diff --git a/README.md b/README.md
index ba0777a24..388db71d5 100755
--- a/README.md
+++ b/README.md
@@ -157,7 +157,7 @@ Check the [GitHub Issues](https://github.com/netalertx/NetAlertX/issues) for the
 ## Everything else
 <!--- --------------------------------------------------------------------- --->
 
-<a href="https://trendshift.io/repositories/12670" target="_blank"><img src="https://trendshift.io/api/badge/repositories/12670" alt="jokob-sk%2FNetAlertX | Trendshift" style="width: 250px; height: 55px;" width="250" height="55"/></a>
+<a href="https://trendshift.io/repositories/19712" target="_blank"><img src="https://trendshift.io/api/badge/repositories/19712" alt="jokob-sk%2FNetAlertX | Trendshift" style="width: 250px; height: 55px;" width="250" height="55"/></a>
 
 ### 📧 Get notified what's new
 
@@ -170,6 +170,7 @@ Get notified about a new release, what new functionality you can use and about b
 - [Fing](https://www.fing.com/) - Network scanner app for your Internet security (Commercial, Phone App, Proprietary hardware)
 - [NetBox](https://netboxlabs.com/) - The gold standard for Network Source of Truth (NSoT) and IPAM.
 - [Zabbix](https://www.zabbix.com/) or [Nagios](https://www.nagios.org/) - Strong focus on infrastructure monitoring.
+- [Domotz](https://www.domotz.com/) - Commercial network monitoring and remote management platform aimed at MSPs, IT teams, and multi-site environments.
 - [NetAlertX](https://netalertx.com) - The streamlined, discovery-focused choice for real-time asset intelligence and noise-free alerting.
 
 ### 💙 Donations
diff --git a/back/app.conf b/back/app.conf
index 95fcf24f9..4add3c212 100755
--- a/back/app.conf
+++ b/back/app.conf
@@ -30,6 +30,7 @@ REPORT_DASHBOARD_URL='update_REPORT_DASHBOARD_URL_setting'
 INTRNT_RUN='schedule'
 ARPSCAN_RUN='schedule'
 NSLOOKUP_RUN='before_name_updates'
+DIGSCAN_RUN='before_name_updates'
 AVAHISCAN_RUN='before_name_updates'
 NBTSCAN_RUN='before_name_updates'
 
diff --git a/docs/ADVISORY_EYES_ON_GLASS.md b/docs/ADVISORY_EYES_ON_GLASS.md
index ace8f0dcc..41803b762 100644
--- a/docs/ADVISORY_EYES_ON_GLASS.md
+++ b/docs/ADVISORY_EYES_ON_GLASS.md
@@ -4,6 +4,9 @@ For Managed Service Providers (MSPs) and Network Operations Centers (NOC), "Eyes
 
 ![filters](./img/ADVISORIES/filters.png)
 
+> [!TIP]
+> If you are using Grafana check the `/metrics` endpoint that exposes **Prometheus-compatible metrics** for NetAlertX, including aggregate device counts and per-device status. See the [Metrics API endpoint](./API_METRICS.md) documentation for details.
+
 ---
 
 ### 1. Configure Auto-Refresh for Live Monitoring
diff --git a/docs/ADVISORY_MULTI_NETWORK.md b/docs/ADVISORY_MULTI_NETWORK.md
index 7a0dd0948..b56f58aef 100644
--- a/docs/ADVISORY_MULTI_NETWORK.md
+++ b/docs/ADVISORY_MULTI_NETWORK.md
@@ -12,20 +12,25 @@ Effective multi-network monitoring starts with understanding how NetAlertX "sees
 * **Manual Entry:** For static assets where only ICMP (ping) status is needed.
 
 > [!TIP]
-> Explore the [remote networks](./REMOTE_NETWORKS.md) documentation for more details on how to set up the approaches menationed above.
+> Explore the [remote networks](./REMOTE_NETWORKS.md) documentation for more details on how to set up the approaches mentioned above.
 
 ---
 
 ### 2. Automating IT Asset Inventory with Workflows
 
-[Workflows](./WORKFLOWS.md) are the "engine" of NetAlertX, reducing manual overhead as your device list grows.
+[Workflows](./WORKFLOWS.md) are the "engine" of NetAlertX, reducing manual overhead as your device list grows. See some examples below:
+
+#### A. Logical Ownership & VLAN Tagging
+
+Create a workflow triggered on **Device Creation** to:
 
-* **A. Logical Ownership & VLAN Tagging:** Create a workflow triggered on **Device Creation** to:
 1. Inspect the IP/Subnet.
 2. Set `devVlan` or `devOwner` custom fields automatically.
 
+#### B. Auto-Grouping:
+
+Use conditional logic to categorize devices.
 
-* **B. Auto-Grouping:** Use conditional logic to categorize devices.
 * *Example:* If `devLastIP == 10.10.20.*`, then `Set devLocation = "BranchOffice"`.
 
 ```json
@@ -56,9 +61,9 @@ Effective multi-network monitoring starts with understanding how NetAlertX "sees
   ]
 }
 ```
+#### C. Sync Node Tracking
 
-
-* **C. Sync Node Tracking:** When using multiple instances, ensure all synchub nodes have a descriptive `SYNC_node_name` name to distinguish between sites.
+When using multiple instances, ensure all sync hub nodes have a descriptive `SYNC_node_name` name to distinguish between sites.
 
 > [!TIP]
 > Always test new workflows in a "Staging" instance. A misconfigured workflow can trigger thousands of unintended updates across your database.
@@ -107,6 +112,7 @@ As your environment grows, tuning the underlying engine is vital to maintain a s
 * **Plugin Scheduling:** Avoid "Scan Storms" by staggering plugin execution. Running intensive tasks like `NMAP` or `MASS_DNS` simultaneously can spike CPU and cause database locks.
 * **Database Health:** Large-scale monitoring generates massive event logs. Use the **[DBCLNP (Database Cleanup)](https://www.google.com/search?q=https://docs.netalertx.com/PLUGINS/%23dbclnp)** plugin to prune old records and keep the SQLite database performant.
 * **Resource Management:** For high-device counts, consider increasing the memory limit for the container and utilizing `tmpfs` for temporary files to reduce SD card/disk I/O bottlenecks.
+* Enable the `DEEP_SLEEP` setting.
 
 > [!IMPORTANT]
 > For a deep dive into hardware requirements, database vacuuming, and specific environment variables for high-load instances, refer to the full **[Performance Optimization Guide](https://docs.netalertx.com/PERFORMANCE/)**.
diff --git a/docs/PLUGINS_DEV_UI_COMPONENTS.md b/docs/PLUGINS_DEV_UI_COMPONENTS.md
index 663f52e0f..ef2d75fdf 100644
--- a/docs/PLUGINS_DEV_UI_COMPONENTS.md
+++ b/docs/PLUGINS_DEV_UI_COMPONENTS.md
@@ -7,6 +7,7 @@ Configure how your plugin's data is displayed in the NetAlertX web interface.
 Plugin results are displayed in the UI via the **Plugins page** and **Device details tabs**. You control the appearance and functionality of these displays by defining `database_column_definitions` in your plugin's `config.json`.
 
