CWE-79

High likelihood

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

44,813 vulnerabilities with CWE-79
CVE-2026-44212 CRITICAL
PrestaShop: Stored XSS executable in customer service view
CVSS 9.3
CVE-2026-45375 CRITICAL
SiYuan: Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution
CVSS 9.0
CVE-2026-44670 CRITICAL
SiYuan: Stored XSS via Attribute View name to Electron renderer RCE in SiYuan
CVE-2026-44588 CRITICAL
SiYuan: URL-encoded title bypasses `escapeAriaLabel`, decoded by `decodeURIComponent` into a tooltip-XSS
CVE-2026-44586 HIGH
SiYuan: Bazaar marketplace renders unescaped package author metadata, allowing XSS and Electron code execution
CVSS 8.3
CVE-2026-42897 HIGH KEV
Microsoft Exchange Server Spoofing Vulnerability
CVSS 8.1
CVE-2026-42159 MEDIUM
Flowsint: Stored XSS in description of node
CVSS 5.4
CVE-2026-44482 CRITICAL
soundcloud-rpc: Remote Code Execution via XSS in Track Title
CVSS 9.6
CVE-2026-44371 MEDIUM
Open OnDemand: Specially crafted filenames can execute javascript in the file browser
CVE-2026-42457 CRITICAL
vCluster Platform < 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0 - Stored Cross-Site Scripting
CVSS 9.0
CVE-2026-41932 MEDIUM
Vvveb < 1.0.8.3 Stored XSS via Signup Controller
CVSS 6.1
CVE-2026-24710 MEDIUM
CFEngine Enterprise <3.21.8/3.24.3/3.27.0 - XSS
CVSS 6.1
CVE-2026-21730 MEDIUM
Stored XSS in Verba
CVSS 6.1
CVE-2026-1630 MEDIUM
Reflected XSS in WEBCON BPS
CVE-2026-5790 MEDIUM
Stel Order FrontController - Stored Cross-Site Scripting
CVE-2026-43644 MEDIUM
podinfo 6.11.2 Reflected XSS via /echo Endpoint
CVSS 5.4
CVE-2026-6504 MEDIUM
Royal Addons for Elementor <= 1.7.1058 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag' Parameter
CVSS 6.4
CVE-2026-6174 MEDIUM
CC Child Pages <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'more' Parameter
CVSS 6.4
CVE-2026-6252 MEDIUM
Meta Field Block <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tagName' Block Attribute
CVSS 6.4
CVE-2026-3718 HIGH
ManageWP Worker <= 4.9.31 - Unauthenticated Stored Cross-Site Scripting via 'MWP-Key-Name' Header
CVSS 7.2
CVE-2026-3694 MEDIUM
Bold Page Builder <= 5.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_button Shortcode
CVSS 6.4
CVE-2026-7481 HIGH
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
CVSS 8.7
CVE-2026-7377 HIGH
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
CVSS 8.7
CVE-2026-6417 MEDIUM
GLS Shipping for WooCommerce <= 1.4.0 - Reflected Cross-Site Scripting via 'failed_orders'
CVSS 6.1
CVE-2026-6335 MEDIUM
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
CVSS 5.4