CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (24,712)
page 19 of 1,236| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-40587 | Hig | 0.49 | 7.6 | 0.00 | Feb 10, 2026 | A vulnerability has been identified in Polarion V2404 (All versions < V2404.5), Polarion V2410 (All versions < V2410.2). The affected application allows arbitrary JavaScript code be included in document titles. This could allow an authenticated remote attacker to conduct a… | ||
| CVE-2025-7760 | Hig | 0.49 | 7.6 | 0.00 | Feb 3, 2026 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ofisimo Web-Based Software Technologies Association Web Package Flora allows XSS Through HTTP Headers. This issue affects Association Web Package Flora: from v3.0… | ||
| CVE-2025-8461 | Hig | 0.49 | 7.6 | 0.00 | Feb 3, 2026 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Seres Software syWEB allows Reflected XSS. This issue affects syWEB: through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond… | ||
| CVE-2025-8456 | Hig | 0.49 | 7.6 | 0.00 | Feb 3, 2026 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kod8 Software Technologies Trade Ltd. Co. Kod8 Individual and SME Website allows Reflected XSS. This issue affects Kod8 Individual and SME Website: through 03022026. … | ||
| CVE-2025-8589 | Hig | 0.49 | 7.6 | 0.00 | Feb 3, 2026 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Reflected XSS. This issue affects SKSPro: through 07012026. | ||
| CVE-2025-7713 | Hig | 0.49 | 7.5 | 0.00 | Jan 29, 2026 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows XSS Through HTTP Headers. This issue affects Content Management System (CMS):… | ||
| CVE-2025-2406 | Hig | 0.49 | 7.6 | 0.00 | Dec 25, 2025 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Trizbi allows Cross-Site Scripting (XSS). This issue affects Trizbi: before 2.144.4. | ||
| CVE-2025-2405 | Hig | 0.49 | 7.6 | 0.00 | Dec 25, 2025 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Titarus allows Cross-Site Scripting (XSS). This issue affects Titarus: before 2.144.4. | ||
| CVE-2025-2307 | Hig | 0.49 | 7.6 | 0.00 | Dec 25, 2025 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Aidango allows Cross-Site Scripting (XSS). This issue affects Aidango: before 2.144.4. | ||
| CVE-2024-58304 | Hig | 0.49 | 7.5 | 0.00 | Dec 11, 2025 | SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit JavaScript payloads through the 'descr' parameter in the product edit form to… | ||
| CVE-2025-10914 | Hig | 0.49 | 7.6 | 0.00 | Oct 23, 2025 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Proliz Software Ltd. Co. OBS (Student Affairs Information System) allows Reflected XSS. This issue affects OBS (Student Affairs Information System): before V26.0401. | ||
| CVE-2025-59332 | Hig | 0.49 | 8.6 | 0.00 | Sep 15, 2025 | 3DAlloy is a lightWeight 3D-viewer for MediaWiki. From 1.0 through 1.8, the <3d> parser tag and the {{#3d}} parser function allow users to provide custom attributes that are then appended to the canvas HTML element that is being output by the extension. The attributes are not… | ||
| CVE-2025-58444 | Hig | 0.49 | — | 0.01 | Sep 8, 2025 | The MCP inspector is a developer tool for testing and debugging MCP servers. A cross-site scripting issue was reported in versions of the MCP Inspector local development tool prior to 0.16.6 when connecting to untrusted remote MCP servers with a malicious redirect URI. This… | ||
| CVE-2025-49428 | Hig | 0.49 | 7.5 | 0.00 | Aug 20, 2025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dourou Cookie Warning allows Stored XSS. This issue affects Cookie Warning: from n/a through 1.3. | ||
| CVE-2025-55300 | Hig | 0.49 | — | 0.01 | Aug 18, 2025 | Komari is a lightweight, self-hosted server monitoring tool designed to provide a simple and efficient solution for monitoring server performance. Prior to 1.0.4-fix1, WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks… | ||
| CVE-2025-49898 | Hig | 0.49 | 7.6 | 0.00 | Aug 15, 2025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xolluteon Dropshix allows DOM-Based XSS.This issue affects Dropshix: from n/a through 4.0.14. | ||
| CVE-2025-51624 | Hig | 0.49 | 7.6 | 0.00 | Aug 6, 2025 | Cross-site scripting (XSS) vulnerability in Zone Bitaqati thru 3.4.0. | ||
| CVE-2025-53369 | Hig | 0.49 | 8.6 | 0.00 | Jul 3, 2025 | Short Description is a MediaWiki extension that provides local short description support. In version 4.0.0, short descriptions are not properly sanitized before being inserted as HTML using mw.util.addSubtitle, allowing any user to insert arbitrary HTML into the DOM by editing a… | ||
