotes, $0
    922. Suffix of url-path is vulnerable to XSS-attack to Khan Academy - 2 upvotes, $0
    923. Stored xss to X (Formerly Twitter) - 2 upvotes, $0
    924. Browser cross-site scripting filter misconfiguration to ReddAPI - 2 upvotes, $0
    925. ads.twitter.com xss to X (Formerly Twitter) - 2 upvotes, $0
    926. Stored XSS on http://cards.mail.ru to Mail.ru - 2 upvotes, $0
    927. [qiwi.com] /oauth/confirm.action XSS to QIWI - 2 upvotes, $0
    928. XSS in fabric.io to X (Formerly Twitter) - 2 upvotes, $0
    929. [static.qiwi.com] XSS proxy.html to QIWI - 2 upvotes, $0
    930. Stored XSS on http://top.mail.ru to Mail.ru - 2 upvotes, $0
    931. Vimeo Search - XSS Vulnerability [http://vimeo.com/search] to Vimeo - 2 upvotes, $0
    932. XSS on Vimeo to Vimeo - 2 upvotes, $0
    933. Stored XSS in Direct debit name to Mobile Vikings - 2 upvotes, $0
    934. Stored xss in user name to Mobile Vikings - 2 upvotes, $0
    935. Reflected xss in user name thru cookie to Mobile Vikings - 2 upvotes, $0
    936. Stored xss in user name (2) affected another user. to Mobile Vikings - 2 upvotes, $0
    937. Reflected Cross Site Scripting - 'puser' Parameter in login page to Adobe - 2 upvotes, $0
    938. Open redirect and reflected xss in http://youthvoices.adobe.com/community?return_url=[payload her] to Adobe - 2 upvotes, $0
    939. XSS in myshopify.com Admin site in TAX Overrides to Shopify - 2 upvotes, $0
    940. XSS on support.shopify.com to Shopify - 2 upvotes, $0
    941. XSS at Bulk editing ProductVariants to Shopify - 2 upvotes, $0
    942. xss profile to Udemy - 2 upvotes, $0
    943. XSS in Myshopify Admin Site in DISCOUNTS to Shopify - 2 upvotes, $0
    944. Bulk Discount App in myshopify.com exposes http://bulkdiscounts.shopifyapps.com vulnerable to XSS to Shopify - 2 upvotes, $0
    945. Reflected XSS in chat to Shopify - 2 upvotes, $0
    946. Reflected XSS in mail.yahoo.com to Yahoo! - 2 upvotes, $0
    947. XSS https://delivery.shopifyapps.com/ (Digital Downloads App in myshopify.com) to Shopify - 2 upvotes, $0
    948. No CSRF protection when creating new community points actions, and related stored XSS to Concrete CMS - 2 upvotes, $0
    949. Stored Cross site scripting In developer.zendesk.com to Zendesk - 2 upvotes, $0
    950. XSS on ecommerce.shopify.com to Shopify - 2 upvotes, $0
    951. files.mail.ru: XSS to Mail.ru - 2 upvotes, $0
    952. /surveys/2auth: DOM-based XSS to Mail.ru - 2 upvotes, $0
    953. help2.m.smailru.net: XSS to Mail.ru - 2 upvotes, $0
    954. XSS on https://www.udemy.com/asset/export.html to Udemy - 2 upvotes, $0
    955. apps.owncloud.com: Stored XSS in profile page to ownCloud - 2 upvotes, $0
    956. Cross-site Scripting in all Zopim to Zendesk - 2 upvotes, $0
    957. XSS at http://vk.com on IE using flash files to VK.com - 2 upvotes, $0
    958. apps.owncloud.com: Potential XSS to ownCloud - 2 upvotes, $0
    959. XSS Vulnerability to Udemy - 2 upvotes, $0
    960. XSS: https://light.mail.ru/compose, https://m.mail.ru/compose/[id]/reply при ответе на специальным образом сформированное письмо to
    Mail.ru - 2 upvotes, $0
    961. Cookie securing your "Opening soon" store is not secured against XSS to Shopify - 2 upvotes, $0
    962. XSS in creating tweets to Shopify - 2 upvotes, $0