 Each column definition specifies:
+
 - Which data field to display
 - How to render it (label, link, color-coded badge, etc.)
 - What CSS classes to apply
@@ -275,6 +276,7 @@ Replaces specific values with display strings or HTML.
 ```
 
 **Output Examples:**
+
 - `"online"` → 🟢 Online
 - `"offline"` → 🔴 Offline
 - `"idle"` → 🟡 Idle
diff --git a/docs/WORKFLOW_EXAMPLES.md b/docs/WORKFLOW_EXAMPLES.md
index a6c1b3f06..5f5da444b 100755
--- a/docs/WORKFLOW_EXAMPLES.md
+++ b/docs/WORKFLOW_EXAMPLES.md
@@ -45,22 +45,22 @@ Sometimes devices are manually archived (e.g., no longer expected on the network
   ],
   "enabled": "Yes"
 }
-```
+````
 
 ### 🔍 Explanation
 
-    - Trigger: Listens for updates to device records.
-    - Conditions:
-        - `devIsArchived` is `1` (archived).
-        - `devPresentLastScan` is `1` (device was detected in the latest scan).
-    - Action: Updates the device to set `devIsArchived` to `0` (unarchived).
+* **Trigger**: Listens for updates to device records.
+* **Conditions**:
 
-### ✅ Result
+  * `devIsArchived` is `1` (archived).
+  * `devPresentLastScan` is `1` (device was detected in the latest scan).
+* **Action**:
 
-Whenever a previously archived device shows up during a network scan, it will be automatically unarchived — allowing it to reappear in your device lists and dashboards.
+  * Updates the device to set `devIsArchived` to `0` (unarchived).
 
+### ✅ Result
 
-Here is your updated version of **Example 2** and **Example 3**, fully aligned with the format and structure of **Example 1** for consistency and professionalism:
+Whenever a previously archived device shows up during a network scan, it will be automatically unarchived — allowing it to reappear in your device lists and dashboards.
 
 ---
 
@@ -107,7 +107,7 @@ When new devices join your network, assigning them to the correct network node i
 ### 🔍 Explanation
 
 * **Trigger**: Activates when a new device is added.
-* **Condition**:
+* **Conditions**:
 
   * `devLastIP` contains `192.168.1.` (matches subnet).
 * **Action**:
@@ -173,12 +173,12 @@ You may want to automatically clear out newly detected Google devices (such as C
 * **Trigger**: Runs on device updates.
 * **Conditions**:
 
-  * Vendor contains `Google`.
-  * Device is marked as new (`devIsNew` is `1`).
+  * `devVendor` contains `Google`.
+  * `devIsNew` is `1` (device marked as new).
 * **Actions**:
 
-  1. Set `devIsNew` to `0` (mark as not new).
-  2. Delete the device.
+  1. Sets `devIsNew` to `0` (mark as not new).
+  2. Deletes the device.
 
 ### ✅ Result
 
diff --git a/front/css/app.css b/front/css/app.css
index df77fc02e..24bbdf6b6 100755
--- a/front/css/app.css
+++ b/front/css/app.css
@@ -1417,6 +1417,7 @@ textarea[readonly],
     grid-template-columns: repeat(auto-fit, minmax(125px, 1fr));
     gap: 0.75em;
     padding: 0.5em 0;
+    padding-top: 0;
 }
 
 #columnFilters::before,
diff --git a/front/deviceDetails.php b/front/deviceDetails.php
index 6c0a1180b..050672641 100755
--- a/front/deviceDetails.php
+++ b/front/deviceDetails.php
@@ -307,7 +307,10 @@ function updateChevrons(currentMac) {
       pos = refreshedList.findIndex(item => item.devMac === currentMac);
 
       if (pos === -1) {
-        console.error('Still not found after re-cache:', currentMac);
+        console.warn('Device not found in device list after re-cache — hiding navigation controls:', currentMac);
+        $('#txtRecord').hide();
+        $('#btnPrevious').hide();
+        $('#btnNext').hide();
         return;
       }
 
@@ -499,26 +502,9 @@ function initializeTabs () {
     }
 }
 
-function updateDevicePageName(mac) {
-  let name = getDevDataByMac(mac, "devName");
-  let owner = getDevDataByMac(mac, "devOwner");
-
-  // If data is missing, re-cache and retry once
-  if (mac != 'new' && (name === null|| owner === null)) {
-    console.warn("Device not found in cache, retrying after re-cache:", mac);
-    showSpinner();
-    cacheDevices(true).then(() => {
-      hideSpinner();
-      // Retry after successful cache
-      updateDevicePageName(mac);
-    }).catch((err) => {
-      hideSpinner();
-      console.error("Failed to refresh devices:", err);
-    });
-    return; // Exit early to avoid showing bad data
-  }
-
-  // Page title - Name
+// ----------------------------------------
+// Write device name/owner into page title DOM. Pure DOM side-effect, no data fetching.
+function applyDevicePageTitle(mac, name, owner) {
   let pageTitleText;
 
   if (mac === "new") {
@@ -530,12 +516,12 @@ function updateDevicePageName(mac) {
           `<i class="fa fa-circle-info"></i> ` + getString("Gen_create_new_device_info")
       );
       $('#devicePageInfoPlc').show();
-  } else if (!owner || name.toString().includes(owner)) {
-      pageTitleText = name;
+  } else if (!owner || (name && name.toString().includes(owner))) {
+      pageTitleText = encodeSpecialChars(name ?? getString("DevDetail_EveandAl_NewDevice"));
       $('#pageTitle').html(pageTitleText);
       $('#devicePageInfoPlc').hide();
   } else {
-      pageTitleText = `${name} (${owner})`;
+      pageTitleText = `${encodeSpecialChars(name ?? getString("DevDetail_EveandAl_NewDevice"))} (${encodeSpecialChars(owner)})`;
       $('#pageTitle').html(pageTitleText);
       $('#devicePageInfoPlc').hide();
   }
@@ -544,6 +530,53 @@ function updateDevicePageName(mac) {
   $('title').html(pageTitleText + ' - ' + $('title').html());
 }
 
+// ----------------------------------------
+// Resolve device name/owner for the page title.
+// Stage 1: localStorage cache (synchronous, fast path).
+// Stage 2: one forced re-cache from table_devices.json.
+// Stage 3: REST API fallback so a direct-link visit never loops.
+async function updateDevicePageName(mac) {
+  let name  = getDevDataByMac(mac, "devName");
+  let owner = getDevDataByMac(mac, "devOwner");
+
+  // Stage 2: one re-cache attempt
+  if (mac !== 'new' && name === null) {
+    console.warn("Device not in cache, attempting re-cache:", mac);
+    showSpinner();
+    try {
+      await cacheDevices(true);
+    } catch (err) {
+      console.error("Re-cache failed:", err);
+    } finally {
+      hideSpinner();
+    }
+    name  = getDevDataByMac(mac, "devName");
+    owner = getDevDataByMac(mac, "devOwner");
+  }
+
+  // Stage 3: REST fallback — same endpoint renderSmallBoxes uses, always DB-direct
+  if (mac !== 'new' && name === null) {
+    console.warn("Device not found in cache after re-cache, falling back to REST API:", mac);
+    try {
+      const { apiBase, authHeader } = getAuthContext();
+      const res = await fetch(`${apiBase}/device/${encodeURIComponent(mac)}`, {
+        headers: authHeader
+      });
+      if (res.ok) {
+        const data = await res.json();
+        name  = data.devName  ?? null;
+        owner = data.devOwner ?? null;
+      } else {
+        console.error("REST fallback for device name returned:", res.status);
+      }
+    } catch (err) {
+      console.error("REST fallback error:", err);
+    }
+  }
+
+  applyDevicePageTitle(mac, name, owner);
+}
+
 
 //-----------------------------------------------------------------------------------
 
diff --git a/front/deviceDetailsEdit.php b/front/deviceDetailsEdit.php
index 542f2a595..6c70ac4b3 100755
--- a/front/deviceDetailsEdit.php
+++ b/front/deviceDetailsEdit.php
@@ -236,6 +236,7 @@ function getDeviceData() {
                   // console.log(setting.setKey);
                   // console.log(fieldData);
 
+
                   // Additional form elements like the random MAC address button for devMac
                   let inlineControl = "";
                   // handle random mac
@@ -329,6 +330,11 @@ function getDeviceData() {
                     fieldOptionsOverride = fieldDataNew;
                   }
 
+                  // XSS prevention - encode special characters for string fields, but not for arrays (like children dynamic)
+                  // Don't move above the handle devChildrenDynamic block because it relies on the original fieldData to generate options
+                  fieldData = encodeSpecialChars(fieldData);
+                  // console.log(fieldData);
+
                   // Generate the input field HTML
                   const inputFormHtml = `<div class="form-group col-xs-12">
                         <label id="${setting.setKey}_label" class="${obj.labelClasses}" > ${setting.setName}
diff --git a/front/deviceDetailsSessions.php b/front/deviceDetailsSessions.php
index 837a89717..0d8c7664c 100755
--- a/front/deviceDetailsSessions.php
+++ b/front/deviceDetailsSessions.php
