VYPR

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Abstraction: Base · Status: Stable · Likelihood of Exploit: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (24,712)

page 3 of 1,236
  • CVE-2026-40872 · Critical · Apr 21, 2026
    risk 0.60 · cvss n/a · epss 0.00

    mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value (logged as the "user" field) without HTML escaping. By submitting an unauthenticated Autodiscover…

  • CVE-2026-27246 · Critical · Apr 14, 2026
    risk 0.60 · cvss 9.3 · epss 0.00

    Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's…

  • CVE-2026-27245 · Critical · Apr 14, 2026
    risk 0.60 · cvss 9.3 · epss 0.00

    Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's…

  • CVE-2026-27243 · Critical · Apr 14, 2026
    risk 0.60 · cvss 9.3 · epss 0.00

    Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's…

  • CVE-2026-31845 · Critical · Apr 11, 2026
    risk 0.60 · cvss 9.3 · epss 0.01

    A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response…

  • CVE-2026-30562 · Critical · Mar 30, 2026
    risk 0.60 · cvss 9.3 · epss 0.00

    A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_stock.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject…

  • CVE-2025-58361 · Critical · Sep 4, 2025
    risk 0.60 · cvss 9.3 · epss 0.00

    Promptcraft Forge Studio is a toolkit for evaluating, optimizing, and maintaining LLM-powered applications. All versions contain a non-exhaustive URL scheme check that does not protect against XSS. User-controlled URLs pass through src/utils/validation.ts, but the check only…

  • CVE-2024-12223 · Critical · Aug 20, 2025
    risk 0.60 · cvss n/a · epss 0.00

    Prism Central versions prior to 2024.3.1 are vulnerable to a stored cross-site scripting attack via the Events component, allowing an attacker to hijack a victim user’s session and perform actions in their security context.

  • CVE-2025-6185 · Critical · Jul 18, 2025
    risk 0.60 · cvss 9.3 · epss 0.00

    Leviton AcquiSuite and Energy Monitoring Hub are susceptible to a cross-site scripting vulnerability, allowing an attacker to craft a malicious payload in URL parameters, which would execute in a client browser when accessed by a user, steal session tokens, and control the…

  • CVE-2024-10217 · Critical · Nov 12, 2024
    risk 0.60 · cvss n/a · epss 0.01

    XSS Attack in mar.jar, Monitoring Archive Utility (MAR Utility), monitoringconsolecommon.jar in TIBCO Software Inc TIBCO Hawk and TIBCO Operational Intelligence

  • CVE-2024-49397 · Critical · Oct 17, 2024
    risk 0.60 · cvss n/a · epss 0.00

    The affected product is vulnerable to a cross-site scripting attack which may allow an attacker to bypass authentication and takeover admin accounts.

  • CVE-2024-4657 · Critical · Sep 25, 2024
    risk 0.60 · cvss n/a · epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Talent Software BAP Automation allows Stored XSS. This issue affects BAP Automation: before 30840.

  • CVE-2024-7785 · Critical · Sep 19, 2024
    risk 0.60 · cvss n/a · epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ece Software Electronic Ticket System allows Reflected XSS, Cross-Site Scripting (XSS). This issue affects Electronic Ticket System: before 2024.08.

  • CVE-2024-6886 · Critical · Aug 6, 2024
    risk 0.60 · cvss n/a · epss 0.40

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea Gitea Open Source Git Server allows Stored XSS. This issue affects Gitea Open Source Git Server: 1.22.0.

  • CVE-2023-40000 · High · Apr 16, 2024
    risk 0.60 · cvss 8.3 · epss 0.55

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored XSS. This issue affects LiteSpeed Cache: from n/a through 5.7.

  • CVE-2018-15884 · High · Aug 28, 2018
    risk 0.60 · cvss 8.8 · epss 0.03

    RICOH MP C4504ex devices allow HTML Injection via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter.

  • CVE-2018-6882 · Medium · KEV · Mar 27, 2018
    risk 0.60 · cvss 6.1 · epss 0.24

    Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an…

  • CVE-2018-8979 · High · Mar 25, 2018
    risk 0.60 · cvss 8.8 · epss 0.01

    Open-AudIT Professional 2.1 has CSRF, as demonstrated by modifying a user account or inserting XSS sequences via the credentials URI.

  • CVE-2018-7746 · High · Mar 7, 2018
    risk 0.60 · cvss 8.8 · epss 0.03

    An issue was discovered in Western Bridge Cobub Razor 0.7.2. Authentication is not required for /index.php?/manage/channel/modifychannel. For example, with a crafted channel name, stored XSS is triggered during a later /index.php?/manage/channel request by an admin.

  • CVE-2026-44203 · Critical · Jun 22, 2026
    risk 0.59 · cvss n/a · epss n/a

    Summary: The OAuth 2.0 / OpenID Connect authorization endpoint does not sufficiently sanitize certain user-supplied parameters before incorporating them into the HTML response generated for the `form_post` response mode. This may allow an attacker to inject content into the…