CWE-79

Exploit likelihood: High

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

44,819 vulnerabilities with CWE-79
CVE-2026-4085 MEDIUM
Easy Social Photos Gallery <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wrapper_class' Shortcode Attribute
CVSS 6.4
CVE-2026-4082 MEDIUM
ER Swiffy Insert <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2026-4076 MEDIUM
Slider Bootstrap Carousel <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2026-4074 MEDIUM
Quran Live Multilanguage <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2026-3362 MEDIUM
Short Comment Filter <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Minimum Count' Setting
CVSS 4.4
CVE-2026-2719 MEDIUM
Private WP suite <= 0.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Exceptions' Setting
CVSS 4.4
CVE-2026-2714 MEDIUM
Institute Management <= 5.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Enquiry Form Title' Setting
CVSS 4.4
CVE-2026-1845 MEDIUM
Real Estate Pro <= 1.0.9 - Authenticated (Admin+) Stored Cross-Site Scripting via Settings
CVSS 5.5
CVE-2026-1379 MEDIUM
HTTP Headers <= 1.19.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Custom Headers' Plugin Setting
CVSS 4.4
CVE-2026-40451 MEDIUM
DeepL Chrome browser extension 1.22.0-1.23.0 - Cross-Site Scripting
CVSS 6.1
CVE-2026-41063 MEDIUM
WWBN AVideo ParsedownSafeWithLinks - Cross-Site Scripting
CVSS 5.4
CVE-2026-41061 MEDIUM
WWBN AVideo Vulnerable to stored XSS via Unanchored Duration Regex in Video Encoder Receiver
CVSS 5.4
CVE-2026-40927 MEDIUM
Docmost: XSS in Comments with JavaScript URI
CVSS 5.4
CVE-2026-40878 LOW
mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping
CVE-2026-40875 HIGH
mailcow: dockerized vulnerable to stored XSS in user login history real_rip
CVE-2026-40873 HIGH
mailcow: dockerized vulnerable to stored XSS in Quarantine attachment filenames
CVE-2026-40872 CRITICAL
mailcow: dockerized vulnerable to stored XSS in autodiscover logs email address field
CVE-2026-6745 LOW
Bagisto Custom Scripts cross site scripting
CVSS 3.5
CVE-2026-41456 MEDIUM
Bludit CMS Reflected XSS via Search Plugin
CVE-2026-6743 LOW
WebSystems WebTOTUM Calendar cross site scripting
CVSS 3.5
CVE-2026-40568 HIGH
FreeScout Vulnerable to XSS via Mailbox Signature Due to Incomplete HTML Sanitization
CVSS 8.5
CVE-2026-35451 MEDIUM
Twenty: Stored XSS via BlockNote FileBlock
CVSS 5.7
CVE-2026-27937 LOW
October: Reflected XSS via DataTable Form Widget
CVSS 3.1
CVE-2026-40565 MEDIUM
FreeScout has Stored XSS / CSS Injection via linkify() — Unescaped URL in Anchor href
CVSS 6.1
CVE-2026-31013 MEDIUM
Dovestones Softwares ADPhonebook <4.0.1.1 - XSS
CVSS 6.1