CWE-79

Exploit likelihood: High

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

44,818 vulnerabilities with CWE-79
CVE-2026-42451 MEDIUM
Grimmory: Stored XSS via Malicious EPUB Enables Session Token Theft
CVSS 6.3
CVE-2026-42224 HIGH
Icinga ipl/web < 0.13.1 - Reflected Cross-Site Scripting
CVSS 7.6
CVE-2026-42192 MEDIUM
Plunk: Stored XSS in campaign view
CVSS 5.4
CVE-2026-42794 MEDIUM
Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug
CVSS 6.1
CVE-2026-41886 HIGH
locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor
CVSS 7.5
CVE-2026-41683 HIGH
HTTP response splitting and DoS in i18next-http-middleware via unsanitised Content-Language header
CVSS 8.6
CVE-2026-41591 MEDIUM
Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping
CVSS 6.4
CVE-2026-41576 HIGH
Ajax30/BraveCMS-2.0: Stored HTML Injection in Contact Email via nl2br() and Unescaped Blade Template
CVSS 7.1
CVE-2026-41575 MEDIUM
th30d4y/IP: DOM-Based Cross-Site Scripting (XSS) Vulnerability
CVSS 6.1
CVE-2026-41524 HIGH
Ajax30/BraveCMS-2.0: Stored XSS in Page / Article Content
CVSS 8.7
CVE-2026-7650 MEDIUM
E2Pdf – Export Pdf Tool for WordPress <= 1.32.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute
CVSS 6.4
CVE-2026-7475 MEDIUM
Sky Addons <= 3.3.2 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Script
CVSS 6.4
CVE-2026-5341 MEDIUM
NMR Strava activities <= 1.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2026-7330 HIGH
Auto Affiliate Links <= 6.8.8 - Unauthenticated Stored Cross-Site Scripting via 'url' Parameter
CVSS 7.2
CVE-2026-8136 LOW
SourceCodester Pharmacy Sales and Inventory System index.php users cross site scripting
CVSS 2.4
CVE-2026-42150 MEDIUM
wlc: print_html outputs API data without HTML escaping, enabling stored XSS
CVSS 5.1
CVE-2026-8117 MEDIUM
SourceCodester Pizzafy Ecommerce System index.php cross site scripting
CVSS 4.3
CVE-2026-8106 MEDIUM
GitHub Enterprise Server Management Console - Reflected HTML Injection
CVSS 6.1
CVE-2026-41929 MEDIUM
Vvveb < 1.0.8.2 Unauthenticated Reflected XSS via Visual Editor
CVSS 6.1
CVE-2026-32207 HIGH
Azure Machine Learning Notebook Spoofing Vulnerability
CVSS 8.8
CVE-2026-41692 MEDIUM
i18nextify is vulnerable to DOM XSS via javascript:/data: URL schemes in translated href/src attributes
CVSS 4.7
CVE-2026-39823 MEDIUM
Bypass of meta content URL escaping causes XSS in html/template
CVSS 6.1
CVE-2026-44742 HIGH
Postorius < 1.3.13 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS 7.2
CVE-2026-41904 HIGH
FreeScout < 1.8.217 - Stored Cross-Site Scripting in Mailbox Auto-Reply Message
CVSS 7.6
CVE-2026-41653 HIGH
BentoPDF: Stored XSS via Markdown Editor Leading to Persistent File Exfiltration