Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-80

CWE-80

High likelihood

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Parent: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

538 vulnerabilities with CWE-80

CVE-2026-26460 MEDIUM

Vtiger CRM 8.4.0 - HTML Injection in Dashboard Tab Parameter

CVE-2026-33657 MEDIUM

EspoCRM: Stored HTML injection in email notifications about stream notes via unescaped post field

CVE-2026-39941 MEDIUM

ChurchCRM <7.1.0 EditEventAttendees.php - Cross-Site Scripting

CVE-2026-34718 MEDIUM

Zammad improperly neutralizes of script-related HTML tags in ticket articles

CVE-2026-39712 MEDIUM

WordPress tagDiv Composer plugin <= 5.4.3 - Arbitrary Shortcode Execution vulnerability

CVE-2026-39629 MEDIUM

WordPress Uminex theme <= 1.0.9 - Arbitrary Shortcode Execution vulnerability

CVE-2026-39628 MEDIUM

WordPress DukaMarket theme <= 1.3.0 - Arbitrary Shortcode Execution vulnerability

CVE-2026-39626 MEDIUM

WordPress Armania theme <= 1.4.8 - Arbitrary Shortcode Execution vulnerability

CVE-2026-39625 MEDIUM

WordPress TechOne theme <= 3.0.3 - Arbitrary Shortcode Execution vulnerability

CVE-2026-39841 MEDIUM

Stored XSS through list fields on Cargo's page values and Special:CargoTables

CVE-2026-39839 MEDIUM

Stored XSS through URLs in Cargo's map format

CVE-2026-39837 MEDIUM

Stored XSS through the dynamic table format in Cargo

CVE-2026-39344 HIGH

Reflected XSS the login page through the 'username' parameter

CVE-2026-35460 MEDIUM

Papra <26.4.0 Transactional Emails - HTML Injection

CVE-2026-0396 LOW

HTML injection in the web dashboard

CVE-2026-1834 MEDIUM

Ibtana - WordPress Website Builder <= 1.2.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

CVE-2026-2995 HIGH

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab

CVE-2026-33080 HIGH

Filament Tables 4.x and 5.x - Stored Cross-Site Scripting

CVE-2026-32891 CRITICAL

Anchorr Privilege Escalation: Jellyseerr User → Anchorr Admin via Stored XSS

CVE-2026-29106 MEDIUM

SuiteCRM has blind XSS in return_id parameter

CVE-2026-32753 HIGH

FreeScout: Stored XSS through SVG file upload with filter bypass

CVE-2026-27166 MEDIUM

Discourse vulnerable to HTML injection via prohibited iframe URLs

CVE-2026-28499 MEDIUM

Vapor LeafKit < 1.14.2 - Collection Value Cross-Site Scripting

CVE-2026-32732 NONE

@leanprover/unicode-input-component <0.2.0 - XSS

CVE-2026-20070 MEDIUM

Cisco Secure Firewall ASA and FTD - Unauthenticated Cross-Site Scripting via VPN Web Services

Previous Page 2 of 22 Next

Details

Vulnerabilities 538

Exploit Likelihood High

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy