VYPR

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Base · Stable · Likelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (24,712)

page 13 of 1,236
  • CVE-2025-59840 · High · Nov 13, 2025
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode"…

  • CVE-2025-62716 · High · Oct 24, 2025
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    Plane is open-source project management software. Prior to version 1.1.0, an open redirect vulnerability in the ?next_path query parameter allows attackers to supply arbitrary schemes (e.g., javascript:) that are passed directly to router.push. This results in a cross-site…

  • CVE-2025-49552 · High · Oct 14, 2025
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    Adobe Connect versions 12.9 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a high-privileged attacker to execute malicious scripts in a victim's browser. Exploitation of this issue requires user interaction in that a…

  • CVE-2025-57483 · High · Sep 29, 2025
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    A reflected cross-site scripting (XSS) vulnerability in tawk.to chatbox widget v4 allows attackers to execute arbitrary Javascript in the context of the user's browser via injecting a crafted payload into the vulnerable parameter.

  • CVE-2025-10534 · High · Sep 16, 2025
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    Spoofing issue in the Site Permissions component. This vulnerability was fixed in Firefox 143 and Thunderbird 143.

  • CVE-2025-58353 · High · Sep 4, 2025
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    Promptcraft Forge Studio is a toolkit for evaluating, optimizing, and maintaining LLM-powered applications. All versions of Promptcraft Forge Studio sanitize user input using regex blacklists such as `replace(/javascript:/gi, '')`. Because the package uses multi-character…

  • CVE-2025-41425 · High · Jul 22, 2025
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    DuraComm SPM-500 DP-10iN-100-MU is vulnerable to a cross-site scripting attack. This could allow an attacker to prevent legitimate users from accessing the web interface.

  • CVE-2024-57783 · High · Jun 2, 2025
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    The desktop application in Dot through 0.9.3 allows XSS and resultant command execution because user input and LLM output are appended to the DOM with innerHTML (in render.js), and because the Electron window can access Node.js APIs.

  • CVE-2025-4123 · High · May 22, 2025
    risk 0.53 · CVSS 7.6 · EPSS 0.98

    A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not…

  • CVE-2025-0984 · High · May 6, 2025
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netoloji Software E-Flow allows Accessing Functionality Not Properly Constrained by ACLs, Stored XSS, File Content…

  • CVE-2025-22636 · High · Apr 17, 2025
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vicente Ruiz Gálvez VR-Frases vr-frases allows Reflected XSS. This issue affects VR-Frases: from n/a through <= 4.0.1.

  • CVE-2024-7085 · High · Jan 15, 2025
    risk 0.53 · CVSS n/a · EPSS 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Solutions Business Manager (SBM) allows Stored XSS. The vulnerability could result in the exposure of private information to an unauthorized actor. This…

  • CVE-2024-44309 · Medium · KEV · Nov 20, 2024
    risk 0.53 · CVSS 6.3 · EPSS 0.21

    A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, macOS Sequoia 15.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross site…

  • CVE-2024-46482 · High · Oct 22, 2024
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    An arbitrary file upload vulnerability in the Ticket Generation function of Ladybird Web Solution Faveo-Helpdesk v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .html or .svg file.

  • CVE-2024-4190 · High · Jun 11, 2024
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    Stored Cross-Site Scripting (XSS) vulnerabilities have been identified in OpenText ArcSight Logger. The vulnerabilities could be remotely exploited.

  • CVE-2024-37177 · High · Jun 11, 2024
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    SAP Financial Consolidation allows data to enter a Web application through an untrusted source. These endpoints are exposed over the network and it allows the user to modify the content from the web site. On successful exploitation, an attacker can cause significant impact to…

  • CVE-2024-2050 · High · Mar 18, 2024
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists when an attacker injects then executes arbitrary malicious JavaScript code within the context of the product.

  • CVE-2018-11059 · High · Jul 24, 2018
    risk 0.53 · CVSS 8.2 · EPSS 0.01

    RSA Archer, versions prior to 6.4.0.1, contain a stored cross-site scripting vulnerability. A remote authenticated malicious Archer user could potentially exploit this vulnerability to store malicious HTML or JavaScript code in a trusted application data store. When application…

  • CVE-2017-8899 · High · May 11, 2017
    risk 0.53 · CVSS 8.1 · EPSS 0.01

    Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has a composite of Stored XSS and Information Disclosure issues in the attachments feature found in User CP. This can be triggered by any Invision Power Board user and can be used to gain access to…

  • CVE-2017-2683 · High · Feb 27, 2017
    risk 0.53 · CVSS 8.2 · EPSS 0.01

    A non-privileged user of the Siemens web application RUGGEDCOM NMS < V1.2 on port 8080/TCP and 8081/TCP could perform a persistent Cross-Site Scripting (XSS) attack, potentially resulting in obtaining administrative permissions.