@@ -56,9 +56,6 @@ function initializeSessionsDatatable (sessionsRows) {
 
             if (!cellData.includes("missing event") && !cellData.includes("..."))
             {
-              if (cellData.includes("+")) { // Check if timezone offset is present
-                cellData = cellData.split('+')[0]; // Remove timezone offset
-              }
               // console.log(cellData);
               result = localizeTimestamp(cellData);
             } else
diff --git a/front/devices.php b/front/devices.php
index ac88b622e..3a7b2cbde 100755
--- a/front/devices.php
+++ b/front/devices.php
@@ -883,40 +883,41 @@ function initializeDatatable (status) {
       {orderData: [mapIndx(COL.devIpLong)],  targets: mapIndx(COL.devLastIP) },
 
       // Device Name and FQDN
+      // Use `render` (not `createdCell`) so the HTML is built before DataTables
+      // sets td.innerHTML – preventing raw cellData from being parsed as HTML.
       {targets: [mapIndx(COL.devName), mapIndx(COL.devFQDN)],
-        'createdCell': function (td, cellData, rowData, row, col) {
-
-            // console.log(cellData)
+        'render': function (data, type, row) {
+            if (type !== 'display') {
+                return data; // raw value for sort / filter / type detection
+            }
 
-            var displayedValue = cellData;
+            var displayedValue = encodeSpecialChars(data);
 
-            if(isEmpty(displayedValue))
-            {
-              displayedValue = "N/A"
+            if (isEmpty(displayedValue)) {
+                displayedValue = "N/A";
             }
-            $(td).html (
-              `<b class="anonymizeDev "
-              >
-                <a href="deviceDetails.php?mac=${rowData[mapIndx(COL.devMac)]}" class="hover-node-info"
-                  data-name="${displayedValue}"
-                  data-ip="${rowData[mapIndx(COL.devLastIP)]}"
-                  data-mac="${rowData[mapIndx(COL.devMac)]}"
-                  data-vendor="${rowData[mapIndx(COL.devVendor)]}"
-                  data-type="${rowData[mapIndx(COL.devType)]}"
-                  data-firstseen="${rowData[mapIndx(COL.devFirstConnection)]}"
-                  data-lastseen="${rowData[mapIndx(COL.devLastConnection)]}"
-                  data-relationship="${rowData[mapIndx(COL.devParentRelType)]}"
-                  data-status="${rowData[mapIndx(COL.devStatus)]}"
-                  data-present="${rowData[mapIndx(COL.devPresentLastScan)]}"
-                  data-alertdown="${rowData[mapIndx(COL.devAlertDown)]}"
-                  data-flapping="${rowData[mapIndx(COL.devFlapping)]}"
-                  data-sleeping="${rowData[COL_EXTRA.devIsSleeping] || 0}"
-                  data-archived="${rowData[COL_EXTRA.devIsArchived] || 0}"
-                  data-isnew="${rowData[COL_EXTRA.devIsNew]    || 0}"
-                  data-icon="${rowData[mapIndx(COL.devIcon)]}">
-                ${displayedValue}
-                </a>
-              </b>`
+
+            return (
+              `<b class="anonymizeDev ">` +
+                `<a href="deviceDetails.php?mac=${row[mapIndx(COL.devMac)]}" class="hover-node-info"` +
+                  ` data-name="${displayedValue}"` +
+                  ` data-ip="${row[mapIndx(COL.devLastIP)]}"` +
+                  ` data-mac="${row[mapIndx(COL.devMac)]}"` +
+                  ` data-vendor="${row[mapIndx(COL.devVendor)]}"` +
+                  ` data-type="${row[mapIndx(COL.devType)]}"` +
+                  ` data-firstseen="${row[mapIndx(COL.devFirstConnection)]}"` +
+                  ` data-lastseen="${row[mapIndx(COL.devLastConnection)]}"` +
+                  ` data-relationship="${row[mapIndx(COL.devParentRelType)]}"` +
+                  ` data-status="${row[mapIndx(COL.devStatus)]}"` +
+                  ` data-present="${row[mapIndx(COL.devPresentLastScan)]}"` +
+                  ` data-alertdown="${row[mapIndx(COL.devAlertDown)]}"` +
+                  ` data-flapping="${row[mapIndx(COL.devFlapping)]}"` +
+                  ` data-sleeping="${row[COL_EXTRA.devIsSleeping] || 0}"` +
+                  ` data-archived="${row[COL_EXTRA.devIsArchived] || 0}"` +
+                  ` data-isnew="${row[COL_EXTRA.devIsNew] || 0}"` +
+                  ` data-icon="${row[mapIndx(COL.devIcon)]}"` +
+                `>${displayedValue}</a>` +
+              `</b>`
             );
       } },
 
diff --git a/front/events.php b/front/events.php
index 4aa943dd3..f31c988f5 100755
--- a/front/events.php
+++ b/front/events.php
@@ -167,9 +167,11 @@ function initializeDatatable() {
       { targets: [0,5,6,7,8,10,11,12,13], visible: false },
       { targets: [7], orderData: [8] },
       { targets: [9], orderData: [10] },
-      { targets: [1], createdCell: (td, cellData, rowData) => {
-          // Device column as link
-          $(td).html(`<b><a href="deviceDetails.php?mac=${rowData[13]}">${cellData}</a></b>`);
+      // Use `render` (not `createdCell`) so encodeSpecialChars runs before
+      // DataTables sets td.innerHTML, preventing devName XSS execution.
+      { targets: [1], render: function (data, type, row) {
+          if (type !== 'display') { return data; }
+          return `<b><a href="deviceDetails.php?mac=${row[13]}">${encodeSpecialChars(data)}</a></b>`;
       }},
       { targets: [3], createdCell: (td, cellData) => $(td).html(localizeTimestamp(cellData)) },
       { targets: [4,5,6,7], createdCell: (td, cellData) => $(td).html(translateHTMLcodes(cellData)) }
diff --git a/front/js/common.js b/front/js/common.js
index c72afb54a..3ae3803b3 100755
--- a/front/js/common.js
+++ b/front/js/common.js
@@ -357,23 +357,67 @@ function isValidJSON(jsonString) {
 }
 
 // ----------------------------------------------------
-// method to sanitize input so that HTML and other things don't break
+/**
+ * Encode special HTML characters into HTML entities.
+ *
+ * Prevents HTML injection/XSS when displaying untrusted text
+ * inside HTML content contexts.
+ *
+ * Example:
+ *   <script> -> &lt;script&gt;
+ *
+ * Note:
+ * - Intended for HTML text contexts only
+ * - Prefer using textContent or jQuery .text() when possible
+ * - Do NOT use as the sole protection for inline JS, URLs, CSS,
+ *   or unsafe innerHTML usage
+ *
+ * @param {*} str - Value to encode
+ * @returns {string} Encoded safe HTML string
+ */
 function encodeSpecialChars(str) {
-  return str
-      .replace(/&/g, '&amp;')
-      .replace(/</g, '&lt;')
-      .replace(/>/g, '&gt;')
-      .replace(/"/g, '&quot;')
-      .replace(/'/g, '&#039;');
+
+    if (str === null || str === undefined) {
+        return '';
+    }
+
+    str = String(str);
+
+    return str
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#039;');
 }
 // ----------------------------------------------------
+/**
+ * Decode HTML entities back into normal characters.
+ *
+ * Example:
+ *   &lt;script&gt; -> <script>
+ *
+ * Warning:
+ * Decoding untrusted content and later inserting it into
+ * innerHTML or other HTML contexts can reintroduce XSS risks.
+ *
+ * @param {*} str - Value to decode
+ * @returns {string} Decoded string
+ */
 function decodeSpecialChars(str) {
-  return str
-      .replace(/&amp;/g, '&')
-      .replace(/&lt;/g, '<')
-      .replace(/&gt;/g, '>')
-      .replace(/&quot;/g, '"')
-      .replace(/&#039;/g, '\'');
+
+    if (str === null || str === undefined) {
+        return '';
+    }
+
+    str = String(str);
+
+    return str
+        .replace(/&amp;/g, '&')
+        .replace(/&lt;/g, '<')
+        .replace(/&gt;/g, '>')
+        .replace(/&quot;/g, '"')
+        .replace(/&#039;/g, '\'');
 }
 
 // ----------------------------------------------------
@@ -473,7 +517,7 @@ function createDeviceLink(input)
 {
   if(checkMacOrInternet(input))
   {
-    return `<span class="anonymizeMac"><a href="/deviceDetails.php?mac=${input}" target="_blank">${getDevDataByMac(input, "devName")}</a><span>`
+    return `<span class="anonymizeMac"><a href="/deviceDetails.php?mac=${input}" target="_blank">${encodeSpecialChars(getDevDataByMac(input, "devName"))}</a><span>`
   }
 
   return input;
diff --git a/front/js/network-api.js b/front/js/network-api.js
index ab3750053..598e04f2d 100644
--- a/front/js/network-api.js
+++ b/front/js/network-api.js
@@ -134,7 +134,7 @@ function loadDeviceTable({ sql, containerSelector, tableId, wrapperHtml = null,
           width: '15%',
           render: function (name, type, device) {
             return `<a href="./deviceDetails.php?mac=${device.devMac}" target="_blank">
-                      <b class="anonymize">${name || '-'}</b>
