CWE-79

High likelihood

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

44,869 vulnerabilities with CWE-79
CVE-2026-5255 MEDIUM
code-projects Simple Laundry System Parameter delstaffinfo.php cross site scripting
CVSS 4.3
CVE-2026-5254 LOW
welovemedia FFmate Webhook AppJsonTreeView.vue cross site scripting
CVSS 3.5
CVE-2026-5253 LOW
bufanyun HotGo editNotice Endpoint MessageList.vue cross site scripting
CVSS 3.5
CVE-2026-5252 LOW
z-9527 admin Message Create Endpoint message.js cross site scripting
CVSS 3.5
CVE-2026-5249 LOW
gougucms Record Endpoint record.html cross site scripting
CVSS 3.5
CVE-2026-35057 MEDIUM
XenForo Stored Cross-Site Scripting via Structured Text Mentions
CVSS 6.4
CVE-2026-35055 MEDIUM
XenForo Cross-Site Scripting via Lightbox in Posts
CVSS 6.1
CVE-2026-35054 MEDIUM
XenForo Stored Cross-Site Scripting via BB Code Rendering
CVSS 6.4
CVE-2026-5240 MEDIUM
code-projects BloodBank Managing System admin_state.php cross site scripting
CVSS 4.3
CVE-2026-2480 MEDIUM
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'max_width' Shortcode Attribute
CVSS 6.4
CVE-2026-34605 MEDIUM
SiYuan: Reflected XSS via SVG namespace prefix bypass in SanitizeSVG (getDynamicIcon, unauthenticated)
CVSS 6.1
CVE-2026-34585 HIGH
SiYuan: Stored XSS in imported .sy.zip content leads to arbitrary command execution
CVSS 8.6
CVE-2026-34448 CRITICAL
SiYuan: Stored XSS in Attribute View gallery/kanban cover rendering allows arbitrary command execution in the desktop client
CVSS 9.0
CVE-2026-34405 MEDIUM
Nuxt OG Image vulnerable to reflected XSS via query parameter injection into HTML attributes
CVSS 6.1
CVE-2026-3468 MEDIUM
SonicWall Email Security < 10.0.35.8405 - Authenticated Stored Cross-Site Scripting
CVSS 4.8
CVE-2026-34739 MEDIUM
AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php
CVSS 6.1
CVE-2026-34716 MEDIUM
AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification
CVSS 6.4
CVE-2026-34396 MEDIUM
AVideo: Stored XSS via Unescaped Plugin Configuration Values in Admin Panel
CVSS 6.1
CVE-2026-34206 MEDIUM
Captcha Protect: Reflected XSS in challenge page via unsanitized destination rendered with text/template
CVSS 6.1
CVE-2026-5209 LOW
SourceCodester Leave Application System User Management cross site scripting
CVSS 2.4
CVE-2026-32607 MEDIUM
Discourse: Stored XSS via unescaped assignee name
CVSS 5.4
CVE-2026-32273 MEDIUM
Discourse: XSS on category description update via API
CVSS 5.4
CVE-2026-32243 MEDIUM
Discourse: Stored XSS in discourse-ai shared conversations onebox
CVSS 5.4
CVE-2026-34231 MEDIUM
Slippers: Cross-Site Scripting (XSS) in `attrs` Template Tag
CVSS 6.1
CVE-2026-33276 MEDIUM
XSS in Unified Search via Unescaped Host/Service Names
CVSS 5.4