2000+ Top XSS Reports From HackerOne

Top XSS reports from HackerOne (2000+)

1. Bypass for #488147 enables stored XSS on https://paypal.com/signin again to PayPal - 2572 upvotes, $20000
2. Stored XSS on https://paypal.com/signin via cache poisoning to PayPal - 654 upvotes, $18900
3. Reflected XSS on https://www.glassdoor.com/employers/sem-dual-lp/ to Glassdoor - 636 upvotes, $0
4. Stored XSS in Wiki pages to GitLab - 599 upvotes, $0
5. Stored XSS on imgur profile to Imgur - 591 upvotes, $0
6. Reflected XSS in OAUTH2 login flow to LY Corporation - 472 upvotes, $1989
7. XSS in steam react chat client to Valve - 457 upvotes, $7500
8. Cross-Site-Scripting on www.tiktok.com and m.tiktok.com leading to Data Exfiltration to TikTok - 452 upvotes, $0
9. XSS vulnerable parameter in a location hash to Slack - 442 upvotes, $0
10. One-click account hijack for anyone using Apple sign-in with Reddit, due to response-type switch + leaking href to XSS on www.redditmedia.com to Reddit - 441 upvotes, $10000
11. Blind XSS on image upload to CS Money - 415 upvotes, $1000
12. Panorama UI XSS leads to Remote Code Execution via Kick/Disconnect Message to Valve - 408 upvotes, $0
13. Stored XSS Vulnerability to WordPress - 397 upvotes, $0
14. Reflected XSS and sensitive data exposure, including payment details, on lioncityrentals.com.sg to Uber - 371 upvotes, $4000
15. Reflected XSS on www.hackerone.com and resources.hackerone.com to HackerOne - 360 upvotes, $500
16. [accounts.reddit.com] Redirect parameter allows for XSS to Reddit - 352 upvotes, $5000
17. Stored XSS in wordpress.com to Automattic - 348 upvotes, $0
18. HEY.com email stored XSS to Basecamp - 347 upvotes, $5000
19. Reflected XSS in TikTok endpoints to TikTok - 346 upvotes, $0
20. Blind XSS on Twitter's internal Big Data panel at █████████████ to X (Formerly Twitter) - 344 upvotes, $0
21. Stored XSS in Private Message component (BuddyPress) to WordPress - 331 upvotes, $0
22. XSS while logging using Google to Shopify - 328 upvotes, $1750
23. DOM XSS on duckduckgo.com search to DuckDuckGo - 317 upvotes, $0
24. Stored XSS in my staff name fired in another your internal panel to Shopify - 317 upvotes, $0
25. Reflected XSS to Bumble - 314 upvotes, $1000
26. Reflected XSS at https://pay.gold.razer.com escalated to account takeover to Razer - 287 upvotes, $750
27. yelp.com XSS ATO (via login keylogger, link Google account) to Yelp - 286 upvotes, $0
28. Stored XSS in markdown via the DesignReferenceFilter to GitLab - 278 upvotes, $16000
29. Cross-site Scripting (XSS) - Stored in RDoc wiki pages to GitLab - 276 upvotes, $3500
30. Unrestricted file upload leads to Stored XSS to Visma Public - 268 upvotes, $250
31. Persistent XSS on keybase.io via "payload" field in /user/sigchain_signature.toffee template to Keybase - 265 upvotes, $0
32. Stored XSS via Kroki diagram to GitLab - 260 upvotes, $13950
33. Account takeover through the combination of cookie manipulation and XSS to Grammarly - 259 upvotes, $0
34. RichText parser vulnerability in scheduled posts allows XSS to Reddit - 252 upvotes, $5000
35. Arbitrary File Upload to Stored XSS to Visma Public - 245 upvotes, $250
36. Stored xss in address field in billing activity at https://shop.aaf.com/Order/step1/index.cfm to Alliance of American Football - 238 upvotes, $0
37. XSS and Open Redirect on MoPub Login to X (Formerly Twitter) - 231 upvotes, $1540
38. XSS via Direct Message deeplinks to X (Formerly Twitter) - 228 upvotes, $0
39. Cross-site Scripting (XSS) on HackerOne careers page to HackerOne - 224 upvotes, $500
40. Reflected XSS on www.hackerone.com via Wistia embed code to HackerOne - 224 upvotes, $500
41. Unsafe charts embedding implementation leads to cross-account stored XSS and SSRF to New Relic - 224 upvotes, $0
42. XSS At "pages.et.uber.com" to Uber - 221 upvotes, $0
43. [panel.city-mobil.ru/admin/] Blind XSS into username to Mail.ru - 219 upvotes, $0
44. [www.zomato.com] Blind XSS on one of the Admin Dashboard to Zomato - 214 upvotes, $750
45. Stored XSS in developer.uber.com to Uber - 213 upvotes, $7500
46. Stored XSS on reports. to X (Formerly Twitter) - 213 upvotes, $700
47. XSS at jamfpro.shopifycloud.com to Shopify - 206 upvotes, $9400
48. Config override using non-validated query parameter allows at least reflected XSS by injecting configuration into state to Grammarly - 205 upvotes, $3000
49. XSS via Mod Log Removed Posts to Reddit - 203 upvotes, $6000
50. Ability to create own account UUID leads to stored XSS to Upserve - 197 upvotes, $1500
51. XSS and cache poisoning via upload.twitter.com on ton.twitter.com to X (Formerly Twitter) - 195 upvotes, $0
52. Stored XSS on TikTok Ads to TikTok - 191 upvotes, $2500
53. DOM Based XSS in www.hackerone.com via PostMessage to HackerOne - 189 upvotes, $500
54. H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie Stuffing to Shopify - 188 upvotes, $0
55. Stored Xss Vulnerability on ████████ to U.S. Dept Of Defense - 187 upvotes, $0
56. XSS STORED AT socialclub.rockstargames.com (add friend request from profile attacker) to Rockstar Games - 187 upvotes, $0
57. Chaining Bugs: Leakage of CSRF token which leads to Stored XSS and Account Takeover (xs1.tribalwars.cash) to InnoGames - 186 upvotes, $1100
58. XSS on Desktop Client to Keybase - 173 upvotes, $0
59. Stored XSS & SSRF in Lark Docs to Lark Technologies - 171 upvotes, $3000
60. Reflected Cross site Scripting (XSS) on www.starbucks.com to Starbucks - 167 upvotes, $0
61. XSS at https://exchangemarketplace.com/blogsearch to Shopify - 166 upvotes, $0
62. DOM Based XSS via postMessage at https://inventory.upserve.com/login/ to Upserve - 163 upvotes, $2500
63. Cross-account stored XSS at embedded charts to New Relic - 157 upvotes, $0
64. Stored-XSS with CSP-bypass via labels' color to GitLab - 156 upvotes, $0
65. XSS in gist integration to Slack - 154 upvotes, $500
66. xss on https://www.rockstargames.com/GTAOnline/jp/screens/ to Rockstar Games - 154 upvotes, $0
67. IE only: stored Cross-Site Scripting (XSS) vulnerability through Program Asset identifier to HackerOne - 148 upvotes, $2500
68. Stored XSS in notes (charts) because of insecure chart data JSON generation to New Relic - 146 upvotes, $0
69. Prototype Pollution leads to XSS on https://blog.swiftype.com/#proto[asd]=alert(document.domain) to Elastic - 144 upvotes, $2000
70. XSS in www.shopify.com/markets?utm_source= to Shopify - 144 upvotes, $700
71. Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP to HackerOne - 143 upvotes, $1500
72. CSRF leads to a stored self xss to Imgur - 142 upvotes, $0
73. Stored XSS in IE11 on hackerone.com via custom fields to HackerOne - 141 upvotes, $0
74. XSS Reflected on reddit.com via url path to Reddit - 141 upvotes, $0
75. Reflected xss in https://sh.reddit.com to Reddit - 140 upvotes, $5000
76. XSS via message subject - mobile application to Mail.ru - 139 upvotes, $1000
77. Stored XSS in Notes (with CSP bypass for gitlab.com) to GitLab - 137 upvotes, $13950
78. XSS - main page - search[user_id] parameter to OLX - 136 upvotes, $0
79. XSS reflected on [https://www.pixiv.net] to pixiv - 135 upvotes, $500
80. Persistent XSS in Note objects to GitLab - 134 upvotes, $4500
81. Reflected XSS in twitterflightschool.com to X (Formerly Twitter) - 132 upvotes, $1120
82. Stored XSS on BuddyPress Plug-in via groups name to WordPress - 131 upvotes, $0
83. Stored XSS in 'Notes' to Visma Public - 130 upvotes, $250
84. Reflected XSS at https://www.paypal.com/ppcreditapply/da/us to PayPal - 130 upvotes, $0
85. Reflected/Stored XSS on duckduckgo.com to DuckDuckGo - 130 upvotes, $0
86. Stored XSS when uploading files to an invoice to Visma Public - 128 upvotes, $250
87. Content spoofing and potential Cross-Site Scripting vulnerability on www.hackerone.com to HackerOne - 123 upvotes, $0
88. Stored XSS in localhost:* via integrated torrent downloader to Brave Software - 122 upvotes, $0
89. Stored XSS in custom emoji to GitLab - 121 upvotes, $3000
90. XSS via referrer parameter to X (Formerly Twitter) - 121 upvotes, $0
91. Stored XSS in private message to Shopify - 120 upvotes, $1000
92. Stored XSS in Document Title to Localize - 120 upvotes, $50
93. [First 30] Stored XSS on login.uber.com/oauth/v2/authorize via redirect_uri parameter to Uber - 119 upvotes, $3000
94. Persistent XSS (unvalidated Open Graph embed) at LinkedIn.com to LinkedIn - 118 upvotes, $0
95. " 😂 " + Unauthenticated Stored XSS in API at https://api.my.games/comments/v1/comments/update/ to Mail.ru - 117 upvotes, $0
96. web.icq.com XSS in chat message via contact info to Mail.ru - 116 upvotes, $0
97. Stored XSS in SVG file as data: url to Shopify - 115 upvotes, $5300
98. A reflected XSS in python/Lib/DocXMLRPCServer.py to Internet Bug Bounty - 115 upvotes, $0
99. Reflected XSS on https://inventory.upserve.com/ (affects IE users only) to Upserve - 114 upvotes, $0
100. Stored XSS vulnerability in comments on *.wordpress.com to Automattic - 114 upvotes, $0
101. Possible XSS vulnerability without a content security bypass to Stripe - 113 upvotes, $2000
102. Stored XSS in backup scanning plan name to Acronis - 113 upvotes, $500
103. XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog" to Shopify - 112 upvotes, $3000
104. Stored XSS in Snapmatic + R★Editor comments to Rockstar Games - 112 upvotes, $0
105. Reflected Cross-site Scripting (XSS) at https://www.tiktok.com/ to TikTok - 112 upvotes, $0
106. Reflected XSS on https://www.uber.com to Uber - 111 upvotes, $0
107. XSS via JavaScript evaluation of an attacker controlled resource at www.pornhub.com to Pornhub - 109 upvotes, $250
108. Reflected xss on ads.tiktok.com using from parameter. to TikTok - 109 upvotes, $0
109. Insecure file upload in xiaoai.mi.com Lead to Stored XSS to Xiaomi - 107 upvotes, $0
110. Stored XSS on www.hackerone.com due to deleted S3-bucket from old page_widget to HackerOne - 105 upvotes, $500
111. XSS: Group search terms to Vanilla - 105 upvotes, $0
112. Web Cache Poisoning leads to Stored XSS to Glassdoor - 105 upvotes, $0
113. DOM Based XSS in www.hackerone.com via PostMessage (bypass of #398054) to HackerOne - 104 upvotes, $0
114. Stored XSS on any page in most Uber domains to Uber - 103 upvotes, $6000
115. Reflected XSS in VPN Appliance to New Relic - 103 upvotes, $0
116. DOM XSS at https://www.thx.com in IE/Edge browser to Razer - 102 upvotes, $250
117. XSS at https://www.glassdoor.com/Salary/* via filter.jobTitleExact to Glassdoor - 102 upvotes, $0
118. Stored XSS on team.slack.com using new Markdown editor of posts inside the Editing mode and using javascript-URIs to Slack - 101 upvotes, $1000
119. Stored XSS in Shopify Chat to Shopify - 101 upvotes, $500
120. XSS in SocialIcon Link to Linktree - 100 upvotes, $0
121. DOM XSS on ads.tiktok.com to TikTok - 99 upvotes, $2500
122. XSS [flow] - on www.paypal.com/paypalme/my/landing (requires user interaction) to PayPal - 98 upvotes, $0
123. Reflected XSS in *.myshopify.com/account/register to Shopify - 97 upvotes, $1500
124. [www.zomato.com] Blind XSS in one of the admin dashboard to Zomato - 97 upvotes, $500
125. RXSS to Stored XSS - forums.pubg.com | URL parameter to PUBG - 97 upvotes, $0
126. Reflected XSS on https://make.wordpress.org via 'channel' parameter to WordPress - 95 upvotes, $0
127. Stored XSS via Create a Fetish section. to FetLife - 94 upvotes, $0
128. Blind XSS in app.pullrequest.com/████████ via /reviews/ratings/{uuid} to HackerOne - 94 upvotes, $0
129. XSS in request approvals to GitLab - 93 upvotes, $3000
130. Stored XSS on TikTok Live Form to TikTok - 93 upvotes, $1500
131. Reflected XSS in pubg.com to PUBG - 93 upvotes, $0
132. DOM XSS at www.forescout.com in Microsoft Edge and IE Browser to ForeScout Technologies - 93 upvotes, $0
133. Stored XSS on app.crowdsignal.com + your-subdomain.survey.fm via Embed Media to Automattic - 93 upvotes, $0
134. DOM-based XSS on mobile.line.me to LY Corporation - 92 upvotes, $0
135. XSS in Email Input [intensedebate.com] to Automattic - 92 upvotes, $0
136. Blind XSS on Twitter's internal Jira panel at ████ allows exfiltration of hackers reports and other sensitive data to X (Formerly Twitter) - 92 upvotes, $0
137. Bypass: Stored-XSS with CSP-bypass via scoped labels' color to GitLab - 92 upvotes, $0
138. Reflected XSS online-store-git.shopifycloud.com to Shopify - 91 upvotes, $3500
139. CSTI at Plugin page leading to active stored XSS (Publisher name) to New Relic - 91 upvotes, $0
140. CSP-bypass XSS in project settings page to GitLab - 91 upvotes, $0
141. DOM-Based XSS in tumblr.com to Automattic - 90 upvotes, $0
142. Stored xss at https://█.8x8.com/api/█/ID to 8x8 Bounty - 90 upvotes, $0
143. Stored XSS in vanilla to Vanilla - 89 upvotes, $300
144. Stored XSS to Mail.ru - 89 upvotes, $0
145. Stored XSS in vanilla to Vanilla - 88 upvotes, $300
146. DOM based XSS on *.██████.com via document.domain sink in Safari to ██████ - 87 upvotes, $0
147. Stored XSS in "Create Groups" to GitLab - 86 upvotes, $2500
148. capsula.mail.ru - Admin blind stored XSS to Mail.ru - 86 upvotes, $1500
149. Reflected XSS on transact.playstation.com using postMessage from the opening window to PlayStation - 86 upvotes, $1000
150. Cache Poisoning Allows Stored XSS Via hav Cookie Parameter (To Account Takeover) to Expedia Group Bug Bounty - 86 upvotes, $750
151. CRLF injection leads to internal XSS on PangleGlobal to TikTok - 86 upvotes, $0
152. Reflected XSS on TikTok Website to TikTok - 85 upvotes, $3000
153. Stored XSS via malicious key value of Synthetics monitor tag when visiting an Insights dashboard with filtering enabled to New Relic - 85 upvotes, $2123
154. CRLF to XSS & Open Redirection to TikTok - 85 upvotes, $0
155. xss to Pornhub - 84 upvotes, $0
156. Flash Based Reflected XSS on www.grouplogic.com/jwplayer/player.swf to Acronis - 84 upvotes, $0
157. Reflected XSS in https://light.mail.ru/login via page to Mail.ru - 83 upvotes, $0
158. Blind XSS in operator's interface for 33slona.ru to Mail.ru - 83 upvotes, $0
159. Persistent DOM-based XSS in https://help.twitter.com via localStorage to X (Formerly Twitter) - 82 upvotes, $0
160. Unrestricted file upload leads to Stored XSS to GitLab - 82 upvotes, $0
161. XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via whitelist bypass in SVG icon for sales channel applications to Shopify - 81 upvotes, $5000
162. [pay.gold.razer.com] Stored XSS - Order payment to Razer - 81 upvotes, $1500
163. Html Injection and Possible XSS in sms-be-vip.twitter.com to X (Formerly Twitter) - 81 upvotes, $0
164. DOMXSS in redirect param to Semmle - 81 upvotes, $0
165. Potential unprivileged Stored XSS through wp_targeted_link_rel to WordPress - 80 upvotes, $0
166. Reflected XSS on http://www.grouplogic.com/files/glidownload/verify.asp to Acronis - 80 upvotes, $0
167. Reflected XSS in /video to VK.com - 79 upvotes, $500
168. Reflect XSS on Mobile Search page to Pornhub - 79 upvotes, $250
169. Urgent! Stored XSS at plugin's violations leading to account takeover to New Relic - 79 upvotes, $0
170. New /add_contacts /remove_contacts quick commands susceptible to XSS from Customer Contact firstname/lastname fields to GitLab - 78 upvotes, $13950
171. Defacement of catalog.data.gov via web cache poisoning to stored DOMXSS to GSA Bounty - 77 upvotes, $750
172. Stored XSS in Email Templates via link to Judge.me - 77 upvotes, $500
173. stored XSS in hey.com message content to Basecamp - 77 upvotes, $0
174. Blind Stored XSS in HackerOne's Sal 4.1.4.2149 (sal.████.com) to HackerOne - 77 upvotes, $0
175. Stored XSS via Angular Expression injection via Subject while starting conversation with other users. to FetLife - 77 upvotes, $0
176. Stored XSS in main page of a project caused by arbitrary script payload in group "Default initial branch name" to GitLab - 76 upvotes, $3000
177. ██████ DOM XSS via Shopify.API.remoteRedirect to Shopify - 76 upvotes, $0
178. XSS Payload on TikTok Seller Center endpoint to TikTok - 75 upvotes, $1000
179. Stored XSS in email to Mail.ru - 75 upvotes, $0
180. Stored XSS on https://app.crowdsignal.com/surveys/[Survey-Id]/question - Bypass to Automattic - 75 upvotes, $0
181. [https://city-mobil.ru/taxiserv] Blind XSS into username to Mail.ru - 74 upvotes, $0
182. DOM XSS on duckduckgo.com search to DuckDuckGo - 74 upvotes, $0
183. XSS from arbitrary attachment upload. to Qulture.Rocks - 74 upvotes, $0
184. Reflected XSS in https://www.intensedebate.com/js/getCommentLink.php to Automattic - 74 upvotes, $0
185. Stored XSS in Discounts section to Shopify - 73 upvotes, $1000
186. XSS via POST request to https://account.mail.ru/signup/ to Mail.ru - 73 upvotes, $1000
187. Passive stored XSS at broadcast room to Chaturbate - 73 upvotes, $0
188. xss stored to Shopify - 73 upvotes, $0
189. Cross-site Scripting (XSS) - Stored on ads.tiktok.com in Text field to TikTok - 73 upvotes, $0
190. XSS in ZenTao integration affecting self hosted instances without strict CSP to GitLab - 72 upvotes, $13950
191. Reflective Cross-site Scripting via Newsletter Form to Shopify - 72 upvotes, $2000
192. Blind XSS in redtube administering site my.reflected.net to Pornhub - 72 upvotes, $1000
193. Reflected XSS in https://www.starbucks.co.jp/store/search/ to Starbucks - 72 upvotes, $0
194. Reflected cross-site scripting on multiple Starbucks assets. to Starbucks - 72 upvotes, $0
195. XSS on tiktok.com to TikTok - 72 upvotes, $0
196. XSS via Cookie in Mail.ru to Mail.ru - 71 upvotes, $1000
197. Reflected XSS on www.pornhub.com and www.pornhubpremium.com to Pornhub - 71 upvotes, $750
198. Multiple XSS on account settings that can hijack any users in the company. to X (Formerly Twitter) - 71 upvotes, $700
199. RCE, SQLi, IDOR, Auth Bypass and XSS at [staff.███.edu.eg ] to ██████ - 71 upvotes, $0
200. Stored XSS that allow an attacker to read victim mailboxes contacts in mail.ru and my.com application to Mail.ru - 71 upvotes, $0
201. XSS on https://partners.acronis.com/ to Acronis - 71 upvotes, $0
202. Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage to LocalTapiola - 70 upvotes, $5000
203. [account.mail.ru] XSS vulnerability in the login form to Mail.ru - 70 upvotes, $1000
204. New XSS vector in ReaderMode with %READER-TITLE-NONCE% to Brave Software - 69 upvotes, $1000
205. Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage to LocalTapiola - 69 upvotes, $0
206. Reflected XSS in <any>.myshopify.com through theme preview to Shopify - 69 upvotes, $0
207. help.shopify.com Cross Site Scripting to Shopify - 69 upvotes, $0
208. Possibility to overwrite any file in the vpe.cdn.vimeo.tv leads to the Stored XSS for the all customers on the embed.vhx.tv to Vimeo - 69 upvotes, $0
209. stripo.email reflected xss to Stripo Inc - 69 upvotes, $0
210. Potential stored Cross-Site Scripting vulnerability in Support Backend to HackerOne - 69 upvotes, $0
211. Reflected XSS & Open Redirect at mcs main domain to Mail.ru - 68 upvotes, $0
212. [dev.twitter.com] XSS and Open Redirect to X (Formerly Twitter) - 67 upvotes, $1120
213. reflected xss in e.mail.ru to Mail.ru - 67 upvotes, $1000
214. Reflected XSS on secure.chaturbate.com to Chaturbate - 67 upvotes, $800
215. POST-based XSS on apps.shopify.com to Shopify - 67 upvotes, $500
216. WordPress Flash XSS in flashmediaelement.swf to Automattic - 67 upvotes, $0
217. Stored XSS in private messages to VK.com - 67 upvotes, $0
218. Stored Self XSS on https://app.crowdsignal.com (in Photo Insert App) + Stored XSS on https://your-subdomain.survey.fm to Automattic - 67 upvotes, $0
219. XSS on Videos IA to DuckDuckGo - 67 upvotes, $0
220. Stored XSS through PDF viewer to Slack - 66 upvotes, $4875
221. Cross-site Scripting (XSS) - DOM on https://account.mail.ru/user/garage?back_url=https://mail.ru to Mail.ru - 66 upvotes, $1000
222. Multiple DOMXSS on Amplify Web Player to X (Formerly Twitter) - 66 upvotes, $0
223. Possible DOM XSS on app.hey.com to Basecamp - 66 upvotes, $0
224. xss is triggered on your web to Shopify - 66 upvotes, $0
225. web.icq.com XSS in chat message via contact info to Mail.ru - 65 upvotes, $0
226. URL Advisor component in KIS products family is vulnerable to Universal XSS to Kaspersky - 65 upvotes, $0
227. Stored XSS through Facebook Page Connection to Shopify - 65 upvotes, $0
228. Cross-Site Scripting (XSS) on www.starbucks.com | .co.uk login pages to Starbucks - 65 upvotes, $0
229. DOM XSS triggered in secure support desk to QIWI - 65 upvotes, $0
230. XSS in linktr.ee - on link thumbnail adding to Linktree - 64 upvotes, $600
231. XSS on rockstargames.com to Rockstar Games - 64 upvotes, $500
232. xss in https://www.uber.com to Uber - 64 upvotes, $0
233. Cross Site Scripting using Email parameter in Ads endpoint 1 to TikTok - 64 upvotes, $0
234. Reflected XSS on www.grouplogic.com/video.asp to Acronis - 64 upvotes, $0
235. Stored Cross-site Scripting on devicelock.com/forum/ to Acronis - 64 upvotes, $0
236. Stored XSS in /admin/product and /admin/collections to Shopify - 63 upvotes, $5300
237. Reflected XSS and Server Side Template Injection in all HubSpot CMSes to HubSpot - 63 upvotes, $0
238. Stored XSS in Post title (PoC) to Imgur - 63 upvotes, $0
239. Wormable stored XSS in www.evernote.com to Evernote - 62 upvotes, $0
240. Stored XSS | api.mapbox.com | IE 11 | Styles name to Mapbox - 62 upvotes, $0
241. Stored XSS in [https://streamlabs.com/dashboard#/*goal] pages to Logitech - 62 upvotes, $0
242. Authenticated path traversal to Stored XSS and Denial-of-Service to phpBB - 62 upvotes, $0
243. Xss triggered in Your-store.myshopify.com/admin/apps/shopify-email/editor/**** to Shopify - 61 upvotes, $2900
244. Stored XSS in Acronis Cyber Protect Console to Acronis - 61 upvotes, $500
245. Blind XSS in Mobpub Marketplace Admin Production | Sentry via demand.mopub.com (User-Agent) to X (Formerly Twitter) - 61 upvotes, $0
246. [http_server] Stored XSS in the filename when directories listing to Node.js third-party modules - 61 upvotes, $0
247. Cross site scripting via file upload in subdomain ads.tiktok.com to TikTok - 60 upvotes, $500
248. DOM based CSS Injection on grammarly.com to Grammarly - 60 upvotes, $250
249. [www.zomato.com] Blind XSS in one of the Admin Dashboard to Zomato - 60 upvotes, $0
250. reflected XSS on panther.com to Panther Labs - 60 upvotes, $0
251. Reflected XSS on $Any$.myshopify.com/admin to Shopify - 58 upvotes, $1500
252. XSS via X-Forwarded-Host header to Omise - 58 upvotes, $200
253. Stored XSS on https://events.hackerone.com to HackerOne - 58 upvotes, $0
254. [web.icq.com] Stored XSS in Account Name to Mail.ru - 57 upvotes, $1000
255. Unrestricted file upload when creating quotes allows for Stored XSS to Visma Public - 57 upvotes, $250
256. Persistent Cross-Site Scripting in default Laravel installation to Laravel - 57 upvotes, $0
257. Singapore - Unrestricted File Upload Leads to XSS on campaign.starbucks.com.sg/api/upload to Starbucks - 57 upvotes, $0
258. Stored-XSS on wiki pages to GitLab - 57 upvotes, $0
259. XSS Reflected at https://sketch.pixiv.net/ Via next_url to pixiv - 56 upvotes, $500
260. XSS from Mastodon embeds to IRCCloud - 56 upvotes, $500
