VYPR

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Abstraction: Base · Status: Stable · Likelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (24,712)

page 2 of 1,236
  • CVE-2017-8898 · Critical · May 11, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has stored XSS in the Announcements, allowing privilege escalation from an Invision Power Board moderator to an admin. An attack uses the announce_content parameter in an index.php?/modcp/announcements/&action=cre…

  • CVE-2007-4039 · Critical · Jul 27, 2007
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    Argument injection vulnerability involving Mozilla, when certain URIs are registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in an unspecified URI, which are inserted into the command line when…

  • CVE-2026-50883 · Critical · Jun 15, 2026
    risk 0.62 · CVSS 9.6 · EPSS 0.00

    An HTML injection vulnerability in the /src/highlight.rs component of matze wastebin v3.4.1 allows attackers to execute arbitrary scripts via a crafted payload.

  • CVE-2026-45323 · Critical · May 28, 2026
    risk 0.62 · CVSS 9.6 · EPSS 0.00

    MeshCore Card provides MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, Meshcore node names are rendered without HTML escaping in meshcore-card, allowing any node within direct or indirect (repeated) radio range to execute arbitrary javascript in the Home Assistant…

  • CVE-2026-42235 · Critical · May 4, 2026
    risk 0.62 · CVSS 9.6 · EPSS 0.00

    n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP OAuth client with a crafted client_name. If a victim user authorized the OAuth consent dialog and a second user…

  • CVE-2025-50754 · Critical · Aug 4, 2025
    risk 0.62 · CVSS 9.6 · EPSS 0.01

    Unisite CMS version 5.0 contains a stored Cross-Site Scripting (XSS) vulnerability in the "Report" functionality. A malicious script submitted by an attacker is rendered in the admin panel when viewed by an administrator. This allows attackers to hijack the admin session and, by…

  • CVE-2024-11986 · Critical · Dec 13, 2024
    risk 0.62 · CVSS 9.6 · EPSS 0.01

    Improper input handling in the 'Host Header' allows an unauthenticated attacker to store a payload in web application logs. When an Administrator views the logs using the application's standard functionality, it enables the execution of the payload, resulting in Stored XSS or…

  • CVE-2023-6452 · Critical · Aug 22, 2024
    risk 0.62 · CVSS 9.6 · EPSS 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Forcepoint Web Security (Transaction Viewer) allows Stored XSS. The Forcepoint Web Security portal allows administrators to generate detailed reports on user requests…

  • CVE-2024-40618 · Critical · Jul 11, 2024
    risk 0.62 · CVSS 9.6 · EPSS 0.00

    Whale browser before 3.26.244.21 allows an attacker to execute malicious JavaScript due to improper sanitization when processing a built-in extension.

  • CVE-2023-51219 · Critical · Jun 3, 2024
    risk 0.62 · CVSS 9.6 · EPSS 0.01

    A deep link validation issue in KakaoTalk 10.4.3 allowed a remote adversary to direct users to run any attacker-controlled JavaScript within a WebView. The impact was further escalated by triggering another WebView that leaked its access token in a HTTP request header.…

  • CVE-2024-35592 · Critical · May 24, 2024
    risk 0.62 · CVSS 9.6 · EPSS 0.01

    An arbitrary file upload vulnerability in the Upload function of Box-IM v2.0 allows attackers to execute arbitrary code via uploading a crafted PDF file.

  • CVE-2017-2336 · Critical · Jul 17, 2017
    risk 0.62 · CVSS 9.6 · EPSS 0.01

    A reflected cross site scripting vulnerability in NetScreen WebUI of Juniper Networks Juniper NetScreen Firewall+VPN running ScreenOS allows a network based attacker to inject HTML/JavaScript content into the management session of other users including the administrator. This…

  • CVE-2025-8668 · Critical · Feb 11, 2026
    risk 0.61 · CVSS 9.4 · EPSS 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in E-Kalite Software Hardware Engineering Design and Internet Services Industry and Trade Ltd. Co. Turboard allows Reflected XSS. This issue affects Turboard: from 2025.07…

  • CVE-2025-54299 · Critical · Jul 28, 2025
    risk 0.61 · CVSS not listed · EPSS 0.00

    A stored XSS vulnerability in No Boss Testimonials component 1.0.0-3.0.0 and 4.0.0-4.0.2 for Joomla was discovered.

  • CVE-2025-54298 · Critical · Jul 28, 2025
    risk 0.61 · CVSS not listed · EPSS 0.00

    A stored XSS vulnerability in CommentBox component 1.0.0-1.1.0 for Joomla was discovered.

  • CVE-2024-10865 · Critical · May 14, 2025
    risk 0.61 · CVSS not listed · EPSS 0.00

    Improper Input validation leads to XSS or Cross-site Scripting vulnerability in OpenText Advanced Authentication. This issue affects Advanced Authentication versions before 6.5.

  • CVE-2024-7873 · Critical · Sep 17, 2024
    risk 0.61 · CVSS not listed · EPSS 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Encoding or Escaping of Output, CWE - 83 Improper Neutralization of Script in Attributes in a Web Page vulnerability in Veribilim Software Veribase Order allows Stored XSS,…

  • CVE-2026-34691 · Critical · Jun 9, 2026
    risk 0.60 · CVSS 9.3 · EPSS 0.00

    Adobe Experience Manager Forms JEE versions LTS SP1, 6.5.24.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a…

  • CVE-2026-46496 · Critical · Jun 5, 2026
    risk 0.60 · CVSS not listed · EPSS 0.00

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `` component. The component allows `javascript:` URIs in the `source`…

  • CVE-2026-46396 · Critical · Jun 5, 2026
    risk 0.60 · CVSS not listed · EPSS 0.00

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `` elements. The application allows `javascript:` URIs in the `src` attribute, which…