+                      <b class="anonymize">${encodeSpecialChars(name || '-')}</b>
                     </a>`;
           }
         },
diff --git a/front/js/network-tabs.js b/front/js/network-tabs.js
index 855ba9e08..708af6839 100644
--- a/front/js/network-tabs.js
+++ b/front/js/network-tabs.js
@@ -18,9 +18,9 @@ function renderNetworkTabs(nodes) {
 
     html += `
       <li class="networkNodeTabHeaders ${i === 0 ? 'active' : ''}">
-        <a href="#${id}" data-mytabmac="${node.devMac}" id="${id}_id" data-toggle="tab" title="${node.devName}">
+        <a href="#${id}" data-mytabmac="${node.devMac}" id="${id}_id" data-toggle="tab" title="${encodeSpecialChars(node.devName)}">
           <div class="icon ${iconClass}">${icon}</div>
-          <span class="node-name">${node.devName}</span>${portLabel}
+          <span class="node-name">${encodeSpecialChars(node.devName)}</span>${portLabel}
         </a>
       </li>`;
   });
@@ -66,7 +66,7 @@ function renderNetworkTabContent(nodes) {
                 <div class="mb-3 row">
                   <label class="col-sm-3 col-form-label fw-bold">${getString('DevDetail_Tab_Details')}</label>
                   <div class="col-sm-9">
-                    <a href="./deviceDetails.php?mac=${node.devMac}" target="_blank" class="anonymize">${node.devName}</a>
+                    <a href="./deviceDetails.php?mac=${node.devMac}" target="_blank" class="anonymize">${encodeSpecialChars(node.devName)}</a>
                   </div>
                 </div>
 
@@ -90,7 +90,7 @@ function renderNetworkTabContent(nodes) {
                   <div class="col-sm-9">
                     ${isRootNode ? '' : `<a class="anonymize" href="#">`}
                       <span my-data-mac="${node.devParentMAC}" data-mac="${node.devParentMAC}" data-devIsNetworkNodeDynamic="1" onclick="handleNodeClick(this)">
-                        ${isRootNode ? getString('Network_Root') : getDevDataByMac(node.devParentMAC, "devName")}
+                        ${isRootNode ? getString('Network_Root') : encodeSpecialChars(getDevDataByMac(node.devParentMAC, "devName"))}
                       </span>
                     ${isRootNode ? '' : `</a>`}
                   </div>
diff --git a/front/js/network-tree.js b/front/js/network-tree.js
index 77bb3f392..0f8f4f2f6 100644
--- a/front/js/network-tree.js
+++ b/front/js/network-tree.js
@@ -278,7 +278,7 @@ function initTree(myHierarchy)
                               onclick="handleNodeClick(this)"
                               data-mac="${nodeData.data.devMac}"
                               data-parentMac="${nodeData.data.devParentMAC}"
-                              data-name="${nodeData.data.devName}"
+                              data-name="${encodeSpecialChars(nodeData.data.devName)}"
                               data-ip="${nodeData.data.devLastIP}"
                               data-mac="${nodeData.data.devMac}"
                               data-vendor="${nodeData.data.devVendor}"
@@ -298,7 +298,7 @@ function initTree(myHierarchy)
                           >
                             <div class="netNodeText">
                               <strong><span>${devicePort}  <span class="${badgeConf.cssText}">${deviceIcon}</span></span>
-                                <span class="spanNetworkTree anonymizeDev" style="width:${nodeWidthPx-50}px">${nodeData.data.devName}</span>
+                                <span class="spanNetworkTree anonymizeDev" style="width:${nodeWidthPx-50}px">${encodeSpecialChars(nodeData.data.devName)}</span>
                                 ${networkHardwareIcon}
                               </strong>
                             </div>
diff --git a/front/js/settings_utils.js b/front/js/settings_utils.js
index 2c64e92a5..ec6d00bc1 100755
--- a/front/js/settings_utils.js
+++ b/front/js/settings_utils.js
@@ -770,7 +770,7 @@ function reverseTransformers(val, transformers) {
         break;
       case "deviceChip":
         mac = val  // value is mac
-        val =  `${getDevDataByMac(mac, "devName")}`
+        val =  encodeSpecialChars(getDevDataByMac(mac, "devName"))
         break;
       case "deviceRelType":
         val =  val; // nothing to do
@@ -961,7 +961,7 @@ function generateOptions(options, valuesArray, targetField, transformers, placeh
     // Always include selected if options are used as a source
     let selected = options.length !== 0 && valuesArray.includes(item.id) ? 'selected' : '';
 
-    optionsHtml += `<option class="${cssClass}" value="${item.id}" ${selected}>${labelName}</option>`;
+    optionsHtml += `<option class="${cssClass}" value="${encodeSpecialChars(item.id)}" ${selected}>${encodeSpecialChars(labelName)}</option>`;
   });
 
 
diff --git a/front/js/ui_components.js b/front/js/ui_components.js
index d7cb7f71f..1cd0a863d 100755
--- a/front/js/ui_components.js
+++ b/front/js/ui_components.js
@@ -997,7 +997,7 @@ function renderDeviceLink(data, container, useName = false) {
     <a href="${badge.url}" target="_blank">
       <span class="custom-chip">
         <span class="iconPreview">${atob(device.devIcon)}</span>
-        ${useName ? device.devName : data.text}
+        ${useName ? encodeSpecialChars(device.devName) : data.text}
         <span>
           (${badge.iconHtml})
         </span>
@@ -1063,7 +1063,7 @@ function initHoverNodeInfo() {
 
       const html = `
         <div>
-          <b> <div class="iconPreview">${atob(icon)}</div> </b><b class="devName"> ${name}</b><br>
+          <b> <div class="iconPreview">${atob(icon)}</div> </b><b class="devName"> ${encodeSpecialChars(name)}</b><br>
         </div>
         <hr/>
         <div class="line">
diff --git a/front/lib/datatables/datatables.js b/front/lib/datatables/datatables.js
index 2027407d0..168f9fe85 100755
--- a/front/lib/datatables/datatables.js
+++ b/front/lib/datatables/datatables.js
@@ -10832,7 +10832,8 @@ if (typeof jQuery === 'undefined') {
       selector = selector && selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7
     }
 
-    var $parent = $(selector === '#' ? [] : selector)
+    selector    = selector === '#' ? [] : selector
+    var $parent = $(document).find(selector)
 
     if (e) e.preventDefault()
 
@@ -11228,9 +11229,15 @@ if (typeof jQuery === 'undefined') {
   // =================
 
   var clickHandler = function (e) {
-    var href
     var $this   = $(this)
-    var $target = $($this.attr('data-target') || (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
+    var href    = $this.attr('href')
+    if (href) {
+      href = href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
+    }
+
+    var target  = $this.attr('data-target') || href
+    var $target = $(document).find(target)
+
     if (!$target.hasClass('carousel')) return
     var options = $.extend({}, $target.data(), $this.data())
     var slideIndex = $this.attr('data-slide-to')
@@ -11420,7 +11427,7 @@ if (typeof jQuery === 'undefined') {
     var target = $trigger.attr('data-target')
       || (href = $trigger.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
 
-    return $(target)
+    return $(document).find(target)
   }
 
 
@@ -11502,7 +11509,7 @@ if (typeof jQuery === 'undefined') {
       selector = selector && /#[A-Za-z]/.test(selector) && selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7
     }
 
-    var $parent = selector && $(selector)
+    var $parent = selector && $(document).find(selector)
 
     return $parent && $parent.length ? $parent : $this.parent()
   }
@@ -11961,7 +11968,10 @@ if (typeof jQuery === 'undefined') {
   $(document).on('click.bs.modal.data-api', '[data-toggle="modal"]', function (e) {
     var $this   = $(this)
     var href    = $this.attr('href')
-    var $target = $($this.attr('data-target') || (href && href.replace(/.*(?=#[^\s]+$)/, ''))) // strip for ie7
+    var target  = $this.attr('data-target') ||
+      (href && href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
+
+    var $target = $(document).find(target)
     var option  = $target.data('bs.modal') ? 'toggle' : $.extend({ remote: !/#/.test(href) && href }, $target.data(), $this.data())
 
     if ($this.is('a')) e.preventDefault()
diff --git a/front/lib/moment/moment.js b/front/lib/moment/moment.js
index 1b129716a..a7eb86dee 100755
--- a/front/lib/moment/moment.js
+++ b/front/lib/moment/moment.js
@@ -1842,11 +1842,16 @@
         return globalLocale;
     }
 
+    function isLocaleNameSane(name) {
+        // Prevent names that look like filesystem paths, i.e contain '/' or '\'
+        return name.match('^[^/\\\\]*$') != null;
+    }
+
     function loadLocale(name) {
         var oldLocale = null;