261. WAF bypass via double encoded non standard ASCII chars permitted a reflected XSS on response page not found pages - (629745 bypass) to Starbucks - 56 upvotes, $0
262. Stored XSS on upload files leads to steal cookie to Palo Alto Software - 56 upvotes, $0
263. DOM-Based XSS in tumblr.com to Automattic - 56 upvotes, $0
264. Web Cache Poisoning leads to XSS and DoS to Glassdoor - 56 upvotes, $0
265. Stored XSS on wordpress.com to Automattic - 56 upvotes, $0
266. Stored XSS on activity to Shopify - 55 upvotes, $2000
267. Reflected XSS at http://promotion.molthailand.com/index.php via promotion_id parameter to Razer - 55 upvotes, $250
268. The Custom Emoji Page has a Reflected XSS to Slack - 55 upvotes, $0
269. XSS at TikTok Ads Endpoint to TikTok - 55 upvotes, $0
270. XSS account.mail.ru to Mail.ru - 54 upvotes, $1000
271. HTML Injection with XSS possible to Imgur - 54 upvotes, $0
272. Reflected XSS on https://www.glassdoor.com/job-listing/spotlight to Glassdoor - 54 upvotes, $0
273. Self XSS to Shopify - 53 upvotes, $500
274. [manage.jumpbikes.com] Blind XSS on Jump admin panel via user name to Uber - 53 upvotes, $0
275. Unrestricted File Upload Results in Cross-Site Scripting Attacks to Uber - 53 upvotes, $0
276. Blind XSS via Feedback form. to Judge.me - 53 upvotes, $0
277. Reflected XSS Via origCity Parameter (UPPER Case + WAF Protection Bypass) to Expedia Group Bug Bounty - 52 upvotes, $300
278. Stored XSS in Intense Debate comment system to Automattic - 52 upvotes, $0
279. CVE-2023-29489 XSS in cpanel at [www.███] - Securado, Oman to U.S. Dept Of Defense - 52 upvotes, $0
280. Reflected XSS on marketsandresearch.td.com to TD Bank - 51 upvotes, $0
281. Stored XSS via Mermaid Prototype Pollution vulnerability to GitLab - 50 upvotes, $3000
282. DOMXSS in Tweetdeck to X (Formerly Twitter) - 50 upvotes, $0
283. Reflect XSS and CSP Bypass on https://www.paypal.com/businesswallet/currencyConverter/ to PayPal - 50 upvotes, $0
284. XSS and HTML Injection on the pressable.com search box to Automattic - 50 upvotes, $0
285. CSRF + XSS REFLECT to Daimler Truck - 50 upvotes, $0
286. Possibility to inject a malicious JavaScript code in any file on tags.tiqcdn.com results in a stored XSS on any page in most Uber domains to Uber - 49 upvotes, $6000
287. Stored XSS in photos_user_map.gne to Flickr - 49 upvotes, $3263
288. Stored XSS on the job page to GitLab - 49 upvotes, $3000
289. Stored XSS on support.rockstargames.com to Rockstar Games - 49 upvotes, $1000
290. Stored xss to Shopify - 49 upvotes, $1000
291. XSS in stories. to VK.com - 49 upvotes, $500
292. XSS through __e2e_action_id delivered by JSONP to Quora - 49 upvotes, $0
293. Reflected XSS in m.imgur.com to Imgur - 49 upvotes, $0
294. (Prerelease UI) Stored XSS via role name in JSON chart to New Relic - 48 upvotes, $2500
295. OX (Guard): Stored Cross-Site Scripting via Incoming Email to Open-Xchange - 48 upvotes, $1000
296. [careers.informatica.com] Reflected Cross Site Scripting to XSS Shell Possible to Informatica - 48 upvotes, $0
297. XSS within Shopify Email App - Admin to Shopify - 48 upvotes, $0
298. Stored XSS in collabora via user name to Nextcloud - 48 upvotes, $0
299. XSS Reflected in m.vk.com to VK.com - 48 upvotes, $0
300. XSS on Issue reference numbers to GitLab - 48 upvotes, $0
301. Stored XSS at https://linkpop.com to Shopify - 48 upvotes, $0
302. Stored XSS in markdown when redacting references to GitLab - 47 upvotes, $5000
303. [my.games, lootdog.io] XSS via MCS Bucket to Mail.ru - 47 upvotes, $1333
304. Email templates XSS by filterXSS bypass to Judge.me - 47 upvotes, $1250
305. XSS in Desktop Client in the notifications to Nextcloud - 47 upvotes, $750
306. Stored XSS on store.my.games to Mail.ru - 47 upvotes, $200
307. Cross Site Scripting(XSS) on IRCCloud Badges Page (using Parameter Pollution) to IRCCloud - 47 upvotes, $0
308. [Android] XSS via start ContentActivity to Quora - 47 upvotes, $0
309. csp bypass + xss to X (Formerly Twitter) - 47 upvotes, $0
310. Reflected XSS to Shopify - 47 upvotes, $0
311. Stored XSS in wordpress.com to Automattic - 47 upvotes, $0
312. Reflected xss and open redirect on larksuite.com using /?back_uri= parameter. to Lark Technologies - 47 upvotes, $0
313. Stored XSS in merge request pages to GitLab - 46 upvotes, $3500
314. Stored XSS on auth.uber.com/oauth/v2/authorize via redirect_uri parameter leads to Account Takeover to Uber - 46 upvotes, $3000
315. XSS on link and window.opener to Slack - 46 upvotes, $1000
316. [auth2.zomato.com] Reflected XSS at oauth2/fallbacks/error | ORY Hydra an OAuth 2.0 and OpenID Connect Provider to Zomato - 46 upvotes, $0
317. Blind XSS via Suspended Ticket Recovery to Zendesk - 46 upvotes, $0
318. Reflected XSS through multiple inputs in the issue collector on Jira to Roblox - 46 upvotes, $0
319. Cross-site scripting on api.collabs.shopify.com to Shopify - 45 upvotes, $1600
320. xss stored in https://your store.myshopify.com/admin/ to Shopify - 45 upvotes, $1000
321. Blind stored xss [parcel.grab.com] > name parameter to Grab - 45 upvotes, $750
322. H1514 DOM XSS on checkout.shopify.com via postMessage handler on /:id/sandbox/google_maps to Shopify - 45 upvotes, $500
323. Cross-site scripting (reflected) to X (Formerly Twitter) - 45 upvotes, $0
324. XSS in HTML Content Generated by Flash Slideshow Maker (All Versions) to Socusoft - 45 upvotes, $0
325. Reflected XSS in https://lite.pubg.com to PUBG - 45 upvotes, $0
326. DOM based XSS on /GTAOnline/tw/starterpack/ to Rockstar Games - 45 upvotes, $0
327. [dev.twitter.com] XSS and Open Redirect Protection Bypass to X (Formerly Twitter) - 44 upvotes, $1120
328. Stored XSS when you read emails. <style> to Mail.ru - 44 upvotes, $1000
329. Stored XSS in photo comment functionality to Pornhub - 44 upvotes, $0
330. Reflected XSS in https://blocked.myndr.net to Myndr - 44 upvotes, $0
331. DOM XSS on https://www.rockstargames.com/GTAOnline/feedback to Rockstar Games - 44 upvotes, $0
332. XSS Stored via Upload avatar PNG [HTML] File in accounts.shopify.com to Shopify - 44 upvotes, $0
333. Cross-site Scripting (XSS) - Stored to Mail.ru - 44 upvotes, $0
334. Stored XSS via Mermaid Prototype Pollution vulnerability to GitLab - 43 upvotes, $3000
335. Stored XSS in the ticketing system to TikTok - 43 upvotes, $1000
336. Stored XSS in profile page to Acronis - 43 upvotes, $50
337. Store XSS to Slack - 43 upvotes, $0
338. Reflected XSS on https://help.glassdoor.com/GD_HC_EmbeddedChatVF to Glassdoor - 43 upvotes, $0
339. XSS vulnerability without a content security bypass in a CUSTOM App through Button tag to Stripe - 42 upvotes, $2000
340. [e.mail.ru] XSS in search to Mail.ru - 42 upvotes, $750
341. XSS on services.shopify.com to Shopify - 42 upvotes, $500
342. Stored XSS in [https://dashboard.doppler.com/workplace/*/logs] pages to Doppler - 42 upvotes, $0
343. [intensedebate.com] XSS Reflected POST-Based to Automattic - 42 upvotes, $0
344. DOM XSS on https://biz.mail.ru/domains/goto/mail/ via parameter pollution to Mail.ru - 42 upvotes, $0
345. Stored XSS in Mermaid when viewing Markdown files to GitLab - 42 upvotes, $0
346. wp-embed XSS on Safari to WordPress - 42 upvotes, $0
347. Stored XSS in profile activity feed messages to Rockstar Games - 41 upvotes, $1000
348. IE 11 Self-XSS on Jira Integration Preview Base Link to HackerOne - 41 upvotes, $750
349. Stored XSS Payload when sending videos to TikTok - 41 upvotes, $500
350. Stored xss to Algolia - 41 upvotes, $100
351. (HackerOne SSO-SAML) Login CSRF, Open Redirect, and Self-XSS Possible Exploitation to HackerOne - 41 upvotes, $0
352. Stored XSS in blog comments through Shopify API to Shopify - 41 upvotes, $0
353. [IRCCloud Android] XSS in ImageViewerActivity to IRCCloud - 41 upvotes, $0
354. Stored XSS in Jetpack's Simple Payment Module by Contributors / Authors to Automattic - 41 upvotes, $0
355. Blind XSS Stored On Admin Panel Through Name Parameter In [ https://technoatom.mail.ru/] to Mail.ru - 41 upvotes, $0
356. Reflected xss on 8x8.com subdomain to 8x8 - 41 upvotes, $0
357. Reflected Cross site Scripting (XSS) on https://one.newrelic.com to New Relic - 41 upvotes, $0
358. XSS vulnerabilities due to missing checks in tag helpers to Ruby on Rails - 41 upvotes, $0
359. Stored xss on message reply to Mail.ru - 40 upvotes, $500
360. XSS in private messages to ok.ru - 40 upvotes, $0
361. DOM Based XSS in mycrypto.com to MyCrypto - 40 upvotes, $0
362. Stored XSS (client-side, using cookie poisoning) on the pornhubpremium.com to Pornhub - 40 upvotes, $0
363. Very severe XSS in private messages on m.ok.ru to ok.ru - 40 upvotes, $0
364. WooCommerce: Persistent XSS via customer address (state/county) to Automattic - 40 upvotes, $0
365. Reflected XSS in https://www.starbucks.com/account/create/redeem/MCP131XSR via xtl_amount, xtl_coupon_code, xtl_amount_type parameters to Starbucks - 40 upvotes, $0
366. Moodle XSS on evolve.glovoapp.com to Glovo - 40 upvotes, $0
367. Self XSS in Create New Workspace Screen to Mattermost - 40 upvotes, $0
368. XSS and iframe injection on tiktok ads portal using redirect params to TikTok - 40 upvotes, $0
369. Stored XSS in Browser name field reflected in two pages to New Relic - 39 upvotes, $3000
370. Blind XSS - Report review - Admin panel to Zomato - 39 upvotes, $350
371. [https://app.recordedfuture.com] - Reflected XSS via username parameter to Recorded Future - 39 upvotes, $300
372. Stored XSS in '' Section and WAF Bypass to Semrush - 39 upvotes, $0
373. Cross Site Scripting via CVE-2018-5230 on https://apps.topcoder.com to Topcoder - 39 upvotes, $0
374. XSS: v-safe-html is not safe enough to GitLab - 39 upvotes, $0
375. reflected XSS in [www.equifax.com] to Equifax-vdp - 39 upvotes, $0
376. XSS on about:tbupdate to Tor - 39 upvotes, $0
377. Reflected XSS on multiple uberinternal.com domains to Uber - 38 upvotes, $2000
378. XSS in upload.php to VK.com - 38 upvotes, $1500
379. Mattermost Server OAuth Flow Cross-Site Scripting to Mattermost - 38 upvotes, $900
380. Stored XSS on buy button to Shopify - 38 upvotes, $500
381. Reflected Xss On https://vk.com/search to VK.com - 38 upvotes, $500
382. XSS through chat messages to Vanilla - 38 upvotes, $300
383. Reflected XSS via "Error" parameter on https://admin.acronis.com/admin/su/ to Acronis - 38 upvotes, $50
384. HTML injection (with XSS possible) on the https://www.data.gov/issue/ using media_url attribute to GSA Bounty - 38 upvotes, $0
385. CSS Injection on /embed/ via bgcolor parameter leaks user's CSRF token and allows for XSS to Chaturbate - 38 upvotes, $0
386. Reflected XSS in lert.uber.com to Uber - 38 upvotes, $0
387. CSTI on https://www.ecobee.com leads to XSS to ecobee - 38 upvotes, $0
388. XSS on https://app.mopub.com/reports/custom/add/ [new-d1] to X (Formerly Twitter) - 38 upvotes, $0
389. Reflected XSS and Blind out of band command injection at subdomain dstuid-ww.dst.ibm.com to IBM - 38 upvotes, $0
390. Reflected XSS on https://www.uber.com to Uber - 37 upvotes, $1000
391. CSRF in 'set.php' via age causes stored XSS on 'get.php' - http://www.rockstargames.com/php/videoplayer_cache/get.php' to Rockstar Games - 37 upvotes, $0
392. Stored XSS on www.starbucks.com.sg/careers/career-center/career-landing-* to Starbucks - 37 upvotes, $0
393. DOM based XSS in the WooCommerce plugin to Automattic - 37 upvotes, $0
394. Stored XSS on demo app link to Shopify - 37 upvotes, $0
395. [qiwi.me] Stored XSS to QIWI - 37 upvotes, $0
396. Cross-Site Scripting through search form on mtnplay.co.zm to MTN Group - 37 upvotes, $0
397. dom based xss on [hello.merchant.razer.com] to Razer - 36 upvotes, $500
398. Self XSS on Acronis Cyber Cloud to Acronis - 36 upvotes, $100
399. (BYPASS) Open redirect and XSS in supporthiring.shopify.com to Shopify - 36 upvotes, $0
400. Stored XSS on the https://www.redtube.com/users/[profile]/collections to Pornhub - 36 upvotes, $0
401. Stored XSS in Business account, on the company page to DRIVE.NET, Inc. - 36 upvotes, $0
402. Reflected xss in m.vk.com/chatjoin to VK.com - 36 upvotes, $0
403. reflected xss in https://wordpress.com/start/account/user to Automattic - 36 upvotes, $0
404. Blind Stored XSS Via Staff Name to Shopify - 35 upvotes, $3000
405. Rails ActionView sanitize helper bypass leading to XSS using SVG tag. to Internet Bug Bounty - 35 upvotes, $2400
406. [stored xss, pornhub.com] stream post function to Pornhub - 35 upvotes, $1500
407. XSS on product comments in transfers to Shopify - 35 upvotes, $500
408. www.starbucks.co.uk Reflected XSS via utm_source parameter to Starbucks - 35 upvotes, $0
409. Persistent XSS in www.starbucks.com to Starbucks - 35 upvotes, $0
410. Stored XSS in [shop].myshopify.com/admin/orders/[id] to Shopify - 35 upvotes, $0
411. Reflected XSS - gratipay.com to Gratipay - 35 upvotes, $0
412. Persistent XSS in https://sandbox.reverb.com/item/ to Reverb.com - 35 upvotes, $0
413. Stored XSS in galleries - https://www.redtube.com/gallery/[id] path to Pornhub - 35 upvotes, $0
414. Multiple stored XSS in WordPress to WordPress - 35 upvotes, $0
415. Reflected XSS on https://www.olx.co.id/iklan/*.html via "ad_type" parameter to OLX - 35 upvotes, $0
416. CSS Injection to disable app & potential message exfil to Slack - 35 upvotes, $0
417. Stored XSS in blob viewer to GitLab - 35 upvotes, $0
418. Store-XSS in error message of build-dependencies to GitLab - 35 upvotes, $0
419. Account takeover via XSS to Rocket.Chat - 35 upvotes, $0
420. Reflected XSS in photogallery component on [https://market.av.ru] to Azbuka Vkusa - 35 upvotes, $0
421. One Click XSS in [www.shopify.com] to Shopify - 35 upvotes, $0
422. Stored XSS on developer.uber.com via admin account compromise to Uber - 34 upvotes, $5000
423. DOM XSS via Shopify.API.Modal.initialize to Shopify - 34 upvotes, $500
424. Timeline Editor Self-XSS (Previous Fix #738072 Incomplete) to Shopify - 34 upvotes, $500
425. Cookie exfiltration through XSS on the main search request of www.lahitapiola.fi to LocalTapiola - 34 upvotes, $500
426. XSS *.myshopify.com/collections/vendors?q= to Shopify - 34 upvotes, $0
427. XSS found on Snapchat website to Snapchat - 34 upvotes, $0
428. Stored XSS in the guide's GameplayVersion (www.dota2.com) to Valve - 34 upvotes, $0
429. [allods.mail.ru] - WebCache Poisoning Host Header lead to Potential Stored XSS to Mail.ru - 34 upvotes, $0
430. XSS in biz.mail.ru/error to Mail.ru - 33 upvotes, $500
431. Stored XSS to Open-Xchange - 33 upvotes, $500
432. XSS in IE11 on portswigger.net via Flash to PortSwigger Web Security - 33 upvotes, $0
433. Stored XSS Deleting Menu Links in the Shopify Admin to Shopify - 33 upvotes, $0
434. DOM Based xss on https://www.rockstargames.com/ ( 1 ) to Rockstar Games - 33 upvotes, $0
435. Reflected XSS at https://www.glassdoor.co.in/FAQ/Microsoft-Question-FAQ200086-E1651.htm?countryRedirect=true via PATH to Glassdoor - 33 upvotes, $0
436. POST BASED REFLECTED XSS IN dailydeals.mtn.co.za to MTN Group - 33 upvotes, $0
437. Bypass Filter and get Stored Xss to Shopify - 32 upvotes, $3000
438. Stored XSS on issue comments and other pages which contain notes to GitLab - 32 upvotes, $3000
439. Cross-site scripting on algorithm collaborator to Quantopian - 32 upvotes, $2100
440. DOM based XSS via insecure parameter on [ https://uberpay-mock-psp.uber.com ] to Uber - 32 upvotes, $1420
441. Stored XSS when removing a group from a conversation (m.vk.com) to VK.com - 32 upvotes, $500
442. XSS For Profile Name to Vanilla - 32 upvotes, $300
443. BlIND XSS on https://open.vanillaforums.com to Vanilla - 32 upvotes, $300
444. Blind Stored XSS in https://partners.acronis.com/admin which lead to sensitive information/PII leakage to Acronis - 32 upvotes, $150
445. Cross site scripting - XSRF Token to Nextcloud - 32 upvotes, $0
446. Blind Stored XSS Payload fired at the backend on https://█████████/ to U.S. Dept Of Defense - 32 upvotes, $0
447. [XSS] Reflected XSS via POST request in (editJobAlert.htm) file to Glassdoor - 32 upvotes, $0
448. Stored-XSS in merge requests to GitLab - 32 upvotes, $0
449. Bypassing Content-Security-Policy leads to open-redirect and iframe xss to Stripo Inc - 32 upvotes, $0
450. Reflected XSS on delivery.glovoapp.com to Glovo - 32 upvotes, $0
451. Clipboard DOM-based XSS to GitLab - 32 upvotes, $0
452. Reflected XSS on Partners Subdomain to Uber - 31 upvotes, $2000
453. [Java] CWE-079: Query to detect XSS with JavaServer Faces (JSF) to GitHub Security Lab - 31 upvotes, $1800
454. XSS in $shop$.myshopify.com/admin/ via twine template injection in "Shopify.API.Modal.input" method when using a malicious app to Shopify - 31 upvotes, $1000
455. XSS on "widgets.shopifyapps.com" via "stripping" attribute and "shop" parameter to Shopify - 31 upvotes, $1000
456. XSS in message e.mail.ru to Mail.ru - 31 upvotes, $1000
457. Stored XSS in chat topic due to insecure emoticon parsing on any message type to Chaturbate - 31 upvotes, $450
458. Cookie based XSS on http://ftp1.thx.com to Razer - 31 upvotes, $375
459. Reflected XSS on partners.cloudflare.com to Cloudflare Vulnerability Disclosure - 31 upvotes, $0
460. XSS risk reduction with X-XSS-Protection: 1; mode=block header to Radancy - 31 upvotes, $0
461. XSS https://agent.postamat.tech/ in the profile + disclosure of secret information to QIWI - 31 upvotes, $0
462. XSS leads to RCE on the RocketChat desktop client. to Rocket.Chat - 31 upvotes, $0
463. Reflected Cross-Site scripting in : mtn.bj to MTN Group - 31 upvotes, $0
464. Xss At Shopify Email App to Shopify - 31 upvotes, $0
465. SSRF & Blind XSS in Gravatar email to Automattic - 31 upvotes, $0
466. DOM XSS at https://adobedocs.github.io/OAE_PartnerAPI/?configUrl={site} due to outdated Swagger UI to Adobe - 31 upvotes, $0
467. Stored XSS on app.crowdsignal.com your-subdomain.crowdsignal.net via Thank You Header to Automattic - 31 upvotes, $0
468. XSS in Cisco Endpoint to U.S. Dept Of Defense - 31 upvotes, $0
469. Reflected XSS on developer.uber.com via Angular template injection to Uber - 30 upvotes, $3000
470. Reflected XSS POST method at partners.uber.com to Uber - 30 upvotes, $3000
471. Xss was found by exploiting the URL markdown on http://store.steampowered.com to Valve - 30 upvotes, $1000
472. Self-Stored XSS - Chained with login/logout CSRF to Zomato - 30 upvotes, $300
473. Unrestricted File Upload Blind Stored Xss in subdomain ads.tiktok.com to TikTok - 30 upvotes, $250
474. Cross-site scripting in "Contact customer" form to Shopify - 30 upvotes, $0
475. XSS vulnerability related to file upload to VK.com - 30 upvotes, $0
476. [FG-VD-19-022] Wordpress WooCommerce Cross-Site Scripting Vulnerability Notification to Automattic - 30 upvotes, $0
477. XSS inside HTML Link Tag to OLX - 30 upvotes, $0
478. Stored XSS in https://productreviews.shopifyapps.com/proxy/v4/reviews/product to Shopify - 30 upvotes, $0
479. DOM XSS on duckduckgo.com search to DuckDuckGo - 30 upvotes, $0
480. [api.tumblr.com] Exploiting clickjacking vulnerability to trigger self DOM-based XSS to Automattic - 30 upvotes, $0
481. Reflected XSS and possible SSRF/XXE on https://events.hackerone.com/conferences/get_recording_slides_xml.xml?url=myserver/xss.xml to HackerOne - 30 upvotes, $0
482. Stored XSS on top.mail.ru to Mail.ru - 30 upvotes, $0
483. Reflected XSS on av.ru via q parameter at https://av.ru/collections/* to Azbuka Vkusa - 30 upvotes, $0
484. Cross-site Scripting (XSS) - Reflected to MTN Group - 30 upvotes, $0
485. Stored XSS in merge request creation page through payload in approval rule name to GitLab - 29 upvotes, $3000
486. Stored XSS on profile page via Steam display name to Rockstar Games - 29 upvotes, $1250
487. stored XSS (angular injection) in support.rockstargames.com using zendesk register form via name parameter to Rockstar Games - 29 upvotes, $1000
488. XSS in $shop$.myshopify.com/admin/ via "Button Objects" in malicious app to Shopify - 29 upvotes, $800
489. Self-XSS in password reset functionality to Shopify - 29 upvotes, $500
490. XSS in the Callback API in communities to VK.com - 29 upvotes, $500
491. Stored XSS on promo.indrive.com to inDrive - 29 upvotes, $284
492. DOM Based XSS in Discourse Search to Discourse - 29 upvotes, $256
493. XSS in (Support Requests) : User Cases to Acronis - 29 upvotes, $50
494. Reflected XSS in www.dota2.com to Valve - 29 upvotes, $0
495. Reflected XSS in www.olx.co.id to OLX - 29 upvotes, $0
496. Stored XSS at https://app.smtp2go.com/settings/users/ to SMTP2GO - 29 upvotes, $0
497. HTTP Request Smuggling on api.flocktory.com Leads to XSS on Customer Sites to QIWI - 29 upvotes, $0
498. xss due to incorrect handling of postmessages to Khan Academy - 29 upvotes, $0
499. Stored XSS on wordpress.com to Automattic - 29 upvotes, $0
500. CRLF and XSS stored on ton.twitter.com to X (Formerly Twitter) - 28 upvotes, $1680
501. Stored XSS in Dovetale by application of creator to Shopify - 28 upvotes, $1600
502. Stored XSS(Cross Site Scripting) In Slack App Name to Slack - 28 upvotes, $1000
503. o2.mail.ru XSS to Mail.ru - 28 upvotes, $1000
504. Reflected XSS in error pages (NC-SA-2017-008) to Nextcloud - 28 upvotes, $450
505. Persistent XSS via Signatures to Vanilla - 28 upvotes, $300
506. [allhiphop.vanillacommunities.com] XSS Request-URI to Vanilla - 28 upvotes, $100
507. XSS in http://www.rockstargames.com/theballadofgaytony/js/jquery.base.js to Rockstar Games - 28 upvotes, $0
508. Reflected XSS on the data.gov (WAF bypass+ Chrome XSS Auditor bypass+ works in all browsers) to GSA Bounty - 28 upvotes, $0
509. [mercantile.wordpress.org] Reflected XSS via AngularJS Template Injection to WordPress - 28 upvotes, $0
510. [qiwi.com] XSS on payment form to QIWI - 28 upvotes, $0
511. XSS Stored to Coursera - 28 upvotes, $0
512. DOM XSS in edoverflow.com/tools/respond due to unsafe usage of the innerHTML property. to Ed - 28 upvotes, $0
513. Stored Cross Site Scripting on Zendesk agent dashboard to Zendesk - 28 upvotes, $0
514. Reflected Xss to U.S. Dept Of Defense - 28 upvotes, $0
515. Self xss in product reviews to Shopify - 28 upvotes, $0
516. Reflected XSS at https://www.glassdoor.com/ via the 'numSuggestions' parameter to Glassdoor - 28 upvotes, $0
517. Stored XSS in Satisfaction Surveys via "Ask Reason for Dissatisfaction" option to Lark Technologies - 28 upvotes, $0
518. Stored XSS in "product type" field executed via product filters to Judge.me - 28 upvotes, $0
519. XSS in http://www.glassdoor.com/Search/results.htm via Parameter Pollution to Glassdoor - 28 upvotes, $0
520. Stored XSS in group issue list to GitLab - 27 upvotes, $2000
521. Stored XSS in snapmatic comments to Rockstar Games - 27 upvotes, $1000
522. [web.icq.com] Stored XSS in "About Contact" to Mail.ru - 27 upvotes, $500
523. Persistent XSS at verkkopalvelu.tapiola.fi using spoofed React element and React v.0.13.3 to LocalTapiola - 27 upvotes, $300
524. Reflected XSS at city-mobil.ru to Mail.ru - 27 upvotes, $300
525. XSS in vk.link to VK.com - 27 upvotes, $300
526. CSS injection via BB code tag "█████" to phpBB - 27 upvotes, $0
527. Search input is vulnerable for XSS in qa.td.com and dev.td.com to TD Bank - 27 upvotes, $0
528. Basic XSS [WAF Bypasses] to Cloudflare Public Bug Bounty - 26 upvotes, $50
529. DOM based reflected XSS in rockstargames.com/newswire/tags through cross domain ajax request to Rockstar Games - 26 upvotes, $0
