CWE-79
High likelihoodImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
45,147 vulnerabilities with CWE-79
CVE-2025-6050
MEDIUM
Mezzanine < 6.1.1 - Authenticated Stored Cross-Site Scripting via Blog Post Title in Admin Interface
CVSS 4.8
CVE-2025-40674
MEDIUM
osCommerce v4 - Reflected Cross-Site Scripting via /watch/en/about-us Parameter
CVE-2025-5209
MEDIUM
Ivory Search < 5.5.10 - Authenticated Stored Cross-Site Scripting in Plugin Settings
CVSS 4.8
CVE-2025-4775
MEDIUM
WordPress Infinite Scroll - Ajax Load More <7.4.0.1 - XSS
CVSS 6.4
CVE-2025-3774
HIGH
Wise Chat <= 3.3.4 - Unauthenticated Stored Cross-Site Scripting via X-Forwarded-For Header
CVSS 7.2
CVE-2025-48993
MEDIUM
Group-Office <6.8.123, 25.0.27 - XSS
CVSS 6.1
CVE-2025-48992
MEDIUM
Group-Office <6.8.123, 25.0.27 - XSS
CVSS 4.8
CVE-2025-6131
LOW
CodeAstro Food Ordering System 1.0 - Stored Cross-Site Scripting via Restaurant Name/Address Parameter
CVSS 2.4
CVE-2025-6127
LOW
PHPGurukul Nipah Virus Testing Management System 1.0 - Cross-Site Scripting via Search Report Parameter
CVSS 3.5
CVE-2025-6126
MEDIUM
PHPGurukul Rail Pass Management System 1.0 - Cross-Site Scripting via Contact Form Name Parameter
CVSS 4.3
CVE-2025-6125
LOW
PHPGurukul Rail Pass Management System 1.0 - Cross-Site Scripting via pagedes Argument
CVSS 2.4
CVE-2025-40729
MEDIUM
Customer Support System 1.0 - Reflected Cross-Site Scripting via Page Parameter
CVSS 6.1
CVE-2025-40727
MEDIUM
Phoenix CMS - Reflected Cross-Site Scripting via Search GET Parameter
CVE-2025-40726
MEDIUM
Nosto - Reflected Cross-Site Scripting via Search Results Page q Parameter
CVE-2025-4987
HIGH
Dassault Systmes Project Portfolio Manager R2023x-R2025x - Stored Cross-Site Scripting in Opportunity Management
CVSS 8.7
CVE-2025-6092
MEDIUM
comfyanonymous comfyui <0.3.39 - XSS
CVSS 4.3
CVE-2025-5990
HIGH
Crafty Controller 4.3.0-4.3.1 - Authenticated Stored Cross-Site Scripting via Server Name and API Key Forms
CVSS 7.6
CVE-2025-5337
MEDIUM
MetaSlider < 3.98.0 - Authenticated Stored XSS via Aria-Label
CVSS 6.4
CVE-2025-5238
MEDIUM
YITH WooCommerce Wishlist <4.5.0 - XSS
CVSS 6.4
CVE-2025-4667
MEDIUM
Simply Schedule Appointments Booking Plugin <1.6.8.30 - XSS
CVSS 6.4
CVE-2025-6061
MEDIUM
kk Youtube Video <= 0.2 - Authenticated Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2025-6040
MEDIUM
Easy Flashcards <= 0.1 - Cross-Site Request Forgery and Stored Cross-Site Scripting via Settings Update
CVSS 6.1
CVE-2025-5589
MEDIUM
StreamWeasels Kick Integration <1.1.3 - XSS
CVSS 6.4
CVE-2025-5336
MEDIUM
Click to Chat plugin - WordPress <4.22 - XSS
CVSS 6.4
CVE-2025-4216
MEDIUM
DIOT SCADA with MQTT <= 1.0.5.1 - Authenticated Stored Cross-Site Scripting via 'diot' Shortcode
CVSS 6.4
Details
Vulnerabilities
45,147
Exploit Likelihood
High