CWE-79
High likelihood
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
44,730 vulnerabilities with CWE-79
CVE-2026-54393
MEDIUM
MISP Overmind theme stored XSS via unvalidated homepage setting
CVE-2026-53606
MEDIUM
sanitize-html < 2.17.5 - Cross-Site Scripting via URI Scheme Bypass
CVSS 5.4
CVE-2026-45014
MEDIUM
Apostrophe Vulnerable to Stored Cross-Site Scripting via Unsanitized User Display Name in Draft Version Tooltip
CVE-2026-45011
HIGH
Apostrophe has stored XSS via javascript: URL in Image Widget Link
CVSS 7.3
CVE-2026-44990
CRITICAL
Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
CVSS 9.3
CVE-2026-12130
LOW
CodeAstro Human Resource Management System Projects Management Add_Projects cross site scripting
CVSS 3.5
CVE-2026-12129
LOW
CodeAstro Human Resource Management System Dashboard add_tod cross site scripting
CVSS 3.5
CVE-2026-53724
LOW
Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
CVE-2026-53568
MEDIUM
Frappe: Stored XSS in Frappe Report/List View via 'set_link_title_field_value'
CVE-2026-53722
MEDIUM
Nuxt: Reflected XSS in `<NuxtLink>` via unsanitised `javascript:` or `data:` URL
CVSS 5.4
CVE-2026-47739
MEDIUM
Frappe: Stored XSS in Note
CVE-2026-44205
MEDIUM
Frappe: Stored Cross-Site Scripting (XSS) in User Profile through Image Upload
CVE-2026-46342
MEDIUM
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
CVSS 5.4
CVE-2026-9125
MEDIUM
The Ultimate Video Player For WordPress <= 4.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link_url' Shortcode Attribute
CVSS 6.4
CVE-2026-42653
HIGH
WordPress SliceWP plugin <= 1.2.6 - Cross Site Scripting (XSS) vulnerability
CVSS 7.1
CVE-2026-46489
HIGH
SolidInvoice: Unrestricted file upload with no MIME validation allows stored XSS via malicious SVG logo
CVSS 8.1
CVE-2026-8589
HIGH
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
CVSS 7.3
CVE-2026-10087
HIGH
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
CVSS 8.7
CVE-2026-40986
MEDIUM
Spring Web Flow JS RemotingHandler renders non-HTML Response as HTML
CVSS 4.8
CVE-2026-2827
MEDIUM
Open User Map PRO <= 1.4.31 - Unauthenticated Stored Cross-Site Scripting via 'oum_location_notification'
CVSS 4.7
CVE-2026-42558
HIGH
Xibo Vulnerable to Stored XSS and Iframe Sandbox Escape via Data Connector Script in DataSet
CVSS 7.6
CVE-2026-53742
MEDIUM
Simple Link Directory through 9.0.4 Stored XSS via Embed Shortcode Attributes
CVSS 5.4
CVE-2026-53741
MEDIUM
Simple Link Directory through 9.0.4 Stored XSS via sld_no_results_found Option
CVSS 5.4
CVE-2026-53740
MEDIUM
Yoast Duplicate Post through 4.6 Stored Cross-Site Scripting via Scheduled Republish Notice
CVSS 5.4
CVE-2026-53737
MEDIUM
Juicer through 1.12.18 Stored Cross-Site Scripting via Unescaped API Response
CVSS 6.1
Details
Vulnerabilities: 44,730
Exploit Likelihood: High