CWE-79

Exploit likelihood: High

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

44,894 vulnerabilities with CWE-79
CVE-2026-32757 MEDIUM
Admidio: HTMLPurifier Bypass in eCard Message Allows HTML Email Injection
CVSS 5.4
CVE-2026-33395 MEDIUM
Discourse has stored click‑based XSS via Graphviz SVG javascript: links
CVSS 4.4
CVE-2026-32721 HIGH
LuCI luci-mod-network: Possible XSS attack in WiFi scan on Joining Wireless Client modal
CVSS 8.6
CVE-2026-29106 MEDIUM
SuiteCRM has blind XSS in return_id parameter
CVSS 5.9
CVE-2026-29100 HIGH
SuiteCRM has Reflected HTML Injection in Login Page via default_user_name Parameter
CVSS 7.1
CVE-2026-32754 CRITICAL
FreeScout: Stored XSS via Unescaped Email Template Rendering ({!! $thread->body !!})
CVSS 9.3
CVE-2026-32751 CRITICAL
SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface
CVSS 9.0
CVE-2026-32040 MEDIUM
OpenClaw < 2026.2.23 - HTML Injection via Unvalidated Image MIME Type in Data-URL Interpolation
CVSS 4.6
CVE-2026-33346 HIGH
OpenEMR has stored XSS in portal_payment.php via Unescaped table_args
CVSS 8.7
CVE-2026-33303 MEDIUM
OpenEMR Vulnerable to Stored XSS via Unescaped portal_login_username in Credential Print View
CVSS 5.4
CVE-2026-33299 MEDIUM
OpenEMR has Stored XSS in patient encounter Eye Exam form answers
CVSS 5.4
CVE-2026-27740 MEDIUM
Discourse has Stored XSS in AI Triage Automation
CVSS 6.1
CVE-2026-27570 MEDIUM
Discourse Vulnerable to Stored XSS via Shared AI Conversation Onebox
CVSS 6.1
CVE-2026-32119 MEDIUM
OpenEMR has Stored DOM XSS via SearchHighlight text-node reconstruction on Custom Report page
CVSS 4.4
CVE-2026-32869 MEDIUM
OPEXUS eComplaint and eCASE XSS via Name of Organization field
CVSS 5.5
CVE-2026-32868 MEDIUM
OPEXUS eComplaint and eCASE XSS via my information
CVSS 5.5
CVE-2026-32866 MEDIUM
OPEXUS eComplaint and eCase stored XSS via profile first and last name
CVSS 5.5
CVE-2026-32843 MEDIUM
Linkit ONE Location Aware Sensor System (LASS) Reflected XSS via PM25.php
CVE-2026-27070 HIGH
WordPress Everest Forms Pro plugin <= 1.9.10 - Cross Site Scripting (XSS) vulnerability
CVSS 7.1
CVE-2026-27068 HIGH
WordPress Website LLMs.txt plugin <= 8.2.6 - Reflected Cross Site Scripting (XSS) vulnerability
CVSS 7.1
CVE-2026-25442 HIGH
WordPress Kentha theme <= 4.7.2 - Reflected Cross Site Scripting (XSS) vulnerability
CVSS 7.1
CVE-2026-25438 HIGH
WordPress Gutenberg Blocks – Unlimited blocks For Gutenberg plugin <= 1.2.8 - Reflected Cross Site Scripting (XSS) vulnerability
CVSS 7.1
CVE-2026-21788 MEDIUM
HCL Connections 8 - Cross-Site Scripting
CVSS 5.4
CVE-2026-4120 MEDIUM
Info Cards <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes
CVSS 6.4
CVE-2026-4006 MEDIUM
Draft List <= 2.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'display_name' Parameter
CVSS 6.4