CWE-79

Exploit likelihood: High

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

45,142 vulnerabilities with CWE-79
CVE-2025-8319 MEDIUM
Barracuda Message Archiver Firmware - DOM-Based Cross-Site Scripting via Login Error Parameter
CVSS 6.1
CVE-2025-43229 MEDIUM
Safari < 18.6 - Universal Cross-Site Scripting
CVSS 6.1
CVE-2025-5684 MEDIUM
MetForm - Contact Form Builder for Elementor <= 4.0.1 - Authenticated Stored XSS via mf-template
CVSS 6.4
CVE-2025-53541 MEDIUM
Tuleap <16.8-5, <16.9-3 - Code Injection
CVSS 5.4
CVE-2025-27514 MEDIUM
GLPI 9.5.0-10.0.18 - Stored Cross-Site Scripting in Project Kanban
CVSS 4.5
CVE-2025-44136 CRITICAL
MapTiler Tileserver-php v2.0 - Unauthenticated Reflected Cross-Site Scripting via Layer Parameter
CVSS 9.8
CVE-2025-52358 MEDIUM
Vivaldi United Group iCONTROL+ Server - Stored Cross-Site Scripting via Error or Edit-Menu-Item Parameters
CVSS 6.3
CVE-2025-6060 MEDIUM
DECE Software Geodi < GEODI Setup 9.0.146 - Cross-Site Scripting
CVSS 5.4
CVE-2025-40686 MEDIUM
Human Resource Management System 1.0 - Reflected Cross-Site Scripting via EmployeeID Parameter
CVSS 6.1
CVE-2025-40685 MEDIUM
Human Resource Management System 1.0 - Reflected Cross-Site Scripting via searcstate Parameter
CVSS 6.1
CVE-2025-40684 MEDIUM
Human Resource Management System 1.0 - Reflected Cross-Site Scripting via searccountry Parameter
CVSS 6.1
CVE-2025-40683 MEDIUM
Human Resource Management System 1.0 - Reflected Cross-Site Scripting via searccity Parameter
CVSS 6.1
CVE-2025-5587 MEDIUM
Appzend <= 1.2.6 - Authenticated Stored Cross-Site Scripting via progressbarLayout Parameter
CVSS 6.4
CVE-2025-8216 MEDIUM
Sky Addons for Elementor <3.1.4 - XSS
CVSS 6.4
CVE-2025-8196 MEDIUM
Magical Addons For Elementor <1.3.8 - XSS
CVSS 6.4
CVE-2025-6692 MEDIUM
YouTube Embed <= 10.3 - Authenticated Stored XSS via Instance Parameter
CVSS 6.4
CVE-2025-6681 MEDIUM
Fan Page <= 1.0.1 - Authenticated Stored Cross-Site Scripting via Width Parameter
CVSS 6.4
CVE-2025-4566 MEDIUM
Elementor Website Builder - WordPress <3.30.2 - XSS
CVSS 6.4
CVE-2025-3075 MEDIUM
Elementor Website Builder < 3.29.0 - Authenticated Stored Cross-Site Scripting via 'elementor-element' Shortcode
CVSS 6.4
CVE-2025-7811 MEDIUM
StreamWeasels YouTube Integration <1.4.0 - XSS
CVSS 6.4
CVE-2025-7810 MEDIUM
StreamWeasels Kick Integration <1.1.4 - XSS
CVSS 5.4
CVE-2025-7809 MEDIUM
StreamWeasels Twitch Integration <1.9.3 - XSS
CVSS 6.4
CVE-2025-54423 MEDIUM
copyparty <= 1.18.4 - Unauthenticated Stored Cross-Site Scripting via Multimedia Tag Handling
CVSS 5.4
CVE-2025-54299 CRITICAL
No Boss Testimonials component for Joomla 1.0.0-3.0.0 and 4.0.0-4.0.2 - Stored Cross-Site Scripting
CVE-2025-54298 CRITICAL
CommentBox component for Joomla 1.0.0-1.1.0 - Stored Cross-Site Scripting