CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
BaseStableLikelihood: High
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (19,212)
page 5 of 961| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-6497 | Hig | 0.59 | 8.8 | 0.23 | Jul 20, 2024 | The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 12.3.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-43286 appears to be a duplicate of this issue. | |
| CVE-2016-9470 | Cri | 0.59 | 9.0 | 0.01 | Mar 28, 2017 | Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected File Download. `www/delivery/asyncspc.php` was vulnerable to the fairly new Reflected File Download (RFD) web attack vector that enables attackers to gain complete control over a victim's machine by virtually downloading a file from a trusted domain. | |
| CVE-2007-4040 | Hig | 0.59 | 8.8 | 0.17 | Jul 27, 2007 | Argument injection vulnerability involving Microsoft Outlook and Outlook Express, when certain URIs are registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in an unspecified URI, which are inserted into the command line when invoking the handling process, a similar issue to CVE-2007-3670. | |
| CVE-2026-42556 | Hig | 0.58 | 8.9 | 0.00 | May 8, 2026 | Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering their own save request and send the public preview link /p/<postId>?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML on the main application origin. This issue has been patched in version 2.21.7. | |
| CVE-2026-38949 | Hig | 0.58 | 8.9 | 0.00 | Apr 28, 2026 | Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code | |
| CVE-2026-40873 | Hig | 0.58 | — | 0.00 | Apr 21, 2026 | mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name so that when an admin views the quarantine item, JavaScript executes in their browser, taking over their account. Version 2026-03b fixes the vulnerability. | |
| CVE-2026-40487 | Hig | 0.58 | 8.9 | 0.00 | Apr 18, 2026 | Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the `Content-Type` header. The uploaded files are then served by nginx with a Content-Type derived from their original extension (`text/html`, `image/svg+xml`), enabling Stored Cross-Site Scripting (XSS) in the context of the application's origin. This can lead to session riding, account takeover, and full compromise of other users' accounts. Version 2.21.6 contains a fix. | |
| CVE-2025-40899 | Hig | 0.58 | 8.9 | 0.00 | Apr 15, 2026 | A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victim views the Assets or Nodes pages, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information. | |
| CVE-2026-39328 | Hig | 0.58 | 8.9 | 0.00 | Apr 7, 2026 | ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, and X profile fields. Due to a 50-character field limit, the payload is distributed across all three fields and chains their onfocus event handlers to execute in sequence. When any user, including administrators, views the attacker's profile, their session cookies are exfiltrated to a remote server. This vulnerability is fixed in 7.1.0. | |
| CVE-2025-40892 | Hig | 0.58 | 8.9 | 0.00 | Dec 18, 2025 | A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing a JavaScript payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information. | |
| CVE-2025-11956 | Hig | 0.58 | 8.9 | 0.00 | Nov 6, 2025 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Proliz Software Ltd. Co. OBS (Student Affairs Information System) allows Stored XSS.This issue affects OBS (Student Affairs Information System): before 25.0401. | |
| CVE-2025-60507 | Hig | 0.58 | 8.9 | 0.00 | Oct 21, 2025 | Cross site scripting vulnerability in Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users (including Students or Administrators) click the link, the payload executes in their browser. | |
| CVE-2025-10467 | Hig | 0.58 | 8.9 | 0.00 | Sep 25, 2025 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System) allows Stored XSS.This issue affects OBS (Student Affairs Information System): before v25.0401. | |
| CVE-2025-9798 | Hig | 0.58 | 8.9 | 0.00 | Sep 23, 2025 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netcad Software Inc. Netigma allows Stored XSS.This issue affects Netigma: from 6.3.3 before 6.3.5 V8. | |
| CVE-2022-4975 | Hig | 0.58 | 8.9 | 0.00 | Jan 27, 2025 | A flaw was found in the Red Hat Advanced Cluster Security (RHACS) portal. When rendering a table view in the portal, for example, on any of the /main/configmanagement/* endpoints, the front-end generates a DOM table-element (id="pdf-table"). This information is then populated with unsanitized data using innerHTML. An attacker with some control over the data rendered can trigger a cross-site scripting (XSS) vulnerability. | |
| CVE-2024-5420 | Hig | 0.58 | — | 0.47 | Jun 4, 2024 | Missing input validation in the SEH Computertechnik utnserver Pro, SEH Computertechnik utnserver ProMAX, SEH Computertechnik INU-100 web-interface allows stored Cross-Site Scripting (XSS)..This issue affects utnserver Pro, utnserver ProMAX, INU-100 version 20.1.22 and below. | |
| CVE-2017-8569 | Hig | 0.58 | 8.8 | 0.15 | Jul 11, 2017 | Microsoft SharePoint Server allows an elevation of privilege vulnerability due to the way that it sanitizes a specially crafted web request to an affected SharePoint server, aka "SharePoint Server XSS Vulnerability". | |
| CVE-2026-45315 | Hig | 0.57 | 8.7 | 0.00 | May 15, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the audio transcription upload endpoint takes the file extension from the user-supplied filename and saves the file under CACHE_DIR/audio/transcriptions/.. The /cache/{path} route serves these files via FileResponse, which sets Content-Type from the on-disk extension and emits no Content-Disposition. A verified user with the default-on chat.stt permission can upload a polyglot WAV+HTML file named pwn.html and trick any other user into opening the resulting URL — the response comes back as text/html and any embedded <script> runs in the Open WebUI origin. This vulnerability is fixed in 0.9.3. | |
| CVE-2026-7481 | Hig | 0.57 | 8.7 | 0.00 | May 14, 2026 | GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to execute arbitrary JavaScript in other users' browsers due to improper input sanitization. | |
| CVE-2026-7377 | Hig | 0.57 | 8.7 | 0.00 | May 14, 2026 | GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users' browsers due to improper input sanitization. |