Glossary

Stored XSS


Stored XSS (persistent cross-site scripting) occurs when an attacker can save malicious JavaScript code inside a web application, for example in a comment field, a forum post, or a user profile. The code is then delivered by the application itself, so every user whose browser loads the affected page executes it without noticing. Unlike reflected XSS, where the payload has to be carried in each individual request, stored XSS persists on the server and can reach many victims from a single injection. Stored XSS is prevented by consistently encoding untrusted data at output time, for the context it is written into, and by a Content Security Policy (CSP) as a second layer of defence. In an ISMS, stored XSS counts among the critical web-application vulnerabilities and is covered by SAST, DAST, and penetration testing.
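The following is an added example and not code from the glossary page: a minimal comment store that persists user text once and serves it to every later visitor, rendered once without encoding (the vulnerable form) and once with HTML output encoding (the hardened form), plus a CSP header as the defence-in-depth layer the entry mentions. All names (`commentStore`, `saveComment`, `escapeHtml`, `renderPageUnsafe`, `renderPageSafe`, `cspHeader`, `containsScriptTag`) and the sample comments are constructed for this illustration.

```javascript
// Added example (not from the glossary page). Names and sample data below are
// hypothetical and constructed for the illustration.

// Stands in for the application's database: a comment saved once is served to
// every subsequent visitor, which is what makes stored XSS persistent.
const commentStore = [];

function saveComment(author, body) {
  // No input filtering on purpose: the defence belongs at output time, because
  // the same stored text may later be rendered in several different contexts.
  commentStore.push({ author, body });
}

// Output encoding for the HTML body / attribute-value context. Every character
// that can start or terminate markup is replaced by its entity. Ampersand goes
// first so that already-produced entities are not double-encoded.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// VULNERABLE: stored text is concatenated straight into the HTML response, so
// any markup a user saved becomes part of the page for everyone who views it.
function renderPageUnsafe() {
  return commentStore
    .map(c => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join('');
}

// HARDENED: every untrusted value is encoded for the context it lands in.
// The stored text is unchanged; only its rendering differs.
function renderPageSafe() {
  return commentStore
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('');
}

// Content Security Policy sent with the page as defence in depth: inline
// scripts are refused by the browser even if an encoding bug lets markup
// through. The nonce is a placeholder here; a real server generates a fresh,
// unpredictable nonce for each response.
function cspHeader(nonce) {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; ` +
         `object-src 'none'; base-uri 'none'`;
}

// Simple check used in a test or a DAST-style assertion: did a raw <script>
// element survive into the rendered HTML?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample data: one benign comment and one saved by a hostile user.
saveComment('alice', 'Great article, thanks!');
saveComment('mallory', 'Nice post <script>/* attacker-controlled code */</script>');

console.log('unsafe render contains <script>:', containsScriptTag(renderPageUnsafe()));
console.log('safe render contains <script>:  ', containsScriptTag(renderPageSafe()));
console.log('CSP header:', cspHeader('placeholder-nonce'));
```

The point to take from the two renderers is that the stored comment is identical in both cases; the difference is entirely in whether the output step encodes it for the HTML context. Encoding is context-specific (HTML body, attribute, URL, and JavaScript contexts each need their own encoder), which is why a single input-side filter is not a substitute. The CSP header does not fix the bug, but with a per-response nonce it prevents an injected inline script from running if the encoding is ever missed.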