530. [GitHub Extension] Unsanitised HTML leading to XSS on GitHub.com to Algolia - 26 upvotes, $0
531. Cloudflare based XSS for IE11 to Cloudflare Vulnerability Disclosure - 26 upvotes, $0
532. Reflected XSS in /Videos/ via calling a callback http://www.rockstargames.com/videos/#/?lb= to Rockstar Games - 26 upvotes, $0
533. Preview bar: Incomplete message origin validation results in XSS to Shopify - 26 upvotes, $0
534. Stored - XSS to Shopify - 26 upvotes, $0
535. Stored XSS in Macro Editing - Introduced by Admins to affect Admins to Zendesk - 26 upvotes, $0
536. DOM XSS on app.starbucks.com via ReturnUrl to Starbucks - 26 upvotes, $0
537. Cross-site Scripting (XSS) - DOM - iqcard.informatica.com to Informatica - 26 upvotes, $0
538. Bypass extension check leads to stored XSS at https://s2.booth.pm to pixiv - 26 upvotes, $0
539. CSRF + XSS leads to ATO to Mail.ru - 26 upvotes, $0
540. XSS Stored in Cacheable response to Acronis - 26 upvotes, $0
541. Stored DOM XSS via Mermaid chart to GitLab - 25 upvotes, $3000
542. Reflected cross-site scripting (XSS) on api.tiles.mapbox.com to Mapbox - 25 upvotes, $1000
543. Stored XSS on member post feed to Rockstar Games - 25 upvotes, $1000
544. cross site scripting bypass session to Mail.ru - 25 upvotes, $1000
545. Stored XSS in history on [corporate.city-mobil.ru] to Mail.ru - 25 upvotes, $300
546. XSS reflected on [https://www.youporn.com] to Pornhub - 25 upvotes, $150
547. Cross Site Scripting (Reflected) on https://www.acronis.cz/ to Acronis - 25 upvotes, $50
548. WordPress core stored XSS via attachment file name to Automattic - 25 upvotes, $0
549. Reflected XSS via #tags= while using a callback in newswire http://www.rockstargames.com/newswire to Rockstar Games - 25 upvotes, $0
550. XSS on https://www.starbucks.co.uk (can lead to credit card theft) (/shop/paymentmethod) to Starbucks - 25 upvotes, $0
551. Stored xss in a forwarded message. to Mail.ru - 25 upvotes, $0
552. Self-XSS to Good-XSS - pornhub.com to Pornhub - 25 upvotes, $0
553. stored xss in app.lemlist.com to lemlist - 25 upvotes, $0
554. Cross Site Scripting using Email parameter in Ads endpoint 2 to TikTok - 25 upvotes, $0
555. [intensedebate.com] XSS Reflected POST-Based on update/tumblr2/{$id} to Automattic - 25 upvotes, $0
556. CSRF to Cross-site Scripting (XSS) to U.S. Dept Of Defense - 25 upvotes, $0
557. Reflected XSS to U.S. Dept Of Defense - 25 upvotes, $0
558. Stored XSS in repository file viewer to GitLab - 24 upvotes, $2000
559. Universal XSS with Playlist feature to Brave Software - 24 upvotes, $750
560. [e.mail.ru] Stored xss in Mpop cookie to Mail.ru - 24 upvotes, $600
561. Blind stored xss in demo form to Upserve - 24 upvotes, $500
562. XSS via the lang parameter in a POST request on light.mail.ru to Mail.ru - 24 upvotes, $500
563. Outdated Wordpress installation and plugins at www.uberxgermany.com create CSRF and XSS vulnerabilities to Uber - 24 upvotes, $500
564. Stored XSS in api.icq.net to Mail.ru - 24 upvotes, $150
565. HTML injection leads to reflected XSS to Zomato - 24 upvotes, $150
566. Blind Stored XSS on iOS App due to Unsanitized Webview to Nextcloud - 24 upvotes, $100
567. Stored Cross-Site-Scripting in CMS Airship's authors profiles to Paragon Initiative Enterprises - 24 upvotes, $0
568. [stagecafrstore.starbucks.com] CRLF Injection, XSS to Starbucks - 24 upvotes, $0
569. [growth.grab.com] Reflected XSS via Base64-encoded "q" param on "my.html" Valentine's microsite to Grab - 24 upvotes, $0
570. Reflected XSS in /al_audio.php to VK.com - 24 upvotes, $0
571. XSS in touch.mail.ru to Mail.ru - 24 upvotes, $0
572. Persistent XSS via e-mail when creating merge requests to GitLab - 24 upvotes, $0
573. Stored XSS in Review Section https://games.mail.ru/ to Mail.ru - 24 upvotes, $0
574. Authenticated Stored Cross-site Scripting in bbPress to WordPress - 24 upvotes, $0
575. [tumblr.com] 69< Firefox Only XSS Reflected to Automattic - 24 upvotes, $0
576. Reflected XSS on /admin/stats.php to Revive Adserver - 24 upvotes, $0
577. Stored XSS in the banner block description to Stripo Inc - 24 upvotes, $0
578. Stored Cross-Site Scripting vulnerability in example Custom Digital Agreement to HackerOne - 24 upvotes, $0
579. Stored XSS on PyPi simple API endpoint to GitLab - 23 upvotes, $3000
580. Universal Cross-Site Scripting in Keybase Chrome extension to Keybase - 23 upvotes, $500
581. DOM Based XSS charting_library to Gatecoin - 23 upvotes, $500
582. Persistent XSS via filename in projects to Nextcloud - 23 upvotes, $150
583. Reflected XSS in the IE 11 / Edge (latest versions) on the stage-go.wepay.com to WePay - 23 upvotes, $100
584. Reflected XSS on developers.zomato.com to Zomato - 23 upvotes, $100
585. Reflected XSS on my.acronis.com to Acronis - 23 upvotes, $50
586. Wordpress 4.7.2 - Two XSS in Media Upload when file too large. to WordPress - 23 upvotes, $0
587. XSS in private messages to VK.com - 23 upvotes, $0
588. XSS Reflected on my_report to Semrush - 23 upvotes, $0
589. Camo Image Proxy Bypass with CSS Escape Sequences to Chaturbate - 23 upvotes, $0
590. Stored XSS on Broken Themes via filename to WordPress - 23 upvotes, $0
591. Reflected XSS in https://www.█████/ to U.S. Dept Of Defense - 23 upvotes, $0
592. Stored XSS in any message (leads to priv esc for all users and file leak + rce via electron app) to Rocket.Chat - 23 upvotes, $0
593. Stored XSS at Module Name to Stripo Inc - 23 upvotes, $0
594. XSS seems to work again after change to linkpop at https://linkpop.com/testnaglinagli to Shopify - 23 upvotes, $0
595. Dom-Based XSS on parameter ?vsid= to JetBlue - 23 upvotes, $0
596. Reflected xss on https://█████████ to U.S. Dept Of Defense - 23 upvotes, $0
597. Reflected XSS on https://e.mail.ru/compose/ via Body parameter to Mail.ru - 22 upvotes, $1000
598. Stored XSS on Share-popup of a directory's Gallery-view to Nextcloud - 22 upvotes, $750
599. File Upload XSS in image uploading of App in mopub to X (Formerly Twitter) - 22 upvotes, $560
600. Stored XSS on apps.shopify.com to Shopify - 22 upvotes, $500
601. XSS on Brave Today through custom RSS feed to Brave Software - 22 upvotes, $500
602. Stored XSS in Public Profile Reviews to Judge.me - 22 upvotes, $250
603. XSS in PDF Viewer to Nextcloud - 22 upvotes, $100
604. Reflected XSS by exploiting CSRF vulnerability on teavana.com wishlist comment module. (wishlist-comments) to Starbucks - 22 upvotes, $0
605. [newscdn.starbucks.com] CRLF Injection, XSS to Starbucks - 22 upvotes, $0
606. Possibility to insert stored XSS inside <img> tag to Pornhub - 22 upvotes, $0
607. Admin bar: Incomplete message origin validation results in XSS to Shopify - 22 upvotes, $0
608. Self DOM-Based XSS in www.hackerone.com to HackerOne - 22 upvotes, $0
609. [kb.informatica.com] Dom Based xss to Informatica - 22 upvotes, $0
610. XSS via unicode characters in upload filename to WordPress - 22 upvotes, $0
611. xss triggered in "myshopify.com/admin/product" to Shopify - 22 upvotes, $0
612. Stored XSS on oslo.io in notifications via project name change to Logitech - 22 upvotes, $0
613. CVE-2022-23519: Rails::Html::SafeListSanitizer vulnerable to XSS when certain tags are allowed (math+style || svg+style) to Internet Bug Bounty - 21 upvotes, $2400
614. [Web ICQ Client] XSS vulnerability in the username to Mail.ru - 21 upvotes, $1000
615. Stored XSS in e.mail.ru (payload affect multiple users) to Mail.ru - 21 upvotes, $750
616. XSS on manually entering Postal codes to Shopify - 21 upvotes, $500
617. Reflected XSS via Double Encoding to Rockstar Games - 21 upvotes, $500
618. [render.bitstrips.com] Stored XSS via an incorrect avatar property value to Snapchat - 21 upvotes, $400
619. XSS Challenge to BugPoC - 21 upvotes, $300
620. Stored blind xss on showmax support team to Showmax - 21 upvotes, $256
621. CSS Injection via Client Side Path Traversal + Open Redirect leads to personal data exfiltration on Acronis Cloud to Acronis - 21 upvotes, $250
622. XSS in OAuth Redirect Url to Dropbox - 21 upvotes, $0
623. XSS in zendesk.com/product/ to Zendesk - 21 upvotes, $0
624. Stored XSS in community.ubnt.com to Ubiquiti Inc. - 21 upvotes, $0
625. DOM Based XSS In mercantile.wordpress.org to WordPress - 21 upvotes, $0
626. xss filter bypass [polldaddy] to Automattic - 21 upvotes, $0
627. Potential XSS vulnerability to HTML minification to Cloudflare Vulnerability Disclosure - 21 upvotes, $0
628. Stored XSS in learnboost.com via the lesson[goals] parameter. to Automattic - 21 upvotes, $0
629. Reflected Swf XSS In ( plugins.svn.wordpress.org ) to WordPress - 21 upvotes, $0
630. [*.rocketbank.ru] Web Cache Deception & XSS to QIWI - 21 upvotes, $0
631. [contact-sys.com] XSS /ajax/transfer/status trn param to QIWI - 21 upvotes, $0
632. [takeapeek] XSS via HTML tag injection in directory listing page to Node.js third-party modules - 21 upvotes, $0
633. XSS web.icq.com double linkify to Mail.ru - 21 upvotes, $0
634. XSS in messages on geekbrains.ru to Mail.ru - 21 upvotes, $0
635. Xss Reflected On spgw.terrhq.ru [ url ] to Mail.ru - 21 upvotes, $0
636. Stored XSS on Zeit.co user profile to Vercel - 21 upvotes, $0
637. H1514 Stored XSS on Wholesale sales channel allows cross-organization data leakage to Shopify - 21 upvotes, $0
638. H1514 Stored XSS in Return Magic App portal content to Shopify - 21 upvotes, $0
639. Reflected XSS on https://go.mail.ru/search?fr=mn&q=<payload> to Mail.ru - 21 upvotes, $0
640. Cross-site Scripting (XSS) - Reflected vseapteki.ru to Mail.ru - 21 upvotes, $0
641. Stored XSS in https://app.mopub.com to X (Formerly Twitter) - 21 upvotes, $0
642. Solution for XSS challenge calc.buggywebsite.com to BugPoC - 21 upvotes, $0
643. XSS / SELF XSS to Shopify - 21 upvotes, $0
644. [icq.im] Reflected XSS via chat invite link to Mail.ru - 21 upvotes, $0
645. Reflected XSS in https://www.██████/ to U.S. Dept Of Defense - 21 upvotes, $0
646. XSS :D to BugPoC - 21 upvotes, $0
647. Reflected XSS in https://www.topcoder.com/blog/category/community-stories/ to Topcoder - 21 upvotes, $0
648. CVE-2020-11110: Grafana Unauthenticated Stored XSS -████.bizml.ru to Mail.ru - 21 upvotes, $0
649. Reflected XSS in m.vk.com to VK.com - 21 upvotes, $0
650. add class vulnerable Stored XSS to Mail.ru - 21 upvotes, $0
651. Blind XSS in the torg.mail.ru admin panel via a review to Mail.ru - 20 upvotes, $500
652. Blind Stored XSS In "Report a Problem" on www.data.gov/issue/ to GSA Bounty - 20 upvotes, $300
653. Data URI Stored XSS on Donations Page to Mail.ru - 20 upvotes, $200
654. [Markdown] Stored XSS via character encoding parser bypass to GitLab - 20 upvotes, $0
655. Reflected xss on theacademy.upserve.com to Upserve - 20 upvotes, $0
656. reflected XSS avito.ru to Avito - 20 upvotes, $0
657. Stored XSS in infogram.com via language to Infogram - 20 upvotes, $0
658. Xss on community.imgur.com to Imgur - 20 upvotes, $0
659. [FG-VD-18-165] Wordpress Cross-Site Scripting Vulnerability Notification II to WordPress - 20 upvotes, $0
660. Reflected XSS to OWOX, Inc. - 20 upvotes, $0
661. XSS in select attribute options to Concrete CMS - 20 upvotes, $0
662. Stored Cross Site Scripting. to 8x8 - 20 upvotes, $0
663. Stored XSS In mlbootcamp.ru to Mail.ru - 20 upvotes, $0
664. XSS through image upload of contacts using svg file with png extension to Nextcloud - 20 upvotes, $0
665. Reflected XSS on /admin/userlog-index.php to Revive Adserver - 20 upvotes, $0
666. Stored XSS on 1.4.0 to ImpressCMS - 20 upvotes, $0
667. XSS in www.glassdoor.com to Glassdoor - 20 upvotes, $0
668. XSS @ love.uber.com to Uber - 19 upvotes, $3000
669. Stored XSS in dropboxforum.com to Dropbox - 19 upvotes, $512
670. XSS in e.mail.ru to Mail.ru - 19 upvotes, $500
671. Stored XSS in "post last edited" option to Discourse - 19 upvotes, $256
672. [parcel.grab.com] DOM XSS at /assets/bower_components/lodash/perf/ to Grab - 19 upvotes, $200
673. Solution to the XSS Challenge to BugPoC - 19 upvotes, $200
674. XSS through image upload of contacts using svg file to Nextcloud - 19 upvotes, $100
675. Cross-Site Scripting Reflected On Main Domain to Instacart - 19 upvotes, $0
676. XSS vulnerability using GIF tags to Pornhub - 19 upvotes, $0
677. XSS in the search bar of mercantile.wordpress.org to WordPress - 19 upvotes, $0
678. Stored XSS in comments on https://www.starbucks.co.uk/blog/* to Starbucks - 19 upvotes, $0
679. Stored XSS with CRLF injection via post message to user feed to Rockstar Games - 19 upvotes, $0
680. Admin Macro Description Stored XSS to Zendesk - 19 upvotes, $0
681. Search Page Reflected XSS on sharjah.dubizzle.com through unencoded output of GET parameter in JavaScript to OLX - 19 upvotes, $0
682. [seeftl] Stored XSS when directory listing via filename. to Node.js third-party modules - 19 upvotes, $0
683. XSS at go.mail.ru to Mail.ru - 19 upvotes, $0
684. Stored XSS in Application menu via Home Page Url to Ping Identity - 19 upvotes, $0
685. Reflected XSS on a Atavist theme to Automattic - 19 upvotes, $0
686. Reflected XSS via IE to Nord Security - 19 upvotes, $0
687. Stored XSS in calendar via UID parameter to Mail.ru - 19 upvotes, $0
688. Stealing app credentials by reflected xss on Lark Suite to Lark Technologies - 19 upvotes, $0
689. Reflected XSS on ███ to U.S. Dept Of Defense - 19 upvotes, $0
690. Reflected XSS on mtnhottseat.mtn.com.gh to MTN Group - 19 upvotes, $0
691. Blind XSS Stored and CORS misconfiguration in the "Events" report of the top.mail.ru service to Mail.ru - 19 upvotes, $0
692. Reflected xss in m.vk.com/chatjoin to VK.com - 19 upvotes, $0
693. Cross-site Scripting (XSS) - Stored | forum.acronis.com to Acronis - 19 upvotes, $0
694. Reflected XSS on https://help.glassdoor.com/gd_requestsubmitpage to Glassdoor - 19 upvotes, $0
695. Reflected Cross site scripting via Swagger UI to Adobe - 19 upvotes, $0
696. Stored XSS on newsroom.uber.com admin panel / Stream WordPress plugin to Uber - 18 upvotes, $5000
697. XSS in product selection. to VK.com - 18 upvotes, $500
698. XSS on opening a malicious OpenOffice text document to Open-Xchange - 18 upvotes, $400
699. [com.exness.android.pa Android] Universal XSS in webview. Lead to steal user cookies to EXNESS - 18 upvotes, $400
700. stored xss in comments : driver exam to Grab - 18 upvotes, $250
701. XSS on OAuth authorize/authenticate endpoint to X (Formerly Twitter) - 18 upvotes, $0
702. Stored xss in ALBUM DESCRIPTION to Imgur - 18 upvotes, $0
703. XSS at in instacart.com/store/partner_recipe to Instacart - 18 upvotes, $0
704. XSS on vimeo.com/home after other user follows you to Vimeo - 18 upvotes, $0
705. Stored xss in /lead_forms_app.php to VK.com - 18 upvotes, $0
706. XSS on https://account.mail.ru/login via postMessage to Mail.ru - 18 upvotes, $0
707. Reflected XSS using Header Injection to Semrush - 18 upvotes, $0
708. XSS vulnerability in sanitize-method when parsing link's href to Ruby on Rails - 18 upvotes, $0
709. DOM XSS on 1.1.1.1(one.one.one.one) to Cloudflare Vulnerability Disclosure - 18 upvotes, $0
710. XSS Reflected at SEARCH >> to OLX - 18 upvotes, $0
711. BUG XSS IN "ADD IMAGES" to Imgur - 18 upvotes, $0
712. Reflected XSS on https://apps.topcoder.com/wiki/page/ to Topcoder - 18 upvotes, $0
713. XSS Reflect to POST █████ to U.S. Dept Of Defense - 18 upvotes, $0
714. XSS (reflected, and then, cookie persisted) on api documentation site theme selector (old version of dokuwiki) to Mail.ru - 18 upvotes, $0
715. Self stored Xss + Login Csrf to U.S. Dept Of Defense - 18 upvotes, $0
716. reflected xss on the path m.tiktok.com to TikTok - 18 upvotes, $0
717. Stored XSS for Grafana dashboard URL to GitLab - 18 upvotes, $0
718. HTML injection that may lead to XSS on HackerOne.com through H1 Triage Wizard Chrome Extension to HackerOne - 18 upvotes, $0
719. Reflected XSS in ████████████ to U.S. Dept Of Defense - 18 upvotes, $0
720. XSS on partners.uber.com due to no user input sanitisation to Uber - 17 upvotes, $1000
721. [Web ICQ Client] XSS-inj in polls to Mail.ru - 17 upvotes, $1000
722. [IMP] - Blind XSS in the admin panel for reviewing comments to Rockstar Games - 17 upvotes, $650
723. Stored XSS in a VK group to VK.com - 17 upvotes, $500
724. Reflected XSS on molpay.com with cloudflare bypass to Razer - 17 upvotes, $375
725. OX (Guard): Stored Cross-Site Scripting via Email Attachment to Open-Xchange - 17 upvotes, $300
726. Reflected XSS on https://www.easytopup.in.th/store/product/return on parameter mref_id to Razer - 17 upvotes, $250
727. Stored XSS on the "Edit client" page, "History" tab [city-mobil.ru/taxiserv] to Mail.ru - 17 upvotes, $150
728. Stored XSS on chaturbate.com (wish list) to Chaturbate - 17 upvotes, $100
729. [user_oidc] Stored XSS via Authorization Endpoint - Safari-Only to Nextcloud - 17 upvotes, $100
730. Stored XSS Via Filename On https://partners.line.me/ to LY Corporation - 17 upvotes, $100
731. DOM based XSS in store.acronis.com/<id>/purl-corporate-standard-IT [cfg parameter] to Acronis - 17 upvotes, $50
732. Cross-site scripting on the main page of flickr by tagging a user. to Yahoo! - 17 upvotes, $0
733. Stored XSS to Instacart - 17 upvotes, $0
734. [nutty.ubnt.com] DOM Based XSS nuttyapp github-btn.html to Ubiquiti Inc. - 17 upvotes, $0
735. XSS on www.mapbox.com/authorize/ because of open redirect at /core/oauth/auth to Mapbox - 17 upvotes, $0
736. Store XSS on Informatica University via transcript (informatica.csod.com) to Informatica - 17 upvotes, $0
737. Reflected XSS in reddeadredemption Site located at www.rockstargames.com/reddeadredemption to Rockstar Games - 17 upvotes, $0
738. Persistent XSS found on bin.pinion.gg due to outdated FlowPlayer SWF file with Remote File Inclusion vulnerability. to Unikrn - 17 upvotes, $0
739. DOM-based XSS in store.starbucks.co.uk on IE 11 to Starbucks - 17 upvotes, $0
740. XSS when clicking "Share to Twitter" at quora.com/widgets/embed_iframe?path=... to Quora - 17 upvotes, $0
741. Reflected XSS vulnerability in Database name field on installation screen to Concrete CMS - 17 upvotes, $0
742. Cross Site Scripting -> Reflected XSS to OLX - 17 upvotes, $0
743. Reflected XSS to Informatica - 17 upvotes, $0
744. [wallet.rapida.ru] XSS Cookie flashcookie to QIWI - 17 upvotes, $0
745. Stored XSS in merge request pages to GitLab - 17 upvotes, $0
746. Reflected XSS / Markup Injection in index.php/svg/core/logo/logo parameter color to Nextcloud - 17 upvotes, $0
747. Self XSS combine CSRF at https://████████/index.php to U.S. Dept Of Defense - 17 upvotes, $0
748. Stored XSS firing at the "Add chart to note" popup to New Relic - 17 upvotes, $0
749. Stored XSS firing at transaction map (applicationName field) to New Relic - 17 upvotes, $0
750. Probably unexploitable XSS via Header Injection to WHO COVID-19 Mobile App - 17 upvotes, $0
751. Reflected XSS on dailydeals.mtn.co.za to MTN Group - 17 upvotes, $0
752. Self XSS in attachments name to Acronis - 17 upvotes, $0
753. [hta3] Chain of ESI Injection & Reflected XSS leading to Account Takeover on [███] to U.S. Dept Of Defense - 17 upvotes, $0
754. xss and html injection on ( https://labs.history.state.gov) to U.S. Department of State - 17 upvotes, $0
755. reflected XSS in [www.equifax.com] to Equifax-vdp - 17 upvotes, $0
756. XSS in products to VK.com - 16 upvotes, $1000
757. XSS in the email body. to Mail.ru - 16 upvotes, $1000
758. Blind Stored XSS to Mail.ru - 16 upvotes, $550
759. stored xss in invited team member via email parameter to Shopify - 16 upvotes, $500
760. Reflected XSS in https://eng.uberinternal.com and https://coeshift.corp.uber.internal/ to Uber - 16 upvotes, $500
761. DOM XSS vulnerability in search dialogue (NC-SA-2017-007) to Nextcloud - 16 upvotes, $250
762. Stored XSS on the "Edit driver" page [city-mobil.ru/taxiserv] to Mail.ru - 16 upvotes, $150
763. Reflected XSS at https://stories.showmax.com/wp-content/themes/theme-internal_ss/blocks/ajax/a.php via ss_country_filter param to Showmax - 16 upvotes, $150
764. XSS on https://www.delivery-club.ru to Mail.ru - 16 upvotes, $100
765. Reflected XSS when renaming a file with a vulnerable name which results in an error to Nextcloud - 16 upvotes, $100
766. Reflected Flash XSS using swfupload.swf with an epileptic reloading to bypass the button-event to Imgur - 16 upvotes, $0
767. Stored XSS at https://finance.owox.com/customer/accountList to OWOX, Inc. - 16 upvotes, $0
768. [controlsyou.quora.com] 429 Too Many Requests Error-Page XSS to Quora - 16 upvotes, $0
769. Stored XSS on Files overview by abusing git submodule URL to GitLab - 16 upvotes, $0
770. Reflected XSS at https://da.wordpress.org/themes/?s= via "s=" parameter to WordPress - 16 upvotes, $0
771. [app.simplenote.com] Stored XSS via Markdown SVG filter bypass to Automattic - 16 upvotes, $0
772. Stored XSS via Send crew invite to Rockstar Games - 16 upvotes, $0
773. Stored XSS in dev-ucrm-billing-demo.ubnt.com In Client Custom Attribute to Ubiquiti Inc. - 16 upvotes, $0
774. [airbnb.com] XSS via Cookie flash to Airbnb - 16 upvotes, $0
775. Stored XSS in www.learnboost.com via ZIP codes. to Automattic - 16 upvotes, $0
776. Authenticated reflected XSS on liberapay.com via the back_to parameter when leaving a team. to Liberapay - 16 upvotes, $0
777. Reflective XSS at olx.ph to OLX - 16 upvotes, $0
778. Reflected XSS to Ubiquiti Inc. - 16 upvotes, $0
779. Blind XSS in the rocket.chat registration email to Rocket.Chat - 16 upvotes, $0
780. DOM XSS on 50x.html page to DuckDuckGo - 16 upvotes, $0
781. XSS in e.mail.ru to Mail.ru - 16 upvotes, $0
782. [sms.qiwi.ru] XSS via Request-URI to QIWI - 16 upvotes, $0
783. Cross Site Scripting at https://app.oberlo.com/ to Shopify - 16 upvotes, $0
784. Dom based xss on https://www.rockstargames.com/ via returnUrl parameter to Rockstar Games - 16 upvotes, $0
785. Stored XSS at [ https://app.lemlist.com/campaigns/cam_QRS5caF2ca7MJtiLS/leads ] in " LINKEDIN URL" Field. to lemlist - 16 upvotes, $0
786. XSS in desktop client via invalid server address on login form to Nextcloud - 16 upvotes, $0
787. Multiple Cross-Site Scripting vulnerability via the language parameter to TikTok - 16 upvotes, $0
788. Reflected XSS on /www/delivery/afr.php (bypass of report #775693) to Revive Adserver - 16 upvotes, $0
789. Reflected XSS on https://█████████/ to U.S. Dept Of Defense - 16 upvotes, $0
790. Stored XSS on {https://calendar.mail.ru/} to Mail.ru - 16 upvotes, $0
791. Reflected XSS at https://www.glassdoor.com/Interview/Accenturme-Interview-Questions-E9931.htm via filter.jobTitleFTS parameter to Glassdoor - 16 upvotes, $0
792. New experimental query: Clipboard-based XSS to GitHub Security Lab - 16 upvotes, $0
793. Stored XSS in files.slack.com to Slack - 16 upvotes, $0
794. Stored xss on helpdesk using user's city to Lark Technologies - 16 upvotes, $0
795. DOM XSS through ads to Urban Dictionary - 16 upvotes, $0
796. DOM XSS on www.adobe.com to Adobe - 16 upvotes, $0
797. Reflected XSS on ██████.mil to U.S. Dept Of Defense - 16 upvotes, $0
798. ActionView sanitize helper bypass leading to XSS using SVG tag. to Ruby on Rails - 16 upvotes, $0
799. XSS exploit of RDoc documentation generated by rdoc (CVE-2013-0256) to Ruby - 16 upvotes, $0
