CWE-79
High likelihood
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
44,818 vulnerabilities with CWE-79
CVE-2026-36388
MEDIUM
PHPGurukul Hospital Management System 4.0 - XSS
CVSS 5.4
CVE-2026-36341
MEDIUM
Krayin Laravel CRM 2.1.5 - Stored Cross-Site Scripting in Activity Comment Field
CVSS 5.4
CVE-2026-41554
HIGH
WordPress Bricks Builder theme 1.9.2-2.2 - Cross Site Scripting (XSS) vulnerability
CVSS 7.1
CVE-2026-5784
HIGH
Stored XSS in DivvyDrive Information Technologies' DivvyDrive
CVSS 8.8
CVE-2026-8080
MEDIUM
MISP core - Stored XSS in MISP template (old engine) element attribute type
CVSS 5.4
CVE-2026-3953
HIGH
Reflected XSS in Gosoft Software's Proticaret E-Commerce
CVSS 8.8
CVE-2026-27421
MEDIUM
WordPress Royal Elementor Addons plugin < 1.7.1053 - Cross Site Scripting (XSS) vulnerability
CVSS 6.5
CVE-2026-41661
MEDIUM
Admidio: Reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion
CVSS 6.1
CVE-2026-41201
CRITICAL
CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS Version 2
CVSS 9.1
CVE-2026-40296
MEDIUM
PhpSpreadsheet vulnerable to XSS in HTML writer via custom number format codes
CVSS 5.4
CVE-2026-40171
HIGH
Jupyter Notebook and JupyterLab token theft via stored XSS in help command linker
CVE-2026-8012
MEDIUM
Google Chrome - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS 5.4
CVE-2026-7958
MEDIUM
Google Chrome - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS 5.4
CVE-2026-7939
MEDIUM
Google Chrome - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS 5.4
CVE-2026-36358
MEDIUM
Juzaweb CMS 5.0.0 - Cross-Site Scripting via Add Banner Ads Function
CVSS 5.4
CVE-2026-42509
MEDIUM
Apache Wicket: crafted strings can break out of the JavaScript sequence
CVSS 6.1
CVE-2026-7457
MEDIUM
LatePoint <= 5.5.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Customer Cabinet Profile Update
CVSS 6.4
CVE-2026-7332
HIGH
LatePoint <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting via 'booking_form_page_url' Parameter
CVSS 7.2
CVE-2026-6672
MEDIUM
Affiliate Program Suite <= 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via slicewp_affiliate_url Shortcode
CVSS 6.4
CVE-2026-23928
HIGH
Zabbix 6.0.0 to 7.4.7 - Item History Widget Stored Cross-Site Scripting
CVE-2026-23926
HIGH
Zabbix 7.0.0 to 7.4.7 - Host Navigator Tooltip Stored Cross-Site Scripting
CVE-2026-38947
MEDIUM
FluentCMS 1.2.3 - Cross-Site Scripting in TextHTML Plugin
CVSS 6.1
CVE-2026-35453
MEDIUM
PhpSpreadsheet XSS via number format text substitution in HTML Writer
CVSS 5.4
CVE-2026-38432
MEDIUM
ERPNext < 15.103.1 - Stored Cross-Site Scripting in Email Template Engine
CVSS 6.1
CVE-2026-27694
MEDIUM
traccar allows stored HTML injection in notification emails
CVSS 5.4
Details
Vulnerabilities: 44,818
Exploit Likelihood: High