CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit likelihood: High

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
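The description above states the weakness in the abstract; the entries that follow show the concrete ways it is usually introduced: an encoder that covers < and > but not quotes inside an attribute, a javascript: URL reaching an href, fields dropped into markup without any escaping. The following Node.js script is an added example written for this page, not code from CWE/MITRE or from any project listed here. It shows context-aware output encoding for the three sinks involved (HTML text, quoted attributes, URLs) and demonstrates the attribute breakout an incomplete encoder permits. Every function name, template and attacker string in it is constructed for the illustration.

```javascript
// Added example for this page (not code from CWE, MITRE, or any project listed
// here): context-aware output encoding for the sinks the entries above hit most.
// Plain Node.js, no dependencies. All names and sample inputs are constructed.

// Encoder for HTML text content and for quoted attribute values. The five
// characters below are the minimum: & (so encoded output cannot be re-decoded),
// < and > (tag boundaries), and both quote characters (attribute boundaries).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// The "incomplete" encoder several of the listed advisories describe: it stops
// a new <script> tag, but a quote still closes the attribute it is written into.
// Kept here only to show the breakout; never use it for attribute values.
function escapeAngleBracketsOnly(value) {
  return String(value).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// URL sink (href, src): allow only a short list of schemes plus relative paths.
// Browsers ignore tabs/newlines inside a URL and match schemes case-insensitively,
// so "JavaScript:" and "java\tscript:" both execute. We strip all ASCII control
// characters and spaces before matching, which is stricter than browsers and
// therefore errs toward rejection. Rejected values become an inert about:blank.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];
function safeUrl(value) {
  const raw = String(value);
  const probe = raw.replace(/[\u0000-\u0020\u007f]/g, '');
  const m = probe.match(/^([a-z][a-z0-9+.-]*):/i);
  if (!m) return raw;                       // no scheme: relative URL, keep as-is
  return ALLOWED_SCHEMES.includes(m[1].toLowerCase()) ? raw : 'about:blank';
}

// Text context: a stored comment rendered into a paragraph.
function renderComment(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Attribute + URL context: a member card. The URL is scheme-checked first and
// then attribute-encoded; both layers are needed, because safeUrl alone does
// not stop a " from closing the href attribute.
function renderMemberCard(name, homepage) {
  const href = escapeHtml(safeUrl(homepage));
  return `<a class="member" title="${escapeHtml(name)}" href="${href}">${escapeHtml(name)}</a>`;
}

// Vulnerable counterpart using the incomplete encoder, for comparison only.
function renderMemberCardIncomplete(name) {
  const n = escapeAngleBracketsOnly(name);
  return `<span class="member" title="${n}">${n}</span>`;
}

// Constructed attacker inputs (not taken from any CVE on this page). The first
// contains no < or > at all: it breaks out of the attribute with a quote.
const ATTR_BREAKOUT = '" onmouseover="alert(document.cookie)" x="';
const JS_LINK = 'JavaScript:alert(1)';
const TAG_INJECTION = '<script>alert(1)</script>';

// True when the rendered markup contains a live (unencoded) event-handler attribute.
function hasLiveHandler(html) {
  return / on[a-z]+="/i.test(html);
}

console.log(renderMemberCardIncomplete(ATTR_BREAKOUT), '->', hasLiveHandler(renderMemberCardIncomplete(ATTR_BREAKOUT)));
console.log(renderMemberCard(ATTR_BREAKOUT, JS_LINK), '->', hasLiveHandler(renderMemberCard(ATTR_BREAKOUT, JS_LINK)));
console.log(renderComment(TAG_INJECTION));
```

Two points to carry away from running it. First, the fix is applied at output time, per context: the stored value stays raw in the database, and the same string is encoded differently depending on whether it lands in text, in an attribute, or in a URL. Second, encoding does not cover every sink on this page: a value placed in an iframe srcdoc attribute is HTML-decoded by the browser and then parsed as a whole document, and a diagram or markdown renderer that emits links needs the scheme check applied to the link it produces, not to the source text, so those cases need a sanitizer or allowlist on the rendered result rather than an encoder alone.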

43,800 vulnerabilities with CWE-79

CVE             Severity  CVSS  Title
CVE-2026-40483  MEDIUM    5.4   ChurchCRM: Stored XSS in PledgeEditor.php via Donation Comment Field
CVE-2026-40479  MEDIUM    5.4   Kimai: Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget
CVE-2026-2434   MEDIUM    6.4   Pz-LinkCard <= 2.5.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVE-2026-40353  MEDIUM    n/a   wger: Stored XSS via Unescaped License Attribution Fields
CVE-2026-40302  MEDIUM    6.1   zrok has reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering
CVE-2026-40301  MEDIUM    4.7   rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives
CVE-2026-40286  HIGH      7.5   WeGIA has Cross-Site Scripting in Controle de Contribuição
CVE-2026-40284  MEDIUM    6.8   WeGIA has stored XSS in listar_despachos.php
CVE-2026-40282  MEDIUM    n/a   WeGIA has stored XSS in intercorrencia_visualizar.php
CVE-2026-33436  LOW       3.1   Stirling-PDF: Reflected XSS through crafted filename in file upload functionality
CVE-2026-40283  MEDIUM    6.8   WeGIA has stored XSS in profile_paciente.php
CVE-2026-6493   LOW       3.5   lukevella rallly Reset Password reset-password-form.tsx cross site scripting
CVE-2026-6486   LOW       3.5   classroombookings User Display Name layout.php read cross site scripting
CVE-2026-28263  MEDIUM    5.9   Dell PowerProtect Data Domain < 8.6.0.0 or later - XSS
CVE-2026-6439   MEDIUM    4.4   VideoZen <= 1.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'VideoZen available subtitles languages' Field
CVE-2026-5231   HIGH      7.2   WP Statistics <= 14.16.4 - Unauthenticated Stored Cross-Site Scripting via 'utm_source' Parameter
CVE-2026-5162   MEDIUM    6.4   Royal Addons for Elementor <= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via Instagram Feed Widget
CVE-2026-40922  MEDIUM    5.4   SiYuan: Incomplete sanitization of bazaar README allows stored XSS via iframe srcdoc (incomplete fix for CVE-2026-33066)
CVE-2026-40262  HIGH      8.7   Note Mark has Stored XSS via Unrestricted Asset Upload
CVE-2026-40322  CRITICAL  9.0   SiYuan: Mermaid `javascript:` Link Injection Leads to Stored XSS and Electron RCE
CVE-2026-2840   MEDIUM    6.4   Email Encoder – Protect Email Addresses and Phone Numbers <= 2.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via eeb_mailto Shortcode
CVE-2026-3369   MEDIUM    5.4   Better Find and Replace – AI-Powered Suggestions <= 1.7.9 - Authenticated (Author+) Stored Cross-Site Scripting via Uploaded Image Title
CVE-2026-3995   MEDIUM    4.4   OPEN-BRAIN <= 0.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'API Key' Setting
CVE-2026-3876   HIGH      7.2   Prismatic <= 3.7.3 - Unauthenticated Stored Cross-Site Scripting via 'prismatic_encoded' Pseudo-Shortcode
CVE-2026-3875   MEDIUM    6.4   BetterDocs <= 4.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

n/a: no CVSS score listed for the entry.