800. Self XSS when pasting HTML into Text app with Ctrl+Shift+V to Nextcloud - 16 upvotes, $0
801. Stored XSS via "my recent queries" selector in NRQL dashboard builder to New Relic - 15 upvotes, $2500
802. Another Stored XSS in mail app using Drive app to Open-Xchange - 15 upvotes, $500
803. Reflected XSS at https://sea-web.gold.razer.com/cash-card/verify via channel parameter to Razer - 15 upvotes, $500
804. XSS - Search - Unescaped contact job to Open-Xchange - 15 upvotes, $450
805. Stored XSS on invoice, executing on any subdomain to Harvest - 15 upvotes, $350
806. xss in Theme http://bztfashion.booztx.com to Boozt Fashion AB - 15 upvotes, $250
807. Mobile Reflect XSS / CSRF at Advertisement Section on Search page to Pornhub - 15 upvotes, $200
808. Stored XSS on the "Edit client" page [city-mobil.ru/taxiserv] to Mail.ru - 15 upvotes, $150
809. XSS in instacart.com/store/partner_recipe to Instacart - 15 upvotes, $100
810. XSS Yahoo Messenger Via Calendar.Yahoo.Com to Yahoo! - 15 upvotes, $0
811. Content-type sniffing leads to stored XSS in CMS Airship on Internet Explorer to Paragon Initiative Enterprises - 15 upvotes, $0
812. XSS using javascript:alert(8007) to X (Formerly Twitter) - 15 upvotes, $0
813. XSS on postal codes to Shopify - 15 upvotes, $0
814. Dom Based Xss DIV.innerHTML parameters store.starbucks* to Starbucks - 15 upvotes, $0
815. Stored XSS to Mail.ru - 15 upvotes, $0
816. DOM XSS on teavana.com via "pr_zip_location" parameter to Starbucks - 15 upvotes, $0
817. Cross-site Scripting (XSS) on [maximum.nl] to Radancy - 15 upvotes, $0
818. Reflected XSS on teavana.com (Locale-Change) to Starbucks - 15 upvotes, $0
819. XSS on pornhubselect.com to Pornhub - 15 upvotes, $0
820. Stored self-XSS in mercantile.wordpress.org checkout to WordPress - 15 upvotes, $0
821. Big XSS vulnerability! to Legal Robot - 15 upvotes, $0
822. Double Stored Cross-Site scripting in the admin panel to GSA Bounty - 15 upvotes, $0
823. Authenticated Cross-site Scripting in Template Name to WordPress - 15 upvotes, $0
824. Stored CSS Injection to Coinbase - 15 upvotes, $0
825. POST XSS in https://www.khanacademy.org.tr/ via page_search_query parameter to Khan Academy - 15 upvotes, $0
826. Stored XSS on Issue details page to GitLab - 15 upvotes, $0
827. [ibank.qiwi.ru] XSS via Request-URI to QIWI - 15 upvotes, $0
828. Reflected XSS in the npm module express-cart. to Node.js third-party modules - 15 upvotes, $0
829. Cross site scripting vulnerability in JW Player SWF to Mail.ru - 15 upvotes, $0
830. DOM XSS via Shopify.API.remoteRedirect to Shopify - 15 upvotes, $0
831. XSS on the account.mail.ru/recovery page to Mail.ru - 15 upvotes, $0
832. Cross-site Scripting (XSS) - Stored in ru.mail.mailapp to Mail.ru - 15 upvotes, $0
833. Reflected XSS: Taxonomy Converter via tax parameter to WordPress - 15 upvotes, $0
834. Stored XSS in private messages, new location to ok.ru - 15 upvotes, $0
835. [█████] — DOM-based XSS on endpoint /?s= to U.S. Dept Of Defense - 15 upvotes, $0
836. Reflected xss on 8x8.vc to 8x8 Bounty - 15 upvotes, $0
837. Reflected XSS on www/delivery/afr.php to Revive Adserver - 15 upvotes, $0
838. Html Injection and Possible XSS in main nordvpn.com domain to Nord Security - 15 upvotes, $0
839. Dom based xss on /reddeadredemption2/br/videos to Rockstar Games - 15 upvotes, $0
840. Reflected XSS on http://info.ucs.ru/settings/check/ to Mail.ru - 15 upvotes, $0
841. Self XSS in Timeline to Shopify - 15 upvotes, $0
842. Cross Site Scripting (XSS) Stored - Private messaging to Concrete CMS - 15 upvotes, $0
843. Reflected XSS at /category/ on a Atavis theme to Automattic - 15 upvotes, $0
844. XSS in message attachment fileds. to Rocket.Chat - 15 upvotes, $0
845. Blind stored XSS due to insecure contact form at https://█████.mil leads to leakage of session token and to U.S. Dept Of Defense - 15 upvotes, $0
846. Reflected XSS at https://www.glassdoor.co.in/Interview/BlackRock-Interview-Questions-E9331.htm via filter.jobTitleExact parameter to Glassdoor - 15 upvotes, $0
847. XSS via X-Forwarded-Host header to U.S. Dept Of Defense - 15 upvotes, $0
848. Reflected XSS on play.mtn.co.za to MTN Group - 15 upvotes, $0
849. Reflected Xss in https://world.engelvoelkers.com/... to Engel & Völkers Technology GmbH - 15 upvotes, $0
850. Stored Cross Site Scripting at http://www.grouplogic.com/ADMIN/store/index.cfm?fa=disprocode to Acronis - 15 upvotes, $0
851. Cross-site scripting via hardcoded front-end watched expression. to Quantopian - 14 upvotes, $1225
852. Blind XSS in mapbox.com/contact to Mapbox - 14 upvotes, $750
853. Reflected Cross-Site Scripting due to vulnerable Flash component (Flashmediaelement.swf) to Open-Xchange - 14 upvotes, $500
854. XSS - Notes - Attribute injection through overlapping tags to Open-Xchange - 14 upvotes, $450
855. xss reflected in littleguy.vanillastaging.com to Vanilla - 14 upvotes, $300
856. XSS in the nickname on a contact request. to Mail.ru - 14 upvotes, $250
857. XSS when adding a user to a chat to Mail.ru - 14 upvotes, $250
858. XSS when changing the car on the "Control" page [city-mobil.ru/taxiserv] to Mail.ru - 14 upvotes, $150
859. [github.algolia.com] DOM Based XSS github-btn.html to Algolia - 14 upvotes, $100
860. Reflected XSS on https://www.delivery-club.ru/ to Mail.ru - 14 upvotes, $100
861. xss vulnerability in http://ubermovement.com/community/daniel to Uber - 14 upvotes, $0
862. Unauthenticated Stored xss to Nextcloud - 14 upvotes, $0
863. Unauthenticated Stored XSS on <any>.myshopify.com via checkout page to Shopify - 14 upvotes, $0
864. XSS vulnerability on Audio and Video parsers to Discourse - 14 upvotes, $0
865. XSS Vulnerability on Image link parser to Discourse - 14 upvotes, $0
866. XSS in topics because of bandcamp preview engine vulnerability to Discourse - 14 upvotes, $0
867. Reflected XSS to Algolia - 14 upvotes, $0
868. XSS @ *.letgo.com to OLX - 14 upvotes, $0
869. DOM-based XSS on youporn.com (main page) to Pornhub - 14 upvotes, $0
870. Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* / teavana.com) to Starbucks - 14 upvotes, $0
871. Stored XSS in the any user profile using website link to Pornhub - 14 upvotes, $0
872. XSS in a group invitation to VK.com - 14 upvotes, $0
873. Buddypress 2.9.1 - Exceeding the maximum upload size - XSS leading to potential RCE. to WordPress - 14 upvotes, $0
874. Reflected XSS on https://www.zomato.com to Zomato - 14 upvotes, $0
875. Stored XSS in partners dashboard to Shopify - 14 upvotes, $0
876. XSS in main search, use class tag to imitate Reverb.com core functionality, create false login window to Reverb.com - 14 upvotes, $0
877. [contact-sys.com] XSS via Request-URI to QIWI - 14 upvotes, $0
878. Reflected XSS on help.steampowered.com to Valve - 14 upvotes, $0
879. XSS on www.██████ alerts and a number of other pages to U.S. Dept Of Defense - 14 upvotes, $0
880. Stored XSS in Name of Team Member Invitation to Localize - 14 upvotes, $0
881. Reflected XSS on am.ru and subdomains to Mail.ru - 14 upvotes, $0
882. Reflected XSS via XML Namespace URI on https://go.mapbox.com/index.php/soap/ to Mapbox - 14 upvotes, $0
883. Reflected cross-site scripting vulnerability on a DoD website to U.S. Dept Of Defense - 14 upvotes, $0
884. Blind stored XSS due to insecure contact form at https://www.topcoder.com leads to leakage of session token and other PII to Topcoder - 14 upvotes, $0
885. XSS Challenge #2 Solution to BugPoC - 14 upvotes, $0
886. XSS In https://docs.gocd.org/current/ to GoCD - 14 upvotes, $0
887. self-xss with ClickJacking can leads to account takeover in Firefox to Imgur - 14 upvotes, $0
888. Reflected XSS on a Atavist theme at external_import.php to Automattic - 14 upvotes, $0
889. Download full backup and Cross site scripting to ImpressCMS - 14 upvotes, $0
890. Reflected XSS on https://deti.mail.ru to Mail.ru - 14 upvotes, $0
891. Reflected XSS at https://www.glassdoor.co.in/Job/pratt-whitney-jobs-SRCH_KE0,13.htm?initiatedFromCountryPicker=true&countryRedirect=true to Glassdoor - 14 upvotes, $0
892. Reflected XSS on gamesclub.mtn.com.g to MTN Group - 14 upvotes, $0
893. Reflected XSS at dailydeals.mtn.co.za to MTN Group - 14 upvotes, $0
894. xss reflected on imgur.com to Imgur - 14 upvotes, $0
895. cross site scripting in : mtn.bj to MTN Group - 14 upvotes, $0
896. XSS in Widget Review Form Preview in settings to Judge.me - 14 upvotes, $0
897. Cross-Site Request Forgery (CSRF) to xss to MTN Group - 14 upvotes, $0
898. reflected xss in www.████████.gov to U.S. Dept Of Defense - 14 upvotes, $0
899. Incorrect handling of certain characters passed to the redirection functionality in Rails can lead to a single-click XSS vulnerability. to Ruby on Rails - 14 upvotes, $0
900. XSS in the email body, in the new version of mail. to Mail.ru - 13 upvotes, $1000
901. [www.dropboxforum.com] - reflected XSS in search to Dropbox - 13 upvotes, $512
902. [m.vk.com] XSS on /artist/ pages to VK.com - 13 upvotes, $500
903. Reflected XSS in the shared note view on https://evernote.com to Evernote - 13 upvotes, $500
904. [chatws25.stream.highwebmedia.com] - Reflected XSS in c parameter to Chaturbate - 13 upvotes, $350
905. XSS on expenses attachments to Harvest - 13 upvotes, $250
906. XSS at af.attachmail.ru to Mail.ru - 13 upvotes, $150
907. Stored XSS in the driver profile [city-mobil.ru/taxiserv] to Mail.ru - 13 upvotes, $150
908. Stored XSS on the "Mail" page [city-mobil.ru/taxiserv] to Mail.ru - 13 upvotes, $150
909. XSS on the "Create driver" page [city-mobil.ru/taxiserv] to Mail.ru - 13 upvotes, $150
910. Zomato.com Reflected Cross Site Scripting to Zomato - 13 upvotes, $100
911. lootdog.io XSS to Mail.ru - 13 upvotes, $100
912. Store XSS Flicker main page to Yahoo! - 13 upvotes, $0
913. Stored XSS via AngularJS Injection to drchrono - 13 upvotes, $0
914. xss in link items (mopub.com) to X (Formerly Twitter) - 13 upvotes, $0
915. Persistent XSS on public wiki pages to GitLab - 13 upvotes, $0
916. Stored XSS in topics because of whitelisted_generic engine vulnerability to Discourse - 13 upvotes, $0
917. Mixed Reflected-Stored XSS on pornhub.com (without user interaction) in the playlist playing section to Pornhub - 13 upvotes, $0
918. Stored XSS in *.myshopify.com to Shopify - 13 upvotes, $0
919. XSS on www.mapbox.com/authorize to Mapbox - 13 upvotes, $0
920. Dom based xss affecting all pages from https://www.grab.com/. to Grab - 13 upvotes, $0
921. Unauthenticated Reflected XSS in admin dashboard to Deconf - 13 upvotes, $0
922. XSS at https://app.goodhire.com/member/GH.aspx to Inflection - 13 upvotes, $0
923. SocialClub's Facebook OAuth Theft through Warehouse XSS. to Rockstar Games - 13 upvotes, $0
924. XSS on redirection page( Bypassed) to Semrush - 13 upvotes, $0
925. [mercantile.wordpress.org] Reflected XSS to WordPress - 13 upvotes, $0
926. XSS in buying and selling pages, can created spoofed content (false login message) to Reverb.com - 13 upvotes, $0
927. 3rd party shop admin panel blind XSS to Mail.ru - 13 upvotes, $0
928. Stored Cross-site scripting to Vercel - 13 upvotes, $0
929. Stored XSS in Rich editor via Embed datetime to Vanilla - 13 upvotes, $0
930. [okmedia.insideok.ru] Web Cache Poisoing & XSS to ok.ru - 13 upvotes, $0
931. Unrestricted File Upload To Xss Stored [ https://ideas.browser.mail.ru/ ] to Mail.ru - 13 upvotes, $0
932. Content Injection on api.semrush.com to Reflected XSS to Semrush - 13 upvotes, $0
933. XSS due to incomplete JS escaping to Ruby on Rails - 13 upvotes, $0
934. [geekbrains.ru] Reflected XSS via Angular Template Injection to Mail.ru - 13 upvotes, $0
935. Stored XSS at APM applications listing to New Relic - 13 upvotes, $0
936. Stored XSS at APM key transactions list to New Relic - 13 upvotes, $0
937. Stored XSS in Post Preview as Contributor to WordPress - 13 upvotes, $0
938. Stored XSS at "Conditions " through "My Custom Rule" Field at [https://my.stripo.email/cabinet/#/template-editor/] in Template Editor. to Stripo Inc - 13 upvotes, $0
939. DOM Based XSS on https://████ via backURL param to U.S. Dept Of Defense - 13 upvotes, $0
940. XSS DUE TO CVE-2020-3580 to U.S. Dept Of Defense - 13 upvotes, $0
941. stored XSS on AliExpress Review Importer/Products when delete product to Judge.me - 13 upvotes, $0
942. xss on [developers.mtn.com] to MTN Group - 13 upvotes, $0
943. Stored XSS at https://█████ to U.S. Dept Of Defense - 13 upvotes, $0
944. Self XSS in https://linkpop.com/dashboard/admin to Shopify - 13 upvotes, $0
945. Stored XSS in intensedebate.com via the Comments RSS to Automattic - 13 upvotes, $0
946. Rails::Html::SafeListSanitizer vulnerable to xss attack in an environment that allows the style tag to Internet Bug Bounty - 12 upvotes, $2400
947. XSS in an email, in the sender field. to Mail.ru - 12 upvotes, $1000
948. Universal XSS through FIDO U2F register from subframe to Brave Software - 12 upvotes, $1000
949. XSS @ store.steampowered.com via agecheck path name to Valve - 12 upvotes, $750
950. Stored XSS at 'Buy Button' page to Shopify - 12 upvotes, $500
951. reflected XSS on healt.mail.ru to Mail.ru - 12 upvotes, $500
952. OX Guard: DOM Based Cross-Site Scripting (#2) to Open-Xchange - 12 upvotes, $500
953. Reflected XSS and Open Redirect in several parameters (viestinta.lahitapiola.fi) to LocalTapiola - 12 upvotes, $450
954. Post Based Reflected XSS on [https://investor.razer.com/s/ir_contact.php] to Razer - 12 upvotes, $375
955. Stored XSS in Restoring Archived Tasks to Harvest - 12 upvotes, $250
956. XSS in the live chat name to Mail.ru - 12 upvotes, $250
957. store xss in calendar via upload filename to Open-Xchange - 12 upvotes, $250
958. stored xss by uploading a malicious file + file upload bypass. to Mail.ru - 12 upvotes, $200
959. Eval-based XSS in Game JS API (mailru.core.js) via cross-origin postMessage() to Mail.ru - 12 upvotes, $200
960. [stage-go.wepay.com] XSS via Request URI to WePay - 12 upvotes, $100
961. Stored XSS using SVG to Paragon Initiative Enterprises - 12 upvotes, $0
962. [bbPress] Stored XSS in any forum post. to Automattic - 12 upvotes, $0
963. Unsanitized Location Name in POS Channel can lead to XSS in Orders Timeline to Shopify - 12 upvotes, $0
964. XSS in SHOPIFY: Unsanitized Supplier Name can lead to XSS in Transfers Timeline to Shopify - 12 upvotes, $0
965. Follow Button XSS to Automattic - 12 upvotes, $0
966. stored XSS in olx.pl - ogloszenie TITLE element - moderator acc can be hacked to OLX - 12 upvotes, $0
967. DOM Based XSS on an Army website to U.S. Dept Of Defense - 12 upvotes, $0
968. WordPress <= 4.6.1 Stored XSS Via Theme File to Nextcloud - 12 upvotes, $0
969. Stored XSS in posts because of absence of oembed variables values escaping to Discourse - 12 upvotes, $0
970. dom xss in https://www.slackatwork.com to Slack - 12 upvotes, $0
971. Reflected XSS on blockchain.info to Blockchain - 12 upvotes, $0
972. Stored Cross Site Scripting in Customer Name to Moneybird - 12 upvotes, $0
973. Blind Stored XSS against Pornhub employees using Amateur Model Program to Pornhub - 12 upvotes, $0
974. [XSS/pay.qiwi.com] Pay SubDomain Hard-Use XSS to QIWI - 12 upvotes, $0
975. Stored XSS in Headline TextControl element in Express forms [ concrete5 8.1.0 ] to Concrete CMS - 12 upvotes, $0
976. Stored XSS at Moneybird to Moneybird - 12 upvotes, $0
977. dom based xss in http://www.rockstargames.com/GTAOnline/ (Fix bypass) to Rockstar Games - 12 upvotes, $0
978. Lazy Load stored XSS to Automattic - 12 upvotes, $0
979. Unfiltered input allows for XSS in "Playtime Item Grants" fields to Valve - 12 upvotes, $0
980. Reflected XSS (myynti.lahitapiolarahoitus.fi) to LocalTapiola - 12 upvotes, $0
981. Triggering RCE using XSS to bypass CSRF in PowerBeam M5 300 to Ubiquiti Inc. - 12 upvotes, $0
982. Torrent extension: Cross-origin downloading + "URL spoofing" + CSP-blocked XSS to Brave Software - 12 upvotes, $0
983. DOM XSS on 50x.html page on proxy.duckduckgo.com to DuckDuckGo - 12 upvotes, $0
984. [rm.mail.ru] Request-Path XSS to Mail.ru - 12 upvotes, $0
985. XSS to Mail.ru - 12 upvotes, $0
986. Html Injection and Possible XSS via MathML to X (Formerly Twitter) - 12 upvotes, $0
987. Reflected XSS on www.olx.co.id via ad_type parameter to OLX - 12 upvotes, $0
988. stored xss in https://www.smule.com to Smule - 12 upvotes, $0
989. Unauthenticated reflected XSS in preview_as_user function to Concrete CMS - 12 upvotes, $0
990. [htmr] DOM-based XSS to Node.js third-party modules - 12 upvotes, $0
991. Stored xss on https://go.mail.ru/ to Mail.ru - 12 upvotes, $0
992. XSS in [community.my.games] to Mail.ru - 12 upvotes, $0
993. [my.games] Stored XSS via untrusted bucket to Mail.ru - 12 upvotes, $0
994. DOM BASED XSS ON https://www.rockstargames.com/GTAOnline/features to Rockstar Games - 12 upvotes, $0
995. Reflected XSS on https://www.starbucks.co.uk/shop/paymentmethod/ (bypass for 227486) to Starbucks - 12 upvotes, $0
996. Reflected DOM XSS on www.starbucks.co.uk to Starbucks - 12 upvotes, $0
997. Reflected XSS to Mail.ru - 12 upvotes, $0
998. XSS on https://fax.pbx.itsendless.org/ (CVE-2017-18024) to Endless Group - 12 upvotes, $0
999. [m-server] XSS reflected because path does not escapeHtml to Node.js third-party modules - 12 upvotes, $0
1000. reflected xss on learn.city-mobil.ru via redirect_url parameter to Mail.ru - 12 upvotes, $0
1001. [sub.wordpress.com] - XSS when adjust block Poll - Confirmation Message - On submission:Redirect to another webpage - Redirect address: [xss_payload] to Automattic - 12 upvotes, $0
1002. Stored XSS in markdown file with Nextcloud Talk using Internet Explorer to Nextcloud - 12 upvotes, $0
1003. Stored xss in larksuite internal helpdesk and other user's helpdesk. to Lark Technologies - 12 upvotes, $0
1004. DOM-based XSS in d.miwifi.com on IE 11 to Xiaomi - 12 upvotes, $0
1005. CSRF to Cross-site Scripting (XSS) to U.S. Dept Of Defense - 12 upvotes, $0
1006. Reflected XSS on /admin/stats.php to Revive Adserver - 12 upvotes, $0
1007. Reflected XSS through ClickJacking to U.S. Dept Of Defense - 12 upvotes, $0
1008. Reflected XSS at [████████] to U.S. Dept Of Defense - 12 upvotes, $0
1009. Bypassing SOP with XSS on account.my.games leading to steal CSRF token and user information to Mail.ru - 12 upvotes, $0
1010. Universal Cross-Site Scripting vulnerability to Proctorio - 12 upvotes, $0
1011. stand.pw.mail.ru xss to Mail.ru - 12 upvotes, $0
1012. Reflected XSS on ███ via jobid parameter to Sony - 12 upvotes, $0
1013. Reflected cross site scripting in https://███████ to U.S. Dept Of Defense - 12 upvotes, $0
1014. xss on reset password page to U.S. Dept Of Defense - 12 upvotes, $0
1015. DOM XSS at https://adobedocs.github.io/indesign-api-docs/?configUrl={site} due to outdated Swagger UI to Adobe - 12 upvotes, $0
1016. XSS on ( █████████.gov ) Via URL path to U.S. Dept Of Defense - 12 upvotes, $0
1017. Stored XSS via ' profile ' at https://www.miroyalcanin.cl/ to Mars - 12 upvotes, $0
1018. Stored-XSS in https://www.coinbase.com/ to Coinbase - 11 upvotes, $5000
1019. XSS in ubermovement.com via editable Google Sheets to Uber - 11 upvotes, $2000
1020. Stored cross-site scripting in dataset owner. to Quantopian - 11 upvotes, $1925
1021. Stored XSS on support.rockstargames.com to Rockstar Games - 11 upvotes, $1000
1022. XSS in the email body, in block styles. to Mail.ru - 11 upvotes, $1000
1023. Stored xss in calendar via call link to Mail.ru - 11 upvotes, $1000
1024. Reflective XSS on wholesale.shopify.com to Shopify - 11 upvotes, $500
1025. Xss in https://e.mail.ru/ to Mail.ru - 11 upvotes, $500
1026. [account.mail.ru] XSS on the password recovery page to Mail.ru - 11 upvotes, $500
1027. Stored Blind XSS to Mail.ru - 11 upvotes, $500
1028. Stored XSS in mail app to Open-Xchange - 11 upvotes, $500
1029. XSS in the call name to VK.com - 11 upvotes, $500
1030. XSS Vulnerability at https://www.pornhubpremium.com/premium_signup? URL endpoint to Pornhub - 11 upvotes, $250
1031. [theacademy.upserve.com] Reflected XSS Query-String to Upserve - 11 upvotes, $250
1032. Cross-site scripting on dashboard2.omise.co to Omise - 11 upvotes, $200
1033. XSS on https://www.delivery-club.ru/sd/test_330933/info/ to Mail.ru - 11 upvotes, $100
1034. DOM XSS on http://talks.lystit.com to Lyst - 11 upvotes, $100
1035. Self-XSS on Suggest Tag dialog box to XVIDEOS - 11 upvotes, $50
1036. Loadbalancer + URI XSS #3 to Yahoo! - 11 upvotes, $0
1037. Stored xss to Algolia - 11 upvotes, $0
1038. Stored XSS in unifi.ubnt.com to Ubiquiti Inc. - 11 upvotes, $0
1039. Reflected Xss on to Pushwoosh - 11 upvotes, $0
1040. [scores.ubnt.com] DOM based XSS at form.html to Ubiquiti Inc. - 11 upvotes, $0
1041. Reflected cross-site scripting vulnerability on a DoD website to U.S. Dept Of Defense - 11 upvotes, $0
1042. [Gnip Blogs] Reflected XSS via "plupload.flash.swf" component vulnerable to SOME to X (Formerly Twitter) - 11 upvotes, $0
1043. [app.mixmax.com] Stored XSS on Adding new enhancement. to Mixmax - 11 upvotes, $0
1044. Stored self-XSS pubg.mail.ru in several places to Mail.ru - 11 upvotes, $0
1045. XSS with needed user intervention to Zendesk - 11 upvotes, $0
1046. XSS via link loading. to Mail.ru - 11 upvotes, $0
1047. Stored XSS in the Custom Logo link (non-Basic plan required) to Infogram - 11 upvotes, $0
1048. Stored XSS on urbandictionary.com to Urban Dictionary - 11 upvotes, $0
1049. Post Based XSS On Upload Via CK Editor [semrush.com] to Semrush - 11 upvotes, $0
1050. Session ID is accessible via XSS to Inflection - 11 upvotes, $0
1051. [web.icq.com] Stored XSS in link when sending message to Mail.ru - 11 upvotes, $0
1052. Disclosure of user email address and Deanonymization [mail.ru] + Blind | Stored XSS pets.mail.ru to Mail.ru - 11 upvotes, $0
1053. Reflected XSS of bbe-child-starter Theme via "value"-GET-parameter to LocalTapiola - 11 upvotes, $0
1054. Stored XSS via Create Project (Add new translation project) to Weblate - 11 upvotes, $0
1055. xss in /users/[id]/set_tier endpoint to RATELIMITED - 11 upvotes, $0
1056. Reflected XSS on https://apps.topcoder.com/wiki/ to Topcoder - 11 upvotes, $0
1057. Warehouse dom based xss may lead to Social Club Account Taker Over. to Rockstar Games - 11 upvotes, $0
1058. Unrestricted File Upload Leads to XSS & Potential RCE to U.S. Dept Of Defense - 11 upvotes, $0
1059. stored xss via Campaign Name. to lemlist - 11 upvotes, $0
1060. Stored self XSS at auto.mail.ru using add_review functionality to Mail.ru - 11 upvotes, $0
1061. xss while uploading a file to Mail.ru - 11 upvotes, $0
1062. Cross-account stored XSS at notes (through "swf" note parameter) to New Relic - 11 upvotes, $0
1063. pre-auth Stored XSS in comments via javascript: url when administrator edits user supplied comment to WordPress - 11 upvotes, $0
1064. Stored-Xss at connect.topcoder.com/projects/ affected on project chat members to Topcoder - 11 upvotes, $0
1065. Session Hijack via Self-XSS to Rocket.Chat - 11 upvotes, $0
1066. XSS in the link handler to VK.com - 11 upvotes, $0
1067. Reflected XSS https://tracker.my.com to Mail.ru - 11 upvotes, $0
1068. Blind Stored XSS on ███████ leads to takeover admin account to U.S. Dept Of Defense - 11 upvotes, $0
