CWE-79

Exploit likelihood: High

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

45,003 vulnerabilities with CWE-79
CVE-2025-13938 MEDIUM
WatchGuard Fireware 12.4-12.11.4, 12.5-12.5.13, 2025.1-2025.1.2 - Stored XSS in Autotask Integration
CVSS 6.1
CVE-2025-13937 MEDIUM
WatchGuard Fireware 12.4-12.11.4, 12.5-12.5.13, 2025.1-2025.1.2 - Stored XSS in ConnectWise Module
CVSS 6.1
CVE-2025-13936 MEDIUM
WatchGuard Fireware 12.4-12.11.4, 12.5-12.5.13, 2025.1-2025.1.2 - Stored XSS in Tigerpaw Integration
CVSS 6.1
CVE-2025-66574 MEDIUM
TranzAxis 3.2.41.10.26 - Authenticated Stored Cross-Site Scripting via Open Object in Tree Endpoint
CVSS 5.4
CVE-2025-65959 HIGH
Open WebUI < 0.6.37 - Stored Cross-Site Scripting via Notes PDF Download
CVSS 8.7
CVE-2025-63499 MEDIUM
Alinto SOGo < 5.12.4 - Cross-Site Scripting via Theme Parameter
CVSS 6.1
CVE-2025-59788 MEDIUM
Nextcloud < 32.0.1 - Cross-Site Scripting via Crafted PDF File
CVSS 6.4
CVE-2025-14013 LOW
jizhicms < 2.5.5 - Stored Cross-Site Scripting via Comment Handler Body Parameter
CVSS 2.4
CVE-2025-13488 MEDIUM
Sonatype Nexus Repository 3.83.0 through 3.86.2 - Stored XSS
CVE-2025-65516 MEDIUM
Seafile Community Edition < 13.0.12 - Stored Cross-Site Scripting via SVG File Upload
CVSS 6.1
CVE-2025-14007 LOW
xunruicms < 4.7.1 - Cross-Site Scripting via Domain Name Binding Page
CVSS 2.0
CVE-2025-14006 LOW
xunruicms < 4.7.1 - Cross-Site Scripting via Data Validation Page
CVSS 3.5
CVE-2025-14005 LOW
xunruicms < 4.7.1 - Cross-Site Scripting via data[name] Parameter in Add Display Name Field
CVSS 2.4
CVE-2025-41080 MEDIUM
Seafile < 12.0.14 - Stored Cross-Site Scripting via POST Parameter 'p' in File API
CVSS 6.1
CVE-2025-41079 MEDIUM
Seafile < 12.0.14 - Stored Cross-Site Scripting via PUT 'name' Parameter in User API
CVSS 6.1
CVE-2025-13513 MEDIUM
Clik stats <= 0.8 - Unauthenticated Reflected Cross-Site Scripting via PHP_SELF Parameter
CVSS 6.1
CVE-2025-11727 HIGH
Omnichannel for WooCommerce <= 1.3.65 - Unauthenticated Stored XSS via sync()
CVSS 7.2
CVE-2025-65027 HIGH
romm < 4.4.1 - Authenticated Unrestricted File Upload and Stored Cross-Site Scripting via SVG/HTML Files
CVSS 7.6
CVE-2025-66222 CRITICAL
DeepChat < 0.5.0 - Stored Cross-Site Scripting and Remote Code Execution via Mermaid Diagram Renderer
CVSS 9.6
CVE-2025-63401 MEDIUM
HCLTech DRAGON < 7.6.0 - Cross-Site Scripting via Missing Directives
CVSS 5.5
CVE-2025-20385 LOW
Splunk < 10.0.2, 9.4.6, 9.3.8, 9.2.10 - Code Injection
CVSS 2.4
CVE-2025-57202 MEDIUM
AVTECH DGM1104 FullImg-1015-1004-1006-1003 - Stored Cross-Site Scripting via PwdGrp.cgi Username Field
CVSS 6.1
CVE-2025-65267 CRITICAL
ERPNext v15.83.2 and Frappe Framework v15.86.0 - Stored Cross-Site Scripting via SVG Avatar Upload
CVSS 9.0
CVE-2025-13401 MEDIUM
Autoptimize <= 3.1.13 - Authenticated Stored Cross-Site Scripting via LCP Image Preload Metabox
CVSS 6.4
CVE-2025-13448 MEDIUM
CSSIgniter Shortcodes <= 2.4.1 - Authenticated Stored Cross-Site Scripting via Element Shortcode Attribute
CVSS 6.4