    963. Cross-site Scripting https://www.zendesk.com/product/pricing/ to Zendesk - 2 upvotes, $0
    964. Reflective Xss on news.mail.ru and admin.news.mail.ru to Mail.ru - 2 upvotes, $0
    965. Flash XSS на old.corp.mail.ru to Mail.ru - 2 upvotes, $0
    966. XSS in imgur mobile to Imgur - 2 upvotes, $0
    967. XSS in imgur mobile 3 to Imgur - 2 upvotes, $0
    968. XSS at forum : to Mail.ru - 2 upvotes, $0
    969. Stored XSS on https://www.algolia.com/realtime-search-demo/* to Algolia - 2 upvotes, $0
    970. Self-XSS in mails sent by hello@owncloud.com to ownCloud - 2 upvotes, $0
    971. Stored XSS in /admin/orders to Shopify - 2 upvotes, $0
    972. Stored XSS in adding fileset to Concrete CMS - 2 upvotes, $0
    973. Cross-Site Scripting Vulnerability in urbandictionary.com to Urban Dictionary - 2 upvotes, $0
    974. Cross-Site Scripting Vulnerability in dovecot.fi to Open-Xchange - 2 upvotes, $0
    975. Stored Cross-Site Scripting via Angular Template Injection to New Relic - 2 upvotes, $0
    976. Reflected XSS на games.mail.ru to Mail.ru - 2 upvotes, $0
    977. Stored XSS in member book to Veris - 2 upvotes, $0
    978. XSS in Asset name to Veris - 2 upvotes, $0
    979. [login.newrelic.com] XSS via return_to to New Relic - 2 upvotes, $0
    980. xss yaman.olx.ph to OLX - 2 upvotes, $0
    981. XSS, Unvalidated redirects & phishing website hosting on dropbox servers to Dropbox - 2 upvotes, $0
    982. XSS in GM to General Motors - 2 upvotes, $0
    983. [forum.owncloud.org] IE, Edge XSS via Request-URI to ownCloud - 2 upvotes, $0
    984. Reflected Self-XSS Vulnerability in the Comment section of Files (Different-payloads) to Nextcloud - 2 upvotes, $0
    985. XSS Via Method injection to Gratipay - 2 upvotes, $0
    986. XSS and Open Redirect on https://jobs.dubizzle.com/ to OLX - 2 upvotes, $0
    987. XSS and HTML Injection https://sharjah.dubizzle.com/ to OLX - 2 upvotes, $0
    988. Reflected XSS in www.lahitapiola.fi (/cs/Satellite) using Oracle WebCenter -page to LocalTapiola - 2 upvotes, $0
    989. Reflected XSS vulnerability in a DoD website to U.S. Dept Of Defense - 2 upvotes, $0
    990. hosted.weblate.org: X-XSS-Protection not enabled to Weblate - 2 upvotes, $0
    991. weblate.org: X-XSS-Protection not enabled to Weblate - 2 upvotes, $0
    992. CSS to Zomato - 2 upvotes, $0
    993. Stored XSS vulnerability on a DoD website to U.S. Dept Of Defense - 2 upvotes, $0
    994. Reflected XSS on a DoD website to U.S. Dept Of Defense - 2 upvotes, $0
    995. Stored XSS in Gallery application (NC-SA-2017-010) to Nextcloud - 2 upvotes, $0
    996. IE search XSS to General Motors - 2 upvotes, $0
    997. XSS Vulnerability in developer.gm.com to General Motors - 2 upvotes, $0
    998. xss to Gratipay - 2 upvotes, $0
    999. [cloudcmd] Stored XSS in the filename when directories listing to Node.js third-party modules - 2 upvotes, $0
    000. [legal.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
    001. [allods.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
    002. [id.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
    003. [furry.aw.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
    004. [evo2.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
    005. [evo.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
    006. [mg.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
