VYPR

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Abstraction: Base · Status: Stable · Likelihood of exploit: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (22,700)

page 582 of 1,135
  • CVE-2025-8079 · Med · Sep 22, 2025
    risk 0.30 · cvss 4.6 · epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Akıllı Ticaret Software Technologies Ltd. Co. Smart Trade E-Commerce allows Reflected XSS. This issue affects Smart Trade E-Commerce: before 4.5.0.0.1.

  • CVE-2024-12915 · Med · Jun 30, 2025
    risk 0.30 · cvss 4.6 · epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Devinim Software Library Software allows Reflected XSS. This issue affects Library Software: before 24.11.02.

  • CVE-2025-44206 · Med · Jun 25, 2025
    risk 0.30 · cvss 4.6 · epss 0.00

    Hexagon HxGN OnCall Dispatch Advantage (Web) v10.2309.03.00264 and Hexagon HxGN OnCall Dispatch Advantage (Mobile) v10.2402 are vulnerable to Cross Site Scripting (XSS) which allows a remote authenticated attacker with access to the Broadcast (Person) functionality to execute…

  • CVE-2025-27442 · Med · Apr 8, 2025
    risk 0.30 · cvss 4.6 · epss 0.00

    Cross site scripting in some Zoom Workplace Apps may allow an unauthenticated user to conduct a loss of integrity via adjacent network access.

  • CVE-2025-27441 · Med · Apr 8, 2025
    risk 0.30 · cvss 4.6 · epss 0.00

    Cross site scripting in some Zoom Workplace Apps may allow an unauthenticated user to conduct a loss of integrity via adjacent network access.

  • CVE-2025-29322 · Med · Mar 26, 2025
    risk 0.30 · cvss 4.6 · epss 0.00

    A cross-site scripting (XSS) vulnerability in ScriptCase before v1.0.003 - Build 3 allows attackers to execute arbitrary code via a crafted payload to the "Connection Name" in the New Connection and Rename Connection pages.

  • CVE-2025-1888 · Med · Mar 14, 2025
    risk 0.30 · cvss 4.6 · epss 0.00

    The Leica Web Viewer within the Aperio Eslide Manager Application is vulnerable to reflected cross-site scripting (XSS). An authenticated user can access the slides within a project and inject malicious JavaScript into the "memo" field. The memo field has a hover over action…

  • CVE-2024-57277 · Med · Jan 24, 2025
    risk 0.30 · cvss 5.7 · epss 0.00

    InnoShop V.0.3.8 and below is vulnerable to Cross Site Scripting (XSS) via SVG file upload.

  • CVE-2024-11990 · Med · Nov 29, 2024
    risk 0.30 · cvss 4.6 · epss 0.00

    A Cross-Site Scripting (XSS) vulnerability in SurgeMail v78c2 could allow an attacker to execute arbitrary JavaScript code via an elaborate payload injected into vulnerable parameters.

  • CVE-2024-23169 · Med · Nov 15, 2024
    risk 0.30 · cvss 4.6 · epss 0.00

    The web interface in RSA NetWitness 11.7.2.0 allows Cross-Site Scripting (XSS) via the Where textbox on the Reports screen during new rule creation.

  • CVE-2024-33819 · Med · May 14, 2024
    risk 0.30 · cvss 4.6 · epss 0.00

    Globitel KSA SpeechLog v8.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Save Query function.

  • CVE-2024-33905 · Med · Apr 29, 2024
    risk 0.30 · cvss 4.6 · epss 0.00

    In Telegram WebK before 2.0.0 (488), a crafted Mini Web App allows XSS via the postMessage web_app_open_link event type.

  • CVE-2024-4026 · Med · Apr 22, 2024
    risk 0.30 · cvss 4.6 · epss 0.00

    Cross-Site Scripting (XSS) vulnerability in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within all editable parameters within the 'General' and 'Team ID' functionalities, which could result in a session takeover.

  • CVE-2024-1590 · Med · Feb 23, 2024
    risk 0.30 · cvss 4.6 · epss 0.00

    The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button Widget in all versions up to, and including, 1.8.2 due to insufficient input sanitization and output escaping on user supplied…

  • CVE-2026-6404 · Med · May 20, 2026
    risk 0.29 · cvss 4.4 · epss 0.00

    The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'anomify_api_key' parameter in versions up to and including 0.3.6. This is due to insufficient input sanitization and missing output escaping: the plugin…

  • CVE-2026-6399 · Med · May 20, 2026
    risk 0.29 · cvss 4.4 · epss 0.00

    The General Options plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.1.0. This is due to the use of sanitize_text_field() for output escaping in the Contact Number (ad_contact_number) field — a function that strips HTML tags…

  • CVE-2026-0256 · Med · May 13, 2026
    risk 0.29 · cvss · epss 0.00

    A stored cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface. This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and…

  • CVE-2025-14767 · Med · May 13, 2026
    risk 0.29 · cvss 5.5 · epss 0.00

    The WPC Badge Management for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the `wpcbm_best_seller` shortcode in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This…

  • CVE-2025-9989 · Med · May 13, 2026
    risk 0.29 · cvss 4.4 · epss 0.00

    The Broadstreet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.53.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…

  • CVE-2026-6813 · Med · May 12, 2026
    risk 0.29 · cvss 4.4 · epss 0.00

    The Continually plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…
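The weakness described at the top of this page, and the specific failure mode in the CVE-2026-6399 entry (a tag-stripping filter used as if it were output escaping), come down to one question: does the output step neutralize every character that can end the context the value lands in? The example below is added here and is not code from VYPR or from any product listed above. It renders a constructed payload into a double-quoted HTML attribute three ways (no encoding, tag stripping, entity escaping) and reports which attributes the payload managed to add. The helper names (identity, stripTags, escapeHtml, renderField, parseTag, injectedAttributes, compare) and the two payloads are this example's own; stripTags only models the "strips HTML tags" behaviour the CVE description mentions and is not WordPress's sanitize_text_field().

```javascript
// Added example, not code from VYPR or from any product listed on this page.
// Contrasts three ways of emitting a stored setting into an HTML attribute:
// no encoding, tag stripping, and context-aware entity escaping.

// Emits the value unchanged: the vulnerable "before" form that CWE-79 describes.
const identity = (value) => String(value);

// Stand-in for filters that delete <...> sequences but leave quotes alone.
// NOT WordPress's sanitize_text_field(); it only models the tag-stripping
// behaviour that the CVE-2026-6399 description attributes to that function.
function stripTags(value) {
  return String(value).replace(/<[^>]*>/g, "");
}

// Output escaping for HTML text and double-quoted attribute values: every
// character that could end the current context becomes a character reference.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// The markup a settings page might emit for a stored field; `encode` is the
// output step under test. Field name borrowed from the CVE-2026-6399 entry.
function renderField(name, value, encode) {
  return `<input type="text" name="${name}" value="${encode(value)}">`;
}

// Minimal tag tokenizer (quoted, unquoted and valueless attributes, roughly as
// a browser's tag tokenizer sees them; not a full HTML parser). Returns the
// attributes of the first tag and whatever text follows its closing '>'.
function parseTag(html) {
  const attributes = [];
  let i = html.indexOf(" ");
  if (!html.startsWith("<") || i < 0) return { attributes, trailing: html };
  const ws = (c) => c === " " || c === "\t" || c === "\n";
  while (i < html.length) {
    while (i < html.length && ws(html[i])) i++;
    if (i >= html.length) break;
    if (html[i] === ">") return { attributes, trailing: html.slice(i + 1) };
    let start = i;
    while (i < html.length && !ws(html[i]) && html[i] !== "=" && html[i] !== ">") i++;
    const name = html.slice(start, i).toLowerCase();
    let value = null;
    while (i < html.length && ws(html[i])) i++;
    if (html[i] === "=") {
      i++;
      while (i < html.length && ws(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        const end = html.indexOf(q, i + 1);
        value = end < 0 ? html.slice(i + 1) : html.slice(i + 1, end);
        i = end < 0 ? html.length : end + 1;
      } else {
        start = i;
        while (i < html.length && !ws(html[i]) && html[i] !== ">") i++;
        value = html.slice(start, i);
      }
    }
    attributes.push({ name, value });
  }
  return { attributes, trailing: "" };
}

// Names of attributes the template did not emit itself: an injected event
// handler (or the autofocus that triggers it) shows up here.
function injectedAttributes(html) {
  const expected = new Set(["type", "name", "value"]);
  return parseTag(html).attributes.map((a) => a.name).filter((n) => !expected.has(n));
}

// Constructed payloads. The first needs tags to be interpreted; the second has
// no tag at all and breaks out of the attribute with a bare double quote.
const PAYLOADS = {
  scriptTag: "<script>alert(1)</script>",
  attributeBreakout: '" autofocus onfocus="alert(1)',
};

// Map payload label -> attributes the payload managed to add under `encode`.
function compare(encode) {
  const result = {};
  for (const [label, payload] of Object.entries(PAYLOADS)) {
    result[label] = injectedAttributes(renderField("ad_contact_number", payload, encode));
  }
  return result;
}

for (const [label, encode] of Object.entries({ identity, stripTags, escapeHtml })) {
  console.log(label, JSON.stringify(compare(encode)));
}
```

Run with `node`, the output shows why tag stripping passes a naive test and still fails in the field: stripTags neutralizes the `<script>` payload exactly like escapeHtml does, but leaves the quote-only payload untouched, so `autofocus` and `onfocus` are added to the element just as they are with no encoding at all. Only escapeHtml keeps the attribute list unchanged for both payloads. The same reasoning applies to each context a value can land in (text, attribute, URL, JavaScript string): the encoder has to be chosen for the destination context, and a filter that merely removes tags is not that encoder.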