CWE-79

Exploit likelihood: High

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

44,990 vulnerabilities with CWE-79
CVE-2025-66924 MEDIUM
Open Source Point of Sale 3.4.1 - Stored Cross-Site Scripting via Item Kit Name Parameter
CVSS 6.1
CVE-2025-66923 HIGH
Open Source Point of Sale 3.4.1 - Stored Cross-Site Scripting via Phone Number Parameter
CVSS 7.2
CVE-2025-66921 HIGH
Open Source Point of Sale 3.4.1 - Stored Cross-Site Scripting via Item Name Parameter
CVSS 7.2
CVE-2025-14347 MEDIUM
Proliz Software Ltd. OBS <26.5009 - XSS
CVSS 6.3
CVE-2025-14154 MEDIUM
Better Messages <= 2.10.2 - Unauthenticated Stored XSS via Guest Display Name
CVSS 6.1
CVE-2025-14385 MEDIUM
WP Recipe Maker <= 10.2.3 - Authenticated Stored Cross-Site Scripting via Name Parameter
CVSS 6.4
CVE-2025-13861 MEDIUM
HTML Forms - Simple WordPress Forms Plugin <1.6.0 - XSS
CVSS 6.1
CVE-2025-13977 MEDIUM
Essential Addons for Elementor - WordPress <6.5.3 - XSS
CVSS 6.4
CVE-2025-14801 LOW
xiweicheng teamwork_management_system < 2.28.0 - Stored Cross-Site Scripting via Comment Content
CVSS 2.4
CVE-2025-14701 HIGH
Crafty Controller < 4.6.2 - Unauthenticated Stored Cross-Site Scripting via Server MOTD
CVSS 7.1
CVE-2025-65592 MEDIUM
nopCommerce 4.90.0 - Stored Cross-Site Scripting in Product Management Fields
CVSS 6.1
CVE-2025-65591 MEDIUM
nopCommerce 4.90.0 - Stored Cross-Site Scripting via Currencies Functionality
CVSS 5.4
CVE-2025-65590 MEDIUM
nopCommerce 4.90.0 - Cross-Site Scripting via Blog Posts Functionality
CVSS 5.4
CVE-2025-65589 MEDIUM
nopCommerce 4.90.0 - Cross-Site Scripting via Attributes Functionality
CVSS 6.1
CVE-2025-68116 HIGH
FileRise < 2.7.1 - Stored Cross-Site Scripting via SVG/HTML File Upload
CVSS 8.9
CVE-2025-59935 MEDIUM
GLPI 10.0.0-10.0.20 - Unauthenticated Stored Cross-Site Scripting via Inventory Endpoint
CVSS 6.5
CVE-2025-29231 MEDIUM
Linksys E5600 V1.1.0.26 - Stored Cross-Site Scripting via hostname and domainName Parameters
CVSS 6.1
CVE-2025-68268 MEDIUM
JetBrains TeamCity < 2025.11.1 - Reflected Cross-Site Scripting on Storage Settings Page
CVSS 5.4
CVE-2025-68166 MEDIUM
JetBrains TeamCity < 2025.11 - DOM-based Cross-Site Scripting on OAuth Connections Tab
CVSS 5.4
CVE-2025-68165 MEDIUM
JetBrains TeamCity < 2025.11 - Reflected Cross-Site Scripting in VCS Root Setup
CVSS 5.4
CVE-2025-68163 LOW
JetBrains TeamCity < 2025.11 - Stored Cross-Site Scripting on Agent Push Install Page
CVSS 3.5
CVE-2025-11220 MEDIUM
Elementor Website Builder < 3.33.3 - Authenticated Stored Cross-Site Scripting via Text Path Widget
CVSS 6.4
CVE-2025-68080 MEDIUM
Saad Iqbal User Avatar - Reloaded <1.2.2 - XSS
CVSS 6.5
CVE-2025-68079 MEDIUM
ThemeNectar Salient Shortcodes <= 1.5.4 - XSS
CVSS 6.5
CVE-2025-68078 MEDIUM
ThemeNectar Salient Portfolio <=1.8.2 - XSS
CVSS 6.5