    007. [support.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
    008. [wos.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
    009. [account.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
    010. [lucky-fields.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
    011. [sf.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
    012. [games.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
    013. XSS in "explore-keywords-dropdown" results. to Zomato - 2 upvotes, $0
    014. Cross site scripting (content-sniffing) to Liberapay - 2 upvotes, $0
    015. [buttle] HTML Injection in filename leads to XSS when directory listing is displayed in the browser to Node.js third-party modules - 2 upvotes, $0
    016. XSS on New contact to Mail.ru - 2 upvotes, $0
    017. Reflected Xss bypass Content-Type: text/plain to Python Cryptographic Authority - 2 upvotes, $0
    018. xss to Mail.ru - 2 upvotes, $0
    019. XSS On Nextcloud Integrated with zimbra drive to Nextcloud - 2 upvotes, $0
    020. Stored XSS at branded site in .mail.ru domain to Mail.ru - 2 upvotes, $0
    021. Strored Xss on https://my.stripo.email/ ( multiple inputs) to Stripo Inc - 2 upvotes, $0
    022. Prevent XSS when passing a parameter directly into link_to to Ruby on Rails - 2 upvotes, $0
    023. Reflected XSS on https://███████/ to U.S. Dept Of Defense - 2 upvotes, $0
    024. [garnier-olia.lady.mail.ru] Reflected XSS /exp/ bypass "/" to Mail.ru - 2 upvotes, $0
    025. Stored XSS in agoric-sdk - malicious iframes, malicious svg to Agoric - 2 upvotes, $0
    026. Reflected XSS - https://███ to U.S. Dept Of Defense - 2 upvotes, $0
    027. Reflected Cross-Site Scripting/HTML Injection to Informatica - 2 upvotes, $0
    028. Reflected XSS in https://███████ via hidden parameter "████████" to U.S. Dept Of Defense - 2 upvotes, $0
    029. Reflected XSS at https://██████████/████████ via "███████" parameter to U.S. Dept Of Defense - 2 upvotes, $0
    030. XSS trigger via HTML Iframe injection in ( https://██████████ ) due to unfiltered HTML tags to U.S. Dept Of Defense - 2 upvotes, $0
    031. CVE-2021-42567 - Apereo CAS Reflected XSS on https://█████████ to U.S. Dept Of Defense - 2 upvotes, $0
    032. [www.█████] Path-based reflected Cross Site Scripting to U.S. Dept Of Defense - 2 upvotes, $0
    033. Reflected XSS [███] to U.S. Dept Of Defense - 2 upvotes, $0
    034. XSS DUE TO CVE-2020-3580 to U.S. Dept Of Defense - 2 upvotes, $0
    035. STORED XSS in █████████/nlc/login.aspx via "edit" GET parameter through markdown editor [HtUS] to U.S. Dept Of Defense - 2 upvotes, $0
    036. Persistent CSS injection with ’marked’ markdown parser in Rocket.Chat to Rocket.Chat - 2 upvotes, $0
    037. Reflected XSS | https://████ to U.S. Dept Of Defense - 2 upvotes, $0
    038. XSS platform.twitter.com | video-js metadata to X (Formerly Twitter) - 1 upvotes, $1120
    039. XSS In archive.uber.com Due to Mime Sniffing in IE to Uber - 1 upvotes, $750
    040. XSS in dropbox main domain to Dropbox - 1 upvotes, $512
    041. XSS in a file or folder name to Mail.ru - 1 upvotes, $500
    042. e.mail.ru stored XSS in agent via sticker (smile) to Mail.ru - 1 upvotes, $500
    043. auth.mail.ru: XSS in login form to Mail.ru - 1 upvotes, $500
