VYPR

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (24,712)

page 15 of 1,236
  • CVE-2026-34558CriMar 30, 2026
    risk 0.52cvss 9.1epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality…

  • CVE-2026-34557CriMar 30, 2026
    risk 0.52cvss 9.1epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within group and role management…

  • CVE-2026-32275CriMar 30, 2026
    risk 0.52cvss 9.1epss 0.00

    Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0.

  • CVE-2026-32635CriMar 16, 2026
    risk 0.52cvss 9.0epss 0.00

    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and…

  • CVE-2025-66024CriMar 4, 2026
    risk 0.52cvss 9.0epss 0.00

    The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Versions prior to 9.15.7 are vulnerable to Stored Cross-Site Scripting (XSS) via the Blog Post Title. The vulnerability arises because the post title is injected directly into the HTML…

  • CVE-2021-22291HigOct 7, 2025
    risk 0.52cvss 8.0epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ABB EIBPORT V3 KNX, ABB EIBPORT V3 KNX GSM.This issue affects EIBPORT V3 KNX: before 3.9.2; EIBPORT V3 KNX GSM: before 3.9.2.

  • CVE-2025-58746CriSep 8, 2025
    risk 0.52cvss 9.0epss 0.00

    The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external links, internal dashboards, time pickers, and dropdown menus. Prior to version 2.4.0, a malicious actor with Editor privileges can escalate their privileges to Administrator and…

  • CVE-2024-54142CriJan 14, 2025
    risk 0.52cvss 9.0epss 0.00

    Discourse AI is a Discourse plugin which provides a number of AI features. When sharing Discourse AI Bot conversations into posts, if the conversation had HTML entities those could leak into the Discourse application when a user visited a post with a onebox to said conversation.…

  • CVE-2024-52951HigNov 27, 2024
    risk 0.52cvss 8.0epss 0.01

    Stored Cross-Site Scripting in the Access Request History in Omada Identity before version 15 update 1 allows an authenticated attacker to execute arbitrary code in the browser of a victim via a specially crafted link or by viewing a manipulated Access Request History

  • CVE-2024-6497HigJul 20, 2024
    risk 0.52cvss 8.8epss 0.11

    The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 12.3.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated…

  • CVE-2023-3388HigJun 24, 2023
    risk 0.52cvss 7.2epss 0.84

    The Beautiful Cookie Consent Banner for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nsc_bar_content_href' parameter in versions up to, and including, 2.10.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated…

  • CVE-2016-1000273criJul 20, 2022
    risk 0.52cvss epss 0.02

    JavaMelody is a monitoring tool for JavaEE applications. Versions prior to 1.61.0 are vulnerable to a cross-site scripting (XSS) attack. This issue was patched in version 1.61.0, and users are recommended to upgrade to the latest version. There are no known workarounds.

  • CVE-2016-1000226criSep 1, 2020
    risk 0.52cvss epss 0.01

    Affected versions of `swagger-ui` are vulnerable to cross-site scripting in both the `consumes` and `produces` parameters of the swagger JSON document for a given API. Additionally, `swagger-ui` allows users to load arbitrary swagger JSON documents via the query string…

  • CVE-2018-5432HigJun 13, 2018
    risk 0.52cvss 8.0epss 0.01

    The TIBCO Administrator server component of of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, and TIBCO Administrator - Enterprise Edition for z/Linux contains multiple vulnerabilities wherein a malicious user could theoretically perform cross-site scripting…

  • CVE-2017-10612HigOct 13, 2017
    risk 0.52cvss 8.0epss 0.01

    A persistent site scripting vulnerability in Juniper Networks Junos Space allows users who can change certain configuration to implant malicious Javascript or HTML which may be used to steal information or perform actions as other Junos Space users or administrators. Affected…

  • CVE-2016-4923HigOct 13, 2017
    risk 0.52cvss 8.0epss 0.01

    Insufficient cross site scripting protection in J-Web component in Juniper Networks Junos OS may potentially allow a remote unauthenticated user to inject web script or HTML and steal sensitive data and credentials from a J-Web session and to perform administrative actions on…

  • CVE-2012-0767MedKEVFeb 16, 2012
    risk 0.52cvss 6.1epss 0.07

    Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows remote attackers to inject arbitrary web…

  • CVE-2026-43984HigJun 4, 2026
    risk 0.51cvss 8.9epss 0.00

    Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `log_js_errors` to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main…

  • CVE-2026-41611HigMay 12, 2026
    risk 0.51cvss 7.8epss 0.00

    Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally.

  • CVE-2026-42611HigMay 11, 2026
    risk 0.51cvss 8.9epss 0.00

    Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever…