diff --git a/src/pentesting-web/xss-cross-site-scripting/README.md b/src/pentesting-web/xss-cross-site-scripting/README.md index 0929162f25f..37e8108c1d2 100644 --- a/src/pentesting-web/xss-cross-site-scripting/README.md +++ b/src/pentesting-web/xss-cross-site-scripting/README.md @@ -1673,6 +1673,29 @@ When a backend **builds a shared SDK by concatenating JS strings with user-contr - Example pattern (Meta CAPIG): server appends `cbq.config.set("","IWLParameters",{params: });` directly into `capig-events.js`. - Injecting `'` or `"]}` closes the literal/object and adds attacker JS, creating **stored XSS** in the distributed SDK for every site that loads it (first-party and third-party). +### Stored XSS in generated reports when escaping is disabled + +If uploaded files are parsed and their metadata is printed into HTML reports with escaping disabled (`|safe`, custom renderers), that metadata is a **stored XSS sink**. Example flow: + +```python +xmlhost = data.getAttribute(f'{ns}:host') +ret_list.append(('dialer_code_found', (xmlhost,), ())) +'title': a_template['title'] % t_name # %s fed by xmlhost +``` + +A Django template renders `{{item|key:"title"|safe}}`, so attacker HTML runs. + +**Exploit:** place **entity-encoded HTML** in any manifest/config field that reaches the report: + +```xml + +``` + +Rendered with `|safe`, the report outputs `` and fires JS on view. + +**Hunting:** look for report/notification builders that reuse parsed fields in `%s`/f-strings and disable auto-escape. One encoded tag in an uploaded manifest/log/archive persists XSS for every viewer. + ### Abusing Service Workers 
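Review bot: The Python snippet under "Stored XSS in generated reports when escaping is disabled" does not show the data flow it asserts: the comment `# %s fed by xmlhost` is attached to `'title': a_template['title'] % t_name`, but nothing in the three quoted lines ties `t_name` to `xmlhost` (the tuple appended in `ret_list.append(('dialer_code_found', (xmlhost,), ()))` is never unpacked), and the third line is a dict-literal fragment rather than a statement, so the reader cannot see how the attribute value reaches the `%` format. Either quote the intermediate line where the tuple's first element becomes `t_name`, or state that hop in prose. Separately, the `xml` fence under **Exploit:** and the inline code in "the report outputs `` and fires JS on view" are empty as committed; the entity-encoded payload for the `{ns}:host` attribute read by `getAttribute` needs to be present, and because this README is rendered as markdown the angle brackets inside it must themselves be written as entities or the renderer will strip the tag, which is likely what happened here. Finally, the **Hunting** paragraph would be more actionable if it named the Django constructs to grep for instead of only "disable auto-escape": the `|safe` filter already mentioned, `mark_safe(`, and `{% autoescape off %}` blocks, checked against any value that originates from a parsed upload.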
@@ -2036,5 +2059,6 @@ other-js-tricks.md - [From "Low-Impact" RXSS to Credential Stealer: A JS-in-JS Walkthrough](https://r3verii.github.io/bugbounty/2025/08/25/rxss-credential-stealer.html) - [MDN eval()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) - [CAPIG XSS: postMessage origin trust becomes a script loader + backend JS concatenation enables supply-chain stored XSS](https://ysamm.com/uncategorized/2026/01/13/capig-xss.html) +- [MobSF stored XSS via manifest analysis (unsafe Django safe sink)](https://github.com/advisories/GHSA-8hf7-h89p-3pqj) {{#include ../../banners/hacktricks-training.md}}
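Review bot: The new reference entry names MobSF and a GHSA advisory, but the section added in the first hunk never says that its "Example flow" snippet (`getAttribute(f'{ns}:host')`, `dialer_code_found`) is MobSF's manifest analysis, so a reader cannot connect the two. Name the project where the section introduces the example, or link the advisory inline there, the way the CAPIG item above is both named in its section and listed here; an unattributed code excerpt that is only identifiable through the reference list is easy to misread as a generic pattern rather than a reported vulnerability in a specific tool.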