    044. www.shopify.com XSS via third-party script to Shopify - 1 upvotes, $500
    045. many xss in widgets.shopifyapps.com to Shopify - 1 upvotes, $500
    046. XSS on hardware.shopify.com to Shopify - 1 upvotes, $500
    047. xss in the all widgets of shopifyapps.com to Shopify - 1 upvotes, $500
    048. File upload XSS (Java applet) on http://slackatwork.com/ to Slack - 1 upvotes, $200
    049. cloud.mail.ru: File upload XSS using Content-Type header to Mail.ru - 1 upvotes, $150
    050. xss in /browse/contacts/ to Openfolio - 1 upvotes, $100
    051. DOM Based XSS in Checkout to LeaseWeb - 1 upvotes, $100
    052. an xss issue in https://hunter22.slack.com/help/requests/793043 to Slack - 1 upvotes, $100
    053. www.lahitapiola.fi DOM XSS by choosing regional company to LocalTapiola - 1 upvotes, $100
    054. Stored XSS to Localize - 1 upvotes, $0
    055. Import emails from Gmail are activate XSS to Respondly - 1 upvotes, $0
    056. Find, private notes Cross-site scripting. to Respondly - 1 upvotes, $0
    057. Persistent Cross-site scripting vulnerability settings. to Respondly - 1 upvotes, $0
    058. XSS - http://js.cloudflare.com to Cloudflare Vulnerability Disclosure - 1 upvotes, $0
    059. Stored XSS in slack.com (integrations) to Slack - 1 upvotes, $0
    060. XSS 01 on staging.fct.li to Factlink - 1 upvotes, $0
    061. Xss On http://my.mail.ru/ to Mail.ru - 1 upvotes, $0
    062. genericons.com - DOM based XSS. to Automattic - 1 upvotes, $0
    063. http://jetpack.me/ Self XSS to Automattic - 1 upvotes, $0
    064. email field doesn't filtered against XSS to Uzbey - 1 upvotes, $0
    065. Cross-site scripting vulnerability detected to Uzbey - 1 upvotes, $0
    066. Album image XSS to Uzbey - 1 upvotes, $0
    067. XSS to jsDelivr - 1 upvotes, $0
    068. XSS vulnerability in video player page to X (Formerly Twitter) - 1 upvotes, $0
    069. Cross site scripting in type parameter to Uzbey - 1 upvotes, $0
    070. jplayer.swf Cross-site scripting to Cloudflare Vulnerability Disclosure - 1 upvotes, $0
    071. XSS Reflected - https://www.stopthehacker.com/ to StopTheHacker - 1 upvotes, $0
    072. xss in simperium.com to Automattic - 1 upvotes, $0
    073. Cross-Site Scripting in getMarketplacePurchaseFrame to Concrete CMS - 1 upvotes, $0
    074. TESTING FOR REFLECTED CROSS SITE SCRIPTING (OWASP‐DV‐001) to Yahoo! - 1 upvotes, $0
    075. XSS in Theme Preview Tools File to Concrete CMS - 1 upvotes, $0
    076. XSS on gravatar to Automattic - 1 upvotes, $0
    077. Reflected XSS to Mail.ru - 1 upvotes, $0
    078. Reflected XSS in User-Agent to Mail.ru - 1 upvotes, $0
    079. Cross Site Scripting (Stored) to ExpressionEngine - 1 upvotes, $0
    080. XSS in 3rd party plugin (not affecting Uzbey's users) to Uzbey - 1 upvotes, $0
    081. [send.qiwi.ru] XSS at auth?login= to QIWI - 1 upvotes, $0
    082. Cross-site Scripting in mailing (username) to RelateIQ - 1 upvotes, $0
    083. APIs for channels allow HTML entities that may cause XSS issue to Vimeo - 1 upvotes, $0
    084. Vimeo.com - reflected xss vulnerability to Vimeo - 1 upvotes, $0
    085. player.vimeo.com - Reflected XSS Vulnerability to Vimeo - 1 upvotes, $0
    086. Stored XSS in concrete5 5.7.0.4. to Concrete CMS - 1 upvotes, $0
    087. XSS Vulnerability in cfire.mail.ru/screen/1/ to Mail.ru - 1 upvotes, $0