         // TODO: Find a better way to register and load all the locales in Node
         if (!locales[name] && (typeof module !== 'undefined') &&
-                module && module.exports) {
+                module && module.exports && isLocaleNameSane(name)) {
             try {
                 oldLocale = globalLocale._abbr;
                 var aliasedRequire = require;
@@ -2294,7 +2299,7 @@
 
     function preprocessRFC2822(s) {
         // Remove comments and folding whitespace and replace multiple-spaces with a single space
-        return s.replace(/\([^)]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').replace(/^\s\s*/, '').replace(/\s\s*$/, '');
+        return s.replace(/\((?:(?!\().)*\)|[\n\t]/gs, ' ').replace(/(\s\s+)/g, ' ').replace(/^\s\s*/, '').replace(/\s\s*$/, '');
     }
 
     function checkWeekday(weekdayStr, parsedInput, config) {
diff --git a/front/multiEditCore.php b/front/multiEditCore.php
index 99be41cba..2e447431d 100755
--- a/front/multiEditCore.php
+++ b/front/multiEditCore.php
@@ -251,7 +251,7 @@ function initDeviceSelectors() {
         $select.append(
             devicesList
                 .filter(d => d.devMac && d.devName)
-                .map(d => `<option value="${d.devMac}">${d.devName}</option>`)
+                .map(d => `<option value="${d.devMac}">${encodeSpecialChars(d.devName)}</option>`)
                 .join('')
         ).trigger('change');
     }
diff --git a/front/plugins/dig_scan/config.json b/front/plugins/dig_scan/config.json
index fb39b55df..9c176e7fd 100755
--- a/front/plugins/dig_scan/config.json
+++ b/front/plugins/dig_scan/config.json
@@ -52,7 +52,7 @@
           { "elementType": "select", "elementOptions": [], "transformers": [] }
         ]
       },
-      "default_value": "before_name_updates",
+      "default_value": "disabled",
       "options": [
         "disabled",
         "before_name_updates",
diff --git a/front/plugins/icmp_scan/icmp.py b/front/plugins/icmp_scan/icmp.py
index e5955cd11..91be53111 100755
--- a/front/plugins/icmp_scan/icmp.py
+++ b/front/plugins/icmp_scan/icmp.py
@@ -209,53 +209,83 @@ def expand_subnets(targets):
 
     def run_fping(targets):
         targets = expand_subnets(targets)
+
         if not targets:
             return []
 
-        is_ipv6 = any(':' in t for t in targets)
-        cmd = ["fping", "-a"] + args.split() + targets
-        if is_ipv6:
-            cmd.insert(1, "-6")  # insert -6 after "fping"
+        ipv4_targets = [t for t in targets if ':' not in t]
+        ipv6_targets = [t for t in targets if ':' in t]
 
-        if interfaces:
-            cmd += ["-I", ",".join(interfaces)]
+        def run_family(family_targets, ipv6=False):
+            if not family_targets:
+                return []
 
-        mylog("verbose", [f"[{pluginName}] fping cmd: {' '.join(cmd)}"])
+            interface_list = interfaces if interfaces else [None]
 
-        try:
-            output = subprocess.check_output(
-                cmd,
-                stderr=subprocess.DEVNULL,
-                timeout=timeout,
-                text=True
-            )
-        except subprocess.CalledProcessError as e:
-            output = e.output
-            mylog("none", [f"[{pluginName}] fping returned non-zero exit code, reading alive hosts anyway"])
-        except subprocess.TimeoutExpired:
-            mylog("none", [f"[{pluginName}] fping timeout"])
-            return []
+            all_results = []
+            seen_ips = set()
 
-        results = []
-        for line in output.splitlines():
-            line = line.strip()
-            if not line:
-                continue
-
-            # Skip unreachable, timed out, or 100% packet loss
-            if "unreachable" in line.lower() or "timed out" in line.lower() or "100% loss" in line.lower():
-                mylog("debug", [f"[{pluginName}] fping skipping {line}"])
-                continue
-
-            match = ip_regex.search(line)
-            if match:
-                ip = match.group(0)
-                mylog("debug", [f"[{pluginName}] adding {ip} from {line}"])
-                results.append((ip, line))
-            else:
-                mylog("verbose", [f"[{pluginName}] fping non-parseable {line}"])
+            for interface in interface_list:
+
+                cmd = ["fping", "-a"]
+
+                if ipv6:
+                    cmd.append("-6")
+
+                cmd += args.split()
+
+                if interface:
+                    cmd += ["-I", interface]
+
+                cmd += family_targets
+
+                mylog("verbose", [f"[{pluginName}] fping cmd: {' '.join(cmd)}"])
+
+                try:
+                    output = subprocess.check_output(
+                        cmd,
+                        stderr=subprocess.DEVNULL,
+                        timeout=timeout,
+                        text=True
+                    )
+
+                except subprocess.CalledProcessError as e:
+                    output = e.output
+                    mylog("none", [
+                        f"[{pluginName}] fping returned non-zero exit code "
+                        f"on interface {interface}, reading alive hosts anyway"
+                    ])
+
+                except subprocess.TimeoutExpired:
+                    mylog("none", [
+                        f"[{pluginName}] fping timeout on interface {interface}"
+                    ])
+                    continue
+
+                for line in output.splitlines():
+                    line = line.strip()
+                    if not line:
+                        continue
+
+                    lower_line = line.lower()
+
+                    if "unreachable" in lower_line or "timed out" in lower_line or "100% loss" in lower_line:
+                        continue
+
+                    match = ip_regex.search(line)
+
+                    if match:
+                        ip = match.group(0)
+
+                        if ip in seen_ips:
+                            continue
+
+                        seen_ips.add(ip)
+                        all_results.append((ip, line))
+
+            return all_results
 
-        return results
+        return run_family(ipv4_targets, ipv6=False) + run_family(ipv6_targets, ipv6=True)
 
     # Scan subnets
     mylog("verbose", [f"[{pluginName}] run_fping: subnets {subnets}"])
diff --git a/front/plugins/sync/config.json b/front/plugins/sync/config.json
index 7179071b1..e364c339a 100755
--- a/front/plugins/sync/config.json
+++ b/front/plugins/sync/config.json
@@ -613,7 +613,8 @@
       "options": [
         "devMac",
         "devName",
-        "devVendor"
+        "devVendor",
+        "devLastIP"
       ],
       "localized": ["name", "description"],
       "name": [
@@ -810,7 +811,7 @@
       "column": "Dummy",
       "mapped_to_column": "scanSourcePlugin",
       "mapped_to_column_data": {
-        "value": "sync"
+        "value": "SYNC"
       },
       "css_classes": "col-sm-2",
       "show": false,
diff --git a/front/presence.php b/front/presence.php
index 46c66e4fd..986989473 100755
--- a/front/presence.php
+++ b/front/presence.php
@@ -321,7 +321,7 @@ function initializeCalendar () {
 
     resourceRender: function (resourceObj, labelTds, bodyTds) {
       labelTds.find('span.fc-cell-text').html (
-      '<b><a href="deviceDetails.php?mac='+ resourceObj.id+ '" class="">'+ resourceObj.title +'</a></b>');
+      '<b><a href="deviceDetails.php?mac='+ resourceObj.id+ '" class="">'+ encodeSpecialChars(resourceObj.title) +'</a></b>');
 
       // Resize heihgt
       // $(".fc-content table tbody tr .fc-widget-content div").addClass('fc-resized-row');
diff --git a/server/api_server/api_server_start.py b/server/api_server/api_server_start.py
index 484e19f0d..f13423979 100755
--- a/server/api_server/api_server_start.py
+++ b/server/api_server/api_server_start.py
@@ -185,9 +185,6 @@ def is_authorized():
     return is_authorized_result
 
 
-
-
-
 @app.route('/mcp/sse', methods=['GET', 'POST', 'OPTIONS'])
 def api_mcp_sse():
     if not is_authorized():
diff --git a/server/api_server/sync_endpoint.py b/server/api_server/sync_endpoint.py
index 235291613..51d1704bf 100755
--- a/server/api_server/sync_endpoint.py
+++ b/server/api_server/sync_endpoint.py
@@ -1,13 +1,15 @@
 import os
 import base64
 from flask import jsonify, request
-from logger import mylog
+from logger import mylog, Logger
 from helper import get_setting_value
 from utils.datetime_utils import timeNowUTC
 from messaging.in_app import write_notification
 
 INSTALL_PATH = os.getenv("NETALERTX_APP", "/app")
 
