CWE-79
High likelihood
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
44,747 vulnerabilities with CWE-79
CVE-2026-40607
HIGH
MantisBT is Vulnerable to Stored XSS Through its Saved-Filter Owner Column
CVE-2026-40598
MEDIUM
MantisBT has Potential Referer-Based Reflected HTML Injection / XSS in Tag Update Page
CVE-2026-40597
HIGH
MantisBT <2.28.2 Attachments - Content Security Policy Bypass
CVE-2026-40596
HIGH
MantisBT is vulnerable to XSS and potential account takeover via user font family preference update
CVE-2026-39970
HIGH
TypeBot: Stored Cross-Site Scripting (XSS) via SVG File Upload On Profile Picture Form
CVE-2026-39964
MEDIUM
TypeBot: Stored XSS via javascript: URI in text bubble links — bot author executes JS on visitors' browsers
CVSS 5.4
CVE-2026-36226
MEDIUM
Advantech WebAccess/SCADA 8.0-2015.08.16 - Cross-Site Scripting via Create New Project User Decryption Field
CVSS 6.1
CVE-2026-28445
HIGH
Typebot: Stored XSS via Rating Block Custom Icon Bypasses isUnsafe Sandbox in Builder Preview
CVSS 8.7
CVE-2026-42506
MEDIUM
Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
CVSS 6.1
CVE-2026-8353
MEDIUM
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in atomik theme
CVSS 4.8
CVE-2026-9104
MEDIUM
Draft List <= 2.6.3 - Authenticated (Author+) Stored Cross-Site Scripting via Draft Post Title
CVSS 6.4
CVE-2026-7509
MEDIUM
KIA Subtitle <= 4.0.1 - [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
CVSS 6.4
CVE-2026-6864
MEDIUM
CBX 5 Star Rating & Review <= 1.0.7 - Reflected Cross-Site Scripting via 'page' Parameter
CVSS 6.1
CVE-2026-3481
MEDIUM
WP Blockade <= 0.9.14 - Reflected Cross-Site Scripting via 'shortcode' Parameter
CVSS 6.1
CVE-2026-8139
MEDIUM
Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName
CVSS 5.4
CVE-2026-4929
MEDIUM
Simple Hierarchical Select (Drupal 7) XSS in term-derived output
CVSS 5.4
CVE-2026-4093
MEDIUM
Stored XSS in Drupal 7 Term Reference Tree module (token display templates and term labels)
CVSS 5.4
CVE-2026-22678
MEDIUM
Webmin < 2.641 Stored XSS via System and Server Status
CVSS 5.4
CVE-2026-8203
MEDIUM
Concrete CMS 9.5.0 and below has Stored XSS on the height parameter
CVSS 5.4
CVE-2026-8197
MEDIUM
Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name
CVSS 4.8
CVE-2026-48230
MEDIUM
Open ISES Tickets < 3.44.2 Reflected XSS via ticketsmdb_import.php Multiple POST Parameters
CVSS 5.4
CVE-2026-48229
MEDIUM
Open ISES Tickets < 3.44.2 Reflected XSS via routes_i.php ticket_id Parameter
CVSS 5.4
CVE-2026-48228
MEDIUM
Open ISES Tickets < 3.44.2 Reflected XSS via patient_w.php id and ticket_id Parameters
CVSS 5.4
CVE-2026-48227
MEDIUM
Open ISES Tickets < 3.44.2 Reflected XSS via patient.php id and ticket_id Parameters
CVSS 5.4
CVE-2026-48226
MEDIUM
Open ISES Tickets < 3.44.2 Reflected XSS via os_watch.php ref and mode_orig Parameters
CVSS 5.4
Details
Vulnerabilities: 44,747
Exploit Likelihood: High