    088. Vimeo.com - Reflected XSS Vulnerability to Vimeo - 1 upvotes, $0
    089. files.acrobat.com stored XSS via send file to Adobe - 1 upvotes, $0
    090. XSS with Time-of-Day Format to Phabricator - 1 upvotes, $0
    091. XSS in realty.mail.ru to Mail.ru - 1 upvotes, $0
    092. XSS in ad.mail.ru to Mail.ru - 1 upvotes, $0
    093. XSS Vulnerability on all pages to Mobile Vikings - 1 upvotes, $0
    094. Pretty Photo Dom XSS to jsDelivr - 1 upvotes, $0
    095. XSS in touch.sports.mail.ru to Mail.ru - 1 upvotes, $0
    096. Multiple Reflected Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1 to Concrete CMS - 1 upvotes, $0
    097. XSS in https://app.mavenlink.com/workspaces/ to Mavenlink - 1 upvotes, $0
    098. XSS on added name album on videos. to VK.com - 1 upvotes, $0
    099. Stored XSS on Title of Page List in edit page list to Concrete CMS - 1 upvotes, $0
    100. Stored XSS on Search Title to Concrete CMS - 1 upvotes, $0
    101. Stored XSS in Contact Form to Concrete CMS - 1 upvotes, $0
    102. Stored XSS in Title of the topic List to Concrete CMS - 1 upvotes, $0
    103. Stored XSS in title of date navigation to Concrete CMS - 1 upvotes, $0
    104. Stored XSS in Feature tile to Concrete CMS - 1 upvotes, $0
    105. Stored Xss in Feature Paragraph to Concrete CMS - 1 upvotes, $0
    106. Stored XSS in Testimonial name to Concrete CMS - 1 upvotes, $0
    107. Stored XSS in testimonial Company to Concrete CMS - 1 upvotes, $0
    108. Stored XSS in Testimonial Position to Concrete CMS - 1 upvotes, $0
    109. Stored XSS In Company URL to Concrete CMS - 1 upvotes, $0
    110. Stored XSS in Image Alt. Text to Concrete CMS - 1 upvotes, $0
    111. Stored XSS in Message to Display When No Pages Listed. to Concrete CMS - 1 upvotes, $0
    112. Stored XSS in Bio/Quote to Concrete CMS - 1 upvotes, $0
    113. Stored XSS on Blog's page Tile to Concrete CMS - 1 upvotes, $0
    114. Self Xss on File Replace to Concrete CMS - 1 upvotes, $0
    115. Cross site scripting to Enter - 1 upvotes, $0
    116. Multiple XSS Vulnerabilities in Concrete5 5.7.3.1 to Concrete CMS - 1 upvotes, $0
    117. xss on autoserch to Udemy - 1 upvotes, $0
    118. XSS in Search Communities Function to Informatica - 1 upvotes, $0
    119. XSS - Gallery Search Listing to Zaption - 1 upvotes, $0
    120. api.video.mail.ru: XSS to Mail.ru - 1 upvotes, $0
    121. touch.afisha.mail.ru: XSS to Mail.ru - 1 upvotes, $0
    122. target.mail.ru: XSS через Referer to Mail.ru - 1 upvotes, $0
    123. target.mail.ru: XSS to Mail.ru - 1 upvotes, $0
    124. 3k.mail.ru: XSS to Mail.ru - 1 upvotes, $0
    125. GET /surveys/2auth: XSS to Mail.ru - 1 upvotes, $0
    126. owncloud.com: DOM Based XSS to ownCloud - 1 upvotes, $0
    127. [riot.mail.ru] Reflected XSS in debug-mode to Mail.ru - 1 upvotes, $0
    128. Flash XSS on img.mail.ru to Mail.ru - 1 upvotes, $0
    129. Reflected Self-XSS in Slack to Slack - 1 upvotes, $0
    130. Self-XSS in posts by formatting text as code to Slack - 1 upvotes, $0
    131. Persistent XSS in https://p.imgur.com/albumview.gif and http://p.imgur.com/imageview.gif / post statistics to Imgur - 1 upvotes, $0
    132. XSS Reflected in test.qiwi.ru to QIWI - 1 upvotes, $0
    133. owncloud.com: Persistent XSS In Account Profile to ownCloud - 1 upvotes, $0
    134. reflected in xss to Mail.ru - 1 upvotes, $0
