CWE-79

Exploit likelihood: High

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

43,800 vulnerabilities with CWE-79
CVE-2026-23753 MEDIUM
GFI HelpDesk < 4.99.9 Stored XSS via charset Parameter
CVSS 4.8
CVE-2026-23752 MEDIUM
GFI HelpDesk < 4.99.9 Stored XSS via companyname Parameter
CVSS 4.8
CVE-2026-6651 LOW
erponline.xyz ERP Online Inventory Edit Item cross site scripting
CVSS 2.4
CVE-2026-34429 MEDIUM
Vvveb < 1.0.8.1 Stored XSS via Media Upload and Rename
CVSS 5.4
CVE-2026-6648 LOW
Qibo CMS Internal Message cross site scripting
CVSS 3.5
CVE-2026-6633 LOW
Yifang CMS Extended Management L_rbac_admin.php store cross site scripting
CVSS 3.5
CVE-2026-6624 LOW
BichitroGan ISP Billing Software Pool List add cross site scripting
CVSS 2.4
CVE-2026-6623 LOW
BichitroGan ISP Billing Software Profile users-view cross site scripting
CVSS 2.4
CVE-2026-6622 LOW
BichitroGan ISP Billing Software Customer edit cross site scripting
CVSS 2.4
CVE-2026-6619 LOW
langgenius dify ImagePreview image-preview.tsx openInNewTab cross site scripting
CVSS 3.5
CVE-2026-6600 LOW
langflow-ai langflow Frontend React Component Rendering edit-message.tsx cross site scripting
CVSS 3.5
CVE-2026-32963 MEDIUM
Silex Technology, Inc. SD-330AC - XSS
CVSS 6.1
CVE-2026-6593 LOW
ComfyUI View Endpoint server.py cross site scripting
CVSS 3.5
CVE-2026-6592 LOW
ComfyUI userdata Endpoint user_manager.py getuserdata cross site scripting
CVSS 3.5
CVE-2026-6559 MEDIUM
Wavlink WL-WN579A3 login.cgi sub_401F80 cross site scripting
CVSS 4.3
CVE-2026-0868 MEDIUM
EMC Scheduling Manager <= 4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via calendly Shortcode
CVSS 6.4
CVE-2026-2986 MEDIUM
Contextual Related Posts <= 4.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'other_attributes'
CVSS 6.4
CVE-2026-2505 MEDIUM
Categories Images <= 3.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'z_taxonomy_image' Shortcode
CVSS 5.4
CVE-2026-0894 MEDIUM
Content Blocks (Custom Post Widget) <= 3.3.9 - Authenticated (Author+) Stored Cross-Site Scripting via content_block Shortcode
CVSS 6.4
CVE-2026-6048 MEDIUM
Flipbox Addon for Elementor <= 2.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Attributes
CVSS 6.4
CVE-2026-4801 MEDIUM
Page Builder Gutenberg Blocks <= 3.1.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via External iCal Feed Data
CVSS 6.4
CVE-2026-40487 HIGH
Postiz Has Unrestricted File Upload via MIME Type Spoofing that Leads to Stored XSS
CVSS 8.9
CVE-2026-1838 MEDIUM
Hostel <= 1.1.6 - Reflected Cross-Site Scripting via 'shortcode_id' Parameter
CVSS 6.1
CVE-2026-1559 MEDIUM
Youzify <= 1.3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'checkin_place_id' Parameter
CVSS 6.4
CVE-2026-40593 MEDIUM
ChurchCRM: Stored XSS in UserEditor.php via Login Name Field
CVSS 4.8