CWE-79

Exploit likelihood: High

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

44,730 vulnerabilities with CWE-79
CVE-2026-0266 LOW
Palo Alto Networks Cloud Ngfw - XSS
CVE-2026-45106 MEDIUM
Weblate: Stored HTML injection in editor search preview
CVSS 4.6
CVE-2026-46642 MEDIUM
draw.io: XSS via crafted cell label when opening a .drawio file
CVSS 6.1
CVE-2026-20258 HIGH
Stored Cross-Site Scripting (XSS) through Classic Dashboard in Splunk Enterprise
CVSS 7.1
CVE-2026-46609 MEDIUM
Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog
CVSS 4.6
CVE-2026-53693 MEDIUM
MISP BSimVis stored cross-site scripting in tag and cluster rendering paths via unescaped tag metadata and UI labels
CVE-2026-53473 HIGH
Migration-planner-ui-app: stored xss via javascript: url in agent credential link
CVSS 7.3
CVE-2026-45560 MEDIUM
Roxy-WI: Stored XSS in log viewer (wrap_line/highlight_word produce unescaped HTML)
CVSS 6.1
CVE-2026-53441 MEDIUM
Jenkins - XSS
CVSS 5.4
CVE-2026-49069 HIGH
WordPress WPZOOM Portfolio plugin <= 1.4.21 - Cross Site Scripting (XSS) vulnerability
CVSS 7.1
CVE-2026-9019 MEDIUM
Easy Image Collage < 1.13.6 - XSS
CVSS 6.4
CVE-2026-8853 MEDIUM
MW WP Form <= 5.1.3 - Authenticated (Editor+) Stored Cross-Site Scripting via 'memo' Parameter
CVSS 4.4
CVE-2026-8613 MEDIUM
aThemes Addons for Elementor <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag' Widget Setting
CVSS 6.4
CVE-2026-9060 LOW
Agile Store Locator < 1.6.6 - Admin+ Stored XSS via map_style
CVSS 3.5
CVE-2026-8071 HIGH
Spam protection, Honeypot, Anti-Spam by CleanTalk < 6.79 - Unauthenticated Stored XSS via Comment Shortcode Bypass
CVSS 8.8
CVE-2026-46518 HIGH
OpenEMR: Stored XSS in prescription CSS/HTML print view via patient demographics
CVSS 7.7
CVE-2026-41003 HIGH
Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting
CVSS 7.6
CVE-2026-34417 MEDIUM
OSCAL-GUI Reflected XSS via project parameter in oscal-forms.php
CVSS 6.1
CVE-2026-25860 MEDIUM
OpenClinic GA 5.351.19 Reflected XSS via DICOM Image Upload Handler
CVSS 6.1
CVE-2026-47933 MEDIUM
ColdFusion | Cross-site Scripting (Stored XSS) (CWE-79)
CVSS 4.8
CVE-2026-34416 MEDIUM
OSCAL-GUI Reflected XSS via project parameter in oscal.php
CVSS 6.1
CVE-2026-25557 MEDIUM
Evoluted PHP Directory Listing Script 4.0.5 Reflected XSS via dir parameter
CVSS 5.4
CVE-2026-11799 HIGH
UXSS in Focus for iOS / Klar Webkit navigation
CVSS 7.5
CVE-2026-47106 MEDIUM
Ellucian Banner Self-Service Stored XSS via getFacultyMeetingTimes API
CVSS 5.4
CVE-2026-32856 MEDIUM
Ellucian Banner Self-Service Reflected XSS via dateConverter
CVSS 6.1