1069. Cross site scripting to Informatica - 11 upvotes, $0
1070. Improper Sanitization leads to XSS Fire on admin panel to Informatica - 11 upvotes, $0
1071. Reflected Xss https://██████/ to U.S. Dept Of Defense - 11 upvotes, $0
1072. Blind XSS via Digital Ocean Partner account creation form. to DigitalOcean - 11 upvotes, $0
1073. XSS Reflected - ██████████ to U.S. Dept Of Defense - 11 upvotes, $0
1074. Reflected XSS due to vulnerable version of sockjs to Automattic - 11 upvotes, $0
1075. Able to bypass the fix on DOM XSS at [www.adobe.com] to Adobe - 11 upvotes, $0
1076. Self-XSS due to image URL can be eploited via XSSJacking techniques in review email to Judge.me - 11 upvotes, $0
1077. Reflected XSS on Admin Login Page to TD Bank - 11 upvotes, $0
1078. Reflected XSS vulnerability with full CSP bypass in Nextcloud installations using recommended bundle to Nextcloud - 11 upvotes, $0
079. XSS в письме, в теле письма. to Mail.ru - 10 upvotes, $2000
080. XSS by clicking Jira's link to GitLab - 10 upvotes, $1130
081. HTML Injection / Reflected Cross-Site Scripting with CSP on https://accounts.firefox.com/settings to Mozilla Critical Services - 10 upvotes, $1000
082. Xss в https://e.mail.ru/ to Mail.ru - 10 upvotes, $500
083. Reflected XSS in https://e.mail.ru/ to Mail.ru - 10 upvotes, $500
084. Хранимая XSS в функционале добавления аудио в WYSIWYG to VK.com - 10 upvotes, $500
085. Dropbox Paper - Markdown XSS to Dropbox - 10 upvotes, $343
086. Stored XSS in address on [corporate.city-mobil.ru] to Mail.ru - 10 upvotes, $300
087. Stored XSS in eaccounting.stage.vismaonline.com to Visma Public - 10 upvotes, $250
088. DOM-based XSS on https://zest.co.th/zestlinepay/ to Razer - 10 upvotes, $200
089. CSS leaks SCSS debug info to HackerOne - 10 upvotes, $0
090. XSS @ yaman.olx.ph to OLX - 10 upvotes, $0
091. Reflected XSS in scores.ubnt.com to Ubiquiti Inc. - 10 upvotes, $0
092. Multiple XSS in Camptix Event Ticketing Plugin to Ian Dunn - 10 upvotes, $0
093. XSS On meta tags in profile page to GitLab - 10 upvotes, $0
094. Cross-Site Scripting Stored On Rich Media to Pushwoosh - 10 upvotes, $0
095. [uk.informatica.com] XSS on uk.informatica..com to Informatica - 10 upvotes, $0
096. Reflected XSS in U2F plugin by shipping the example endpoints to Nextcloud - 10 upvotes, $0
097. Reflected XSS in login redirection module to Pornhub - 10 upvotes, $0
098. [kb.informatica.com] DOM based XSS in the bindBreadCrumb function to Informatica - 10 upvotes, $0
099. [alpha.informatica.com] Expensive DOMXSS to Informatica - 10 upvotes, $0
100. http://ht.pornhub.com/ stored XSS in widget stylesheet to Pornhub - 10 upvotes, $0
101. Reflected XSS in openapi.starbucks.com /searchasyoutype/v1/search?x-api-key= to Starbucks - 10 upvotes, $0
102. Stored XSS in buy topup OLX Gold Credits to OLX - 10 upvotes, $0
103. Stored XSS on player.vimeo.com to Vimeo - 10 upvotes, $0
104. XSS в названии сервера to VK.com - 10 upvotes, $0
105. Simple CSS line-height identifies platform to Tor - 10 upvotes, $0
106. [informatica.com]- Cross Site scripting to Informatica - 10 upvotes, $0
107. Stored XSS Using Media to Automattic - 10 upvotes, $0
108. Stored xss via template injection to WordPress - 10 upvotes, $0
109. reflected xss on cycloferon.health.mail.ru to Mail.ru - 10 upvotes, $0
110. Reflected XSS on cloud.mail.ru in the URL in the presentation creation and editing functionality. to Mail.ru - 10 upvotes, $0
111. XSS bypass Script execute,Read any file,execute any javascript code--UXSS to Mail.ru - 10 upvotes, $0
112. Reflected XSS on bbe_open_htmleditor_popup.php of BBE Theme via "value"-GET-parameter to LocalTapiola - 10 upvotes, $0
113. Stored XSS (API) to Mail.ru - 10 upvotes, $0
114. Persistent XSS - Selecting users as allowed merge request approvers to GitLab - 10 upvotes, $0
115. xss - reflected to WordPress - 10 upvotes, $0
116. Improper handling of Chunked data request in sapi_apache2.c leads to Reflected XSS to Internet Bug Bounty - 10 upvotes, $0
117. Reflected Cross Site Scripting (XSS) to Grammarly - 10 upvotes, $0
118. Stored XSS in OAuth redirect URI to Nextcloud - 10 upvotes, $0
119. Seven DOM-Based XSS Vulnerabilities | Execution in Login Sequence to Mail.ru - 10 upvotes, $0
120. [http-file-server] Stored XSS in the filename when directories listing to Node.js third-party modules - 10 upvotes, $0
121. Reflected XSS on m.olx.co.id via ad_type parameter to OLX - 10 upvotes, $0
122. Reflected XSS by changing url parameters on the user invite onboarding links. to Polymail, Inc. - 10 upvotes, $0
123. XSS (leads to arbitrary file read in Rocket.Chat-Desktop) to Rocket.Chat - 10 upvotes, $0
124. Reflected XSS with WAF Bypass https://pw.mail.ru to Mail.ru - 10 upvotes, $0
125. Self xss to Nextcloud - 10 upvotes, $0
126. Stored XSS in assets.txmblr.com to Automattic - 10 upvotes, $0
127. Stored XSS on https://apps.topcoder.com/wiki/pages/editpage.action to Topcoder - 10 upvotes, $0
128. Reflected XSS in Nanostation Loco M2 - AirOS ver=6.1.7 to Ubiquiti Inc. - 10 upvotes, $0
129. Cross-site Scripting (XSS) - Reflected to 8x8 - 10 upvotes, $0
130. The vulnerabilities found were XSS, Public disclosure, Network enumeration via CSRF, DLL hijacking. to Zomato - 10 upvotes, $0
131. XSS in image metadata field to Nextcloud - 10 upvotes, $0
132. [panel.city-mobil.ru/admin/] Blind XSS via partner name (similar to #746505) to Mail.ru - 10 upvotes, $0
133. Reflected XSS on https://████/ (Bypass of #1002977) to U.S. Dept Of Defense - 10 upvotes, $0
134. Reflected XSS www.█████ search form to U.S. Dept Of Defense - 10 upvotes, $0
135. Reflected XSS In https://███████ to U.S. Dept Of Defense - 10 upvotes, $0
136. Reflected XSS on https://██████ to U.S. Dept Of Defense - 10 upvotes, $0
137. Reflected XSS through clickjacking at https://████ to U.S. Dept Of Defense - 10 upvotes, $0
138. Cross site scripting to U.S. Dept Of Defense - 10 upvotes, $0
139. CSS injection via link tag whitelisted-domain bypass - https://www.glassdoor.com to Glassdoor - 10 upvotes, $0
140. Stored XSS on the "www.intensedebate.com/extras-widgets" url at "Recent comments by" module with malicious blog url to Automattic - 10 upvotes, $0
141. Account takeover leading to PII chained with stored XSS to U.S. General Services Administration - 10 upvotes, $0
142. Jolokia Reflected XSS to Mars - 10 upvotes, $0
143. [XSS] Reflected XSS via POST request to U.S. Dept Of Defense - 10 upvotes, $0
144. Stored XSS Via NRQL chartbuilder JSON view to New Relic - 9 upvotes, $2500
145. Stored xss in editor to Mapbox - 9 upvotes, $1000
146. XSS in the sender, BETA version of mail to Mail.ru - 9 upvotes, $500
147. Stored XSS in label selection on the order list page. to VK.com - 9 upvotes, $500
148. XSS on opening malicious OpenOffice presentation document to Open-Xchange - 9 upvotes, $400
149. Logs/SQL queries on http://mx36.ucs.ru/ and reflected XSS. to Mail.ru - 9 upvotes, $400
150. Reflected XSS in eform.molpay.com to Razer - 9 upvotes, $375
151. Stored XSS in Template Documents to Open-Xchange - 9 upvotes, $300
152. Reflected XSS in city-mobil.ru/ to Mail.ru - 9 upvotes, $300
153. Persistent XSS on ForecastApp to Harvest - 9 upvotes, $250
154. XSS via a specially crafted file. to Mail.ru - 9 upvotes, $250
155. XSS on e.mail.ru in the mobile application! to Mail.ru - 9 upvotes, $250
156. XSS https://health.mail.ru/my/ via the external account name to Mail.ru - 9 upvotes, $150
157. XSS via login cookie to Pornhub - 9 upvotes, $100
158. Reflected XSS on www.boozt.com to Boozt Fashion AB - 9 upvotes, $100
159. fix(cmd-socketio-server): mitigate cross site scripting attack #2068 to Hyperledger - 9 upvotes, $100
160. Reflected XSS by way of jQuery function to Pornhub - 9 upvotes, $50
161. Reflected XSS on sankarikoulutus (viestinta.lahitapiola.fi) to LocalTapiola - 9 upvotes, $50
162. Reflected XSS in cart at hardware.shopify.com to Shopify - 9 upvotes, $0
163. XSS onmouseover to Zomato - 9 upvotes, $0
164. [tanks.mail.ru] Internet Explorer XSS via Request-URI to Mail.ru - 9 upvotes, $0
165. [realty.mail.ru] XSS, SSI Injection to Mail.ru - 9 upvotes, $0
166. Reflected XSS on a DoD website to U.S. Dept Of Defense - 9 upvotes, $0
167. Stored XSS on the http://ht.pornhub.com/widgets/ to Pornhub - 9 upvotes, $0
168. [pokerist.mail.ru] XSS Request-URI to Mail.ru - 9 upvotes, $0
169. Reflected cross-site scripting (XSS) vulnerability in scores.ubnt.com allows attackers to inject arbitrary web script via p parameter. to Ubiquiti Inc. - 9 upvotes, $0
170. Stored XSS via Discussion Title and Send as Email attribute in [marketplace.informatica.com] to Informatica - 9 upvotes, $0
171. [platform.harvestapp.com] Reflected XSS in Error Message via URL parameters to Harvest - 9 upvotes, $0
172. XSS to Radancy - 9 upvotes, $0
173. Stored XSS in Adress Book (starbucks.com/account/profile) to Starbucks - 9 upvotes, $0
174. Reflected XSS on business-blog.zomato.com - Part I to Zomato - 9 upvotes, $0
175. Stored XSS in Pages SEO dialog Name field (concrete5 8.1.0) to Concrete CMS - 9 upvotes, $0
176. Stored XSS vulnerability in RSS Feeds Description field to Concrete CMS - 9 upvotes, $0
177. dom based xss in https://www.rockstargames.com/GTAOnline/ to Rockstar Games - 9 upvotes, $0
178. XSS on http://irc.parrotsec.org to Parrot Sec - 9 upvotes, $0
179. Stored XSS / Bypassing .htaccess protection in http://nodebb.ubnt.com/ to Ubiquiti Inc. - 9 upvotes, $0
180. Stored XSS in Draft Articles. to Zendesk - 9 upvotes, $0
181. XSS on infogram.com to Infogram - 9 upvotes, $0
182. [public-api.wordpress.com] Stored XSS via Crafted Developer App Description to Automattic - 9 upvotes, $0
183. dom based xss in *.zendesk.com/external/zenbox/ to Zendesk - 9 upvotes, $0
184. Stored XSS => community.ubnt.com to Ubiquiti Inc. - 9 upvotes, $0
185. MediaElements XSS to WordPress - 9 upvotes, $0
186. [Zomato's Blog] POST based XSS on https://www.zomato.com/blog/wp-admin/admin-ajax.php?td_theme_name=Newspaper&v=8.2 to Zomato - 9 upvotes, $0
187. [statics-server] XSS via injected iframe in file name when statics-server displays directory index in the browser to Node.js third-party modules - 9 upvotes, $0
188. XSS account.mail.ru in state JSON script to Mail.ru - 9 upvotes, $0
189. Persistent XSS via malicious license file to ExpressionEngine - 9 upvotes, $0
190. Stored xss in shop name @ lp.reverb.com to Reverb.com - 9 upvotes, $0
191. Blind XSS pets.mail.ru/admin/ to Mail.ru - 9 upvotes, $0
192. Cross Site Scripting to GoCD - 9 upvotes, $0
193. Stored XSS on Wordpress 5.3 via Title Post to WordPress - 9 upvotes, $0
194. CSS injection in avito.ru via IE11 to Avito - 9 upvotes, $0
195. [webpack-bundle-analyzer] Cross-site Scripting to Node.js third-party modules - 9 upvotes, $0
196. Stored XSS (Hexo-admin plugin) to Node.js third-party modules - 9 upvotes, $0
197. Reflected XSS on https://www.semrush.com/my_reports/externalSource/callback/googleAccountsGMB to Semrush - 9 upvotes, $0
198. xss in ub.icq.net to Mail.ru - 9 upvotes, $0
199. Xss (cross site scripting) on http://axa.dxi.eu/ to 8x8 - 9 upvotes, $0
200. CVE-2019-19935 - DOM based XSS in the froala editor to lemlist - 9 upvotes, $0
201. Reflected XSS on ███████ to U.S. Dept Of Defense - 9 upvotes, $0
202. Reflected-XSS on https://www.topcoder.com/tc via pt parameter to Topcoder - 9 upvotes, $0
203. DOM Based XSS at docs.8x8.com to 8x8 - 9 upvotes, $0
204. Stored XSS on add project to Moneybird - 9 upvotes, $0
205. XSS stored in the Shopify Email app to Shopify - 9 upvotes, $0
206. XSS on https://o2.mail.ru/jsapi/button via PostMessage to Mail.ru - 9 upvotes, $0
207. Reflected XSS on Lark Suite to Lark Technologies - 9 upvotes, $0
208. Reflected XSS at https://████████/███/... to U.S. Dept Of Defense - 9 upvotes, $0
209. ███ on https://████ enable ███ scraping, injection, stored XSS to U.S. Dept Of Defense - 9 upvotes, $0
210. Reflected XSS to U.S. Dept Of Defense - 9 upvotes, $0
211. Reflected XSS on cz.acronis.com/dekujeme-za-odber-novinek-produktu-disk-director with ability to creating an admin user in WordPress to Acronis - 9 upvotes, $0
212. CSRF Based XSS @ https://██████████ to U.S. Dept Of Defense - 9 upvotes, $0
213. Google storage bucket takeover which is used to load JS file in dashboard.html in "github.com/kubernetes/release" which can lead to XSS to Kubernetes - 9 upvotes, $0
214. In orginization stored xss using location (Larksuite survey app) to Lark Technologies - 9 upvotes, $0
215. Stored XSS in Question edit for product name (bypass #1416672) to Judge.me - 9 upvotes, $0
216. Reflected XSS on [█████████] to U.S. Dept Of Defense - 9 upvotes, $0
217. Site information's Display Name section vulnerable for XSS attacks and HTML Injections. to Automattic - 9 upvotes, $0
218. Arbitrary file download via "Save .torrent file" option can lead to Client RCE and XSS to Brave Software - 9 upvotes, $0
219. Reflected XSS on https://wwwapps.ups.com/ctc/request?loc= to UPS VDP - 9 upvotes, $0
220. Cross Site Scripting Vulnerability in fabric-sdk-py source code to Hyperledger - 9 upvotes, $0
221. Reflected XSS in chatbot to MTN Group - 9 upvotes, $0
222. Moodle XSS on s-immerscio.comprehend.ibm.com to IBM - 9 upvotes, $0
223. XSS via Vuln Rendertron Instance At ██████████.jetblue.com/render/* to JetBlue - 9 upvotes, $0
224. Reflected XSS via Unvalidated / Open Redirect in uber.com to Uber - 8 upvotes, $3000
225. shopifyapps.com XSS on sales channels via currency formatting to Shopify - 8 upvotes, $1000
226. pornhub.com/user/welcome/basicinfo nickname field is vulnerable on xss to Pornhub - 8 upvotes, $750
227. a stored xss issue in https://files.slack.com to Slack - 8 upvotes, $500
228. OX Guard: DOM Based Cross-Site Scripting to Open-Xchange - 8 upvotes, $500
229. [account.mail.ru] XSS on the account deletion page via backUrl to Mail.ru - 8 upvotes, $500
230. XSS - Calendar - Unescaped common name of appointment participant to Open-Xchange - 8 upvotes, $450
231. Improper Implementation of SDK Allows Universal XSS in Webview Leading to Account Takeover to EXNESS - 8 upvotes, $300
232. Stored Xss to Mail.ru - 8 upvotes, $200
233. Multiple Reflected XSS /webApp/lahti (viestinta.lahitapiola.fi) to LocalTapiola - 8 upvotes, $150
234. Stored XSS in wis.pr to Whisper - 8 upvotes, $100
235. Stored XSS Found to Slack - 8 upvotes, $0
236. Cross site scripting to Mail.ru - 8 upvotes, $0
237. Stored XSS On Statement to Gratipay - 8 upvotes, $0
238. Reflected XSS on Uber.com careers to Uber - 8 upvotes, $0
239. Stored XSS via Angular Expression injection on developer.zendesk.com to Zendesk - 8 upvotes, $0
240. Stored Cross site scripting to Zomato - 8 upvotes, $0
241. [odnoklassniki.ru] XSS via Host to Mail.ru - 8 upvotes, $0
242. Reflected XSS in www.olx.ph to OLX - 8 upvotes, $0
243. Self-XSS via location cookie city field when getting suggestions for a new location to Yelp - 8 upvotes, $0
244. [rubm.qiwi.com] Yui charts.swf XSS to QIWI - 8 upvotes, $0
245. Reflected Xss in AirMax [Nanostation Loco M2] to Ubiquiti Inc. - 8 upvotes, $0
246. Reflected XSS in a Navy website to U.S. Dept Of Defense - 8 upvotes, $0
247. Reflected XSS on an Army website to U.S. Dept Of Defense - 8 upvotes, $0
248. Reflected XSS on a Department of Defense website to U.S. Dept Of Defense - 8 upvotes, $0
249. Reflected XSS on a Department of Defense website to U.S. Dept Of Defense - 8 upvotes, $0
250. [marketplace.informatica.com] Persistent XSS through document title to Informatica - 8 upvotes, $0
251. Reflected XSS vector to GoCD - 8 upvotes, $0
252. [XSS/3dsecure.qiwi.com] 3DSecure XSS to QIWI - 8 upvotes, $0
253. a stored xss in web widget chat to Zendesk - 8 upvotes, $0
254. XSS on a DoD website to U.S. Dept Of Defense - 8 upvotes, $0
255. [parc.informatica.com] Reflected Cross Site Scripting and Open Redirect to Informatica - 8 upvotes, $0
256. XSS via SVG file to Ubiquiti Inc. - 8 upvotes, $0
257. Markdown based stored XSS (IE only) to GitLab - 8 upvotes, $0
258. XSS to Ubiquiti Inc. - 8 upvotes, $0
259. Reflected XSS on a DoD website to U.S. Dept Of Defense - 8 upvotes, $0
260. Flash XSS on homepage fliptilescroller to General Motors - 8 upvotes, $0
261. Xss on billing to QIWI - 8 upvotes, $0
262. Stored but [SELF] XSS in mercantile.wordpress.org to WordPress - 8 upvotes, $0
263. Cross-site scripting (XSS) vulnerability on a DoD website to U.S. Dept Of Defense - 8 upvotes, $0
264. Stored XSS in Private Messages 'Reply' allows to execute malicious JavaScript against any user while replying to the message which contains payload to Concrete CMS - 8 upvotes, $0
265. XSS on Nanostation Loco M2 Airmax to Ubiquiti Inc. - 8 upvotes, $0
266. Unauthenticated Cross-Site Scripting in Web Management Console to Ubiquiti Inc. - 8 upvotes, $0
267. Reflective XSS to WebSummit - 8 upvotes, $0
268. Self-XSS in WordPress Editor Link Modal to WordPress - 8 upvotes, $0
269. Stored Cross-Site scripting in the infographics using links to Infogram - 8 upvotes, $0
270. XSS when replying / forwarding to a malicious email on iOS to Mail.ru - 8 upvotes, $0
271. self-xss ads_easy_promote vk.com to VK.com - 8 upvotes, $0
272. XSS on account.mail.ru/login to Mail.ru - 8 upvotes, $0
273. DOM-based Cross-Site Scripting in redirect url checkout to RBKmoney - 8 upvotes, $0
274. [simplehttpserver] Stored XSS in file names leads to malicious JavaScript code execution when directory listing is output in HTML to Node.js third-party modules - 8 upvotes, $0
275. XSS through document projects to Khan Academy - 8 upvotes, $0
276. [bracket-template] Reflected XSS possible when variable passed via GET parameter is used in template to Node.js third-party modules - 8 upvotes, $0
277. Your page has 2 blocking CSS resources. This causes a delay in rendering your page. to Node.js - 8 upvotes, $0
278. XSS (Persistent) - Selecting role(s) for protected branches to GitLab - 8 upvotes, $0
279. XSS on support.wordcamp.org in ajax-quote.php to WordPress - 8 upvotes, $0
280. X-XSS-Protection header has not been set at app.passit.io to Passit - 8 upvotes, $0
281. Stored self-xss and its escalation to a victim account in e.mail.ru to Mail.ru - 8 upvotes, $0
282. XSS in delivery club to Mail.ru - 8 upvotes, $0
283. Stored XSS against all Chaturbate users using an application name to Chaturbate - 8 upvotes, $0
284. Cross site scripting (content-sniffing) to Khan Academy - 8 upvotes, $0
285. Reflected cross site scripting at https://auto.mail.ru/reviews/add_review/ via problems_text parameter. to Mail.ru - 8 upvotes, $0
286. XSS when uploading an image on [games.mail.ru] to Mail.ru - 8 upvotes, $0
287. Hidden Stored XSS in nested post embeds to Vanilla - 8 upvotes, $0
288. [███] SQL injection & Reflected XSS to U.S. Dept Of Defense - 8 upvotes, $0
289. The URL in "Choose a data source'' at "https://bi.owox.com/ui/settings/connected-services/setup/" is not filtered => reflected XSS. to OWOX, Inc. - 8 upvotes, $0
290. [atlasboard-atlassian-package] Cross-site Scripting (XSS) to Node.js third-party modules - 8 upvotes, $0
291. XSS via HTTP request version in account.my.games to Mail.ru - 8 upvotes, $0
292. xss on bittorrent.com to BTFS - 8 upvotes, $0
293. Post based XSS (Cross site scripting) on https://apimgr.8x8.com to 8x8 - 8 upvotes, $0
294. Stored XSS at Synthetics private locations (planted through location label or description) to New Relic - 8 upvotes, $0
295. Stored XSS via Comment Form at ████████ to U.S. Dept Of Defense - 8 upvotes, $0
296. DOM XSS on https://www.███████ to U.S. Dept Of Defense - 8 upvotes, $0
297. XSS on kubernetes-csi.github.io (mdBook) to Kubernetes - 8 upvotes, $0
298. Reflected XSS on /admin/stats.php to Revive Adserver - 8 upvotes, $0
299. Dom XSS Rootkit on [https://www.glassdoor.com/] to Glassdoor - 8 upvotes, $0
300. Reflected XSS at www.███████ at /██████████ via the ████████ parameter to U.S. Dept Of Defense - 8 upvotes, $0
301. Stored unauth XSS in calendar event via CSRF to Concrete CMS - 8 upvotes, $0
302. Blind XSS to Rocket.Chat - 8 upvotes, $0
303. Cross-site Scripting (XSS) - Reflected at https://██████████/ to U.S. Dept Of Defense - 8 upvotes, $0
304. Rails::Html::SafeListSanitizer vulnerable to xss attack in an environment that allows the style tag to Ruby on Rails - 8 upvotes, $0
305. Reflected xss on videostore.mtnonline.com to MTN Group - 8 upvotes, $0
306. SSRF & XSS (W3 Total Cache) to Pornhub - 7 upvotes, $1000
307. touch.mail.ru/messages - Stored XSS to Mail.ru - 7 upvotes, $750
308. VERY DANGEROUS XSS STORED inside emails to Mail.ru - 7 upvotes, $600
309. "a stored xss issue in share post menu" to Slack - 7 upvotes, $500
310. Stored XSS in Email attachment file name to Open-Xchange - 7 upvotes, $500
311. XSS - Guard - Insufficient escaping of User-IDs from PGP Keys to Open-Xchange - 7 upvotes, $500
312. Stored XSS on recruit.innogames.de to InnoGames - 7 upvotes, $500
313. XSS on opening malicious OpenOffice presentation document to Open-Xchange - 7 upvotes, $400
314. PornIQ Reflected Cross-Site Scripting to Pornhub - 7 upvotes, $250
315. [connect.mail.ru] Memory Disclosure / IE XSS to Mail.ru - 7 upvotes, $250
316. Stored XSS and html injection in biz.mail.ru to Mail.ru - 7 upvotes, $250
317. DOM based XSS via postMessage at store.my.games to Mail.ru - 7 upvotes, $200
318. XSS PoC for the wacky.buggywebsite.com challenge to BugPoC - 7 upvotes, $100
319. XSS in Draft Orders in Timeline i SHOPIFY Admin Site! to Shopify - 7 upvotes, $0
320. Adobe XSS to Adobe - 7 upvotes, $0
321. Reflected XSS in Gallery App to Nextcloud - 7 upvotes, $0
322. XSS and open redirect in verkkopalvelu.lahitapiola.fi to LocalTapiola - 7 upvotes, $0
323. Reflected XSS on a Navy website to U.S. Dept Of Defense - 7 upvotes, $0
324. Application XSS filter function Bypass may allow Multiple stored XSS to Vimeo - 7 upvotes, $0
325. XSS on Meta Tag at https://m.olx.ph to OLX - 7 upvotes, $0
326. [RDoc] XSS in project README files to GitLab - 7 upvotes, $0
327. [reStructuredText] XSS in project README files to GitLab - 7 upvotes, $0
328. CSRF bypass + XSS on verkkopalvelu.tapiola.fi to LocalTapiola - 7 upvotes, $0
329. Reflected XSS vulnerability on a DoD website to U.S. Dept Of Defense - 7 upvotes, $0
330. Stored XSS thru SVG upload to Moneybird - 7 upvotes, $0
331. Stored xss in agent.qiwi.com to QIWI - 7 upvotes, $0
332. Stored passive XSS at scheduled posts (kitcrm.com) to Shopify - 7 upvotes, $0
333. [kb.informatica.com] Stored XSS to Informatica - 7 upvotes, $0
334. XSS on IOS app via HTML rendering to Nextcloud - 7 upvotes, $0
335. Stored XSS in Express Objects - Concrete5 v8.1.0 to Concrete CMS - 7 upvotes, $0
336. xss on several mail.ru game forums (Cross-Site Scripting) to Mail.ru - 7 upvotes, $0
337. [compose.mixmax.com] Stored XSS on compose.mixmax.com in contact names. to Mixmax - 7 upvotes, $0
338. Stored XSS in Templates>Enahance>Social Badges to Mixmax - 7 upvotes, $0
339. Stored XSS on Admin Access Page - Email field to Revive Adserver - 7 upvotes, $0
340. Stored XSS in Name field in User Groups/Group Details form to Concrete CMS - 7 upvotes, $0
341. XSS on vimeo.com | "Search within these results" feature (requires user interaction) to Vimeo - 7 upvotes, $0
