CWE-79

Exploit likelihood: High

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

44,846 vulnerabilities with CWE-79

CVE-2026-5231 (HIGH, CVSS 7.2): WP Statistics <= 14.16.4 - Unauthenticated Stored Cross-Site Scripting via 'utm_source' Parameter
CVE-2026-5162 (MEDIUM, CVSS 6.4): Royal Addons for Elementor <= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via Instagram Feed Widget
CVE-2026-40922 (MEDIUM, CVSS 5.4): SiYuan 3.6.1 to 3.6.3 - Bazaar README Stored Cross-Site Scripting
CVE-2026-40262 (HIGH, CVSS 8.7): Note Mark has Stored XSS via Unrestricted Asset Upload
CVE-2026-40322 (CRITICAL, CVSS 9.0): SiYuan: Mermaid `javascript:` Link Injection Leads to Stored XSS and Electron RCE
CVE-2026-2840 (MEDIUM, CVSS 6.4): Email Encoder – Protect Email Addresses and Phone Numbers <= 2.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via eeb_mailto Shortcode
CVE-2026-3369 (MEDIUM, CVSS 5.4): Better Find and Replace – AI-Powered Suggestions <= 1.7.9 - Authenticated (Author+) Stored Cross-Site Scripting via Uploaded Image Title
CVE-2026-3995 (MEDIUM, CVSS 4.4): OPEN-BRAIN <= 0.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'API Key' Setting
CVE-2026-3876 (HIGH, CVSS 7.2): Prismatic <= 3.7.3 - Unauthenticated Stored Cross-Site Scripting via 'prismatic_encoded' Pseudo-Shortcode
CVE-2026-3875 (MEDIUM, CVSS 6.4): BetterDocs <= 4.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVE-2026-3355 (MEDIUM, CVSS 6.1): Customer Reviews for WooCommerce <= 5.101.0 - Reflected Cross-Site Scripting via 'crsearch'
CVE-2026-1572 (MEDIUM, CVSS 6.4): Livemesh Addons by Elementor <= 9.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via Plugin Settings
CVE-2026-3551 (MEDIUM, CVSS 4.4): Custom New User Notification <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'User Mail Subject' Setting
CVE-2026-5070 (MEDIUM, CVSS 6.4): Vantage <= 1.20.32 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Block Text Content
CVE-2026-4032 (MEDIUM, CVSS 6.1): CodeColorer <= 0.10.1 - Unauthenticated Stored Cross-Site Scripting via 'class' attribute in 'cc' Comment Shortcode
CVE-2026-3878 (MEDIUM, CVSS 6.4): WP Docs <= 2.2.9 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'wpdocs_options[icon_size]'
CVE-2026-3885 (MEDIUM, CVSS 6.4): WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_box Shortcode
CVE-2026-3299 (MEDIUM, CVSS 6.4): WP YouTube Lyte <= 1.7.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via lyte Shortcode
CVE-2026-40179 (MEDIUM, CVSS 6.1): Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer
CVE-2026-1711 (MEDIUM, CVSS 4.8): Pega Infinity 8.1.0-25.1.1 - Authenticated Stored Cross-Site Scripting in User Interface Component
CVE-2026-40186 (MEDIUM, CVSS 6.1): ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements
CVE-2026-35569 (HIGH, CVSS 8.7): ApostropheCMS: Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS
CVE-2026-33889 (MEDIUM, CVSS 5.4): ApostropheCMS: Stored XSS via CSS Custom Property Injection in `@apostrophecms/color-field` Escaping Style Tag Context
CVE-2026-6370 (MEDIUM, CVSS 5.9): WordPress Mini Ajax Cart for WooCommerce plugin <= 1.3.4 - Cross Site Scripting (XSS) vulnerability
CVE-2026-20132 (MEDIUM, CVSS 4.8): Cisco Identity Services Engine Multiple Cross-Site Scripting Vulnerabilities