CWE-79
High likelihood
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
44,846 vulnerabilities with CWE-79
CVE-2026-40038
HIGH
Pachno 1.0.6 Stored Cross-Site Scripting via Multiple Parameters
CVSS 7.2
CVE-2026-23891
HIGH
Decidim <0.30.5 and <0.31.1 User Name - Stored Cross-Site Scripting
CVSS 8.7
CVE-2026-6184
LOW
code-projects Simple Content Management System welcome.php cross site scripting
CVSS 2.4
CVE-2026-30812
MEDIUM
Stored Cross-Site Scripting in Event Comments via Filter Bypass
CVSS 5.4
CVE-2026-31281
HIGH
Totara LMS <=v19.1.5 - HTML Injection
CVSS 8.0
CVE-2026-2728
MEDIUM
LibreNMS < 26.3.0 - Authenticated Cross-Site Scripting in Showconfig Page
CVSS 4.8
CVE-2026-35565
MEDIUM
Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI
CVSS 5.4
CVE-2026-6162
LOW
PHPGurukul Company Visitor Management System bwdates-reports-details.php cross site scripting
CVSS 3.5
CVE-2026-6159
MEDIUM
code-projects Simple ChatBox Endpoint insert.php cross site scripting
CVSS 4.3
CVE-2026-6179
MEDIUM
Stored Cross Site Scripting in NightWolf Penetration Testing Platform
CVE-2026-6150
MEDIUM
code-projects Simple Laundry System checkupdatestatus.php cross site scripting
CVSS 4.3
CVE-2026-1116
MEDIUM
Cross-site Scripting (XSS) in parisneo/lollms
CVSS 6.1
CVE-2026-6107
LOW
1Panel-dev MaxKB ChatHeadersMiddleware chat_headers_middleware.py cross site scripting
CVSS 3.5
CVE-2026-6106
LOW
1Panel-dev MaxKB Public Chat static_headers_middleware.py StaticHeadersMiddleware cross site scripting
CVSS 3.5
CVE-2026-31845
CRITICAL
Rukovoditel CRM < 3.6.4 - Unauthenticated Reflected Cross-Site Scripting via Zadarma API zd_echo Parameter
CVSS 9.3
CVE-2026-23900
MEDIUM
Extension - phoca.cz - Stored XSS vectors in Phoca Maps component 5.0.0 - 6.0.2 for Joomla
CVSS 6.5
CVE-2026-5226
MEDIUM
Optimole <= 4.2.3 - Reflected Cross-Site Scripting via Page Profiler URL
CVSS 6.1
CVE-2026-5217
HIGH
Optimole <= 4.2.2 - Unauthenticated Stored Cross-Site Scripting via Srcset Descriptor Parameter
CVSS 7.2
CVE-2026-4895
MEDIUM
Greenshift <= 12.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via disablelazy Attribute
CVSS 6.4
CVE-2026-3498
MEDIUM
BlockArt Blocks <= 2.2.15 - Authenticated (Author+) Stored Cross-Site Scripting via 'clientId' Block Attribute
CVSS 6.4
CVE-2026-32893
MEDIUM
Chamilo LMS has Reflected XSS via Unsanitized http_build_query() in Exercise Question List Pagination
CVSS 5.4
CVE-2026-35600
MEDIUM
Vikunja has HTML Injection via Task Titles in Overdue Email Notifications
CVSS 5.4
CVE-2026-6035
MEDIUM
code-projects Vehicle Showroom Management System ServiceAndSalesReport.php cross site scripting
CVSS 4.3
CVE-2026-6034
MEDIUM
code-projects Vehicle Showroom Management System ProfitAndLossReport.php cross site scripting
CVSS 4.3
CVE-2026-6032
MEDIUM
code-projects Simple Laundry System checkcheckout.php cross site scripting
CVSS 4.3