CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (22,695)
page 671 of 1,135| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2004-2720 | 0.04 | — | 0.09 | Dec 31, 2004 | Cross-site scripting (XSS) vulnerability in register.asp in Snitz Forums 2000 3.4.04 and earlier allows remote attackers to inject arbitrary web script or HTML via javascript events in the Email parameter. | |||
| CVE-2004-1875 | 0.04 | — | 0.09 | Mar 30, 2004 | Multiple cross-site scripting (XSS) vulnerabilities in cPanel 9.1.0-R85 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to testfile.html, (2) file parameter to erredit.html, (3) dns parameter to dnslook.html, (4) account parameter to… | |||
| CVE-2003-0038 | 0.04 | — | 0.11 | Feb 7, 2003 | Cross-site scripting (XSS) vulnerability in options.py for Mailman 2.1 allows remote attackers to inject script or HTML into web pages via the (1) email or (2) language parameters. | |||
| CVE-2002-1700 | 0.04 | — | 0.16 | Dec 31, 2002 | Cross-site scripting vulnerability (XSS) in the missing template handler in Macromedia ColdFusion MX allows remote attackers to execute arbitrary script as other users by injecting script into the HTTP request for the name of a template, which is not filtered in the resulting… | |||
| CVE-2025-50481 | 0.03 | — | 0.00 | Jul 23, 2025 | A cross-site scripting (XSS) vulnerability in the component /blog/blogpost/add of Mezzanine CMS v6.1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into a blog post. | |||
| CVE-2024-11954 | 0.03 | — | 0.01 | Jan 28, 2025 | A vulnerability classified as problematic was found in Pimcore 11.4.2. Affected by this vulnerability is an unknown functionality of the component Search Document. The manipulation leads to basic cross site scripting. The attack can be launched remotely. The exploit has been… | |||
| CVE-2024-54003 | 0.03 | — | 0.41 | Nov 27, 2024 | Jenkins Simple Queue Plugin 1.4.4 and earlier does not escape the view name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission. | |||
| CVE-2024-48652 | 0.03 | — | 0.35 | Oct 22, 2024 | Cross Site Scripting vulnerability in camaleon-cms v.2.7.5 allows remote attacker to execute arbitrary code via the content group name field. | |||
| CVE-2024-28156 | — | 0.03 | — | 0.39 | Mar 6, 2024 | Jenkins Build Monitor View Plugin 1.14-860.vd06ef2568b_3f and earlier does not escape Build Monitor View names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure Build Monitor Views. | ||
| CVE-2024-23724 | 0.03 | — | 0.38 | Feb 11, 2024 | Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The… | |||
| CVE-2023-46998 | — | 0.03 | — | 0.39 | Nov 7, 2023 | Cross Site Scripting vulnerability in BootBox Bootbox.js v.3.2 through 6.0 allows a remote attacker to execute arbitrary code via a crafted payload to alert(), confirm(), prompt() functions. | ||
| CVE-2023-0594 | 0.03 | — | 0.37 | Mar 1, 2023 | Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not… | |||
| CVE-2022-48110 | — | 0.03 | — | 0.01 | Feb 13, 2023 | CKSource CKEditor 5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget. NOTE: the vendor's position is that this is not a vulnerability. The CKEditor 5 documentation discusses that it is the responsibility of an… | ||
| CVE-2022-34140 | — | 0.03 | — | 0.00 | Jul 27, 2022 | A stored cross-site scripting (XSS) vulnerability in /index.php?r=site%2Fsignup of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username field. | ||
| CVE-2022-28368 | 0.03 | — | 0.89 | Apr 3, 2022 | Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file). | |||
| CVE-2021-29460 | 0.03 | — | 0.01 | Apr 27, 2021 | Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like `` tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser… | |||
| CVE-2020-29470 | — | 0.03 | — | 0.00 | Dec 29, 2020 | OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Subject field of mail. This vulnerability can allow an attacker to inject the XSS payload in the Subject field of the mail and each time any user will open that mail of the website, the XSS triggers and the… | ||
| CVE-2020-29471 | — | 0.03 | — | 0.00 | Dec 29, 2020 | OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Profile Image. An admin can upload a profile image as a malicious code using JavaScript. Whenever anyone will see the profile picture, the code will execute and XSS will trigger. | ||
| CVE-2020-7680 | — | 0.03 | — | 0.03 | Jul 20, 2020 | docsify prior to 4.11.4 is susceptible to Cross-site Scripting (XSS). Docsify.js uses fragment identifiers (parameters after # sign) to load resources from server-side .md files. Due to lack of validation here, it is possible to provide external URLs after the /#/… | ||
| CVE-2020-10596 | — | 0.03 | — | 0.01 | Mar 17, 2020 | OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section. |
- CVE-2004-2720Dec 31, 2004risk 0.04cvss —epss 0.09
Cross-site scripting (XSS) vulnerability in register.asp in Snitz Forums 2000 3.4.04 and earlier allows remote attackers to inject arbitrary web script or HTML via javascript events in the Email parameter.