+# Make sure log level is initialized correctly
+lggr = Logger(get_setting_value('LOG_LEVEL'))
 
 def handle_sync_get():
     """Handle GET requests for SYNC (NODE → HUB)."""
@@ -28,7 +30,11 @@ def handle_sync_get():
 
     response_data = base64.b64encode(raw_data).decode("utf-8")
 
-    write_notification("[Plugin: SYNC] Data sent", "info", timeNowUTC())
+    message = "[Plugin: SYNC] Data sent"
+    mylog('verbose', [message])
+    if lggr.isAbove('verbose'):
+        write_notification(message, 'info', timeNowUTC())
+
     return jsonify({
         "node_name": get_setting_value("SYNC_node_name"),
         "status": 200,
diff --git a/server/initialise.py b/server/initialise.py
index 2414aa080..bf53c4942 100755
--- a/server/initialise.py
+++ b/server/initialise.py
@@ -488,7 +488,7 @@ def importConfigs(pm, db, all_plugins):
     # Plugins START
     # -----------------
 
-    # necessary_plugins = ['UI', 'CUSTPROP', 'CLOUD' ,'DBCLNP', 'INTRNT','MAINT','NEWDEV', 'SETPWD', 'SYNC', 'VNDRPDT', 'WORKFLOWS']
+    # necessary_plugins = ['UI', 'CUSTPROP', 'HEARTBEAT' ,'DBCLNP', 'INTRNT','MAINT','NEWDEV', 'SETPWD', 'SYNC', 'VNDRPDT', 'WORKFLOWS']
     necessary_plugins = [
         "UI",
         "CUSTPROP",
@@ -724,13 +724,13 @@ def importConfigs(pm, db, all_plugins):
 
         write_notification(
             f"""[Upgrade]: App upgraded from <code>{prev_version}</code> to \
-            <code>{new_version}</code> 🚀 Please clear the cache: \
+            <code>{new_version}</code> <i class="fa-solid fa-rocket"></i> Please clear the cache: \
             <ol> <li>Click OK below</li>  \
             <li>Clear the browser cache (shift + browser refresh button)</li> \
             <li> Clear app cache with the <i class="fa-solid fa-rotate"></i> (reload) button in the header</li>\
             <li>Go to Settings and click Save</li> </ol>\
             Check out new features and what has changed in the \
-            <a href="https://github.com/netalertx/NetAlertX/releases" target="_blank">📓 release notes</a>.""",
+            <a href="https://github.com/netalertx/NetAlertX/releases" target="_blank"><i class="fa-solid fa-file-pen"></i> release notes</a>.""",
             'interrupt',
             timeNowUTC()
         )
diff --git a/server/messaging/reporting.py b/server/messaging/reporting.py
index dfe9f0872..52cbf4751 100755
--- a/server/messaging/reporting.py
+++ b/server/messaging/reporting.py
@@ -35,11 +35,10 @@
 )
 import conf  # noqa: E402 [flake8 lint suppression]
 
+
 # ===============================================================================
 # Timezone conversion
 # ===============================================================================
-
-
 def get_datetime_fields_from_columns(column_names):
     return [
         col for col in column_names
@@ -81,6 +80,7 @@ def apply_timezone(data, fields):
 
         for field in fields:
             value = row.get(field)
+
             if not value:
                 continue
 
@@ -226,11 +226,24 @@ def get_section_condition(section):
 
         try:
             json_obj = db.get_table_as_json(sqlQuery, parameters)
+            data = apply_timezone_to_json(json_obj, section)
         except Exception as e:
-            mylog("minimal", [f"[Notification] DB error in section {section}: ", e])
+            mylog("none", [f"[Notification] apply_timezone failed for section {section}: ", e])
+
+            # fallback: preserve raw DB payload instead of dropping section
+            try:
+                data = json_obj.json.get("data", [])
+            except Exception:
+                data = []
+
+            final_json[section] = data
+            final_json[f"{section}_meta"] = {
+                "title": SECTION_TITLES.get(section, section),
+                "columnNames": getattr(json_obj, "columnNames", [])
+            }
             continue
 
-        final_json[section] = json_obj.json.get("data", [])
+        final_json[section] = data
         final_json[f"{section}_meta"] = {
             "title": SECTION_TITLES.get(section, section),
             "columnNames": getattr(json_obj, "columnNames", [])
diff --git a/server/utils/datetime_utils.py b/server/utils/datetime_utils.py
index df125b391..4366e7c06 100644
--- a/server/utils/datetime_utils.py
+++ b/server/utils/datetime_utils.py
@@ -206,17 +206,18 @@ def format_date_iso(date_val: str) -> Optional[str]:
         else:
             dt = date_val
 
-        # 2. If it has no timezone, assume it's UTC (our DB storage format)
-        #    then CONVERT to user's configured timezone
+        # 2. Normalize to UTC first, then convert to target timezone
         if dt.tzinfo is None:
-            # Mark as UTC first — critical: localize() would label without converting
             dt = dt.replace(tzinfo=datetime.UTC)
-            # Resolve target timezone; fall back to UTC if conf.tz is missing/invalid
-            try:
-                target_tz = conf.tz if isinstance(conf.tz, datetime.tzinfo) else ZoneInfo(conf.tz)
-            except (ZoneInfoNotFoundError, ValueError, TypeError):
-                target_tz = datetime.UTC
-            dt = dt.astimezone(target_tz)
+        else:
+            dt = dt.astimezone(datetime.UTC)
+
+        try:
+            target_tz = conf.tz if isinstance(conf.tz, datetime.tzinfo) else ZoneInfo(str(conf.tz))
+        except Exception:
+            target_tz = datetime.UTC
+
+        dt = dt.astimezone(target_tz)
 
         # 3. Return the string. .isoformat() will now include the +11:00 or +10:00
         return dt.isoformat()
diff --git a/server/workflows/actions.py b/server/workflows/actions.py
index 429da0f59..6169ee49a 100755
--- a/server/workflows/actions.py
+++ b/server/workflows/actions.py
@@ -14,8 +14,16 @@ class Action:
     def __init__(self, trigger):
         self.trigger = trigger
 
-    def execute(self, obj):
-        """Executes the action on the given object."""
+    def get_object(self):
+        """Safely get and normalize the trigger object."""
+        obj = getattr(self.trigger, "object", None)
+
+        if isinstance(obj, sqlite3.Row):
+            obj = dict(obj)
+
+        return obj
+
+    def execute(self):
         raise NotImplementedError("Subclasses must implement execute()")
 
 
@@ -23,7 +31,7 @@ class UpdateFieldAction(Action):
     """Action to update a specific field of an object."""
 
     def __init__(self, db, field, value, trigger):
-        super().__init__(trigger)  # Call the base class constructor
+        super().__init__(trigger)
         self.field = field
         self.value = value
         self.db = db
@@ -31,83 +39,93 @@ def __init__(self, db, field, value, trigger):
     def execute(self):
         mylog("verbose", f"[WF] Updating field '{self.field}' to '{self.value}' for event object {self.trigger.object_type}")
 
-        obj = self.trigger.object
-
-        # convert to dict for easeir handling
-        if isinstance(obj, sqlite3.Row):
-            obj = dict(obj)  # Convert Row object to a standard dictionary
+        obj = self.get_object()
 
-        processed = False
+        if obj is None:
+            mylog("none", "[WF] Object no longer exists")
+            return None
 
-        # currently unused
         if isinstance(obj, dict) and "objectGuid" in obj:
-            mylog("debug", f"[WF] Updating Object '{obj}' ")
-            plugin_instance = PluginObjectInstance()
-            plugin_instance.updateField(obj["objectGuid"], self.field, self.value)
-            processed = True
+            mylog("debug", f"[WF] Updating Object '{obj}'")
 
-        elif isinstance(obj, dict) and "devGUID" in obj:
-            mylog("debug", f"[WF] Updating Device '{obj}' ")
-            device_instance = DeviceInstance()
-            device_instance.updateField(obj["devGUID"], self.field, self.value)
-            processed = True
+            PluginObjectInstance().updateField(
+                obj["objectGuid"],
+                self.field,
+                self.value,
+            )
 
-        if not processed:
-            mylog("none", f"[WF] Could not process action for object: {obj}")
+            return obj
 
-        return obj
+        if isinstance(obj, dict) and "devGUID" in obj:
+            mylog("debug", f"[WF] Updating Device '{obj}'")
+
+            DeviceInstance().updateField(
+                obj["devGUID"],
+                self.field,
+                self.value,
+            )
+
+            return obj
+
+        mylog("none", f"[WF] Unsupported object format: {obj}")
+
+        return None
 
 
