CWE-79

Exploit likelihood: High

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

44,813 vulnerabilities with CWE-79
CVE-2026-4859 MEDIUM
SP Blog Designer <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'design' Attribute
CVSS 6.4
CVE-2026-3604 MEDIUM
WP SEO Structured Data Schema <= 2.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_kcseo_ative_tab' Parameter
CVSS 4.9
CVE-2026-2300 MEDIUM
BJ Lazy Load <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom HTML Block
CVSS 6.4
CVE-2026-40137 MEDIUM
Cross-Site Scripting (XSS) vulnerability in Business Server Pages Application (TAF_APPLAUNCHER)
CVSS 6.1
CVE-2026-27682 MEDIUM
SAP NetWeaver AS ABAP Business Server Pages - Reflected Cross-Site Scripting
CVSS 4.7
CVE-2026-45392 HIGH
Cribl Stream < 4.17.1 - Improper Input Validation
CVSS 8.7
CVE-2026-43900 CRITICAL
DeepChat: Persistent DOM XSS via HTML Entity Encoding in `<antArtifact>` SVG Rendering (Bypass of `svgSanitizer.ts`)
CVSS 9.3
CVE-2026-42554 MEDIUM
Fiber: XSS in AutoFormat Content Negotiation
CVSS 6.1
CVE-2026-43887 HIGH
Outline: Stored XSS via Comment Mentions
CVSS 7.3
CVE-2026-43878 MEDIUM
WWBN AVideo: Reflected XSS in plugin/Meet/iframe.php via Unescaped `user`/`pass` Parameters Reflected into JavaScript String Literal
CVSS 6.1
CVE-2026-43876 MEDIUM
WWBN AVideo: HTML Injection in notifySubscribers.json.php Enables Platform-Branded Phishing Emails to Channel Subscribers
CVSS 6.4
CVE-2026-45026 MEDIUM
WeGIA: Stored XSS in html/atendido/processo_aceitacao.php
CVSS 6.8
CVE-2026-45025 MEDIUM
WeGIA: Stored XSS in html/atendido/etapa_processo.php
CVSS 6.8
CVE-2026-42887 MEDIUM
Audiobookshelf: Stored Cross-Site Scripting in Login Page Custom Message
CVSS 4.5
CVE-2026-42872 MEDIUM
WeGIA: Reflected XSS in listar_arquivos_etapa.php
CVSS 6.1
CVE-2026-42870 MEDIUM
WeGIA: Cross-Site Scripting (XSS) Stored endpoint 'informacao_adicional.php' parameter 'descricao'
CVE-2026-7308 MEDIUM
Nexus Repository 3 - Stored Cross-Site Scripting (XSS) via HTML Browse Page
CVE-2026-42857 MEDIUM
Open edX Platform: Stored CSS Injection in Email Notifications via Incomplete HTML Sanitization
CVSS 4.6
CVE-2026-41250 MEDIUM
XSS in taiga-front
CVSS 5.7
CVE-2026-38569 MEDIUM
HireFlow v1.2 - Stored Cross-Site Scripting via Resume or Feedback Comment Fields
CVSS 5.4
CVE-2026-44737 MEDIUM
grav-plugin-admin: Stored Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][title]
CVE-2026-42842 MEDIUM
grav-plugin-form: XSS via Taxonomy Field Values in Admin Panel
CVSS 5.4
CVE-2026-36906 MEDIUM
iotgateway 3.0.1 - Cross-Site Scripting via Log Record Function
CVSS 6.1
CVE-2026-7814 MEDIUM
pgAdmin 4: Stored XSS via crafted PostgreSQL object names in Browser Tree and Explain Visualizer
CVSS 4.8
CVE-2026-42841 MEDIUM
Grav: Stored XSS via Markdown media attribute() action in Grav CMS
CVSS 4.8