CWE-79

High likelihood

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

44,813 vulnerabilities with CWE-79 (each entry: CVE id, severity, CVSS base score where listed, title)

CVE-2026-7498 (HIGH, CVSS 8.8): Stored XSS in Basamak Informatics' DernekWeb
CVE-2026-3495 (LOW, CVSS 3.8): Mattermost 10.11.0-10.11.13 and 11.5.0-11.5.1 - Stored Cross-Site Scripting in Error Page Configuration
CVE-2026-6495 (HIGH, CVSS 7.1): Ajax Load More < 7.8.4 - Reflected XSS
CVE-2026-3220 (HIGH, CVSS 8.8): Autoptimize < 3.1.15; Clearfy Cache < 2.4.2; Speed Optimizer < 7.7.9 - Stored XSS via HTML Minification
CVE-2026-8656 (MEDIUM, CVSS 6.1): Jsondiffpatch < 0.7.6 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-45665 (HIGH, CVSS 8.1): Open WebUI: Stored XSS in Banner Component via Improper Sanitization Order
CVE-2026-45318 (MEDIUM, CVSS 5.4): Open WebUI: Stored XSS via unsanitized Office/Excel/DOCX file preview rendering ({@html} without DOMPurify)
CVE-2026-45315 (HIGH, CVSS 8.7): Open WebUI: Stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions
CVE-2026-45303 (HIGH, CVSS 7.7): Open WebUI: Stored XSS via the HTML rendering view
CVE-2026-45299 (MEDIUM, CVSS 5.4): Open WebUI: Stored Cross-Site Scripting in Profile Picture
CVE-2026-44549 (HIGH, CVSS 7.3): Open WebUI: Stored XSS in Excel file preview
CVE-2026-44721 (HIGH, CVSS 7.3): Open WebUI: Stored XSS via Model Description
CVE-2026-44568 (MEDIUM, CVSS 4.8): Open WebUI: Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order
CVE-2026-46367 (HIGH, CVSS 7.6): phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rendering
CVE-2026-46363 (MEDIUM, CVSS 5.4): phpMyFAQ - Stored XSS in FAQ Question/Answer via Encode-Decode Bypass
CVE-2026-46361 (MEDIUM, CVSS 6.9): phpMyFAQ - Stored Cross-Site Scripting via raw Filter in search.twig
CVE-2026-46360 (MEDIUM, CVSS 5.4): phpMyFAQ - Stored XSS via Entity Decoding Depth Limit Bypass in SVG Sanitizer
CVE-2026-45622 (MEDIUM, CVSS not listed): Vvveb: Unauthenticated reflected XSS in public product return form via customer_order_id
CVE-2026-45616 (MEDIUM, CVSS not listed): Vvveb: Stored XSS in Posts allows privilege escalation via post editor
CVE-2026-44366 (MEDIUM, CVSS 6.1): Vvveb: Stored XSS via Comment Author Field
CVE-2026-23695 (MEDIUM, CVSS 5.4): Cockpit CMS 2.14.0 Stored XSS via Set Field Display Template
CVE-2026-6415 (MEDIUM, CVSS 6.4): Advanced Custom Fields: Font Awesome Field <= 5.0.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via JSON Field
CVE-2026-6646 (MEDIUM, CVSS 6.4): The7 <= 14.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 'link' Parameter
CVE-2026-24662 (MEDIUM, CVSS 5.4): Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 - XSS
CVE-2026-44429 (MEDIUM, CVSS 5.4): MCP Registry: Stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl`
Details
Vulnerabilities: 44,813
Exploit likelihood: High