- CVE-2004-1875Mar 30, 2004risk 0.04cvss —epss 0.09
Multiple cross-site scripting (XSS) vulnerabilities in cPanel 9.1.0-R85 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to testfile.html, (2) file parameter to erredit.html, (3) dns parameter to dnslook.html, (4) account parameter to…
- CVE-2003-0038Feb 7, 2003risk 0.04cvss —epss 0.11
Cross-site scripting (XSS) vulnerability in options.py for Mailman 2.1 allows remote attackers to inject script or HTML into web pages via the (1) email or (2) language parameters.
- CVE-2002-1700Dec 31, 2002risk 0.04cvss —epss 0.16
Cross-site scripting vulnerability (XSS) in the missing template handler in Macromedia ColdFusion MX allows remote attackers to execute arbitrary script as other users by injecting script into the HTTP request for the name of a template, which is not filtered in the resulting…
- CVE-2025-50481Jul 23, 2025risk 0.03cvss —epss 0.00
A cross-site scripting (XSS) vulnerability in the component /blog/blogpost/add of Mezzanine CMS v6.1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into a blog post.
- CVE-2024-11954Jan 28, 2025risk 0.03cvss —epss 0.01
A vulnerability classified as problematic was found in Pimcore 11.4.2. Affected by this vulnerability is an unknown functionality of the component Search Document. The manipulation leads to basic cross site scripting. The attack can be launched remotely. The exploit has been…
- CVE-2024-54003Nov 27, 2024risk 0.03cvss —epss 0.41
Jenkins Simple Queue Plugin 1.4.4 and earlier does not escape the view name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission.
- CVE-2024-48652Oct 22, 2024risk 0.03cvss —epss 0.35
Cross Site Scripting vulnerability in camaleon-cms v.2.7.5 allows remote attacker to execute arbitrary code via the content group name field.
- CVE-2024-28156Mar 6, 2024risk 0.03cvss —epss 0.39
Jenkins Build Monitor View Plugin 1.14-860.vd06ef2568b_3f and earlier does not escape Build Monitor View names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure Build Monitor Views.
- CVE-2024-23724Feb 11, 2024risk 0.03cvss —epss 0.38
Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The…
- CVE-2023-46998Nov 7, 2023risk 0.03cvss —epss 0.39
Cross Site Scripting vulnerability in BootBox Bootbox.js v.3.2 through 6.0 allows a remote attacker to execute arbitrary code via a crafted payload to alert(), confirm(), prompt() functions.
- CVE-2023-0594Mar 1, 2023risk 0.03cvss —epss 0.37
Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not…
- CVE-2022-48110Feb 13, 2023risk 0.03cvss —epss 0.01
CKSource CKEditor 5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget. NOTE: the vendor's position is that this is not a vulnerability. The CKEditor 5 documentation discusses that it is the responsibility of an…
- CVE-2022-34140Jul 27, 2022risk 0.03cvss —epss 0.00
A stored cross-site scripting (XSS) vulnerability in /index.php?r=site%2Fsignup of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username field.
- CVE-2022-28368Apr 3, 2022risk 0.03cvss —epss 0.89
Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).
- CVE-2021-29460Apr 27, 2021risk 0.03cvss —epss 0.01
Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like `` tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser…
- CVE-2020-29470Dec 29, 2020risk 0.03cvss —epss 0.00
OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Subject field of mail. This vulnerability can allow an attacker to inject the XSS payload in the Subject field of the mail and each time any user will open that mail of the website, the XSS triggers and the…
- CVE-2020-29471Dec 29, 2020risk 0.03cvss —epss 0.00
OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Profile Image. An admin can upload a profile image as a malicious code using JavaScript. Whenever anyone will see the profile picture, the code will execute and XSS will trigger.
- CVE-2020-7680Jul 20, 2020risk 0.03cvss —epss 0.03
docsify prior to 4.11.4 is susceptible to Cross-site Scripting (XSS). Docsify.js uses fragment identifiers (parameters after # sign) to load resources from server-side .md files. Due to lack of validation here, it is possible to provide external URLs after the /#/…
- CVE-2020-10596Mar 17, 2020risk 0.03cvss —epss 0.01
OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section.