CWE-79
High likelihood
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
44,736 vulnerabilities with CWE-79
CVE-2026-45580
MEDIUM
WWBN AVideo Live: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute
CVSS 5.4
CVE-2026-48527
HIGH
HAX CMS saveNode Endpoint - Stored Cross-Site Scripting
CVSS 8.7
CVE-2026-45551
MEDIUM
Group-Office: Authenticated Stored XSS in Administrator Context via Arbitrary Cross-User Setting Write
CVE-2026-9811
MEDIUM
Mautic 7 - Authenticated Stored Cross-Site Scripting in Project Selector Component
CVSS 5.4
CVE-2026-9809
HIGH
Mautic 7 - Authenticated Stored Cross-Site Scripting in Projects Component
CVSS 7.6
CVE-2026-10058
MEDIUM
ITP Technology|ITS Intelligent SCADA System - Stored Cross-Site Scripting
CVSS 4.8
CVE-2026-10057
MEDIUM
ITP Technology|ITS Intelligent SCADA System - Stored Cross-Site Scripting
CVSS 4.8
CVE-2026-9243
MEDIUM
The Plus Addons for Elementor <= 6.4.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'carousel_direction' Parameter
CVSS 6.4
CVE-2026-9714
MEDIUM
Simple Divi Shortcode <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute
CVSS 6.4
CVE-2026-6275
MEDIUM
StatCounter <= 2.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via Author Nickname
CVSS 6.4
CVE-2026-7430
MEDIUM
Post Snippets <= 4.0.19 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import
CVSS 4.4
CVE-2026-9971
MEDIUM
Google Chrome - XSS
CVSS 5.4
CVE-2026-45343
HIGH
LinkAce - Stored XSS via Unsanitized SSO User's Name Rendered in Admin Audit Log Allows Session Hijacking
CVE-2026-44657
HIGH
MantisBT: Stored XSS in File Download
CVE-2026-44655
HIGH
MantisBT: Stored XSS on Move Attachments Admin Page
CVE-2026-41897
MEDIUM
MantisBT: Reflected XSS in Rendering Dynamic Custom Textarea Field
CVE-2026-42401
MEDIUM
Improper Neutralization of Input During Web Page Generation in Kibana Leading to Stored HTML Injection
CVSS 4.1
CVE-2026-43979
MEDIUM
Local Deep Research: HTML Injection via Unescaped User Input in PDF Export (`pdf_service.py:_markdown_to_html`)
CVSS 5.0
CVE-2026-45348
HIGH
pyLoad: Stored XSS in Downloads view via unsanitized link URL in packages.js template literal
CVSS 8.7
CVE-2026-45323
CRITICAL
MeshCore Card: XSS vulnerability through meshcore node name
CVSS 9.6
CVE-2026-47762
HIGH
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments
CVSS 8.7
CVE-2026-47761
HIGH
TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection
CVSS 8.7
CVE-2026-47760
HIGH
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs
CVSS 8.7
CVE-2026-47759
HIGH
TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes
CVSS 8.7
CVE-2026-4334
MEDIUM
Shariff Wrapper <= 4.6.20 - Authenticated (Contributor+) Cross-Site Scripting
CVSS 6.4
Details
Vulnerabilities: 44,736
Exploit Likelihood: High