CWE-79
High likelihood
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
43,800 vulnerabilities with CWE-79
CVE-2026-3355
MEDIUM
Customer Reviews for WooCommerce <= 5.101.0 - Reflected Cross-Site Scripting via 'crsearch'
CVSS 6.1
CVE-2026-1572
MEDIUM
Livemesh Addons by Elementor <= 9.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via Plugin Settings
CVSS 6.4
CVE-2026-3551
MEDIUM
Custom New User Notification <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'User Mail Subject' Setting
CVSS 4.4
CVE-2026-5070
MEDIUM
Vantage <= 1.20.32 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Block Text Content
CVSS 6.4
CVE-2026-4032
MEDIUM
CodeColorer <= 0.10.1 - Unauthenticated Stored Cross-Site Scripting via 'class' attribute in 'cc' Comment Shortcode
CVSS 6.1
CVE-2026-3878
MEDIUM
WP Docs <= 2.2.9 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'wpdocs_options[icon_size]'
CVSS 6.4
CVE-2026-3885
MEDIUM
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_box Shortcode
CVSS 6.4
CVE-2026-3299
MEDIUM
WP YouTube Lyte <= 1.7.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via lyte Shortcode
CVSS 6.4
CVE-2026-40179
MEDIUM
Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer
CVSS 6.1
CVE-2026-1711
MEDIUM
Pega Infinity < Infinity 25.1.2 - XSS
CVSS 4.8
CVE-2026-40186
MEDIUM
ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements
CVSS 6.1
CVE-2026-35569
HIGH
ApostropheCMS: Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS
CVSS 8.7
CVE-2026-33889
MEDIUM
ApostropheCMS: Stored XSS via CSS Custom Property Injection in `@apostrophecms/color-field` Escaping Style Tag Context
CVSS 5.4
CVE-2026-6370
MEDIUM
WordPress Mini Ajax Cart for WooCommerce plugin <= 1.3.4 - Cross Site Scripting (XSS) vulnerability
CVSS 5.9
CVE-2026-20132
MEDIUM
Cisco Identity Services Engine Multiple Cross-Site Scripting Vulnerabilities
CVSS 4.8
CVE-2026-20059
MEDIUM
Cisco Unity Connection Reflected Cross-Site Scripting Vulnerability
CVSS 6.1
CVE-2026-40734
MEDIUM
WordPress Categories Images plugin <= 3.3.1 - Cross Site Scripting (XSS) vulnerability
CVSS 6.5
CVE-2026-5717
MEDIUM
VI: Include Post By <= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute
CVSS 6.4
CVE-2026-5694
HIGH
Quick Interest Slider <= 3.1.5 - Unauthenticated Stored Cross-Site Scripting
CVSS 7.2
CVE-2026-4011
MEDIUM
Power Charts <= 0.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute
CVSS 6.4
CVE-2026-4005
MEDIUM
Coachific Shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'userhash' Shortcode Attribute
CVSS 6.4
CVE-2026-3998
MEDIUM
WM JqMath <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'style' Shortcode Attribute
CVSS 6.4
CVE-2026-3659
MEDIUM
WP Circliful <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute
CVSS 6.4
CVE-2026-3643
HIGH
Accessibly <= 3.0.3 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Widget Source Injection via REST API
CVSS 7.2
CVE-2026-5160
MEDIUM
Github.com/yuin/goldmark/renderer/html < 1.7.17 - XSS
CVSS 6.1
Details
Vulnerabilities: 43,800
Exploit Likelihood: High