CWE-79

High likelihood

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

44,819 vulnerabilities with CWE-79
CVE-2026-6997 (LOW, CVSS 2.4): BDCOM P3310D New RMON History cross site scripting
CVE-2026-6996 (LOW, CVSS 2.4): BDCOM P3310D rmon event Tab cross site scripting
CVE-2026-6995 (LOW, CVSS 2.4): BDCOM P3310D New User index.asp cross site scripting
CVE-2026-6990 (LOW, CVSS 3.5): projeto-siga novo cross site scripting
CVE-2026-41472 (MEDIUM, CVSS 6.1): CyberPanel < 2.4.4 Stored XSS via AI Scanner Dashboard
CVE-2026-41426 (MEDIUM, CVSS 6.1): pretalx: Email injection via unescaped user-controlled placeholders in pretalx mail templates
CVE-2026-41421 (HIGH, CVSS 8.8): SiYuan Desktop Notification XSS Leads to Electron RCE
CVE-2026-41067 (MEDIUM, CVSS 6.1): Astro: XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass
CVE-2026-31050 (MEDIUM, CVSS 4.9): Hostbill 2025-11-24/2025-12-01 - XSS
CVE-2026-4313 (LOW): Stored XSS in AdaptiveGRC
CVE-2026-41043 (MEDIUM, CVSS 6.5): Apache ActiveMQ, Apache ActiveMQ Web: ActiveMQ Web Console - XSS vulnerability when browsing queues
CVE-2026-4078 (MEDIUM, CVSS 6.4): ITERAS <= 1.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVE-2026-5428 (MEDIUM, CVSS 6.4): Royal Addons for Elementor <= 1.7.1056 - Authenticated (Author+) Stored Cross-Site Scripting via Image Caption Field
CVE-2026-41430 (MEDIUM, CVSS 6.1): Press vulnerable to reflected XSS on login redirection
CVE-2026-41318 (MEDIUM, CVSS 5.4): AnythingLLM < 1.12.1 - Stored DOM XSS in Chart Caption Renderer
CVE-2026-41305 (MEDIUM, CVSS 6.1): PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
CVE-2026-31953 (MEDIUM, CVSS 6.4): Xibo CMS has Stored XSS via Notification Body with Zero-Click Execution on Login
CVE-2026-41241 (HIGH, CVSS 8.7): pretalx: Stored cross-site scripting in organiser search typeahead
CVE-2026-41240 (MEDIUM, CVSS 6.1): DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
CVE-2026-41239 (MEDIUM, CVSS 6.8): DOMPurify 1.0.10-3.3.x RETURN_DOM - SAFE_FOR_TEMPLATES Bypass
CVE-2026-41238 (MEDIUM, CVSS 6.9): DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
CVE-2026-40472 (CRITICAL, CVSS 9.9): Hackage package metadata stored XSS vulnerability
CVE-2026-40470 (CRITICAL, CVSS 9.9): Hackage package and doc upload stored XSS vulnerability
CVE-2026-28040 (MEDIUM, CVSS 6.5): WordPress Taxi Booking Manager for WooCommerce plugin <= 2.0.0 - Cross Site Scripting (XSS) vulnerability
CVE-2026-4512 (LOW, CVSS 3.5): WP reCaptcha by WebDesignBy < 2.0 – Admin+ Stored XSS