| CVE-2025-53093 | Hig | 0.49 | 8.6 | 0.00 | Jun 27, 2025 | TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Starting in version 3.0.0 and prior to version 3.1.1, any user can insert arbitrary HTMLinto the DOM by inserting a payload into any allowed attribute of the `` tag. Version 3.1.1 contains a patch… | ||
| CVE-2025-49262 | Hig | 0.49 | 7.6 | 0.00 | Jun 6, 2025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shaonsina Sina Extension for Elementor sina-extension-for-elementor allows Stored XSS.This issue affects Sina Extension for Elementor: from n/a through <= 3.6.1. |
- risk 0.49cvss 7.6epss 0.00
A vulnerability has been identified in Polarion V2404 (All versions < V2404.5), Polarion V2410 (All versions < V2410.2). The affected application allows arbitrary JavaScript code be included in document titles. This could allow an authenticated remote attacker to conduct a…
- risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ofisimo Web-Based Software Technologies Association Web Package Flora allows XSS Through HTTP Headers. This issue affects Association Web Package Flora: from v3.0…
- risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Seres Software syWEB allows Reflected XSS. This issue affects syWEB: through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond…
- risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kod8 Software Technologies Trade Ltd. Co. Kod8 Individual and SME Website allows Reflected XSS. This issue affects Kod8 Individual and SME Website: through 03022026. …
- risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Reflected XSS. This issue affects SKSPro: through 07012026.
- risk 0.49cvss 7.5epss 0.00
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows XSS Through HTTP Headers. This issue affects Content Management System (CMS):…
- risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Trizbi allows Cross-Site Scripting (XSS). This issue affects Trizbi: before 2.144.4.
- risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Titarus allows Cross-Site Scripting (XSS). This issue affects Titarus: before 2.144.4.
- risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Aidango allows Cross-Site Scripting (XSS). This issue affects Aidango: before 2.144.4.
- risk 0.49cvss 7.5epss 0.00
SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit JavaScript payloads through the 'descr' parameter in the product edit form to…
- risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Proliz Software Ltd. Co. OBS (Student Affairs Information System) allows Reflected XSS. This issue affects OBS (Student Affairs Information System): before V26.0401.
- risk 0.49cvss 8.6epss 0.00
3DAlloy is a lightWeight 3D-viewer for MediaWiki. From 1.0 through 1.8, the <3d> parser tag and the {{#3d}} parser function allow users to provide custom attributes that are then appended to the canvas HTML element that is being output by the extension. The attributes are not…
- risk 0.49cvss —epss 0.01
The MCP inspector is a developer tool for testing and debugging MCP servers. A cross-site scripting issue was reported in versions of the MCP Inspector local development tool prior to 0.16.6 when connecting to untrusted remote MCP servers with a malicious redirect URI. This…
- risk 0.49cvss 7.5epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dourou Cookie Warning allows Stored XSS. This issue affects Cookie Warning: from n/a through 1.3.
- risk 0.49cvss —epss 0.01
Komari is a lightweight, self-hosted server monitoring tool designed to provide a simple and efficient solution for monitoring server performance. Prior to 1.0.4-fix1, WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks…
- risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xolluteon Dropshix allows DOM-Based XSS.This issue affects Dropshix: from n/a through 4.0.14.
- risk 0.49cvss 7.6epss 0.00
Cross-site scripting (XSS) vulnerability in Zone Bitaqati thru 3.4.0.
- risk 0.49cvss 8.6epss 0.00
Short Description is a MediaWiki extension that provides local short description support. In version 4.0.0, short descriptions are not properly sanitized before being inserted as HTML using mw.util.addSubtitle, allowing any user to insert arbitrary HTML into the DOM by editing a…
- risk 0.49cvss 8.6epss 0.00
TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Starting in version 3.0.0 and prior to version 3.1.1, any user can insert arbitrary HTMLinto the DOM by inserting a payload into any allowed attribute of the `` tag. Version 3.1.1 contains a patch…
- risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shaonsina Sina Extension for Elementor sina-extension-for-elementor allows Stored XSS.This issue affects Sina Extension for Elementor: from n/a through <= 3.6.1.