    135. XSS at wordpress.com to Automattic - 1 upvotes, $0
    136. Self XSS Protection not used , I can trick users to insert JavaScript to Gratipay - 1 upvotes, $0
    137. Reflected XSS and/or malicious redirection via JWPlayer 6 configuration modification to Udemy - 1 upvotes, $0
    138. Cross Site Scripting - type Patameter to Zomato - 1 upvotes, $0
    139. Xss via Dropbox to ThisData - 1 upvotes, $0
    140. apps.owncloud.com: Multiple reflected XSS by insecure URL generation (IE only) to ownCloud - 1 upvotes, $0
    141. Cross Site Scripting to Mail.ru - 1 upvotes, $0
    142. Cross-site Scripting (XSS) autocomplete generation in https://www.uber.com/ to Uber - 1 upvotes, $0
    143. Stored XSS via "Free Shipping" option (Discounts) to Shopify - 1 upvotes, $0
    144. doc.owncloud.org: X-XSS-Protection not enabled to ownCloud - 1 upvotes, $0
    145. Synthetics Xss to New Relic - 1 upvotes, $0
    146. Stored XSS in Access Rules to Veris - 1 upvotes, $0
    147. STORED XSS FOUND to ThisData - 1 upvotes, $0
    148. Cross-site Scripting (XSS) to Uber - 1 upvotes, $0
    149. XSS on love.uber.com to Uber - 1 upvotes, $0
    150. Stored XSS on 'Badges' page to Veris - 1 upvotes, $0
    151. Stored XSS through Angular Expression Sandbox Escape to New Relic - 1 upvotes, $0
    152. XSS to Deriv.com - 1 upvotes, $0
    153. XSS and CSRF in Zomato Contact form to Zomato - 1 upvotes, $0
    154. XSS In /zuora/ functionality to Zendesk - 1 upvotes, $0
    155. DOM based XSS on to Uber - 1 upvotes, $0
    156. Reflected XSS on Zomato API to Zomato - 1 upvotes, $0
    157. Persistent XSS on Reservation / Booking Page to Zomato - 1 upvotes, $0
    158. Reflected XSS in Backend search to Moneybird - 1 upvotes, $0
    159. Multiple Stored XSS on Sanbox.veris.in through Veris Frontdesk Android App to Veris - 1 upvotes, $0
    160. Multiple Stored XSS to Veris - 1 upvotes, $0
    161. Stored XSS to Veris - 1 upvotes, $0
    162. XSS in Blog to drchrono - 1 upvotes, $0
    163. Reflected XSS in domain www.veris.in to Veris - 1 upvotes, $0
    164. Self-XSS in Partners Profile to Uber - 1 upvotes, $0
    165. Stored self-XSS at m.uber.com to Uber - 1 upvotes, $0
    166. Self-XSS on partners.uber.com to Uber - 1 upvotes, $0
    167. Two XSS vulns in widget parameters (all_collections.php and o2.php) to Zomato - 1 upvotes, $0
    168. [Stored Cross-Site-Scripting] When search about Incoming ( Manual Jurnal ) to Moneybird - 1 upvotes, $0
    169. DOM XSS bypassing in Regional Office -selector to LocalTapiola - 1 upvotes, $0
    170. Google Authenticator - Cross Site Scripting to Ian Dunn - 1 upvotes, $0
    171. Reflected XSS @ games.mail.ru to Mail.ru - 1 upvotes, $0
    172. Stored Xss in rpm.newrelic.com to New Relic - 1 upvotes, $0
    173. DOM based XSS in search functionality to SecNews - 1 upvotes, $0
    174. xss on demo.nextcloud.com due to outdated version to Nextcloud - 1 upvotes, $0
    175. Full Page Caching Stored XSS Vulnerability to Concrete CMS - 1 upvotes, $0
    176. Cross Site Scripting to Nextcloud - 1 upvotes, $0
    177. Reflected XSS on ht.pornhub.com - /export/GetPreview to Pornhub - 1 upvotes, $0
    178. Cross-site scripting (XSS) vulnerability on a DoD website to U.S. Dept Of Defense - 1 upvotes, $0
    179. XSS found In Your Web to Gratipay - 1 upvotes, $0
