VYPR

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Abstraction: Base · Status: Stable · Likelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (24,712)

page 18 of 1,236
  • CVE-2024-29022 · High · Apr 12, 2024
    risk 0.50 · cvss 8.8 · epss 0.01

    Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. In affected versions some request headers are not correctly sanitised when stored in the session and display tables. These headers can be used to inject a…

  • CVE-2023-0992 · High · Jun 9, 2023
    risk 0.50 · cvss 7.2 · epss 0.93

    The Shield Security plugin for WordPress is vulnerable to stored Cross-Site Scripting in versions up to, and including, 17.0.17 via the 'User-Agent' header. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a…

  • CVE-2018-14631 · High · Sep 17, 2018
    risk 0.50 · cvss 8.8 · epss 0.02

    moodle before versions 3.5.2, 3.4.5, 3.3.8 is vulnerable to a boost theme - blog search GET parameter insufficiently filtered. The breadcrumb navigation provided by Boost theme when displaying search results of a blog were insufficiently filtered, which could result in reflected…

  • CVE-2026-11799 · High · Jun 9, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    UXSS in Focus for iOS / Klar Webkit navigation. This vulnerability was fixed in Focus for iOS 151.3.1 and Klar for iOS 151.3.1.

  • CVE-2026-9809 · High · May 29, 2026
    risk 0.49 · cvss 7.6 · epss 0.00

    A stored Cross-Site Scripting (XSS) vulnerability exists in the Projects component of Mautic 7. When displaying project tags and popovers on administrative detail views (such as campaigns, emails, or forms), user-supplied project names are rendered without proper sanitization.…

  • CVE-2026-44655 · High · May 28, 2026
    risk 0.49 · cvss n/a · epss 0.00

    Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.3.0 to 2.28.1, unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator access level) to inject HTML in Move Attachments admin page. This vulnerability is…

  • CVE-2026-9144 · High · May 20, 2026
    risk 0.49 · cvss 7.6 · epss 0.00

    Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a stored cross-site scripting vulnerability in the embedded web configuration interface that allows authenticated attackers to execute persistent JavaScript by fragmenting malicious payloads across multiple…

  • CVE-2026-5783 · High · May 20, 2026
    risk 0.49 · cvss 7.6 · epss 0.00

    Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Beyaz Computer Software Design Industry and Trade Ltd. Co. CityPLus allows Reflected XSS. This issue affects CityPLus: before V24.29750.1.0.

  • CVE-2026-34463 · High · May 19, 2026
    risk 0.49 · cvss n/a · epss 0.00

    Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior contain a Stored XSS vulnerability. When cloning an issue originating from a Project other than the current one, the clone form (bug_report_page.php) prepends the source Project name before…

  • CVE-2020-37245 · High · May 16, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    Supsystic Digital Publications 1.6.9 contains a path traversal vulnerability in the Folder input field that allows attackers to access files outside the web root by injecting directory traversal sequences. Additionally, the plugin fails to sanitize input fields in publication…

  • CVE-2026-42548 · High · May 13, 2026
    risk 0.49 · cvss n/a · epss 0.00

    Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary…

  • CVE-2026-41683 · High · May 8, 2026
    risk 0.49 · cvss 8.6 · epss 0.00

    i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through…

  • CVE-2026-5301 · High · Apr 8, 2026
    risk 0.49 · cvss 7.6 · epss 0.00

    Stored XSS in log viewer in CoolerControl/coolercontrol-ui <4.0.0 allows unauthenticated attackers to take over the service via malicious JavaScript in poisoned log entries

  • CVE-2026-34585 · High · Mar 31, 2026
    risk 0.49 · cvss 8.6 · epss 0.00

    SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL value inside a…

  • CVE-2026-33955 · High · Mar 27, 2026
    risk 0.49 · cvss 8.6 · epss 0.00

    Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a desktop application. The issue is triggered when an attacker-controlled note…

  • CVE-2026-32721 · High · Mar 19, 2026
    risk 0.49 · cvss 8.6 · epss 0.00

    LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the…

  • CVE-2013-20006 · High · Mar 16, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Qool CMS contains multiple persistent cross-site scripting vulnerabilities in several administrative scripts where POST parameters are not properly sanitized before being stored and returned to users. Attackers can inject malicious JavaScript code through parameters like…

  • CVE-2025-14343 · High · Feb 26, 2026
    risk 0.49 · cvss 7.6 · epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dokuzsoft Technology Ltd. E-Commerce Product allows Reflected XSS. This issue affects E-Commerce Product: through 10122025.

  • CVE-2026-2472 · High · Feb 20, 2026
    risk 0.49 · cvss n/a · epss 0.01

    Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's…

  • CVE-2025-11004 · High · Feb 10, 2026
    risk 0.49 · cvss n/a · epss 0.00

    The Simplicity Device Manager Tool has a Reflected XSS (Cross-site-scripting) vulnerability in several API endpoints. The attacker needs to be on the same network to execute this attack. These APIs can affect confidentiality, integrity, and availability of the system that has…