CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit likelihood: High
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
44,867 vulnerabilities with CWE-79
CVE-2026-4333 (MEDIUM, CVSS 6.4): LearnPress <= 4.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'skin' Shortcode Attribute
CVE-2026-3600 (MEDIUM, CVSS 6.4): Investi <= 1.0.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'maximum-num-years' Shortcode Attribute
CVE-2026-3513 (MEDIUM, CVSS 6.4): TableOn – WordPress Posts Table Filterable <= 1.0.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute
CVE-2026-3239 (MEDIUM, CVSS 6.4): Strong Testimonials <= 3.2.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via testimonial_view Shortcode
CVE-2026-4379 (MEDIUM, CVSS 6.4): LightPress Lightbox <= 2.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'group' Shortcode Attribute
CVE-2026-2988 (MEDIUM, CVSS 6.4): Blubrry PowerPress <= 11.15.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via powerpress and podcast Shortcodes
CVE-2026-32289 (MEDIUM, CVSS 6.1): JsBraceDepth Context Tracking Bugs (XSS) in html/template
CVE-2026-4406 (MEDIUM, CVSS 4.7): Gravity Forms <= 2.9.30 - Reflected Cross-Site Scripting via 'form_ids' Parameter
CVE-2026-4394 (MEDIUM, CVSS 6.1): Gravity Forms <= 2.9.30 - Unauthenticated Stored Cross-Site Scripting via Credit Card 'Card Type' Sub-Field
CVE-2026-39936 (MEDIUM): Stored XSS in Score due to usage of non-reserved data attributes
CVE-2026-39935 (MEDIUM): XSS-via-i18n in localised wiki names
CVE-2026-39933 (MEDIUM): Multiple XSS vulnerabilities in GlobalWatchlist
CVE-2026-39846 (CRITICAL, CVSS 9.0): SiYuan affected by Remote Code Execution in the Electron desktop client via stored XSS in synced table captions
CVE-2026-39400 (MEDIUM, CVSS 6.1): Stored XSS via Job HTML/Table Output in Cronicle
CVE-2026-32712 (MEDIUM, CVSS 5.4): Open Source Point of Sale has Stored XSS in Customer Name (Sales)
CVE-2026-39841 (MEDIUM, CVSS 6.1): Stored XSS through list fields on Cargo's page values and Special:CargoTables
CVE-2026-39840 (MEDIUM, CVSS 6.1): CSS injection in multiple Cargo display formats
CVE-2026-39838 (MEDIUM): ProofreadPage improperly sanitizes multiline styles using Sanitizer::checkCSS
CVE-2026-39380 (MEDIUM, CVSS 5.4): Open Source Point of Sale has Stored XSS in Stock Location (Configuration)
CVE-2026-39367 (MEDIUM, CVSS 5.4): WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page
CVE-2026-39344 (HIGH, CVSS 8.1): Reflected XSS in the login page through the 'username' parameter
CVE-2026-39338 (MEDIUM, CVSS 6.1): ChurchCRM has Blind XSS via Global Search – Administrative Cookie Session Exfiltration
CVE-2026-39336 (MEDIUM, CVSS 6.1): ChurchCRM has Stored XSS from unescaped config values in HTML attributes
CVE-2026-39335 (MEDIUM, CVSS 6.1): ChurchCRM has Stored XSS via Unescaped data-* Attributes in Group/Family Controls
CVE-2026-39333 (HIGH, CVSS 8.7): ChurchCRM has Reflected XSS in DateStart/DateEnd parameters in FindFundRaiser.php