342. XSS when using captions/subtitles on video player based on Flash (requires user interaction) to Vimeo - 7 upvotes, $0
343. xss flash on http://presentatie.werkenbijmcdonalds.nl/ to Radancy - 7 upvotes, $0
344. Stored XSS vulnerability in additional URLs in 'Location' dialog [Sitemap] to Concrete CMS - 7 upvotes, $0
345. Stored XSS in content when Graph is created via API to Infogram - 7 upvotes, $0
346. Stored XSS using SVG on subdomain infra.mail.ru to Mail.ru - 7 upvotes, $0
347. Stored Cross-Site scripting in the infographics using Data Objects links to Infogram - 7 upvotes, $0
348. X-XSS-Protection -> Misconfiguration to U.S. Dept Of Defense - 7 upvotes, $0
349. XSS working across the whole site wherever there are mentions to VK.com - 7 upvotes, $0
350. XSS in api_v1 to FormAssembly - 7 upvotes, $0
351. Reflected Cross-site Scripting Vulnerability via JSON Error Message to Inflection - 7 upvotes, $0
352. [metascraper] Stored XSS in Open Graph meta properties read by metascrapper to Node.js third-party modules - 7 upvotes, $0
353. Flash-based XSS on mediaelement-flash-audio-ogg.swf of www.lahitapiolarahoitus.fi to LocalTapiola - 7 upvotes, $0
354. XSS on e.mail.ru via postMessage to Mail.ru - 7 upvotes, $0
355. XSS at https://icq.com/people to Mail.ru - 7 upvotes, $0
356. XSS in OLX.pl ("title" in new advertisement) to OLX - 7 upvotes, $0
357. Stored XSS in Node-Red to Node.js third-party modules - 7 upvotes, $0
358. XSS e.mail.ru fixSpecialSymbols to Mail.ru - 7 upvotes, $0
359. XSS via Cookie in e.mail.ru to Mail.ru - 7 upvotes, $0
360. Stored XSS on Add Event in Calendar to Concrete CMS - 7 upvotes, $0
361. Stored XSS on Add Calendar to Concrete CMS - 7 upvotes, $0
362. Stored 'undefined' Cross-site Scripting to Khan Academy - 7 upvotes, $0
363. Reflected XSS on ssl-ccstatic.highwebmedia.com via player.swf to Chaturbate - 7 upvotes, $0
364. Persistent XSS - Deleting a project (No Longer Vulnerable in 10.7) to GitLab - 7 upvotes, $0
365. Stored XSS in donations on dobro.mail.ru to Mail.ru - 7 upvotes, $0
366. Browser Self XSS Protection not implemented to Weblate - 7 upvotes, $0
367. Reflected xss in Serendipity's /index.php to Hanno's projects - 7 upvotes, $0
368. Reflected XSS in delivery-club.ru to Mail.ru - 7 upvotes, $0
369. Stored XSS in profile page to Vercel - 7 upvotes, $0
370. XSS Reflect to TomTom - 7 upvotes, $0
371. Stored XSS @ /engage/<project_slug> to Weblate - 7 upvotes, $0
372. Corda Server XSS ████████ to U.S. Dept Of Defense - 7 upvotes, $0
373. [https://fleet.city-mobil.ru] Stored XSS into driver mailing to Mail.ru - 7 upvotes, $0
374. Stored XSS in the file search filter to Concrete CMS - 7 upvotes, $0
375. DOM based Cross-site Scripting to BugPoC - 7 upvotes, $0
376. Stored XSS at Mobile (Versions tab) to New Relic - 7 upvotes, $0
377. Passive stored XSS at Synthetics job result page (View resource) to New Relic - 7 upvotes, $0
378. REFLECTED XSS On http://jsgames.mail.ru/bad_browser.php via back_url paramter to Mail.ru - 7 upvotes, $0
379. Cross Site Scripting (XSS) – Reflected to U.S. Dept Of Defense - 7 upvotes, $0
380. the same as #948259 - XSS at jsgames.mail.ru to Mail.ru - 7 upvotes, $0
381. Reflected XSS on https://█████████html?url to U.S. Dept Of Defense - 7 upvotes, $0
382. capsula.mail.ru - reflected xss to Mail.ru - 7 upvotes, $0
383. Reflected XSS on /admin/campaign-zone-zones.php to Revive Adserver - 7 upvotes, $0
384. Reflected XSS on ███████ to U.S. Dept Of Defense - 7 upvotes, $0
385. [Swiftype] - Stored XSS via document field url triggers on https://app.swiftype.com/engines/<engine>/document_types/<type>/documents/<id> to Elastic - 7 upvotes, $0
386. XSS on ███ to U.S. Dept Of Defense - 7 upvotes, $0
387. XSS on ub.icq.net to Mail.ru - 7 upvotes, $0
388. XW 6.2.0 firmware: 5 Reflected XSS issues in link.cgi to Ubiquiti Inc. - 7 upvotes, $0
389. XSS to Reddit - 7 upvotes, $0
390. Dom Xss vulnerability to Recorded Future - 7 upvotes, $0
391. Open Akamai ARL XSS at ████████ to U.S. Dept Of Defense - 7 upvotes, $0
392. Open Akamai ARL XSS at ████████ to U.S. Dept Of Defense - 7 upvotes, $0
393. XSS in redditmedia.com can compromise data of reddit.com to Reddit - 7 upvotes, $0
394. Rails::Html::SafeListSanitizer vulnerable to XSS when certain tags are allowed (math+style || svg+style) to Ruby on Rails - 7 upvotes, $0
395. stored cross site scripting in https://███ to U.S. Dept Of Defense - 7 upvotes, $0
396. Reflected XSS at ████████ to U.S. Dept Of Defense - 7 upvotes, $0
397. Reflected XSS in ██████ to U.S. Dept Of Defense - 7 upvotes, $0
398. DOM-XSS to U.S. Dept Of Defense - 7 upvotes, $0
399. Stored XSS in drive.uber.com WordPress admin panel to Uber - 6 upvotes, $2000
400. Stored-XSS with user interaction on [sandbox.open-xchange.com] via inserted link in mail to Open-Xchange - 6 upvotes, $500
401. Persistent XSS: Editor link to Phabricator - 6 upvotes, $300
402. Reflected XSS in Meta Tag to Pornhub - 6 upvotes, $250
403. Reflected XSS Vulnerability in https://www.lahitapiola.fi/cs/Satellite to LocalTapiola - 6 upvotes, $250
404. XSS in the portal navigation to Mail.ru - 6 upvotes, $150
405. XSS to Boozt Fashion AB - 6 upvotes, $120
406. Stored XSS in name selection to Algolia - 6 upvotes, $100
407. Reflected XSS in LTContactFormReceiver (/cs/Satellite) to LocalTapiola - 6 upvotes, $50
408. XSS at http://smarthistory.khanacademy.org to Khan Academy - 6 upvotes, $0
409. XSS & HTML injection to Localize - 6 upvotes, $0
410. XSS in invite approval to Localize - 6 upvotes, $0
411. XSS in main page to Localize - 6 upvotes, $0
412. XSS in private message to Concrete CMS - 6 upvotes, $0
413. Stored XSS in www.slack-files.com to Slack - 6 upvotes, $0
414. Here is another XSS i got for you to MoneyStream - 6 upvotes, $0
415. Cross site scripting on ads.twitter.com to X (Formerly Twitter) - 6 upvotes, $0
416. XSS by image file name to FanFootage - 6 upvotes, $0
417. Persistent XSS on public project page to GitLab - 6 upvotes, $0
418. Stored XSS in Financial Account executing in Bank tab to Moneybird - 6 upvotes, $0
419. Stored Cross Site Scripting [SELF] in partners.uber.com to Uber - 6 upvotes, $0
420. Stored XSS in comments to Paragon Initiative Enterprises - 6 upvotes, $0
421. xss in group to ok.ru - 6 upvotes, $0
422. XSS @ *.olx.com.ar to OLX - 6 upvotes, $0
423. XSS yaman.olx.ph to OLX - 6 upvotes, $0
424. Additonal stored XSS in Add note/Expected payment Date to Xero - 6 upvotes, $0
425. XSS in the "Poll" Feature on Twitter.com to X (Formerly Twitter) - 6 upvotes, $0
426. newsroom.uber.com is vulnerable to 'SOME' XSS attack via plupload.flash.swf to Uber - 6 upvotes, $0
427. Stored XSS triggered by json key during UI generation to Algolia - 6 upvotes, $0
428. XSS on Home page olx.com.ar via auto save search text to OLX - 6 upvotes, $0
429. Reflective XSS at m.olx.ph to OLX - 6 upvotes, $0
430. [now.informatica.com] Reflective Xss to Informatica - 6 upvotes, $0
431. Stored XSS in Filters to Pushwoosh - 6 upvotes, $0
432. Public profile is vulnerable to stored XSS / Facebook Token can be stolen to DigitalSellz - 6 upvotes, $0
433. Reflected XSS in [olx.qa] to OLX - 6 upvotes, $0
434. Cross-site scripting (XSS) vulnerability on a DoD website to U.S. Dept Of Defense - 6 upvotes, $0
435. Reflected XSS on frag.mail.ru to Mail.ru - 6 upvotes, $0
436. [network.informatica.com] The login form XSS via the referer value to Informatica - 6 upvotes, $0
437. Reflected XSS in a DoD Website to U.S. Dept Of Defense - 6 upvotes, $0
438. Reflected XSS in Zomato Mobile - category parameter to Zomato - 6 upvotes, $0
439. Reflected XSS on Zones > Invocation Code to Revive Adserver - 6 upvotes, $0
440. XSS on mobile version of vimeo.com where the button "Follow" appears to Vimeo - 6 upvotes, $0
441. XSS in comments on behalf of a community to VK.com - 6 upvotes, $0
442. XSS during presentation to Zaption - 6 upvotes, $0
443. XSS when Shared to Infogram - 6 upvotes, $0
444. Multiple xss on infogram templates to Infogram - 6 upvotes, $0
445. Stored XSS On Wordpress Infogram plugin to Infogram - 6 upvotes, $0
446. Persistent Cross-Site Scripting in WooCommerce WordPress plugin to Automattic - 6 upvotes, $0
447. Persistent XSS in share button to Infogram - 6 upvotes, $0
448. [marketplace.informatica.com]-Reflected XSS to Informatica - 6 upvotes, $0
449. Stored XSS on the "Authorization widget" page to VK.com - 6 upvotes, $0
450. [uppy] Stored XSS due to crafted SVG file to Node.js third-party modules - 6 upvotes, $0
451. XSS vulnerability to Mail.ru - 6 upvotes, $0
452. Stored Cross Site Scripting to Y Combinator - 6 upvotes, $0
453. XSS touch.mail.ru compose Body to Mail.ru - 6 upvotes, $0
454. XSS (Working with emails) to Mail.ru - 6 upvotes, $0
455. [tianma-static] Stored xss on filename to Node.js third-party modules - 6 upvotes, $0
456. [hs.mail.ru] XSS play_now.php to Mail.ru - 6 upvotes, $0
457. [hs.mail.ru] CRLF Injection / XSS to Mail.ru - 6 upvotes, $0
458. [new.wf.mail.ru] XSS Request-URI to Mail.ru - 6 upvotes, $0
459. [evo2.my.com] Internet Explorer XSS to Mail.ru - 6 upvotes, $0
460. [█████] Reflected GET XSS (/personnel.php?...&rcnum=*) with mouse action to U.S. Dept Of Defense - 6 upvotes, $0
461. Reflected XSS on card.starbucks.com.sg/unsub.php via the 'ct' Parameter to Starbucks - 6 upvotes, $0
462. Double linking cause XSS (but blokeced by CSP in gitlab.com) to GitLab - 6 upvotes, $0
463. XSS on the site https://warofdragons.my.games/. to Mail.ru - 6 upvotes, $0
464. [reveal.js] XSS by calling arbitrary method via postMessage to Node.js third-party modules - 6 upvotes, $0
465. xss to Stellar.org - 6 upvotes, $0
466. XSS on remote.bittorrent.com to BTFS - 6 upvotes, $0
467. Stored XSS on go.mail.ru to Mail.ru - 6 upvotes, $0
468. DOM based XSS on /GTAOnline/de/news/article via "returnUrl" parameter to Rockstar Games - 6 upvotes, $0
469. Stored XSS at ██████userprofile.aspx to U.S. Dept Of Defense - 6 upvotes, $0
470. Korea - Reflected XSS on https://www.istarbucks.co.kr/app/getGiftStock.do via "skuNo" and "skuImgUrl" parameters to Starbucks - 6 upvotes, $0
471. [notevil] - Sandbox Escape Lead to RCE on Node.js and XSS in the Browser to Node.js third-party modules - 6 upvotes, $0
472. [self?] XSS in the user's address [sbermarket.ru] to Mail.ru - 6 upvotes, $0
473. [delivery.city-mobil.ru] Stored XSS into support request comment to Mail.ru - 6 upvotes, $0
474. Stored XSS at Template Editor in "Section Name" Field of Block element 'Accordion'. to Stripo Inc - 6 upvotes, $0
475. [BugPOC and Amazon XSS CTF writeup] A CSP Bypass Story to BugPoC - 6 upvotes, $0
476. [aw.mail.ru] XSS on /quiztank page to Mail.ru - 6 upvotes, $0
477. Stored XSS at https://www.█████████.mil to U.S. Dept Of Defense - 6 upvotes, $0
478. Stored XSS via 64(?) vulnerable fields in ███ leads to credential theft/account takeover to U.S. Dept Of Defense - 6 upvotes, $0
479. [MY.GAMES] XSS in the messenger to Mail.ru - 6 upvotes, $0
480. Second Order XSS via █████ to U.S. Dept Of Defense - 6 upvotes, $0
481. Reflected XSS on █████████ to U.S. Dept Of Defense - 6 upvotes, $0
482. DOM XSS in learning.ozon.ru to Ozon - 6 upvotes, $0
483. XSS reflected to Engel & Völkers Technology GmbH - 6 upvotes, $0
484. [www.███] Reflected Cross-Site Scripting to U.S. Dept Of Defense - 6 upvotes, $0
485. Stored-XSS in merge requests to GitLab - 6 upvotes, $0
486. ███████ - XSS - CVE-2020-3580 to U.S. Dept Of Defense - 6 upvotes, $0
487. Open Redirect and CRLF Injection Leads to XSS on [app.doma.uchi.ru] to Mail.ru - 6 upvotes, $0
488. Reflected XSS at https://█████ via "██████████" parameter to U.S. Dept Of Defense - 6 upvotes, $0
489. Stored XSS in Question edit from product name to Judge.me - 6 upvotes, $0
490. XSS on https://████/ via ███████ parameter to U.S. Dept Of Defense - 6 upvotes, $0
491. XSS at http://nextapps.mtnonline.com/search/suggest/q/{xss payload} to MTN Group - 6 upvotes, $0
492. Reflected XSS via ████████ parameter to U.S. Dept Of Defense - 6 upvotes, $0
493. Cross-site scripting (DOM-based) to OneWeb - 6 upvotes, $0
494. [doc.rt.informaticacloud.com] Reflected XSS via Stack Strace to Informatica - 6 upvotes, $0
495. XSS DUE TO CVE-2022-38463 in https://████████ to U.S. Dept Of Defense - 6 upvotes, $0
496. XSS in Acronis Cloud Manager Admin Portal to Acronis - 6 upvotes, $0
497. stored cross site scripting in https://██████████ to U.S. Dept Of Defense - 6 upvotes, $0
498. Stored XSS in archive.uber.com Due to Injection of Javascript:alert(0) to Uber - 5 upvotes, $3000
499. Reflected XSS via Livefyre Media Wall in newsroom.uber.com to Uber - 5 upvotes, $2000
500. [h1-2102] Stored XSS in product description via productUpdate GraphQL query leads to XSS at handshake-web-internal.shopifycloud.com/products/[ID] to Shopify - 5 upvotes, $1600
501. Persistent cross-site scripting (XSS) in map attribution to Mapbox - 5 upvotes, $1000
502. XSS on internal: privileged origin through reader mode to Brave Software - 5 upvotes, $500
503. Reflected cross-site scripting (XSS) vulnerability in pornhub.com allows attackers to inject arbitrary web script or HTML. to Pornhub - 5 upvotes, $200
504. Store Cross-Site Scripting - www.razer.ru to Razer - 5 upvotes, $200
505. XSS on the "Driver Payments" page [city-mobil.ru/taxiserv] to Mail.ru - 5 upvotes, $150
506. Stored XSS at Udemy to Udemy - 5 upvotes, $50
507. Cross Site Scripting – Album Page to Pornhub - 5 upvotes, $50
508. Stored XSS from ticket messages in admin table in SupportFlow to Ian Dunn - 5 upvotes, $50
509. Stored XSS in SupportFlow Ticket Subject to Ian Dunn - 5 upvotes, $50
510. XSS in Groups to Localize - 5 upvotes, $0
511. Stored XSS in Slackbot Direct Messages to Slack - 5 upvotes, $0
512. XSS 1 to StopTheHacker - 5 upvotes, $0
513. reflected XSS, http://extprodweb11.cc.gq1.yahoo.com/, 4/8/14, #SpringClean to Yahoo! - 5 upvotes, $0
514. XSS on [/concrete/concrete/elements/dashboard/sitemap.php] to Concrete CMS - 5 upvotes, $0
515. Stored XSS on this link https://sehacure.slack.com/help/requests/ to Slack - 5 upvotes, $0
516. Reflected XSS connect.mail.ru (IE6-IE8) to Mail.ru - 5 upvotes, $0
517. XSS on any site that includes the moogaloop flash player | deprecated embed code to Vimeo - 5 upvotes, $0
518. Tweet Deck XSS- Persistent- Group DM name to X (Formerly Twitter) - 5 upvotes, $0
519. Potential XSS on sanitize/Rails::Html::WhiteListSanitizer to Ruby on Rails - 5 upvotes, $0
520. XSS via React element spoofing to Imgur - 5 upvotes, $0
521. XSS on hardware.shopify.com to Shopify - 5 upvotes, $0
522. XSS via Fabrico Account Name to X (Formerly Twitter) - 5 upvotes, $0
523. Several XSS affecting Zomato.com and developers.zomato.com to Zomato - 5 upvotes, $0
524. Cross Site Scripting In Profile Statement to Gratipay - 5 upvotes, $0
525. refelected Xss on https://gmid.gm.com/gmid/jsp/GMIDInitialLogin.jsp to General Motors - 5 upvotes, $0
526. XSS in https://www.coursera.org/courses/ to Coursera - 5 upvotes, $0
527. DOM XSS in /activation.php?act=activate_mobile to VK.com - 5 upvotes, $0
528. Xss in m.ok.ru to ok.ru - 5 upvotes, $0
529. [mrgs.mail.ru] Internet Explorer XSS via Request-URI to Mail.ru - 5 upvotes, $0
530. Stored XSS on contact name to OLX - 5 upvotes, $0
531. Reflected XSS at m.olx.ph to OLX - 5 upvotes, $0
532. [now.informatica.com] Reflective XSS to Informatica - 5 upvotes, $0
533. XSS vulnerability on an Army website to U.S. Dept Of Defense - 5 upvotes, $0
534. Wordpress flashmediaelement.swf XSS on stopthehacker.com to StopTheHacker - 5 upvotes, $0
535. Stored XSS in albums on http://m.imgur.com/ to Imgur - 5 upvotes, $0
536. [Textile] XSS in project README files to GitLab - 5 upvotes, $0
537. Reflected XSS on Signup Page to New Relic - 5 upvotes, $0
538. Stored XSS in the song name (2) on the payment gateway. to ok.ru - 5 upvotes, $0
539. [allods.mail.ru] Reflected XSS to Mail.ru - 5 upvotes, $0
540. Reflected XSS in olx.pt to OLX - 5 upvotes, $0
541. [careers.informatica.com] XSS on "isJTN" to Informatica - 5 upvotes, $0
542. [marketplace.informatica.com]- Stored XSS on Image title and Edit Property to Informatica - 5 upvotes, $0
543. [marketplace.informatica.com] Search XSS to Informatica - 5 upvotes, $0
544. self xss in to Quora - 5 upvotes, $0
545. Self-XSS can be achieved in the editor link using filter bypass to Weblate - 5 upvotes, $0
546. Reflected XSS on Branch domain to Cuvva - 5 upvotes, $0
547. Reflected XSS and something more Store XSS too to General Motors - 5 upvotes, $0
548. Flash XSS on global nav to General Motors - 5 upvotes, $0
549. Reflected XSS vulnerability on a DoD website to U.S. Dept Of Defense - 5 upvotes, $0
550. Reflected XSS on business-blog.zomato.com - Part 2 to Zomato - 5 upvotes, $0
551. Reflected cross-site scripting (XSS) vulnerability on a DoD website to U.S. Dept Of Defense - 5 upvotes, $0
552. Cross-site Scripting (XSS) in /updates-pro/archive/ to MapsMarker.com e.U. - 5 upvotes, $0
553. Reflected XSS on https://aw.mail.ru/news/ to Mail.ru - 5 upvotes, $0
554. Reflected XSS in Step 2 of the Installation to Revive Adserver - 5 upvotes, $0
555. XSS on player.vimeo.com without user interaction and vimeo.com with user interaction to Vimeo - 5 upvotes, $0
556. Reflected XSS on vimeo.com/musicstore to Vimeo - 5 upvotes, $0
557. Reflected XSS on www.bookfresh.com/index.html?view=upload_form to Bookfresh - 5 upvotes, $0
558. XSS on Report Classic to Infogram - 5 upvotes, $0
559. Stored XSS via transloadit.com and imageproxy to Coursera - 5 upvotes, $0
560. Report Design Critical Stored DOM XSS Vulnerability to Infogram - 5 upvotes, $0
561. [marketplace.informatica.com] - Stored XSS to Informatica - 5 upvotes, $0
562. muber-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 5 upvotes, $0
563. [html-janitor] Passing user-controlled data to clean() leads to XSS to Node.js third-party modules - 5 upvotes, $0
564. Reflected XSS { support.mycrypto.com } to MyCrypto - 5 upvotes, $0
565. Outdated MediaElement.js Reflected Cross-Site Scripting (XSS) to Zomato - 5 upvotes, $0
566. [public] Stored XSS in filenames in directory served by public to Node.js third-party modules - 5 upvotes, $0
567. [maps.me] Reflected XSS to Mail.ru - 5 upvotes, $0
568. The react-marked-markdown module allows XSS injection in href values. to Node.js third-party modules - 5 upvotes, $0
569. [public] Stored XSS in the filename when directories listing to Node.js third-party modules - 5 upvotes, $0
570. [html-pages] Stored XSS in the filename when directories listing to Node.js third-party modules - 5 upvotes, $0
571. stored xss in scrape-metadata when reading metadata from an html page to Node.js third-party modules - 5 upvotes, $0
572. XSS (stored) Wizard is saving executable code to Rocket.Chat - 5 upvotes, $0
573. XSS in http://localhost:8153/go/admin/config/server/update to GoCD - 5 upvotes, $0
574. Stored XSS in Profile Comments to Vanilla - 5 upvotes, $0
575. Remote File Inclusion, Malicious File Hosting, and Cross-site Scripting (XSS) in ████████ to U.S. Dept Of Defense - 5 upvotes, $0
576. Lack of input validation and sanitization in react-autolinker-wrapper library causes XSS to Node.js third-party modules - 5 upvotes, $0
577. HTML injection and limited XSS via logo image upload - Nextcloud 12.0.0 to Nextcloud - 5 upvotes, $0
578. [share.polymail.io] XSS when uploading a file to the server to Polymail, Inc. - 5 upvotes, $0
579. Stored XSS on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action to Topcoder - 5 upvotes, $0
580. Reflected XSS on https://apps.topcoder.com/wiki/pages/createpage.action to Topcoder - 5 upvotes, $0
581. Reflected XSS and HTML Injectionon a DoD website to U.S. Dept Of Defense - 5 upvotes, $0
582. Dom based XSS on www.rockstargames.com/GTAOnline/features/freemode to Rockstar Games - 5 upvotes, $0
583. Stored XSS on express entries to Concrete CMS - 5 upvotes, $0
584. Stored XSS on Company Logo to 8x8 - 5 upvotes, $0
585. Reflected XSS in "keywords" parameter at "https://sbermarket.ru/metro/search" to Mail.ru - 5 upvotes, $0
586. xss on [storehouse5.ucs.ru] to Mail.ru - 5 upvotes, $0
587. Stored XSS at APM transaction map (transactionName field) to New Relic - 5 upvotes, $0
588. XSS via "gp" cookie reflected in source code to Mail.ru - 5 upvotes, $0
589. xss on polaris.shopify.com/demo using postMessage to Shopify - 5 upvotes, $0
590. Arbitrary file upload and stored XSS via ███ support request to U.S. Dept Of Defense - 5 upvotes, $0
591. HTML Injection + XSS Vulnerability - https://████████/ | Proof of Concept [PoC] to U.S. Dept Of Defense - 5 upvotes, $0
592. Blind Stored XSS on https://█████████ after filling a request at https://█████ to U.S. Dept Of Defense - 5 upvotes, $0
593. reflected xss @ www.█████████ to U.S. Dept Of Defense - 5 upvotes, $0
594. Reflected XSS in https://██████████ via "████████" parameter to U.S. Dept Of Defense - 5 upvotes, $0
595. Cross-site Scripting (XSS) possible at https://sifchain.finance// via CVE-2019-8331 exploitation to Sifchain - 5 upvotes, $0
596. CSS-Reflected to Engel & Völkers Technology GmbH - 5 upvotes, $0
597. [█████████] Reflected Cross-Site Scripting Vulnerability to U.S. Dept Of Defense - 5 upvotes, $0
598. XSS DUE TO CVE-2020-3580 to U.S. Dept Of Defense - 5 upvotes, $0
599. Stored XSS on https://community.my.games/ (Add Post) to Mail.ru - 5 upvotes, $0
600. 8x8pilot.com: Reflected XSS in Apache Tomcat /jsp-examples example directory to 8x8 - 5 upvotes, $0
601. Reflected XSS on https://www.glassdoor.com/parts/header.htm to Glassdoor - 5 upvotes, $0
602. Reflected Cross Site Scripting at http://www.grouplogic.com/files/glidownload/verify3.asp [Uppercase Filter Bypass] to Acronis - 5 upvotes, $0
603. Shop - Reflected XSS With Clickjacking Leads to Steal User's Cookie In Two Domain to Meredith - 5 upvotes, $0
604. Reflected XSS | https://████████ to U.S. Dept Of Defense - 5 upvotes, $0
605. XSS via Client Side Template Injection on www.███/News/Speeches to U.S. Dept Of Defense - 5 upvotes, $0
606. stored cross site scripting in https://███ to U.S. Dept Of Defense - 5 upvotes, $0
607. Reflected XSS in ██████████ to U.S. Dept Of Defense - 5 upvotes, $0
608. XSS in twitter.com/safety/unsafe_link_warning to X (Formerly Twitter) - 4 upvotes, $1400
609. Stored XSS in the Shopify Discussion Forums to Shopify - 4 upvotes, $500
610. Strored Cross Site Scripting to Shopify - 4 upvotes, $500
611. a stored xss in slack integration https://onerror.slack.com/services/import to Slack - 4 upvotes, $500
612. XSS in my.shopify.com in widget to Shopify - 4 upvotes, $500
613. Reflected Cross-Site Scripting on French subdomain to Pornhub - 4 upvotes, $250
614. Cross Site Scripting - On Mouse Over, Blog page to Pornhub - 4 upvotes, $250
615. Reflected XSS Vulnerability in www.lahitapiola.fi/cs/Satellite to LocalTapiola - 4 upvotes, $250
616. [0.vk.com] Reflected XSS on the confirmation page. to VK.com - 4 upvotes, $200
617. [reflected xss, pornhub.com] /blog, any to Pornhub - 4 upvotes, $100
618. XSS on 3rd party service Localtapiola is using to LocalTapiola - 4 upvotes, $100
619. Vulnerability found, XSS (Cross site Scripting) to Yahoo! - 4 upvotes, $0