 class DeleteObjectAction(Action):
     """Action to delete an object."""
 
     def __init__(self, db, trigger):
-        super().__init__(trigger)  # Call the base class constructor
+        super().__init__(trigger)
         self.db = db
 
     def execute(self):
         mylog("verbose", f"[WF] Deleting event object {self.trigger.object_type}")
 
-        obj = self.trigger.object
-
-        # convert to dict for easeir handling
-        if isinstance(obj, sqlite3.Row):
-            obj = dict(obj)  # Convert Row object to a standard dictionary
+        obj = self.get_object()
 
-        processed = False
+        if obj is None:
+            mylog("none", "[WF] Object no longer exists")
+            return None
 
-        # currently unused
         if isinstance(obj, dict) and "objectGuid" in obj:
-            mylog("debug", f"[WF] Updating Object '{obj}' ")
-            plugin_instance = PluginObjectInstance()
-            plugin_instance.delete(obj["objectGuid"])
-            processed = True
+            mylog("debug", f"[WF] Deleting Object '{obj}'")
 
-        elif isinstance(obj, dict) and "devGUID" in obj:
-            mylog("debug", f"[WF] Updating Device '{obj}' ")
-            device_instance = DeviceInstance()
-            device_instance.delete(obj["devGUID"])
-            processed = True
+            PluginObjectInstance().delete(obj["objectGuid"])
 
-        if not processed:
-            mylog("none", f"[WF] Could not process action for object: {obj}")
+            return obj
 
-        return obj
+        if isinstance(obj, dict) and "devGUID" in obj:
+            mylog("debug", f"[WF] Deleting Device '{obj}'")
+
+            DeviceInstance().delete(obj["devGUID"])
+
+            return obj
+
+        mylog("none", f"[WF] Unsupported object format: {obj}")
+
+        return None
 
 
 class RunPluginAction(Action):
     """Action to run a specific plugin."""
 
-    def __init__(self, plugin_name, params, trigger):  # Add trigger
-        super().__init__(trigger)  # Call parent constructor
+    def __init__(self, plugin_name, params, trigger):
+        super().__init__(trigger)
         self.plugin_name = plugin_name
         self.params = params
 
     def execute(self):
-        obj = self.trigger.object
+        obj = self.get_object()
+
+        if obj is None:
+            mylog("none", "[WF] Object no longer exists")
+            return None
+
+        mylog("verbose", f"[WF] Executing plugin '{self.plugin_name}' with parameters {self.params} for object {obj}")
+
+        # PluginManager.run(self.plugin_name, self.params)
 
-        mylog("verbose", f"Executing plugin '{self.plugin_name}' with parameters {self.params} for object {obj}")
-        # PluginManager.run(self.plugin_name, self.parameters)
         return obj
 
 
@@ -115,14 +133,21 @@ class SendNotificationAction(Action):
     """Action to send a notification."""
 
     def __init__(self, method, message, trigger):
-        super().__init__(trigger)  # Call parent constructor
-        self.method = method  # Fix attribute name
+        super().__init__(trigger)
+        self.method = method
         self.message = message
 
     def execute(self):
-        obj = self.trigger.object
-        mylog("verbose", f"Sending notification via '{self.method}': {self.message} for object {obj}")
+        obj = self.get_object()
+
+        if obj is None:
+            mylog("none", "[WF] Object no longer exists")
+            return None
+
+        mylog("verbose", f"[WF] Sending notification via '{self.method}': {self.message} for object {obj}")
+
         # NotificationManager.send(self.method, self.message)
+
         return obj
 
 
@@ -132,7 +157,6 @@ class ActionGroup:
     def __init__(self, actions):
         self.actions = actions
 
-    def execute(self, obj):
+    def execute(self):
         for action in self.actions:
-            action.execute(obj)
-        return obj
+            action.execute()
\ No newline at end of file
diff --git a/server/workflows/triggers.py b/server/workflows/triggers.py
index ed8ec4b92..86e305ec3 100755
--- a/server/workflows/triggers.py
+++ b/server/workflows/triggers.py
@@ -48,7 +48,11 @@ def __init__(self, triggerJson, event, db):
             mylog("debug", [query])
 
             result = db.sql.execute(query).fetchall()
-            self.object = result[0]
+            
+            if len(result) > 0:
+                self.object = result[0]
+            else:
+                self.object = None
         else:
             self.object = None
 
diff --git a/test/ui/test_ui_xss_devname.py b/test/ui/test_ui_xss_devname.py
new file mode 100644
index 000000000..0832c2c7d
--- /dev/null
+++ b/test/ui/test_ui_xss_devname.py
@@ -0,0 +1,335 @@
+#!/usr/bin/env python3
+"""
+Stored-XSS regression tests for devName / devFQDN rendering.
+
+Scenario
+--------
+A LAN-controlled scanner (e.g. DHCPLSS / nmap) can supply arbitrary hostnames
+that end up stored as `devName` or `devFQDN` in the database.  If these values
+are injected into jQuery `.html()` calls or template-literal HTML strings
+without HTML-entity escaping, a stored XSS payload executes in the
+authenticated operator's browser.
+
+These tests verify that no page listed in the "affected surfaces" table renders
+the raw payload as executable HTML.
+
+Canary mechanism
+----------------
+The XSS payload sets `window.__xss_canary = true` if executed:
+    <img src=x onerror="window.__xss_canary=true">
+
+Before each page navigation we reset the canary to `false`.  After the page
+fully loads (and after any async device-list fetches have had time to run) we
+assert that the canary is still `false`.
+
+Note: these tests require a running NetAlertX backend and frontend (use the
+devcontainer startup tasks or the Docker compose stack).  They are Selenium-
+based (headless Chromium) and are skipped when a browser is unavailable.
+"""
+
+import time
+import requests
+import pytest
+import sys
+import os
+
+sys.path.insert(0, os.path.dirname(__file__))
+
+from selenium.webdriver.common.by import By  # noqa: E402
+
+from .test_helpers import (  # noqa: E402
+    BASE_URL, API_BASE_URL,
+    get_driver, get_api_token,
+    wait_for_page_load,
+)
+
+# ---------------------------------------------------------------------------
+# Constants
+# ---------------------------------------------------------------------------
+
+# XSS payload: sets the window canary if the string is parsed as HTML.
+# We keep the payload simple and deterministic.
+XSS_PAYLOAD = '<img src=x onerror="window.__xss_canary=true">'
+
+# A second, attribute-break variant that escapes unquoted attribute contexts
+XSS_ATTR_BREAK = '" onmouseover="window.__xss_canary=true" data-x="'
+
+# The fake MAC used for our synthetic test device (FA:CE prefix = recognised as
+# "fake" by isFakeMac() in ui_components.js, so it won't affect real scanning).
+XSS_TEST_MAC = "fa:ce:00:00:00:01"
+
+# Seconds to wait after page load for async device-list fetches to complete.
+ASYNC_WAIT_S = 4
+
+# Pages to exercise (relative URLs; all are authenticated but devcontainer
+# skips auth by default).
+PAGES_UNDER_TEST = [
+    ("/devices.php", "Device list table (devName / devFQDN columns)"),
+    ("/network.php", "Network tabs and tree"),
+    (f"/deviceDetails.php?mac={XSS_TEST_MAC}", "Device detail page title"),
+    ("/presence.php", "FullCalendar presence view"),
+    ("/multiEditCore.php", "Multi-edit device selector"),
+    ("/events.php", "Events table device name column"),
+]
+
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+def _auth_headers(token):
+    return {"Authorization": f"Bearer {token}"}
+
+
+def _create_xss_device(token: str):
+    """Create a synthetic device whose devName is the XSS payload."""
+    payload = {
+        "createNew": True,
+        "devName": XSS_PAYLOAD,
+        "devFQDN": XSS_PAYLOAD,
+        "devOwner": "XSS-test",
+        "devType": "Other",
+        "devVendor": "XSS-test",
+        "devLastIP": "192.168.99.99",
+    }
+    resp = requests.post(
+        f"{API_BASE_URL}/device/{XSS_TEST_MAC}",
+        json=payload,
+        headers=_auth_headers(token),
+        timeout=10,
+    )
+    return resp
+
+
+def _create_xss_event(token: str):
+    """Create an event for the XSS test device so events.php renders its name."""
+    requests.post(
+        f"{API_BASE_URL}/events/create/{XSS_TEST_MAC}",
+        json={"event_type": "Device Down", "ip": "192.168.99.99", "additional_info": "xss-test"},
+        headers=_auth_headers(token),
+        timeout=10,
+    )
+
+
+def _delete_xss_device(token: str):