    180. XSS on app.legalrobot.com to Legal Robot - 1 upvotes, $0
    181. Reflected XSS in admin settings to Deconf - 1 upvotes, $0
    182. XSS to Mail.ru - 1 upvotes, $0
    183. XSS in https://merchant.kartpay.com/settlements to Kartpay - 1 upvotes, $0
    184. [dy-server2] - stored Cross-Site Scripting to Node.js third-party modules - 1 upvotes, $0
    185. xss on setup config page to Nextcloud - 1 upvotes, $0
    186. Reflected XSS on https://█████ to U.S. Dept Of Defense - 1 upvotes, $0
    187. xss reflected on https://███████- (███ parameters) to U.S. Dept Of Defense - 1 upvotes, $0
    188. XSS Reflected on https://███ (███ parameter) to U.S. Dept Of Defense - 1 upvotes, $0
    189. XSS due to CVE-2020-3580 [███] to U.S. Dept Of Defense - 1 upvotes, $0
    190. 3x Reflected XSS vectors for services.cgi (XM.v6.1.6, build 32290) to Ubiquiti Inc. - 1 upvotes, $0
    191. 4 xss vulnerability dom based cwe 79 ; wordpress bootstrap.min.js is vulnerable to Sifchain - 1 upvotes, $0
    192. Reflected XSS on https://███/████via hidden parameter "█████████" to U.S. Dept Of Defense - 1 upvotes, $0
    193. XSS because of Akamai ARL misconfiguration on ████ to U.S. Dept Of Defense - 1 upvotes, $0
    194. Reflected XSS - in Email Input to U.S. Dept Of Defense - 1 upvotes, $0
    195. XSS on https://███████/██████████ parameter to U.S. Dept Of Defense - 1 upvotes, $0
    196. XSS on https://████████/████' parameter to U.S. Dept Of Defense - 1 upvotes, $0
    197. Reflected XSS via File Upload to Reddit - 1 upvotes, $0
    198. XSS via .eml file to Mail.ru - 0 upvotes, $1337
    199. XSS in https://hackpad.com/ to Dropbox Acquisitions - 0 upvotes, $216
    200. Stored XSS through fileupload to Mail.ru - 0 upvotes, $200
    201. Flash-based XSS in cdnjs.cloudflare.com subdomain to Cloudflare Vulnerability Disclosure - 0 upvotes, $0
    202. Stored Cross-Site Scripting Vulnerability in /admin.php?/cp/admin_system/general_configuration to ExpressionEngine - 0 upvotes, $0
    203. Unvalidated Redirects and Stored XSS to Dropbox - 0 upvotes, $0
    204. XSS in version history of an HTML file in a shared folder to Dropbox - 0 upvotes, $0
    205. otrs.owncloud.com: Reflected Cross-Site Scripting to ownCloud - 0 upvotes, $0
    206. Stored XSS to Udemy - 0 upvotes, $0
    207. XSS via modified Zomato widget (res_search_widget.php) to Zomato - 0 upvotes, $0
    208. Reflected Cross Site scripting Attack (XSS) to OLX - 0 upvotes, $0
    209. Improper parsing of input could lead to future XSS vulnerabilities in Sequences to Mixmax - 0 upvotes, $0
    210. self cross site scripting to Gratipay - 0 upvotes, $0
    211. x-xss protection header is not set in response header to Gratipay - 0 upvotes, $0
    212. XSS (Reflected) to New Relic - 0 upvotes, $0
    213. Self XSS via help.mail.ru interface to Mail.ru - 0 upvotes, $0
    214. Stored XSS on ████████helpdesk to U.S. Dept Of Defense - 0 upvotes, $0
    215. [flsaba] Stored XSS in the file and directory name when directories listing to Node.js third-party modules - 0 upvotes, $0
    216. [tianma-static] Security issue with XSS. to Node.js third-party modules - 0 upvotes, $0
    217. XSS DI BIODATA to Bumble - 0 upvotes, $0
    218. XSS due to CVE-2020-3580 [███.mil] to U.S. Dept Of Defense - 0 upvotes, $0

    You might also like