VYPR

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (24,712)

page 12 of 1,236
  • CVE-2026-44990CriJun 12, 2026
    risk 0.53cvss 9.3epss 0.00

    ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp`…

  • CVE-2026-47631HigJun 9, 2026
    risk 0.53cvss 8.1epss 0.00

    Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

  • CVE-2026-42849CriJun 2, 2026
    risk 0.53cvss 9.3epss 0.00

    authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the…

  • CVE-2026-24752HigJun 1, 2026
    risk 0.53cvss 8.2epss 0.00

    Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a…

  • CVE-2026-24751HigJun 1, 2026
    risk 0.53cvss 8.2epss 0.00

    Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a…

  • CVE-2026-45668CriMay 29, 2026
    risk 0.53cvss epss 0.00

    Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Prior to 0.102.2, a malicious ZIP archive imported with safe import enabled achieves RCE via #docName path traversal and XSS by combining a payload note…

  • CVE-2026-44212CriMay 14, 2026
    risk 0.53cvss 9.3epss 0.00

    PrestaShop is an open source e-commerce web application. Prior to 8.2.6 and 9.1.1, there is a stored Cross-Site Scripting (XSS) vulnerability in the PrestaShop back-office Customer Service view. An unauthenticated attacker can submit the public Contact Us form with a malicious…

  • CVE-2026-43938HigMay 12, 2026
    risk 0.53cvss 8.1epss 0.00

    YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the application's database logger (YAFNET.Core/Logger/DbLogger.cs) captures the incoming request's User-Agent header into a JObject, serializes it with JsonConvert, and stores the result in the…

  • CVE-2026-43900CriMay 11, 2026
    risk 0.53cvss 9.3epss 0.00

    DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, a Cross-Site Scripting (XSS) vulnerability exists due to a discrepancy between the backend validation layer and the frontend browser rendering…

  • CVE-2019-25676HigApr 5, 2026
    risk 0.53cvss 8.2epss 0.00

    Ask Expert Script 3.0.5 contains cross-site scripting and SQL injection vulnerabilities that allow unauthenticated attackers to inject malicious code by manipulating URL parameters. Attackers can inject script tags through the cateid parameter in categorysearch.php or SQL code…

  • CVE-2026-34932CriApr 2, 2026
    risk 0.53cvss 9.3epss 0.00

    hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability that can lead to CSRF. This issue has been patched in version 2026.3.0.

  • CVE-2025-13002HigFeb 12, 2026
    risk 0.53cvss 8.2epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Cross-Site Scripting (XSS). This issue affects E-Commerce Package: through 27112025.

  • CVE-2026-1953HigFeb 5, 2026
    risk 0.53cvss epss 0.00

    Nukegraphic CMS v3.1.2 contains a stored cross-site scripting (XSS) vulnerability in the user profile edit functionality at /ngc-cms/user-edit-profile.php. The application fails to properly sanitize user input in the name field before storing it in the database and rendering it…

  • CVE-2026-0535HigJan 22, 2026
    risk 0.53cvss 8.1epss 0.01

    A maliciously crafted HTML payload, stored in a component’s description and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or…

  • CVE-2026-0534HigJan 22, 2026
    risk 0.53cvss 8.1epss 0.00

    A maliciously crafted HTML payload, stored in a part’s attribute and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute…

  • CVE-2026-0533HigJan 22, 2026
    risk 0.53cvss 8.1epss 0.01

    A maliciously crafted HTML payload in a design name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this…

  • CVE-2025-66444HigDec 24, 2025
    risk 0.53cvss 8.2epss 0.00

    Cross-site Scripting vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component) and Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component).This issue affects Hitachi Infrastructure Analytics Advisor:; Hitachi Ops Center…

  • CVE-2025-14202HigDec 18, 2025
    risk 0.53cvss epss 0.00

    A vulnerability in the file upload at bookmark + asset rendering pipeline allows an attacker to upload a malicious SVG file with JavaScript content. When an authenticated admin user views the SVG file with embedded JavaScript code of shared bookmark, JavaScript executes in the…

  • CVE-2025-13614HigDec 5, 2025
    risk 0.53cvss 8.1epss 0.00

    The Cool Tag Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cool_tag_cloud' shortcode in all versions up to, and including, 2.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it…

  • CVE-2025-0248HigNov 25, 2025
    risk 0.53cvss 8.1epss 0.00

    HCL iNotes is susceptible to a Reflected Cross-site Scripting (XSS) vulnerability caused by improper validation of user-supplied input. A remote, unauthenticated attacker can specially craft a URL to execute script in a victim's Web browser within the security context of the…