CWE-79

High likelihood

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

44,858 vulnerabilities with CWE-79
CVE-2026-6106 LOW
1Panel-dev MaxKB Public Chat static_headers_middleware.py StaticHeadersMiddleware cross site scripting
CVSS 3.5
CVE-2026-31845 CRITICAL
Rukovoditel CRM < 3.6.4 - Unauthenticated Reflected Cross-Site Scripting via Zadarma API zd_echo Parameter
CVSS 9.3
CVE-2026-23900 MEDIUM
Extension - phoca.cz - Stored XSS vectors in Phoca Maps component 5.0.0 - 6.0.2 for Joomla
CVSS 6.5
CVE-2026-5226 MEDIUM
Optimole <= 4.2.3 - Reflected Cross-Site Scripting via Page Profiler URL
CVSS 6.1
CVE-2026-5217 HIGH
Optimole <= 4.2.2 - Unauthenticated Stored Cross-Site Scripting via Srcset Descriptor Parameter
CVSS 7.2
CVE-2026-4895 MEDIUM
Greenshift <= 12.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via disablelazy Attribute
CVSS 6.4
CVE-2026-3498 MEDIUM
BlockArt Blocks <= 2.2.15 - Authenticated (Author+) Stored Cross-Site Scripting via 'clientId' Block Attribute
CVSS 6.4
CVE-2026-32893 MEDIUM
Chamilo LMS has Reflected XSS via Unsanitized http_build_query() in Exercise Question List Pagination
CVSS 5.4
CVE-2026-35600 MEDIUM
Vikunja has HTML Injection via Task Titles in Overdue Email Notifications
CVSS 5.4
CVE-2026-6035 MEDIUM
code-projects Vehicle Showroom Management System ServiceAndSalesReport.php cross site scripting
CVSS 4.3
CVE-2026-6034 MEDIUM
code-projects Vehicle Showroom Management System ProfitAndLossReport.php cross site scripting
CVSS 4.3
CVE-2026-6032 MEDIUM
code-projects Simple Laundry System checkcheckout.php cross site scripting
CVSS 4.3
CVE-2026-40212 MEDIUM
OpenStack Skyline < 5.0.1, 6.0.0, 7.0.0 - DOM-based Cross-Site Scripting via Unsafe document.write
CVSS 5.4
CVE-2026-1115 CRITICAL
Stored XSS in parisneo/lollms
CVSS 9.6
CVE-2026-2305 MEDIUM
AddFunc Head & Footer Code <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields
CVSS 6.4
CVE-2026-6003 LOW
code-projects Simple IT Discussion Forum user.php cross site scripting
CVSS 2.4
CVE-2026-4305 MEDIUM
Royal WordPress Backup & Restore Plugin <= 1.0.16 - Reflected Cross-Site Scripting via 'wpr_pending_template' Parameter
CVSS 6.1
CVE-2026-1263 MEDIUM
Webling <= 3.9.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'title' Parameter
CVSS 6.4
CVE-2026-40112 MEDIUM
PraisonAI has Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)
CVSS 5.4
CVE-2026-21904 MEDIUM
Junos Space: ilpFilter field on nLegacy.jsp is vulnerable to reflected cross-site script injection
CVSS 6.1
CVE-2026-39941 MEDIUM
ChurchCRM <7.1.0 EditEventAttendees.php - Cross-Site Scripting
CVSS 6.1
CVE-2026-3005 MEDIUM
List category posts <= 0.94.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'catlist' Shortcode
CVSS 6.4
CVE-2026-5742 MEDIUM
UsersWP <= 1.2.60 - Authenticated (Subscriber+) Stored Cross-Site Scripting via User Badge Link Substitution
CVSS 6.4
CVE-2026-4336 MEDIUM
Ultimate FAQ Accordion Plugin <= 2.4.7 - Authenticated (Author+) Stored Cross-Site Scripting via FAQ Content
CVSS 6.4
CVE-2026-5836 LOW
code-projects Online Shoe Store admin_product.php cross site scripting
CVSS 2.4