VYPR

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (24,712)

page 19 of 1,236
  • CVE-2025-40587HigFeb 10, 2026
    risk 0.49cvss 7.6epss 0.00

    A vulnerability has been identified in Polarion V2404 (All versions < V2404.5), Polarion V2410 (All versions < V2410.2). The affected application allows arbitrary JavaScript code be included in document titles. This could allow an authenticated remote attacker to conduct a…

  • CVE-2025-7760HigFeb 3, 2026
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ofisimo Web-Based Software Technologies Association Web Package Flora allows XSS Through HTTP Headers. This issue affects Association Web Package Flora: from v3.0…

  • CVE-2025-8461HigFeb 3, 2026
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Seres Software syWEB allows Reflected XSS. This issue affects syWEB: through 03022026.  NOTE: The vendor was contacted early about this disclosure but did not respond…

  • CVE-2025-8456HigFeb 3, 2026
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kod8 Software Technologies Trade Ltd. Co. Kod8 Individual and SME Website allows Reflected XSS. This issue affects Kod8 Individual and SME Website: through 03022026.  …

  • CVE-2025-8589HigFeb 3, 2026
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Reflected XSS. This issue affects SKSPro: through 07012026.

  • CVE-2025-7713HigJan 29, 2026
    risk 0.49cvss 7.5epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows XSS Through HTTP Headers. This issue affects Content Management System (CMS):…

  • CVE-2025-2406HigDec 25, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Trizbi allows Cross-Site Scripting (XSS). This issue affects Trizbi: before 2.144.4.

  • CVE-2025-2405HigDec 25, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Titarus allows Cross-Site Scripting (XSS). This issue affects Titarus: before 2.144.4.

  • CVE-2025-2307HigDec 25, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Aidango allows Cross-Site Scripting (XSS). This issue affects Aidango: before 2.144.4.

  • CVE-2024-58304HigDec 11, 2025
    risk 0.49cvss 7.5epss 0.00

    SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit JavaScript payloads through the 'descr' parameter in the product edit form to…

  • CVE-2025-10914HigOct 23, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Proliz Software Ltd. Co. OBS (Student Affairs Information System) allows Reflected XSS. This issue affects OBS (Student Affairs Information System): before V26.0401.

  • CVE-2025-59332HigSep 15, 2025
    risk 0.49cvss 8.6epss 0.00

    3DAlloy is a lightWeight 3D-viewer for MediaWiki. From 1.0 through 1.8, the <3d> parser tag and the {{#3d}} parser function allow users to provide custom attributes that are then appended to the canvas HTML element that is being output by the extension. The attributes are not…

  • CVE-2025-58444HigSep 8, 2025
    risk 0.49cvss epss 0.01

    The MCP inspector is a developer tool for testing and debugging MCP servers. A cross-site scripting issue was reported in versions of the MCP Inspector local development tool prior to 0.16.6 when connecting to untrusted remote MCP servers with a malicious redirect URI. This…

  • CVE-2025-49428HigAug 20, 2025
    risk 0.49cvss 7.5epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dourou Cookie Warning allows Stored XSS. This issue affects Cookie Warning: from n/a through 1.3.

  • CVE-2025-55300HigAug 18, 2025
    risk 0.49cvss epss 0.01

    Komari is a lightweight, self-hosted server monitoring tool designed to provide a simple and efficient solution for monitoring server performance. Prior to 1.0.4-fix1, WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks…

  • CVE-2025-49898HigAug 15, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xolluteon Dropshix allows DOM-Based XSS.This issue affects Dropshix: from n/a through 4.0.14.

  • CVE-2025-51624HigAug 6, 2025
    risk 0.49cvss 7.6epss 0.00

    Cross-site scripting (XSS) vulnerability in Zone Bitaqati thru 3.4.0.

  • CVE-2025-53369HigJul 3, 2025
    risk 0.49cvss 8.6epss 0.00

    Short Description is a MediaWiki extension that provides local short description support. In version 4.0.0, short descriptions are not properly sanitized before being inserted as HTML using mw.util.addSubtitle, allowing any user to insert arbitrary HTML into the DOM by editing a…

  • CVE-2025-53093HigJun 27, 2025
    risk 0.49cvss 8.6epss 0.00

    TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Starting in version 3.0.0 and prior to version 3.1.1, any user can insert arbitrary HTMLinto the DOM by inserting a payload into any allowed attribute of the `` tag. Version 3.1.1 contains a patch…

  • CVE-2025-49262HigJun 6, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shaonsina Sina Extension for Elementor sina-extension-for-elementor allows Stored XSS.This issue affects Sina Extension for Elementor: from n/a through <= 3.6.1.