## Critical Stored XSS in Admin Panel: User Data Rendered via innerHTML Without Escaping
A critical stored cross-site scripting (XSS) vulnerability exists in the administrative interface, allowing an attacker with access to the admin panel to inject malicious JavaScript via user profile fields. The flaw is located in the `templates/users.html` file, where user data such as usernames and emails is rendered directly into `innerHTML` template literals without proper HTML escaping. This creates a persistent attack vector in which injected code executes whenever another administrator views the compromised user list.

The vulnerability stems from the use of the `| safe` filter in the template, which explicitly marks the `user.username` field as safe for HTML rendering. An attacker can embed a payload like `<img src=x onerror=alert(document.cookie)>` into a username or email field. When the template renders this data into the JavaScript array for the user list, the payload is executed in the browser context of any admin viewing the page. This grants the attacker control over the admin session within the vulnerable panel.

The potential impact is severe, extending beyond simple defacement. Successful exploitation could lead to full session hijacking, allowing an attacker to impersonate an administrator. This access could be used for data exfiltration, sending sensitive information to an external domain, or for privilege escalation within the application. The vulnerability represents a direct path from a basic user profile edit function to a complete compromise of the administrative backend, highlighting a critical failure in output encoding and security-aware templating practices.
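The two encoding steps that close this class of hole, shown as an added example that is not code from the original issue or the affected project: a server-side step that embeds the user array into a `<script>` block (`toJsonForScript`, standing in for Jinja's `tojson` filter where the template currently uses `| safe`), and a client-side step that HTML-escapes each field before it reaches the `innerHTML` template literal. Function names and the sample records are constructed for this illustration.

```javascript
"use strict";

// Constructed sample records; the first carries the payload quoted in the advisory.
const USERS = [
  { username: '<img src=x onerror=alert(document.cookie)>', email: 'a@example.test' },
  { username: 'alice', email: 'alice@example.test' },
];

// Step 1 (server side): serialise the array for a <script> block. Plain
// JSON.stringify is not enough, because a "</script>" inside a string would
// terminate the block. Encoding <, >, & as \uXXXX keeps the output valid JSON
// and valid JavaScript while making it inert inside HTML.
function toJsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}

// Step 2 (client side): HTML-encode every untrusted field before it is
// interpolated into markup that will be assigned to innerHTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Mirrors the vulnerable pattern: raw fields dropped into the template literal.
function renderRowUnsafe(user) {
  return `<tr><td>${user.username}</td><td>${user.email}</td></tr>`;
}

// Hardened form of the same row: each field passes through escapeHtml.
function renderRowSafe(user) {
  return `<tr><td>${escapeHtml(user.username)}</td><td>${escapeHtml(user.email)}</td></tr>`;
}

// Detection helper: does an <img ...> tag survive as real markup in the output?
function containsRawTag(html) {
  return /<img\s/i.test(html);
}
```

Removing `| safe` alone restores Jinja's HTML autoescaping, but data placed inside a `<script>` array needs the JSON-for-script encoding rather than HTML entities, which is why both steps are shown.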
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, xss, web-application, admin-panel
- **Credibility**: unverified
- **Published**: 2026-04-16 14:23:05
- **ID**: 67738
- **URL**: https://whisperx.ai/en/intel/67738