CWE-79
High likelihood
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
44,818 vulnerabilities with CWE-79
CVE-2026-5159
MEDIUM
Royal Addons for Elementor <= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Follow Button Text' Parameter
CVSS 6.4
CVE-2026-4803
HIGH
Royal Addons for Elementor <= 1.7.1056 - Unauthenticated Stored Cross-Site Scripting via 'status' Parameter in wpr_update_form_action_meta
CVSS 7.2
CVE-2026-4665
MEDIUM
WP Carousel Free <= 2.7.10 - Contributor Stored Cross-Site Scripting
CVSS 6.4
CVE-2026-6704
MEDIUM
Blog Settings <= 1.0 - Reflected Cross-Site Scripting via 'page' Parameter
CVSS 6.1
CVE-2026-6696
MEDIUM
Zingaya Click-to-Call <= 1.0 - Reflected Cross-Site Scripting via 'email' Parameter
CVSS 6.1
CVE-2026-6255
MEDIUM
Simple Owl Shortcodes <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'num' Shortcode Attribute
CVSS 6.4
CVE-2026-5505
MEDIUM
WP-Clippy <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2026-5247
MEDIUM
PublishPress Future <= 4.10.0 - Authenticated Stored XSS via [futureaction] Shortcode
CVSS 5.5
CVE-2026-4730
MEDIUM
Charts Ninja < 2.1.0 - Authenticated Stored Cross-Site Scripting via Chart ID Shortcode Attribute
CVSS 6.4
CVE-2026-2868
MEDIUM
Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'separatorIconSVG'
CVSS 6.4
CVE-2026-42235
CRITICAL
n8n: XSS via MCP OAuth client
CVSS 9.6
CVE-2026-42138
MEDIUM
Dify Vulnerable to Stored XSS via SVG-file upload
CVSS 6.1
CVE-2026-42086
MEDIUM
OpenC3 COSMOS: Self-XSS in the Command Sender
CVSS 4.6
CVE-2026-42052
MEDIUM
beets < 2.10.0 Web UI - Cross-Site Scripting
CVE-2026-42090
CRITICAL
Notesnook: RCE via stored XSS in note export rendering
CVSS 9.6
CVE-2026-38669
MEDIUM
wCMS 1.4 - Stored Cross-Site Scripting via Blog Creation
CVSS 6.1
CVE-2026-31205
MEDIUM
Pluck CMS < 4.7.21dev - Stored Cross-Site Scripting via Page Editor
CVSS 5.7
CVE-2026-7371
HIGH
GeoVision LPC2011/LPC2211 Web Interface / ssi.cgi reflected cross-site scripting (XSS) vulnerabilities
CVSS 7.4
CVE-2026-42366
HIGH
GeoVision LPC2011/LPC2211 Web Interface / ssi.cgi reflected cross-site scripting (XSS) vulnerabilities
CVSS 7.4
CVE-2026-5063
HIGH
NEX-Forms <= 9.1.11 - Unauthenticated Stored Cross-Site Scripting via POST Parameter Key Names
CVSS 7.2
CVE-2026-7677
LOW
kerwincui FastBee System Notice SysNoticeController.java add cross site scripting
CVSS 3.5
CVE-2026-0703
MEDIUM
NextMove Lite - Thank You Page for WooCommerce <= 2.23.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'xlwcty_current_date' Shortcode
CVSS 6.4
CVE-2026-6817
MEDIUM
Quiz Maker by AYS <= 6.7.1.29 - Unauthenticated Stored Cross-Site Scripting via 'rate_reason'
CVSS 5.8
CVE-2026-4790
MEDIUM
Premium Addons for Elementor <= 4.11.70 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'custom_svg' Parameter
CVSS 5.4
CVE-2026-5077
MEDIUM
Total <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title in Blog Section Image alt Attribute
CVSS 5.4
Details
Vulnerabilities: 44,818
Exploit Likelihood: High