CWE-79

Exploit likelihood: High

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

44,734 vulnerabilities with CWE-79
CVE-2026-7186 MEDIUM
Fix stored XSS in URL dashboard widget via dangerous URI schemes
CVSS 5.4
CVE-2026-11512 MEDIUM
itsourcecode Hospital Management System billing.php cross site scripting
CVSS 4.3
CVE-2026-3011 MEDIUM
Recipe Card Blocks Lite <= 3.4.13 - Authenticated (Author+) Stored Cross-Site Scripting via 'summary' and 'notes'
CVSS 6.4
CVE-2026-11569 MEDIUM
Quay: quay: stored xss via filedrop svg upload
CVSS 5.4
CVE-2026-41724 HIGH
VMware Cloud Foundation Operations - Authenticated Stored Cross-Site Scripting
CVSS 8.0
CVE-2026-41723 HIGH
VMware Cloud Foundation Operations - Authenticated Stored Cross-Site Scripting
CVSS 8.0
CVE-2026-41722 HIGH
VMware Cloud Foundation Operations - Authenticated Stored Cross-Site Scripting
CVSS 8.0
CVE-2026-11491 LOW
CodeAstro Human Resource Management System Notice Board Management All_notice cross site scripting
CVSS 2.4
CVE-2026-11468 LOW
SourceCodester Hospitals Patient Records Management System page room_types cross site scripting
CVSS 2.4
CVE-2026-11436 MEDIUM
Mage AI Sign-in Flow index.tsx useMutation cross site scripting
CVSS 4.3
CVE-2026-11434 LOW
FluentCMS Blocks Plugin blocks cross site scripting
CVSS 2.4
CVE-2026-9594 MEDIUM
WP Maps <= 4.9.4 - Authenticated (Admin+) Stored Cross-Site Scripting via 'location_messages' Parameter
CVSS 4.4
CVE-2026-9280 MEDIUM
Ad Inserter <= 2.8.15 - Reflected Cross-Site Scripting via URL Parameters in iframe Mode
CVSS 6.1
CVE-2026-8991 MEDIUM
Drag And Drop Multiple File Upload For Contact Form 7 < 1.3.9.7 - XSS
CVSS 4.4
CVE-2026-7796 MEDIUM
EmbedPress <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block 'url' Attribute
CVSS 6.4
CVE-2026-7795 MEDIUM
Click to Chat <= 4.39 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'num' Shortcode Parameter
CVSS 6.4
CVE-2026-9281 MEDIUM
Master Addons For Elementor <= 3.1.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'jtlma_custom_js' Page Setting (Custom JS Extension)
CVSS 6.4
CVE-2026-8901 HIGH
Integration for Freshsales <= 1.0.15 - Unauthenticated Stored Cross-Site Scripting via Form Submission Data
CVSS 7.2
CVE-2026-8438 HIGH
All-In-One Security (AIOS) <= 5.4.7 - Unauthenticated Stored Cross-Site Scripting via REST API Request Path
CVSS 7.2
CVE-2026-8900 MEDIUM
Simple SEO Slideshow <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2026-8893 MEDIUM
Express Payment For Stripe <= 1.28.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2026-45778 MEDIUM
Open XDMoD Vulnerable to Reflected Cross-Site Scripting (XSS) in Password Reset
CVSS 5.4
CVE-2026-25624 MEDIUM
Arista Edge Threat Management NGFW UI Administrative Cross-Site Scripting
CVSS 5.7
CVE-2026-46511 HIGH
HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack
CVE-2026-46496 CRITICAL
HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft