CWE-79
High likelihood
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
44,845 vulnerabilities with CWE-79
CVE-2026-2986
MEDIUM
Contextual Related Posts <= 4.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'other_attributes'
CVSS 6.4
CVE-2026-2505
MEDIUM
Categories Images <= 3.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'z_taxonomy_image' Shortcode
CVSS 5.4
CVE-2026-0894
MEDIUM
Content Blocks (Custom Post Widget) <= 3.3.9 - Authenticated (Author+) Stored Cross-Site Scripting via content_block Shortcode
CVSS 6.4
CVE-2026-6048
MEDIUM
Flipbox Addon for Elementor <= 2.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Attributes
CVSS 6.4
CVE-2026-4801
MEDIUM
Page Builder Gutenberg Blocks <= 3.1.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via External iCal Feed Data
CVSS 6.4
CVE-2026-40487
HIGH
Postiz Has Unrestricted File Upload via MIME Type Spoofing that Leads to Stored XSS
CVSS 8.9
CVE-2026-1838
MEDIUM
Hostel <= 1.1.6 - Reflected Cross-Site Scripting via 'shortcode_id' Parameter
CVSS 6.1
CVE-2026-1559
MEDIUM
Youzify <= 1.3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'checkin_place_id' Parameter
CVSS 6.4
CVE-2026-40593
MEDIUM
ChurchCRM: Stored XSS in UserEditor.php via Login Name Field
CVSS 4.8
CVE-2026-40483
MEDIUM
ChurchCRM: Stored XSS in PledgeEditor.php via Donation Comment Field
CVSS 5.4
CVE-2026-40479
MEDIUM
Kimai: Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget
CVSS 5.4
CVE-2026-2434
MEDIUM
Pz-LinkCard <= 2.5.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2026-40353
MEDIUM
wger: Stored XSS via Unescaped License Attribution Fields
CVSS 5.4
CVE-2026-40302
MEDIUM
zrok has reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering
CVSS 6.1
CVE-2026-40301
MEDIUM
rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives
CVSS 4.7
CVE-2026-40286
HIGH
WeGIA has Cross-Site Scripting in Controle de Contribuição
CVSS 7.5
CVE-2026-40284
MEDIUM
WeGIA has stored XSS in listar_despachos.php
CVSS 6.8
CVE-2026-40282
MEDIUM
WeGIA has stored XSS in intercorrencia_visualizar.php
CVE-2026-33436
LOW
Stirling-PDF: Reflected XSS through crafted filename in file upload functionality
CVSS 3.1
CVE-2026-40283
MEDIUM
WeGIA has stored XSS in profile_paciente.php
CVSS 6.8
CVE-2026-6493
LOW
lukevella rallly Reset Password reset-password-form.tsx cross site scripting
CVSS 3.5
CVE-2026-6486
LOW
classroombookings User Display Name layout.php read cross site scripting
CVSS 3.5
CVE-2026-28263
MEDIUM
Dell PowerProtect Data Domain 7.7.1.0-8.5, 8.3.1.0-8.3.1.20, 7.13.1.0-7.13.1.50 - Cross-Site Scripting
CVSS 5.9
CVE-2026-6439
MEDIUM
VideoZen <= 1.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'VideoZen available subtitles languages' Field
CVSS 4.4
CVE-2026-5231
HIGH
WP Statistics <= 14.16.4 - Unauthenticated Stored Cross-Site Scripting via 'utm_source' Parameter
CVSS 7.2
Details
Vulnerabilities: 44,845
Exploit Likelihood: High