620. Persistent class XSS [the fuck] to Khan Academy - 4 upvotes, $0
621. XSS IN member List (Because of City Textbox) to Concrete CMS - 4 upvotes, $0
622. XSS in main page (invitation) to Localize - 4 upvotes, $0
623. XSS Vulnerability (my.yahoo.com) to Yahoo! - 4 upvotes, $0
624. https://caldav.calendar.yahoo.com/ - XSS (STORED) to Yahoo! - 4 upvotes, $0
625. XSS in https://e.mail.ru/cgi-bin/lstatic (Limited use) to Mail.ru - 4 upvotes, $0
626. XSS in original referrer after follow to X (Formerly Twitter) - 4 upvotes, $0
627. Stored XSS in Slack.com to Slack - 4 upvotes, $0
628. Stored XSS in api key of operator wallet to Enter - 4 upvotes, $0
629. Stored Cross Site Scripting Vulnerability in Yahoo Mail to Yahoo! - 4 upvotes, $0
630. Minor Bug: Public un-compiled CSS with original sass, versioning, source map, comments, etc. to HackerOne - 4 upvotes, $0
631. apps.owncloud.com: XSS via referrer to ownCloud - 4 upvotes, $0
632. Persistent XSS in image title to Imgur - 4 upvotes, $0
633. Reflected XSS via. search to Adobe - 4 upvotes, $0
634. xss in DM group name in twitter to X (Formerly Twitter) - 4 upvotes, $0
635. Dom Based Xss to Uber - 4 upvotes, $0
636. [tz.mail.ru] XSS in the authorization functionality to Mail.ru - 4 upvotes, $0
637. Stored XSS on [your_zendesk].zendesk.com in Facebook Channel to Zendesk - 4 upvotes, $0
638. Reflected Cross-Site Scripting in www.zomato.com/php/instagram_tag_relay to Zomato - 4 upvotes, $0
639. Reflected XSS at yaman.olx.ph to OLX - 4 upvotes, $0
640. Template stored XSS to drchrono - 4 upvotes, $0
641. XSS in uber oauth to Uber - 4 upvotes, $0
642. XSS via password recovering to Uber - 4 upvotes, $0
643. XSS in people.uber.com to Uber - 4 upvotes, $0
644. XSS in Tagregator plugin to Ian Dunn - 4 upvotes, $0
645. Arbitrary SQL query execution and reflected XSS in the "SQL Query Form" to ExpressionEngine - 4 upvotes, $0
646. these are my old reports and still i have not receive any good replys, these all are Cross Site Scripting(XSS) issues: POC1: https://www.youtube.com/w to OLX - 4 upvotes, $0
647. stored SELF xss on Basic Google Maps Placemarks Settings plugin to Ian Dunn - 4 upvotes, $0
648. [support.my.com] Internet Explorer XSS to Mail.ru - 4 upvotes, $0
649. [Thirdparty] Stored XSS in chat module - nextcloud server 9.0.51 installed in ubuntu 14.0.4 LTS to Nextcloud - 4 upvotes, $0
650. Reflected XSS in OLX.in to OLX - 4 upvotes, $0
651. REFLECTED CROSS SITE SCRIPTING IN OLX to OLX - 4 upvotes, $0
652. Stored XSS on new Calling plugin (spreed) to Nextcloud - 4 upvotes, $0
653. Persistent XSS vulnerability on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
654. Cross-site scripting vulnerability on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
655. Cross-site scripting (XSS) vulnerability on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
656. Stored cross-site scripting (XSS) on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
657. Stored xss to ownCloud - 4 upvotes, $0
658. [marketplace.informatica.com] Profile stored XSS to Informatica - 4 upvotes, $0
659. XSS on username when register to proffesional account to FormAssembly - 4 upvotes, $0
660. Reflected XSS on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
661. Cross-Site Scripting (XSS) on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
662. Cross-site-Scripting to Paragon Initiative Enterprises - 4 upvotes, $0
663. [demo.weblate.org] Stored Self-XSS via Editor Link in Profile to Weblate - 4 upvotes, $0
664. Stored XSS in RSS Feeds Title (Concrete5 v8.1.0) to Concrete CMS - 4 upvotes, $0
665. Reflected XSS on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
666. Reflected XSS on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
667. Flash XSS on Buick_RotatingMasthead_JellyBeanSlider.swf to General Motors - 4 upvotes, $0
668. Stored XSS templates -> 'call for action' feature to Mixmax - 4 upvotes, $0
669. Reflected XSS on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
670. MailPoet Newsletters <= 2.7.2 - Authenticated Reflected Cross-Site Scripting (XSS) to Zomato - 4 upvotes, $0
671. XSS in flashmediaelement.swf (business-blog.zomato.com) to Zomato - 4 upvotes, $0
672. Reflected XSS vulnerability on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
673. Reflective XSS vulnerability on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
674. Stored cross site scripting (XSS) vulnerability on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
675. xss found in zomato to Zomato - 4 upvotes, $0
676. Reflected XSS on hi-tech.mail.ru to Mail.ru - 4 upvotes, $0
677. Reflected XSS. to Mail.ru - 4 upvotes, $0
678. Cross-site scripting (XSS) vulnerability on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
679. Cross-site scripting (XSS) on a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
680. XSS Vulnerability in WooCommerce Product Vendors plugin to Automattic - 4 upvotes, $0
681. Reflective XSS to ExpressionEngine - 4 upvotes, $0
682. Cross site scripting in a subdomain of newrelic.com to New Relic - 4 upvotes, $0
683. Stored XSS on BillingCountry parameter to New Relic - 4 upvotes, $0
684. Non Critical Code Quality Bug / Self XSS on Map Editor to Infogram - 4 upvotes, $0
685. [redis-commander] Reflected SWF XSS via vulnerable "clipboard.swf" component to Node.js third-party modules - 4 upvotes, $0
686. Self-xss via drag&drop in email form to Mail.ru - 4 upvotes, $0
687. [afisha.mail.ru] HTML injection via XSS on the widget portal to Mail.ru - 4 upvotes, $0
688. [crud-file-server] Stored XSS in filenames when directory index is served by crud-file-server to Node.js third-party modules - 4 upvotes, $0
689. [gem server] Stored XSS via crafted JavaScript URL inclusion in Gemspec to RubyGems - 4 upvotes, $0
690. [glance] Stored XSS via file name allows to run arbitrary JavaScript when directory listing is displayed in browser to Node.js third-party modules - 4 upvotes, $0
691. Airship: Persistent XSS via Comment to Paragon Initiative Enterprises - 4 upvotes, $0
692. [exceljs] Possible XSS via cell value when worksheet is displayed in browser to Node.js third-party modules - 4 upvotes, $0
693. Browser Self XSS Protection not implemented to PortSwigger Web Security - 4 upvotes, $0
694. [serve] XSS via HTML tag injection in directory lisiting page to Node.js third-party modules - 4 upvotes, $0
695. [serve] Stored XSS in the filename when directories listing to Node.js third-party modules - 4 upvotes, $0
696. [target.my.com] CRLF Injection -> XSS to Mail.ru - 4 upvotes, $0
697. [beta.tracker.my.com] XSS Request-URI to Mail.ru - 4 upvotes, $0
698. XSS in Bootbox to Node.js third-party modules - 4 upvotes, $0
699. XSS to Mail.ru - 4 upvotes, $0
700. xss to Mail.ru - 4 upvotes, $0
701. Reflected Cross Site Scripting vuln in tomtom.com to TomTom - 4 upvotes, $0
702. self XSS on the page https://aw.mail.ru/pin/ to Mail.ru - 4 upvotes, $0
703. Stored XSS in embedded posts containing images to Vanilla - 4 upvotes, $0
704. [████████] Reflected XSS to U.S. Dept Of Defense - 4 upvotes, $0
705. [███████] Reflected GET XSS (/mission.php?...&missionDate=*) to U.S. Dept Of Defense - 4 upvotes, $0
706. Stored XSS on scan.nextcloud.com to Nextcloud - 4 upvotes, $0
707. potential RCE and XSS via file upload requiring user account and default settings to Nextcloud - 4 upvotes, $0
708. Unrestricted file upload leads to stored xss on https://████████/ to U.S. Dept Of Defense - 4 upvotes, $0
709. XSS (Cross site scripting) on https://apimgr.8x8.com to 8x8 - 4 upvotes, $0
710. Stored XSS agent_status to 8x8 - 4 upvotes, $0
711. HTML Injection leads to XSS on███ to U.S. Dept Of Defense - 4 upvotes, $0
712. Stored XSS firing if the error occurs when trying to delete the APM app to New Relic - 4 upvotes, $0
713. CSTI fix (#587829) bypass leading to stored XSS at plugins again to New Relic - 4 upvotes, $0
714. Cross Site Scripting and Open Redirect in affiliate-preview.php file to Revive Adserver - 4 upvotes, $0
715. Stored XSS through name / last name on https://██████████/ to U.S. Dept Of Defense - 4 upvotes, $0
716. Self XSS + CSRF Leads to Reflected XSS in https://████/ to U.S. Dept Of Defense - 4 upvotes, $0
717. Cross-site Scripting (XSS) - Reflected to Zivver - 4 upvotes, $0
718. XSS by MathML at Active Storage to Ruby on Rails - 4 upvotes, $0
719. Cross-Site Scripting thorough XSSJacking/PasteJacking Technique to Zivver - 4 upvotes, $0
720. Post-Auth Stored XSS with User Interaction leads to Remote Code Execution to Rocket.Chat - 4 upvotes, $0
721. xss on https://███████(█████████ parameter) to U.S. Dept Of Defense - 4 upvotes, $0
722. XSS due to CVE-2020-3580 [██████] to U.S. Dept Of Defense - 4 upvotes, $0
723. Stored XSS in Conversations (both client and admin) when Active Conversation Editor is set to "Rich Text" to Concrete CMS - 4 upvotes, $0
724. Stored XSS virus in al_video.php?act=a_choose_video_box to VK.com - 4 upvotes, $0
725. Reflected XSS at https://█████████ via "███" parameter to U.S. Dept Of Defense - 4 upvotes, $0
726. XSS Stored on https://seedr.ru to Mail.ru - 4 upvotes, $0
727. XSS at videostore.mtnonline.com/GL/*.aspx via all parameters to MTN Group - 4 upvotes, $0
728. Reflected Cross Site Scripting at ColdFusion Debugging Panel http://www.grouplogic.com/CFIDE/debug/cf_debugFr.cfm to Acronis - 4 upvotes, $0
729. stored cross site scripting in https://███████ to U.S. Dept Of Defense - 4 upvotes, $0
730. stored cross site scripting in https://██████████ to U.S. Dept Of Defense - 4 upvotes, $0
731. stored cross site scripting in https://█████████ to U.S. Dept Of Defense - 4 upvotes, $0
732. stored cross site scripting in https://███ to U.S. Dept Of Defense - 4 upvotes, $0
733. Reflected XSS in ██████████ to U.S. Dept Of Defense - 4 upvotes, $0
734. Cross-Site-Scripting in "Search Messages" to Rocket.Chat - 4 upvotes, $0
735. XSS in ServiceNow logout https://████:443 to U.S. Dept Of Defense - 4 upvotes, $0
736. XSS exploit of RDoc documentation generated by rdoc to Ruby - 4 upvotes, $0
737. Stored XSS in RDoc hyperlinks through javascript scheme to Ruby - 4 upvotes, $0
738. XSS in getrush.uber.com to Uber - 3 upvotes, $3000
739. XSS in L.mapbox.shareControl in mapbox.js to Mapbox - 3 upvotes, $1000
740. JavaScript: Add some new XSS sinks and sources of Next.js (and some extra improvements) to GitHub Security Lab - 3 upvotes, $1000
741. Persistent Cross Site Scripting within the IRCCloud Pastebin to IRCCloud - 3 upvotes, $500
742. XSS on partners.uber.com to Uber - 3 upvotes, $500
743. [e.mail.ru] XSS on the money transfer sending page to Mail.ru - 3 upvotes, $500
744. XSS by file (Active Storage Proxying ) to Ruby on Rails - 3 upvotes, $500
745. Reflected XSS and Open Redirect (verkkopalvelu.lahitapiola.fi) to LocalTapiola - 3 upvotes, $400
746. XSS Reflected incategories*p to Pornhub - 3 upvotes, $250
747. XSS ReflectedGET /embed_player? to Pornhub - 3 upvotes, $250
748. Reflective XSS can be triggered in IE to Slack - 3 upvotes, $150
749. Reflected Self-XSS Vulnerability in the Comment section of Files Information to Nextcloud - 3 upvotes, $100
750. csp bypass leads to xss on wacky.buggywebsite.com to BugPoC - 3 upvotes, $100
751. Solution for XSS challenge wacky.buggywebsite.com to BugPoC - 3 upvotes, $100
752. Cross site scripting to Deriv.com - 3 upvotes, $75
753. Dom based XSS https://www.khanacademy.org/ to Khan Academy - 3 upvotes, $0
754. http://smarthistory.khanacademy.org/search-results.html XSS to Khan Academy - 3 upvotes, $0
755. Stored XSS {dangerous?} https://www.khanacademy.org/coach/roster/?listId=allStudents to Khan Academy - 3 upvotes, $0
756. XSS via Email to Respondly - 3 upvotes, $0
757. XSS via Email Link to Respondly - 3 upvotes, $0
758. XSS in password to Localize - 3 upvotes, $0
759. /index.php/dashboard/sitemap/explore/ Cross-site scripting to Concrete CMS - 3 upvotes, $0
760. XSS in Yahoo! Web Analytics to Yahoo! - 3 upvotes, $0
761. Yahoo! Reflected XSS to Yahoo! - 3 upvotes, $0
762. Flash XSS in http://go.mail.ru to Mail.ru - 3 upvotes, $0
763. XSS in editor by any user to Phabricator - 3 upvotes, $0
764. XSS ON MOPUB.COM to X (Formerly Twitter) - 3 upvotes, $0
765. Flash XSS in http://lingvo.mail.ru to Mail.ru - 3 upvotes, $0
766. stored xss in transaction to Enter - 3 upvotes, $0
767. Vulnerability type xss uncovered in airbnb.es to Airbnb - 3 upvotes, $0
768. Xss in website's link to Shopify - 3 upvotes, $0
769. XSS - URL Redirects to Shopify - 3 upvotes, $0
770. XSS in experts.shopify.com to Shopify - 3 upvotes, $0
771. XSS at importing Product List to Shopify - 3 upvotes, $0
772. XSS at Bulk editing products to Shopify - 3 upvotes, $0
773. [persistent cross-site scripting] customers can target admins to Shopify - 3 upvotes, $0
774. XSS using yql and developers console proxy to Yahoo! - 3 upvotes, $0
775. XSS in my yahoo to Yahoo! - 3 upvotes, $0
776. XSS Reflected - Yahoo Travel to Yahoo! - 3 upvotes, $0
777. [ishop.qiwi.com] XSS + Misconfiguration to QIWI - 3 upvotes, $0
778. Reflected XSS in chat. to Shopify - 3 upvotes, $0
779. Reflective Xss Vulnerability to Urban Dictionary - 3 upvotes, $0
780. XSS in WordPress to Automattic - 3 upvotes, $0
781. [start.icq.com] Reflected XSS via Cookies to Mail.ru - 3 upvotes, $0
782. xss to Keybase - 3 upvotes, $0
783. Stored XSS in Slack (weird, trial and error) to Slack - 3 upvotes, $0
784. Stored XSS in comments to Zendesk - 3 upvotes, $0
785. Stored XSS on vimeo.com and player.vimeo.com to Vimeo - 3 upvotes, $0
786. Sql injection And XSS to Khan Academy - 3 upvotes, $0
787. Stored XSS in comments to Zendesk - 3 upvotes, $0
788. XSS m.imgur.com to Imgur - 3 upvotes, $0
789. XSS vulnerability in "/coach/roster/" ( create your first class) to Khan Academy - 3 upvotes, $0
790. Cross site scripting On api Calculator API requests to ok.ru - 3 upvotes, $0
791. XSS at www.woothemes.com to Automattic - 3 upvotes, $0
792. Reflected XSS in owncloud.com to ownCloud - 3 upvotes, $0
793. Cross site scripting in apps.owncloud.com to ownCloud - 3 upvotes, $0
794. Vulnerability : XSS Vulnerability to Xero - 3 upvotes, $0
795. doc.owncloud.org: XSS via Referrer to ownCloud - 3 upvotes, $0
796. Stored Cross-Site Scripting in Map Share Page to Mapbox - 3 upvotes, $0
797. Possible XSS to HackerOne - 3 upvotes, $0
798. www.veris.in DOM based XSS to Veris - 3 upvotes, $0
799. stored XSS in concrete5 5.7.2.1 to Concrete CMS - 3 upvotes, $0
800. XSS on www.wordpress.com to Automattic - 3 upvotes, $0
801. XSS on gmchat.gm.com to General Motors - 3 upvotes, $0
802. Self-XSS Vulnerability on Password Reset Form to Uber - 3 upvotes, $0
803. XSS on codex.wordpress.org to Automattic - 3 upvotes, $0
804. Multiple Stored Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1 to Concrete CMS - 3 upvotes, $0
805. XSS on zomato.com to Zomato - 3 upvotes, $0
806. [github.algolia.com] XSS to Algolia - 3 upvotes, $0
807. Stored XSS from Display Settings triggered on Save and viewing realtime search demo to Algolia - 3 upvotes, $0
808. XSS in Subtitles of Vimeo Flash Player and Hubnut to Vimeo - 3 upvotes, $0
809. Reflected xss on websummit.net to WebSummit - 3 upvotes, $0
810. Reflected Cross site scripting to Veris - 3 upvotes, $0
811. Stored XSS on street-combats.mail.ru to Mail.ru - 3 upvotes, $0
812. Critical : Malware and XSS file can be uploaded and executed on udemy to Udemy - 3 upvotes, $0
813. Web Browser XSS Protection Not Enabled to Open-Xchange - 3 upvotes, $0
814. xss for admin of https://newsletter.nextcloud.com to Nextcloud - 3 upvotes, $0
815. Reflective XSS at dubai.dubizzle.com to OLX - 3 upvotes, $0
816. [api.login.icq.net] Reflected XSS to Mail.ru - 3 upvotes, $0
817. Reflected XSS on iltakoulu_varkaus (viestinta.lahitapiola.fi) to LocalTapiola - 3 upvotes, $0
818. XSS vulnerability on a DoD website to U.S. Dept Of Defense - 3 upvotes, $0
819. XSS in a newrelic.com site to New Relic - 3 upvotes, $0
820. stored xss issue in folder name on go.xero.com/Docs/Folders to Xero - 3 upvotes, $0
821. cross-site scripting in get request to OLX - 3 upvotes, $0
822. Self XSS at translation page through Editor Link at demo.weblate.org to Weblate - 3 upvotes, $0
823. Reflected XSS on a DoD website to U.S. Dept Of Defense - 3 upvotes, $0
824. Reflected XSS on a DoD website to U.S. Dept Of Defense - 3 upvotes, $0
825. DOM Based XSS on a DoD website to U.S. Dept Of Defense - 3 upvotes, $0
826. Reflected XSS vulnerability on a DoD website to U.S. Dept Of Defense - 3 upvotes, $0
827. Reflected XSS. to Mail.ru - 3 upvotes, $0
828. Reflected XSS vulnerability on a DoD website to U.S. Dept Of Defense - 3 upvotes, $0
829. Reflected XSS on a DoD website to U.S. Dept Of Defense - 3 upvotes, $0
830. SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 3 upvotes, $0
831. SSL-protected Reflected XSS in m.uber.com to Uber - 3 upvotes, $0
832. SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 3 upvotes, $0
833. udi-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 3 upvotes, $0
834. lite:sess Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint to Uber - 3 upvotes, $0
835. Stored XSS in WordPress to WordPress - 3 upvotes, $0
836. [aw.my.com] Reflected XSS to Mail.ru - 3 upvotes, $0
837. [sexstatic] HTML injection in directory name(s) leads to Stored XSS when malicious file is embed with <iframe> element used in directory name to Node.js third-party modules - 3 upvotes, $0
838. XSS in express-useragent through HTTP User-Agent to Node.js third-party modules - 3 upvotes, $0
839. Reflected Cross-Site Scripting in Serendipity (serendipity.SetCookie) to Hanno's projects - 3 upvotes, $0
840. Reflected XSS to GoCD - 3 upvotes, $0
841. Stored XSS on the page pubg.mail.ru/community to Mail.ru - 3 upvotes, $0
842. Reflected DOM-Based XSS On Due Lack Filter On Parameter ?next to Vercel - 3 upvotes, $0
843. Reflected XSS on www.tomtom.com to TomTom - 3 upvotes, $0
844. [min-http-server] Stored XSS in the filename when directories listing to Node.js third-party modules - 3 upvotes, $0
845. Reflected XSS on https://merchant.kartpay.com/payment_settings [status] to Kartpay - 3 upvotes, $0
846. █████ - DOM-based XSS to U.S. Dept Of Defense - 3 upvotes, $0
847. █████ - DOM-based XSS to U.S. Dept Of Defense - 3 upvotes, $0
848. [██████] Reflected GET XSS (/personnel.php?..&folder=*) with mouse action to U.S. Dept Of Defense - 3 upvotes, $0
849. Persistent XSS on favorite via filename to Nextcloud - 3 upvotes, $0
850. Reflected XSS on card.starbucks.com.sg/unsubRevert.php via the 'ct' Parameter to Starbucks - 3 upvotes, $0
851. [node-red] Stored XSS within Flow's - "Name" field to Node.js third-party modules - 3 upvotes, $0
852. Stored XSS in template comments. to Stripo Inc - 3 upvotes, $0
853. Post Based Reflected XSS on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action to Topcoder - 3 upvotes, $0
854. Reflected XSS on error page on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action to Topcoder - 3 upvotes, $0
855. Reflected XSS on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action to Topcoder - 3 upvotes, $0
856. [████████] — XSS on /███████_flight/images via advanced_val parameter to U.S. Dept Of Defense - 3 upvotes, $0
857. XSS Reflected to U.S. Dept Of Defense - 3 upvotes, $0
858. XSS on https://deti.mail.ru/ to Mail.ru - 3 upvotes, $0
859. Reflected XSS on http://axa.dxi.eu to 8x8 - 3 upvotes, $0
860. [service.engelvoelkers.com] XSS in /video/id to Engel & Völkers Technology GmbH - 3 upvotes, $0
861. Stored XSS in app.lemlist.com to lemlist - 3 upvotes, $0
862. Reflected XSS on ███████ page to U.S. Dept Of Defense - 3 upvotes, $0
863. Stored XSS at APM apps labels autocomplete dropdown (apps listing) to New Relic - 3 upvotes, $0
864. Stored admin-to-owner XSS at infrastructure alerts runbook URL leading to account takeover by malicious admin to New Relic - 3 upvotes, $0
865. [snekserve] Stored XSS via filenames HTML formatted to Node.js third-party modules - 3 upvotes, $0
866. Reflected XSS in https://███████ via search parameter to U.S. Dept Of Defense - 3 upvotes, $0
867. Reflected XSS at wacky.buggywebsite.com/frame.html to BugPoC - 3 upvotes, $0
868. reflected xss in ██████ to Engel & Völkers Technology GmbH - 3 upvotes, $0
869. Reflected XSS at ████ via ██████████= parameter to U.S. Dept Of Defense - 3 upvotes, $0
870. Stored XSS in m.vk.com/video to VK.com - 3 upvotes, $0
871. Reflected XSS at https://██████/██████████ via "████████" parameter to U.S. Dept Of Defense - 3 upvotes, $0
872. Reflected XSS at https://██████/██████ via "██████" parameter to U.S. Dept Of Defense - 3 upvotes, $0
873. XSS Reflected - ███ to U.S. Dept Of Defense - 3 upvotes, $0
874. XSS on https://██████/███ via █████ parameter to U.S. Dept Of Defense - 3 upvotes, $0
875. Reflected XSS [██████] to U.S. Dept Of Defense - 3 upvotes, $0
876. Reflected Xss in [██████] to U.S. Dept Of Defense - 3 upvotes, $0
877. Reflected XSS [██████] to U.S. Dept Of Defense - 3 upvotes, $0
878. XSS in Desktop Client via user status and information to Nextcloud - 3 upvotes, $0
879. XSS in Desktop Client in call notification popup to Nextcloud - 3 upvotes, $0
880. stored cross site scripting in https://████ to U.S. Dept Of Defense - 3 upvotes, $0
881. stored cross site scripting in https://███ to U.S. Dept Of Defense - 3 upvotes, $0
882. Reflected Cross-Site Scripting(CVE-2022-32770 ) to Rocket.Chat - 3 upvotes, $0
883. DOM Cross-Site Scripting ( XSS ) to X (Formerly Twitter) - 2 upvotes, $1400
884. XSS platform.twitter.com to X (Formerly Twitter) - 2 upvotes, $1120
885. Reflected Xss to Slack - 2 upvotes, $500
886. touch.mail.ru XSS via message id to Mail.ru - 2 upvotes, $500
887. XSS https://www.shopify.com/signup to Shopify - 2 upvotes, $500
888. www.shopify.com XSS on blog pages via sharing buttons to Shopify - 2 upvotes, $500
889. Stored XSS in https://checkout.shopify.com/ to Shopify - 2 upvotes, $500
890. XSS on https://app.shopify.com/ to Shopify - 2 upvotes, $500
891. Home page reflected XSS to Mail.ru - 2 upvotes, $250
892. an xss issue to Algolia - 2 upvotes, $100
893. Unauthenticated Stored XSS in API Panel to WePay - 2 upvotes, $100
894. Cross Site Scripting to Deriv.com - 2 upvotes, $50
895. Stored XSS in all fields in Basic Google Maps Placemarks Settings to Ian Dunn - 2 upvotes, $25
896. XSS in www.eobot.com(IE9 only) to Eobot - 2 upvotes, $10
897. Stored XSS to Slack - 2 upvotes, $0
898. https://www.khanacademy.org/coach/reports/activity XSS to Khan Academy - 2 upvotes, $0
899. XSS in Localize.io to Localize - 2 upvotes, $0
900. Xss in CampTix Event Ticketing to Ian Dunn - 2 upvotes, $0
901. Dangerous Persistent xss to IRCCloud - 2 upvotes, $0
902. Stored XSS in Channel Chat to Slack - 2 upvotes, $0
903. Persistent XSS in afisha.mail.ru to Mail.ru - 2 upvotes, $0
904. Reflected XSS in Pastebin-view to IRCCloud - 2 upvotes, $0
905. Flash XSS - http://hi-tech.mail.ru/ to Mail.ru - 2 upvotes, $0
906. XSS in "About Video" to Mail.ru - 2 upvotes, $0
907. XSS in Team Only Area to Localize - 2 upvotes, $0
908. https://polldaddy.com storage.swf XSS to Automattic - 2 upvotes, $0
909. xss in app.simplenote.com to Automattic - 2 upvotes, $0
910. XSS in the input to Respondly - 2 upvotes, $0
