CWE-79

High likelihood

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

44,813 vulnerabilities with CWE-79
CVE-2026-6073 HIGH
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
CVSS 8.7
CVE-2026-5243 MEDIUM
The Plus Addons for Elementor < 6.4.11 - Authenticated Stored Cross-Site Scripting via Navigation Menu Lite Widget
CVSS 6.4
CVE-2026-5361 MEDIUM
Envira Gallery <= 1.12.4 - Authenticated (Author+) Stored Cross-Site Scripting via 'arrows' Parameter
CVSS 6.4
CVE-2026-45228 MEDIUM
Quark Drive < 0.8.5 Stored XSS via System Configuration
CVSS 5.4
CVE-2026-44376 MEDIUM
CubeCart: Reflected XSS in Store Search Bar
CVSS 6.1
CVE-2026-39428 MEDIUM
CubeCart v6 < 6.6.0 Product Fields - Stored Cross-Site Scripting
CVSS 4.8
CVE-2026-42548 HIGH
Flight: Reflected XSS via unvalidated JSONP callback in Flight::jsonp()
CVE-2026-0256 MEDIUM
Palo Alto Networks Cloud NGFW - XSS
CVE-2026-44581 MEDIUM
Next.js: Cross-site scripting in App Router applications using CSP nonces
CVSS 4.7
CVE-2026-44580 MEDIUM
Next.js: Cross-site scripting in beforeInteractive scripts with untrusted input
CVSS 6.1
CVE-2026-45028 MEDIUM
Astro: Server island encrypted parameters vulnerable to cross-component replay
CVSS 6.1
CVE-2026-42557 CRITICAL
jupyterlab: Command linker attributes in HTML enable one-click command execution from untrusted content
CVSS 9.6
CVE-2026-6177 HIGH
Custom Twitter Feeds <= 2.5.4 - Unauthenticated Stored Cross-Site Scripting via Cached Tweet Text
CVSS 7.2
CVE-2026-42948 MEDIUM
Elecom Co.,ltd. WAB-BE187-M - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS 4.8
CVE-2026-3004 MEDIUM
Snow Monkey Blocks <= 24.1.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-slick' Attribute
CVSS 6.4
CVE-2026-6962 MEDIUM
Cost of Goods: Product Cost & Profit Calculator for WooCommerce <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS 6.4
CVE-2026-6828 MEDIUM
Fluent Forms <= 6.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'permission_message' Shortcode Attribute
CVSS 6.4
CVE-2026-44245 MEDIUM
Kyverno: [policy-reporter-ui] XSS via Stored Property Values in PropertyCard Component
CVSS 6.1
CVE-2026-42157 MEDIUM
Flowsint: Stored XSS on map node marker in map page
CVE-2026-42338 MEDIUM
ip-address: XSS in Address6 HTML-emitting methods
CVSS 6.1
CVE-2026-34686 HIGH
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
CVSS 8.7
CVE-2026-34658 MEDIUM
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
CVSS 4.8
CVE-2026-34655 MEDIUM
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
CVSS 4.8
CVE-2026-23819 HIGH
Error in SSID Processing allows Stored XSS in Web Management Interface
CVSS 8.8
CVE-2026-43892 HIGH
AntSword: Incomplete noxss() sanitization leads to 1-click RCE via jquery.terminal format code injection
CVSS 8.8