CWE-79

Exploit likelihood: High

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

45,128 vulnerabilities with CWE-79
CVE-2025-10180 MEDIUM
Markdown Shortcode plugin <0.2.1 - XSS
CVSS 6.4
CVE-2025-10136 MEDIUM
TweetThis Shortcode <= 1.8.0 - Authenticated Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2025-9490 MEDIUM
Popup Maker < 1.20.6 - Authenticated Stored Cross-Site Scripting via Title Parameter
CVSS 6.4
CVE-2025-9044 MEDIUM
Mapster WP Maps <= 1.20.0 - Authenticated Stored Cross-Site Scripting via Multiple Fields
CVSS 6.4
CVE-2025-8906 MEDIUM
Widgets for Tiktok Feed <1.7.3 - XSS
CVSS 6.4
CVE-2025-8200 MEDIUM
Mega Elements - Addons for Elementor <1.3.2 - XSS
CVSS 6.4
CVE-2025-10178 MEDIUM
CM Business Directory < 1.5.2 - Authenticated Stored Cross-Site Scripting via cmbd_featured_image Shortcode
CVSS 6.4
CVE-2025-29156 MEDIUM
Swagger Petstore 1.0.7 - Cross-Site Scripting via /api/v3/pet Endpoint
CVSS 6.1
CVE-2025-60249 MEDIUM
CIRCL vulnerability-lookup 2.16.0 - Stored Cross-Site Scripting in Bundles, Comments, and Sightings
CVSS 6.4
CVE-2025-33116 MEDIUM
IBM Watson Studio 4.0-5.2.0 - Authenticated Stored Cross-Site Scripting
CVSS 4.4
CVE-2025-59838 MEDIUM
monkeytype < 25.36.0 - Stored Cross-Site Scripting via Custom Text Loading
CVSS 5.4
CVE-2025-59832 CRITICAL
horilla < 1.4.0 - Authenticated Stored Cross-Site Scripting in Ticket Comment Editor
CVSS 9.9
CVE-2025-10949 LOW
Changsha Developer Technology iView Editor <1.1.1 - XSS
CVSS 2.4
CVE-2025-59839 HIGH
EmbedVideo < 4.0.0 - Stored Cross-Site Scripting via Arbitrary HTML Attributes
CVSS 8.6
CVE-2025-10467 HIGH
PROLIZ OBS Student Affairs Information System < v25.0401 - Stored Cross-Site Scripting
CVSS 8.9
CVE-2025-10946 LOW
nuz007 smsboom <01b2f35bbbc23f3e0f60f38ca0e3d1b286f8d674 - XSS
CVSS 3.5
CVE-2025-10945 LOW
nuz007 smsboom - Cross-Site Scripting via d.php hm Argument
CVSS 3.5
CVE-2025-10944 LOW
yi-ge get-header-ip <589b23d0eb0043c310a6a13ce4bbe2505d0d0b15 - XSS
CVSS 3.5
CVE-2025-10943 LOW
MikeCen WeChat-Face-Recognition - XSS
CVSS 3.5
CVE-2025-10940 LOW
Total.js CMS 1.0.0 - Stored Cross-Site Scripting in Layout Page HTML Parameter
CVSS 2.4
CVE-2025-59525 MEDIUM
horilla < 1.4.0 - Stored Cross-Site Scripting via SVG File Upload
CVSS 6.1
CVE-2025-59524 MEDIUM
horilla < 1.4.0 - Unauthenticated Stored Cross-Site Scripting via Unrestricted File Upload
CVSS 6.1
CVE-2025-48867 MEDIUM
Horilla HRM 1.3.0 - Authenticated Stored Cross-Site Scripting in Project and Task Modules
CVSS 4.8
CVE-2025-10909 LOW
Mangati NovoSGA <= 2.2.9 - Cross-Site Scripting via SVG File Handler
CVSS 2.4
CVE-2025-9353 MEDIUM
Themify Builder <= 7.6.9 - Authenticated Stored Cross-Site Scripting via Fancy Heading Template Parameters
CVSS 6.4