Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-80

CWE-80

High likelihood

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Parent: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

517 vulnerabilities with CWE-80

CVE-2026-40875 HIGH

mailcow: dockerized vulnerable to stored XSS in user login history real_rip

CVE-2026-40873 HIGH

mailcow: dockerized vulnerable to stored XSS in Quarantine attachment filenames

CVE-2026-40872 CRITICAL

mailcow: dockerized vulnerable to stored XSS in autodiscover logs email address field

CVE-2026-1564 MEDIUM

Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.

CVE-2026-20170 MEDIUM

Cisco Webex Contact Center - XSS

CVE-2026-40105 MEDIUM

XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality

CVE-2026-39425 MEDIUM

MaxKB: Stored XSS via Unsanitized html_rander Tags in Markdown Rendering

CVE-2026-26460 MEDIUM

Vtiger CRM 8.4.0 - HTML Injection

CVE-2026-33657 MEDIUM

EspoCRM: Stored HTML injection in email notifications about stream notes via unescaped post field

CVE-2026-39941 MEDIUM

ChurchCRM has an XSS vulnerability

CVE-2026-34718 MEDIUM

Zammad improperly neutralizes of script-related HTML tags in ticket articles

CVE-2026-39712 MEDIUM

WordPress tagDiv Composer plugin <= 5.4.3 - Arbitrary Shortcode Execution vulnerability

CVE-2026-39629 MEDIUM

WordPress Uminex theme <= 1.0.9 - Arbitrary Shortcode Execution vulnerability

CVE-2026-39628 MEDIUM

WordPress DukaMarket theme <= 1.3.0 - Arbitrary Shortcode Execution vulnerability

CVE-2026-39626 MEDIUM

WordPress Armania theme <= 1.4.8 - Arbitrary Shortcode Execution vulnerability

CVE-2026-39625 MEDIUM

WordPress TechOne theme <= 3.0.3 - Arbitrary Shortcode Execution vulnerability

CVE-2026-39841 MEDIUM

Stored XSS through list fields on Cargo's page values and Special:CargoTables

CVE-2026-39839 MEDIUM

Stored XSS through URLs in Cargo's map format

CVE-2026-39837 MEDIUM

Stored XSS through the dynamic table format in Cargo

CVE-2026-39344 HIGH

Reflected XSS the login page through the 'username' parameter

CVE-2026-35460 MEDIUM

Papra has an HTML Injection in Transactional Emails via Unescaped User Display Name

CVE-2026-0396 LOW

HTML injection in the web dashboard

CVE-2026-1834 MEDIUM

Ibtana - WordPress Website Builder <= 1.2.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

CVE-2026-2995 HIGH

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab

CVE-2026-33080 HIGH

Filament: Unvalidated Range and Values summarizer values can be used for XSS

Page 1 of 21 Next

Details

Vulnerabilities 517

Exploit Likelihood High

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy