Stored XSS Vulnerability Discovered in OopsSec Store, a Deliberately Vulnerable Next.js E-Commerce App

19 Jan 2026

cybersecurityvulnerabilitystored_xsscross-site_scriptingnextjse-commerceweb_securityexploitpenetration_testingbug_bountygithubdom_injectionsanitizationethical_hacking

A Stored XSS (Cross-Site Scripting) vulnerability has been identified in the OopsSec Store application, a deliberately vulnerable e-commerce platform developed using Next.js. Exploitation allows an attacker to inject malicious JavaScript code via a product review, which is stored in the database and automatically executed by the browser of any user visiting the affected page. The code runs with the victim's session privileges, enabling access to protected endpoints such as /api/flags/cross-site-scripting-xss to retrieve a flag in the format OSS{cr0ss_s1t3_scr1pt1ng_xss}. The flaw stems from a lack of server-side sanitization (no user input cleaning) and direct injection of unescaped content into the client-side DOM. The application is available on GitHub for local testing in an isolated environment.