+    """Delete the synthetic XSS test device and its events."""
+    requests.delete(
+        f"{API_BASE_URL}/events/{XSS_TEST_MAC}",
+        headers=_auth_headers(token),
+        timeout=10,
+    )
+    requests.delete(
+        f"{API_BASE_URL}/devices",
+        json={"macs": [XSS_TEST_MAC]},
+        headers=_auth_headers(token),
+        timeout=10,
+    )
+
+
+def _read_canary(driver) -> bool:
+    """Return True if the XSS canary was tripped."""
+    return bool(driver.execute_script("return window.__xss_canary || false;"))
+
+
+def _navigate_with_canary(driver, url, timeout=15):
+    """Navigate to *url* with window.__xss_canary pre-initialised to false.
+
+    Uses CDP Page.addScriptToEvaluateOnNewDocument so the canary is set
+    *before* any page script runs.  If we reset it after driver.get() instead,
+    a payload that fires during page load would set the canary and we would
+    immediately clear the evidence.
+    """
+    result = driver.execute_cdp_cmd(
+        "Page.addScriptToEvaluateOnNewDocument",
+        {"source": "window.__xss_canary = false;"},
+    )
+    script_id = result.get("identifier")
+    try:
+        driver.get(url)
+        wait_for_page_load(driver, timeout=timeout)
+    finally:
+        if script_id:
+            driver.execute_cdp_cmd(
+                "Page.removeScriptToEvaluateOnNewDocument",
+                {"identifier": script_id},
+            )
+
+
+def _force_cache_refresh(driver):
+    """Clear localStorage to force a fresh device-list fetch on next page load."""
+    driver.execute_script("if(window.localStorage){ localStorage.clear(); }")
+
+
+# ---------------------------------------------------------------------------
+# Fixtures
+# ---------------------------------------------------------------------------
+
+@pytest.fixture(scope="module")
+def xss_token():
+    """Retrieve the API token; skip the module if unavailable."""
+    token = get_api_token()
+    if not token:
+        pytest.skip("API token not available – is the backend running?")
+    return token
+
+
+@pytest.fixture(scope="module")
+def xss_device(xss_token):
+    """Create the XSS test device (and one event) before the module; clean up after."""
+    resp = _create_xss_device(xss_token)
+    if resp.status_code not in (200, 201):
+        pytest.skip(f"Could not create XSS test device (HTTP {resp.status_code}). "
+                    "Is the backend running?")
+    # Create an event so events.php actually renders this device's name.
+    _create_xss_event(xss_token)
+    yield XSS_TEST_MAC
+    _delete_xss_device(xss_token)
+
+
+@pytest.fixture(scope="module")
+def xss_driver(xss_device):   # depend on xss_device so device exists before browser starts
+    """Single headless browser instance shared across all XSS tests in this module."""
+    driver = get_driver()
+    if not driver:
+        pytest.skip("Headless browser (Chromium) not available")
+
+    # Warm the localStorage device cache so later pages can render the device.
+    driver.get(f"{BASE_URL}/devices.php")
+    wait_for_page_load(driver, timeout=15)
+    time.sleep(ASYNC_WAIT_S)   # let async API fetch populate localStorage
+
+    yield driver
+    driver.quit()
+
+
+# ---------------------------------------------------------------------------
+# Tests
+# ---------------------------------------------------------------------------
+
+@pytest.mark.parametrize("path,description", PAGES_UNDER_TEST)
+def test_devname_xss_not_executed(xss_driver, path, description):
+    """
+    Verify that the XSS canary is NOT tripped when a page renders the XSS
+    device name.
+
+    Pass criterion: window.__xss_canary remains false after the page loads
+    and the async device list fetch has had time to complete.
+    """
+    driver = xss_driver
+
+    # Pre-initialise canary via CDP so it is false before any page JS runs.
+    # Resetting after driver.get() would erase evidence of early-firing payloads.
+    _navigate_with_canary(driver, f"{BASE_URL}{path}")
+
+    # Give async JS (DataTables, FullCalendar, network tree) time to render
+    time.sleep(ASYNC_WAIT_S)
+
+    # Final canary check
+    fired = _read_canary(driver)
+    assert not fired, (
+        f"XSS canary was tripped on {description} ({path}). "
+        f"The raw payload '{XSS_PAYLOAD}' was executed as HTML. "
+        "Check that encodeSpecialChars() is applied at all render sites."
+    )
+
+
+@pytest.mark.parametrize("path,description", PAGES_UNDER_TEST)
+def test_devname_raw_payload_not_in_html_source(xss_driver, path, description):
+    """
+    Verify that the XSS payload was NOT injected as a real HTML element.
+
+    A properly escaped devName ends up as text content in the DOM, e.g.:
+        &lt;img src=x onerror="..."&gt;
+    The browser's DOM serialiser encodes < and > but NOT ", so page_source
+    still contains the literal string  onerror="..."  — that is expected and
+    safe.  What must NOT appear is an actual unescaped opening tag:
+        <img src=x
+    which would indicate the payload was inserted as real HTML.
+    """
+    driver = xss_driver
+
+    driver.get(f"{BASE_URL}{path}")
+    wait_for_page_load(driver, timeout=15)
+    time.sleep(ASYNC_WAIT_S)
+
+    page_source = driver.page_source
+
+    # An actual injected <img src=x tag would appear as-is in the serialised DOM.
+    # Escaped text content would appear as &lt;img src=x — no literal "<img src=x".
+    assert "<img src=x" not in page_source, (
+        f"XSS payload injected as real HTML on {description} ({path}): "
+        "'<img src=x' found literally in page source. "
+        "Ensure encodeSpecialChars() wraps all devName/devFQDN render sites."
+    )
+
+
+def test_devname_xss_device_shows_as_escaped_text(xss_driver):
+    """
+    On devices.php, confirm the XSS payload is displayed as visible escaped text
+    ('&lt;img' or just '<img' as textContent) rather than as an injected element.
+
+    We check the page text (what the user reads) includes part of the payload as
+    literal characters, and that NO <img> element with src=x was injected.
+    """
+    driver = xss_driver
+
+    driver.get(f"{BASE_URL}/devices.php")
+    wait_for_page_load(driver, timeout=15)
+    time.sleep(ASYNC_WAIT_S)
+
+    # The body text should contain the literal payload characters as plain text
+    body_text = driver.find_element(By.TAG_NAME, "body").text
+    if "onerror" in body_text:
+        # Payload is visible as literal text — confirm it was not also executed
+        assert not driver.execute_script("return window.__xss_canary || false"), (
+            "XSS canary fired even though payload appeared as visible text on devices.php"
+        )
+
+    # No <img> with src=x should have been injected by the XSS payload
+    injected_imgs = driver.find_elements(By.CSS_SELECTOR, "img[src='x']")
+    assert len(injected_imgs) == 0, (
+        f"XSS payload created an <img src=x> element — payload was not escaped. "
+        f"Found {len(injected_imgs)} injected image(s)."
+    )
+
+
+def test_devname_attribute_break_xss_not_executed(xss_driver, xss_token):
+    """
+    Verify that the attribute-break variant of XSS payload is also handled.
+    This checks that encodeSpecialChars() encodes double-quotes in devName,
+    preventing an attacker from breaking out of an HTML attribute context.
+    """
+    attr_break_mac = "fa:ce:00:00:00:02"
+    attr_payload = {
+        "createNew": True,
+        "devName": XSS_ATTR_BREAK,
+        "devOwner": "XSS-attr-test",
+        "devLastIP": "192.168.99.100",
+    }
+    try:
+        resp = requests.post(
+            f"{API_BASE_URL}/device/{attr_break_mac}",
+            json=attr_payload,
+            headers=_auth_headers(xss_token),
+            timeout=10,
+        )
+        if resp.status_code not in (200, 201):
+            pytest.skip(f"Could not create attribute-break XSS device (HTTP {resp.status_code})")
+
+        # Pre-set canary via CDP, then navigate — same pattern as main tests.
+        _navigate_with_canary(xss_driver, f"{BASE_URL}/devices.php")
+        time.sleep(ASYNC_WAIT_S)
+
+        fired = _read_canary(xss_driver)
+        assert not fired, (
+            f"Attribute-break XSS canary was tripped on devices.php. "
+            f"Payload: {XSS_ATTR_BREAK!r}. "
+            "Ensure double-quotes are encoded by encodeSpecialChars()."
+        )
+    finally:
+        requests.delete(
+            f"{API_BASE_URL}/devices",
+            json={"macs": [attr_break_mac]},
+            headers=_auth_headers(xss_token),
+            timeout=10,
+        )