911. XSS in Stopthehacker support to StopTheHacker - 2 upvotes, $0
912. Flash XSS on swfupload.swf showing at app.mavenlink.com to Mavenlink - 2 upvotes, $0
913. Reflected XSS to Mail.ru - 2 upvotes, $0
914. Unchecking hidden parameter is vulnerable to XSS-attack to Khan Academy - 2 upvotes, $0
915. rs.mail.ru - Flash Based XSS to Mail.ru - 2 upvotes, $0
916. Cross Site Scripting (XSS) - app.relateiq.com to RelateIQ - 2 upvotes, $0
917. Stored XSS in username.slack.com to Slack - 2 upvotes, $0
918. http://cdnjs.cloudflare.com/ Cross-site scripting 2 to Cloudflare Vulnerability Disclosure - 2 upvotes, $0
919. XSS in https://hk.user.auctions.yahoo.com to Yahoo! - 2 upvotes, $0
920. XSS on Every sports.yahoo.com page to Yahoo! - 2 upvotes, $0
921. Reflected cross site scripting in login page to StopTheHacker - 2 upvotes, $0
922. Suffix of url-path is vulnerable to XSS-attack to Khan Academy - 2 upvotes, $0
923. Stored xss to X (Formerly Twitter) - 2 upvotes, $0
924. Browser cross-site scripting filter misconfiguration to ReddAPI - 2 upvotes, $0
925. ads.twitter.com xss to X (Formerly Twitter) - 2 upvotes, $0
926. Stored XSS on http://cards.mail.ru to Mail.ru - 2 upvotes, $0
927. [qiwi.com] /oauth/confirm.action XSS to QIWI - 2 upvotes, $0
928. XSS in fabric.io to X (Formerly Twitter) - 2 upvotes, $0
929. [static.qiwi.com] XSS proxy.html to QIWI - 2 upvotes, $0
930. Stored XSS on http://top.mail.ru to Mail.ru - 2 upvotes, $0
931. Vimeo Search - XSS Vulnerability [http://vimeo.com/search] to Vimeo - 2 upvotes, $0
932. XSS on Vimeo to Vimeo - 2 upvotes, $0
933. Stored XSS in Direct debit name to Mobile Vikings - 2 upvotes, $0
934. Stored xss in user name to Mobile Vikings - 2 upvotes, $0
935. Reflected xss in user name thru cookie to Mobile Vikings - 2 upvotes, $0
936. Stored xss in user name (2) affected another user. to Mobile Vikings - 2 upvotes, $0
937. Reflected Cross Site Scripting - 'puser' Parameter in login page to Adobe - 2 upvotes, $0
938. Open redirect and reflected xss in http://youthvoices.adobe.com/community?return_url=[payload her] to Adobe - 2 upvotes, $0
939. XSS in myshopify.com Admin site in TAX Overrides to Shopify - 2 upvotes, $0
940. XSS on support.shopify.com to Shopify - 2 upvotes, $0
941. XSS at Bulk editing ProductVariants to Shopify - 2 upvotes, $0
942. xss profile to Udemy - 2 upvotes, $0
943. XSS in Myshopify Admin Site in DISCOUNTS to Shopify - 2 upvotes, $0
944. Bulk Discount App in myshopify.com exposes http://bulkdiscounts.shopifyapps.com vulnerable to XSS to Shopify - 2 upvotes, $0
945. Reflected XSS in chat to Shopify - 2 upvotes, $0
946. Reflected XSS in mail.yahoo.com to Yahoo! - 2 upvotes, $0
947. XSS https://delivery.shopifyapps.com/ (Digital Downloads App in myshopify.com) to Shopify - 2 upvotes, $0
948. No CSRF protection when creating new community points actions, and related stored XSS to Concrete CMS - 2 upvotes, $0
949. Stored Cross site scripting In developer.zendesk.com to Zendesk - 2 upvotes, $0
950. XSS on ecommerce.shopify.com to Shopify - 2 upvotes, $0
951. files.mail.ru: XSS to Mail.ru - 2 upvotes, $0
952. /surveys/2auth: DOM-based XSS to Mail.ru - 2 upvotes, $0
953. help2.m.smailru.net: XSS to Mail.ru - 2 upvotes, $0
954. XSS on https://www.udemy.com/asset/export.html to Udemy - 2 upvotes, $0
955. apps.owncloud.com: Stored XSS in profile page to ownCloud - 2 upvotes, $0
956. Cross-site Scripting in all Zopim to Zendesk - 2 upvotes, $0
957. XSS at http://vk.com on IE using flash files to VK.com - 2 upvotes, $0
958. apps.owncloud.com: Potential XSS to ownCloud - 2 upvotes, $0
959. XSS Vulnerability to Udemy - 2 upvotes, $0
960. XSS: https://light.mail.ru/compose, https://m.mail.ru/compose/[id]/reply when replying to a specially crafted email to Mail.ru - 2 upvotes, $0
961. Cookie securing your "Opening soon" store is not secured against XSS to Shopify - 2 upvotes, $0
962. XSS in creating tweets to Shopify - 2 upvotes, $0
963. Cross-site Scripting https://www.zendesk.com/product/pricing/ to Zendesk - 2 upvotes, $0
964. Reflective Xss on news.mail.ru and admin.news.mail.ru to Mail.ru - 2 upvotes, $0
965. Flash XSS on old.corp.mail.ru to Mail.ru - 2 upvotes, $0
966. XSS in imgur mobile to Imgur - 2 upvotes, $0
967. XSS in imgur mobile 3 to Imgur - 2 upvotes, $0
968. XSS at forum : to Mail.ru - 2 upvotes, $0
969. Stored XSS on https://www.algolia.com/realtime-search-demo/* to Algolia - 2 upvotes, $0
970. Self-XSS in mails sent by [email protected] to ownCloud - 2 upvotes, $0
971. Stored XSS in /admin/orders to Shopify - 2 upvotes, $0
972. Stored XSS in adding fileset to Concrete CMS - 2 upvotes, $0
973. Cross-Site Scripting Vulnerability in urbandictionary.com to Urban Dictionary - 2 upvotes, $0
974. Cross-Site Scripting Vulnerability in dovecot.fi to Open-Xchange - 2 upvotes, $0
975. Stored Cross-Site Scripting via Angular Template Injection to New Relic - 2 upvotes, $0
976. Reflected XSS on games.mail.ru to Mail.ru - 2 upvotes, $0
977. Stored XSS in member book to Veris - 2 upvotes, $0
978. XSS in Asset name to Veris - 2 upvotes, $0
979. [login.newrelic.com] XSS via return_to to New Relic - 2 upvotes, $0
980. xss yaman.olx.ph to OLX - 2 upvotes, $0
981. XSS, Unvalidated redirects & phishing website hosting on dropbox servers to Dropbox - 2 upvotes, $0
982. XSS in GM to General Motors - 2 upvotes, $0
983. [forum.owncloud.org] IE, Edge XSS via Request-URI to ownCloud - 2 upvotes, $0
984. Reflected Self-XSS Vulnerability in the Comment section of Files (Different-payloads) to Nextcloud - 2 upvotes, $0
985. XSS Via Method injection to Gratipay - 2 upvotes, $0
986. XSS and Open Redirect on https://jobs.dubizzle.com/ to OLX - 2 upvotes, $0
987. XSS and HTML Injection https://sharjah.dubizzle.com/ to OLX - 2 upvotes, $0
988. Reflected XSS in www.lahitapiola.fi (/cs/Satellite) using Oracle WebCenter -page to LocalTapiola - 2 upvotes, $0
989. Reflected XSS vulnerability in a DoD website to U.S. Dept Of Defense - 2 upvotes, $0
990. hosted.weblate.org: X-XSS-Protection not enabled to Weblate - 2 upvotes, $0
991. weblate.org: X-XSS-Protection not enabled to Weblate - 2 upvotes, $0
992. CSS to Zomato - 2 upvotes, $0
993. Stored XSS vulnerability on a DoD website to U.S. Dept Of Defense - 2 upvotes, $0
994. Reflected XSS on a DoD website to U.S. Dept Of Defense - 2 upvotes, $0
995. Stored XSS in Gallery application (NC-SA-2017-010) to Nextcloud - 2 upvotes, $0
996. IE search XSS to General Motors - 2 upvotes, $0
997. XSS Vulnerability in developer.gm.com to General Motors - 2 upvotes, $0
998. xss to Gratipay - 2 upvotes, $0
999. [cloudcmd] Stored XSS in the filename when directories listing to Node.js third-party modules - 2 upvotes, $0
1000. [legal.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
1001. [allods.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
1002. [id.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
1003. [furry.aw.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
1004. [evo2.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
1005. [evo.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
1006. [mg.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
1007. [support.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
1008. [wos.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
1009. [account.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
1010. [lucky-fields.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
1011. [sf.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
1012. [games.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
1013. XSS in "explore-keywords-dropdown" results. to Zomato - 2 upvotes, $0
1014. Cross site scripting (content-sniffing) to Liberapay - 2 upvotes, $0
1015. [buttle] HTML Injection in filename leads to XSS when directory listing is displayed in the browser to Node.js third-party modules - 2 upvotes, $0
1016. XSS on New contact to Mail.ru - 2 upvotes, $0
1017. Reflected Xss bypass Content-Type: text/plain to Python Cryptographic Authority - 2 upvotes, $0
1018. xss to Mail.ru - 2 upvotes, $0
1019. XSS On Nextcloud Integrated with zimbra drive to Nextcloud - 2 upvotes, $0
1020. Stored XSS at branded site in .mail.ru domain to Mail.ru - 2 upvotes, $0
1021. Strored Xss on https://my.stripo.email/ ( multiple inputs) to Stripo Inc - 2 upvotes, $0
1022. Prevent XSS when passing a parameter directly into link_to to Ruby on Rails - 2 upvotes, $0
1023. Reflected XSS on https://███████/ to U.S. Dept Of Defense - 2 upvotes, $0
1024. [garnier-olia.lady.mail.ru] Reflected XSS /exp/ bypass "/" to Mail.ru - 2 upvotes, $0
1025. Stored XSS in agoric-sdk - malicious iframes, malicious svg to Agoric - 2 upvotes, $0
1026. Reflected XSS - https://███ to U.S. Dept Of Defense - 2 upvotes, $0
1027. Reflected Cross-Site Scripting/HTML Injection to Informatica - 2 upvotes, $0
1028. Reflected XSS in https://███████ via hidden parameter "████████" to U.S. Dept Of Defense - 2 upvotes, $0
1029. Reflected XSS at https://██████████/████████ via "███████" parameter to U.S. Dept Of Defense - 2 upvotes, $0
1030. XSS trigger via HTML Iframe injection in ( https://██████████ ) due to unfiltered HTML tags to U.S. Dept Of Defense - 2 upvotes, $0
1031. CVE-2021-42567 - Apereo CAS Reflected XSS on https://█████████ to U.S. Dept Of Defense - 2 upvotes, $0
1032. [www.█████] Path-based reflected Cross Site Scripting to U.S. Dept Of Defense - 2 upvotes, $0
1033. Reflected XSS [███] to U.S. Dept Of Defense - 2 upvotes, $0
1034. XSS DUE TO CVE-2020-3580 to U.S. Dept Of Defense - 2 upvotes, $0
1035. STORED XSS in █████████/nlc/login.aspx via "edit" GET parameter through markdown editor [HtUS] to U.S. Dept Of Defense - 2 upvotes, $0
1036. Persistent CSS injection with ’marked’ markdown parser in Rocket.Chat to Rocket.Chat - 2 upvotes, $0
1037. Reflected XSS | https://████ to U.S. Dept Of Defense - 2 upvotes, $0
1038. XSS platform.twitter.com | video-js metadata to X (Formerly Twitter) - 1 upvotes, $1120
1039. XSS In archive.uber.com Due to Mime Sniffing in IE to Uber - 1 upvotes, $750
1040. XSS in dropbox main domain to Dropbox - 1 upvotes, $512
1041. XSS in a file or folder name to Mail.ru - 1 upvotes, $500
1042. e.mail.ru stored XSS in agent via sticker (smile) to Mail.ru - 1 upvotes, $500
1043. auth.mail.ru: XSS in login form to Mail.ru - 1 upvotes, $500
1044. www.shopify.com XSS via third-party script to Shopify - 1 upvotes, $500
1045. many xss in widgets.shopifyapps.com to Shopify - 1 upvotes, $500
1046. XSS on hardware.shopify.com to Shopify - 1 upvotes, $500
1047. xss in the all widgets of shopifyapps.com to Shopify - 1 upvotes, $500
1048. File upload XSS (Java applet) on http://slackatwork.com/ to Slack - 1 upvotes, $200
1049. cloud.mail.ru: File upload XSS using Content-Type header to Mail.ru - 1 upvotes, $150
1050. xss in /browse/contacts/ to Openfolio - 1 upvotes, $100
1051. DOM Based XSS in Checkout to LeaseWeb - 1 upvotes, $100
1052. an xss issue in https://hunter22.slack.com/help/requests/793043 to Slack - 1 upvotes, $100
1053. www.lahitapiola.fi DOM XSS by choosing regional company to LocalTapiola - 1 upvotes, $100
1054. Stored XSS to Localize - 1 upvotes, $0
1055. Import emails from Gmail are activate XSS to Respondly - 1 upvotes, $0
1056. Find, private notes Cross-site scripting. to Respondly - 1 upvotes, $0
1057. Persistent Cross-site scripting vulnerability settings. to Respondly - 1 upvotes, $0
1058. XSS - http://js.cloudflare.com to Cloudflare Vulnerability Disclosure - 1 upvotes, $0
1059. Stored XSS in slack.com (integrations) to Slack - 1 upvotes, $0
1060. XSS 01 on staging.fct.li to Factlink - 1 upvotes, $0
1061. Xss On http://my.mail.ru/ to Mail.ru - 1 upvotes, $0
1062. genericons.com - DOM based XSS. to Automattic - 1 upvotes, $0
1063. http://jetpack.me/ Self XSS to Automattic - 1 upvotes, $0
1064. email field doesn't filtered against XSS to Uzbey - 1 upvotes, $0
1065. Cross-site scripting vulnerability detected to Uzbey - 1 upvotes, $0
1066. Album image XSS to Uzbey - 1 upvotes, $0
1067. XSS to jsDelivr - 1 upvotes, $0
1068. XSS vulnerability in video player page to X (Formerly Twitter) - 1 upvotes, $0
1069. Cross site scripting in type parameter to Uzbey - 1 upvotes, $0
1070. jplayer.swf Cross-site scripting to Cloudflare Vulnerability Disclosure - 1 upvotes, $0
1071. XSS Reflected - https://www.stopthehacker.com/ to StopTheHacker - 1 upvotes, $0
1072. xss in simperium.com to Automattic - 1 upvotes, $0
1073. Cross-Site Scripting in getMarketplacePurchaseFrame to Concrete CMS - 1 upvotes, $0
1074. TESTING FOR REFLECTED CROSS SITE SCRIPTING (OWASP‐DV‐001) to Yahoo! - 1 upvotes, $0
1075. XSS in Theme Preview Tools File to Concrete CMS - 1 upvotes, $0
1076. XSS on gravatar to Automattic - 1 upvotes, $0
1077. Reflected XSS to Mail.ru - 1 upvotes, $0
1078. Reflected XSS in User-Agent to Mail.ru - 1 upvotes, $0
1079. Cross Site Scripting (Stored) to ExpressionEngine - 1 upvotes, $0
1080. XSS in 3rd party plugin (not affecting Uzbey's users) to Uzbey - 1 upvotes, $0
1081. [send.qiwi.ru] XSS at auth?login= to QIWI - 1 upvotes, $0
1082. Cross-site Scripting in mailing (username) to RelateIQ - 1 upvotes, $0
1083. APIs for channels allow HTML entities that may cause XSS issue to Vimeo - 1 upvotes, $0
1084. Vimeo.com - reflected xss vulnerability to Vimeo - 1 upvotes, $0
1085. player.vimeo.com - Reflected XSS Vulnerability to Vimeo - 1 upvotes, $0
1086. Stored XSS in concrete5 5.7.0.4. to Concrete CMS - 1 upvotes, $0
1087. XSS Vulnerability in cfire.mail.ru/screen/1/ to Mail.ru - 1 upvotes, $0
1088. Vimeo.com - Reflected XSS Vulnerability to Vimeo - 1 upvotes, $0
1089. files.acrobat.com stored XSS via send file to Adobe - 1 upvotes, $0
1090. XSS with Time-of-Day Format to Phabricator - 1 upvotes, $0
1091. XSS in realty.mail.ru to Mail.ru - 1 upvotes, $0
1092. XSS in ad.mail.ru to Mail.ru - 1 upvotes, $0
1093. XSS Vulnerability on all pages to Mobile Vikings - 1 upvotes, $0
1094. Pretty Photo Dom XSS to jsDelivr - 1 upvotes, $0
1095. XSS in touch.sports.mail.ru to Mail.ru - 1 upvotes, $0
1096. Multiple Reflected Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1 to Concrete CMS - 1 upvotes, $0
1097. XSS in https://app.mavenlink.com/workspaces/ to Mavenlink - 1 upvotes, $0
1098. XSS on added name album on videos. to VK.com - 1 upvotes, $0
1099. Stored XSS on Title of Page List in edit page list to Concrete CMS - 1 upvotes, $0
1100. Stored XSS on Search Title to Concrete CMS - 1 upvotes, $0
1101. Stored XSS in Contact Form to Concrete CMS - 1 upvotes, $0
1102. Stored XSS in Title of the topic List to Concrete CMS - 1 upvotes, $0
1103. Stored XSS in title of date navigation to Concrete CMS - 1 upvotes, $0
1104. Stored XSS in Feature tile to Concrete CMS - 1 upvotes, $0
1105. Stored Xss in Feature Paragraph to Concrete CMS - 1 upvotes, $0
1106. Stored XSS in Testimonial name to Concrete CMS - 1 upvotes, $0
1107. Stored XSS in testimonial Company to Concrete CMS - 1 upvotes, $0
1108. Stored XSS in Testimonial Position to Concrete CMS - 1 upvotes, $0
1109. Stored XSS In Company URL to Concrete CMS - 1 upvotes, $0
1110. Stored XSS in Image Alt. Text to Concrete CMS - 1 upvotes, $0
1111. Stored XSS in Message to Display When No Pages Listed. to Concrete CMS - 1 upvotes, $0
1112. Stored XSS in Bio/Quote to Concrete CMS - 1 upvotes, $0
1113. Stored XSS on Blog's page Tile to Concrete CMS - 1 upvotes, $0
1114. Self Xss on File Replace to Concrete CMS - 1 upvotes, $0
1115. Cross site scripting to Enter - 1 upvotes, $0
1116. Multiple XSS Vulnerabilities in Concrete5 5.7.3.1 to Concrete CMS - 1 upvotes, $0
1117. xss on autoserch to Udemy - 1 upvotes, $0
1118. XSS in Search Communities Function to Informatica - 1 upvotes, $0
1119. XSS - Gallery Search Listing to Zaption - 1 upvotes, $0
1120. api.video.mail.ru: XSS to Mail.ru - 1 upvotes, $0
1121. touch.afisha.mail.ru: XSS to Mail.ru - 1 upvotes, $0
1122. target.mail.ru: XSS via Referer to Mail.ru - 1 upvotes, $0
1123. target.mail.ru: XSS to Mail.ru - 1 upvotes, $0
1124. 3k.mail.ru: XSS to Mail.ru - 1 upvotes, $0
1125. GET /surveys/2auth: XSS to Mail.ru - 1 upvotes, $0
1126. owncloud.com: DOM Based XSS to ownCloud - 1 upvotes, $0
1127. [riot.mail.ru] Reflected XSS in debug-mode to Mail.ru - 1 upvotes, $0
1128. Flash XSS on img.mail.ru to Mail.ru - 1 upvotes, $0
1129. Reflected Self-XSS in Slack to Slack - 1 upvotes, $0
1130. Self-XSS in posts by formatting text as code to Slack - 1 upvotes, $0
1131. Persistent XSS in https://p.imgur.com/albumview.gif and http://p.imgur.com/imageview.gif / post statistics to Imgur - 1 upvotes, $0
1132. XSS Reflected in test.qiwi.ru to QIWI - 1 upvotes, $0
1133. owncloud.com: Persistent XSS In Account Profile to ownCloud - 1 upvotes, $0
1134. reflected in xss to Mail.ru - 1 upvotes, $0
1135. XSS at wordpress.com to Automattic - 1 upvotes, $0
1136. Self XSS Protection not used , I can trick users to insert JavaScript to Gratipay - 1 upvotes, $0
1137. Reflected XSS and/or malicious redirection via JWPlayer 6 configuration modification to Udemy - 1 upvotes, $0
1138. Cross Site Scripting - type Patameter to Zomato - 1 upvotes, $0
1139. Xss via Dropbox to ThisData - 1 upvotes, $0
1140. apps.owncloud.com: Multiple reflected XSS by insecure URL generation (IE only) to ownCloud - 1 upvotes, $0
1141. Cross Site Scripting to Mail.ru - 1 upvotes, $0
1142. Cross-site Scripting (XSS) autocomplete generation in https://www.uber.com/ to Uber - 1 upvotes, $0
1143. Stored XSS via "Free Shipping" option (Discounts) to Shopify - 1 upvotes, $0
1144. doc.owncloud.org: X-XSS-Protection not enabled to ownCloud - 1 upvotes, $0
1145. Synthetics Xss to New Relic - 1 upvotes, $0
1146. Stored XSS in Access Rules to Veris - 1 upvotes, $0
1147. STORED XSS FOUND to ThisData - 1 upvotes, $0
1148. Cross-site Scripting (XSS) to Uber - 1 upvotes, $0
1149. XSS on love.uber.com to Uber - 1 upvotes, $0
1150. Stored XSS on 'Badges' page to Veris - 1 upvotes, $0
1151. Stored XSS through Angular Expression Sandbox Escape to New Relic - 1 upvotes, $0
1152. XSS to Deriv.com - 1 upvotes, $0
1153. XSS and CSRF in Zomato Contact form to Zomato - 1 upvotes, $0
1154. XSS In /zuora/ functionality to Zendesk - 1 upvotes, $0
1155. DOM based XSS on to Uber - 1 upvotes, $0
1156. Reflected XSS on Zomato API to Zomato - 1 upvotes, $0
1157. Persistent XSS on Reservation / Booking Page to Zomato - 1 upvotes, $0
1158. Reflected XSS in Backend search to Moneybird - 1 upvotes, $0
1159. Multiple Stored XSS on Sanbox.veris.in through Veris Frontdesk Android App to Veris - 1 upvotes, $0
1160. Multiple Stored XSS to Veris - 1 upvotes, $0
1161. Stored XSS to Veris - 1 upvotes, $0
1162. XSS in Blog to drchrono - 1 upvotes, $0
1163. Reflected XSS in domain www.veris.in to Veris - 1 upvotes, $0
1164. Self-XSS in Partners Profile to Uber - 1 upvotes, $0
1165. Stored self-XSS at m.uber.com to Uber - 1 upvotes, $0
1166. Self-XSS on partners.uber.com to Uber - 1 upvotes, $0
1167. Two XSS vulns in widget parameters (all_collections.php and o2.php) to Zomato - 1 upvotes, $0
1168. [Stored Cross-Site-Scripting] When search about Incoming ( Manual Jurnal ) to Moneybird - 1 upvotes, $0
1169. DOM XSS bypassing in Regional Office -selector to LocalTapiola - 1 upvotes, $0
1170. Google Authenticator - Cross Site Scripting to Ian Dunn - 1 upvotes, $0
1171. Reflected XSS @ games.mail.ru to Mail.ru - 1 upvotes, $0
1172. Stored Xss in rpm.newrelic.com to New Relic - 1 upvotes, $0
1173. DOM based XSS in search functionality to SecNews - 1 upvotes, $0
1174. xss on demo.nextcloud.com due to outdated version to Nextcloud - 1 upvotes, $0
1175. Full Page Caching Stored XSS Vulnerability to Concrete CMS - 1 upvotes, $0
1176. Cross Site Scripting to Nextcloud - 1 upvotes, $0
1177. Reflected XSS on ht.pornhub.com - /export/GetPreview to Pornhub - 1 upvotes, $0
1178. Cross-site scripting (XSS) vulnerability on a DoD website to U.S. Dept Of Defense - 1 upvotes, $0
1179. XSS found In Your Web to Gratipay - 1 upvotes, $0
1180. XSS on app.legalrobot.com to Legal Robot - 1 upvotes, $0
1181. Reflected XSS in admin settings to Deconf - 1 upvotes, $0
1182. XSS to Mail.ru - 1 upvotes, $0
1183. XSS in https://merchant.kartpay.com/settlements to Kartpay - 1 upvotes, $0
1184. [dy-server2] - stored Cross-Site Scripting to Node.js third-party modules - 1 upvotes, $0
1185. xss on setup config page to Nextcloud - 1 upvotes, $0
1186. Reflected XSS on https://█████ to U.S. Dept Of Defense - 1 upvotes, $0
1187. xss reflected on https://███████- (███ parameters) to U.S. Dept Of Defense - 1 upvotes, $0
1188. XSS Reflected on https://███ (███ parameter) to U.S. Dept Of Defense - 1 upvotes, $0
1189. XSS due to CVE-2020-3580 [███] to U.S. Dept Of Defense - 1 upvotes, $0
1190. 3x Reflected XSS vectors for services.cgi (XM.v6.1.6, build 32290) to Ubiquiti Inc. - 1 upvotes, $0
1191. 4 xss vulnerability dom based cwe 79 ; wordpress bootstrap.min.js is vulnerable to Sifchain - 1 upvotes, $0
1192. Reflected XSS on https://███/████via hidden parameter "█████████" to U.S. Dept Of Defense - 1 upvotes, $0
1193. XSS because of Akamai ARL misconfiguration on ████ to U.S. Dept Of Defense - 1 upvotes, $0
1194. Reflected XSS - in Email Input to U.S. Dept Of Defense - 1 upvotes, $0
1195. XSS on https://███████/██████████ parameter to U.S. Dept Of Defense - 1 upvotes, $0
1196. XSS on https://████████/████' parameter to U.S. Dept Of Defense - 1 upvotes, $0
1197. Reflected XSS via File Upload to Reddit - 1 upvotes, $0
1198. XSS via .eml file to Mail.ru - 0 upvotes, $1337
1199. XSS in https://hackpad.com/ to Dropbox Acquisitions - 0 upvotes, $216
1200. Stored XSS through fileupload to Mail.ru - 0 upvotes, $200
1201. Flash-based XSS in cdnjs.cloudflare.com subdomain to Cloudflare Vulnerability Disclosure - 0 upvotes, $0
1202. Stored Cross-Site Scripting Vulnerability in /admin.php?/cp/admin_system/general_configuration to ExpressionEngine - 0 upvotes, $0
1203. Unvalidated Redirects and Stored XSS to Dropbox - 0 upvotes, $0
1204. XSS in version history of an HTML file in a shared folder to Dropbox - 0 upvotes, $0
1205. otrs.owncloud.com: Reflected Cross-Site Scripting to ownCloud - 0 upvotes, $0
1206. Stored XSS to Udemy - 0 upvotes, $0
1207. XSS via modified Zomato widget (res_search_widget.php) to Zomato - 0 upvotes, $0
1208. Reflected Cross Site scripting Attack (XSS) to OLX - 0 upvotes, $0
1209. Improper parsing of input could lead to future XSS vulnerabilities in Sequences to Mixmax - 0 upvotes, $0
1210. self cross site scripting to Gratipay - 0 upvotes, $0
1211. x-xss protection header is not set in response header to Gratipay - 0 upvotes, $0
1212. XSS (Reflected) to New Relic - 0 upvotes, $0
1213. Self XSS via help.mail.ru interface to Mail.ru - 0 upvotes, $0
1214. Stored XSS on ████████helpdesk to U.S. Dept Of Defense - 0 upvotes, $0
1215. [flsaba] Stored XSS in the file and directory name when directories listing to Node.js third-party modules - 0 upvotes, $0
1216. [tianma-static] Security issue with XSS. to Node.js third-party modules - 0 upvotes, $0
1217. XSS in biodata to Bumble - 0 upvotes, $0
1218. XSS due to CVE-2020-3580 [███.mil] to U.S. Dept Of Defense - 0 upvotes, $0
