VYPR

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Abstraction: Base · Status: Stable · Likelihood of exploit: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (24,712)

page 7 of 1,236
  • CVE-2026-34617 · High · Apr 14, 2026
    risk 0.57 · cvss 8.7 · epss 0.00

    Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Cross-Site Scripting (XSS) vulnerability that could result in privilege escalation. A low-privileged attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining…

  • CVE-2026-35052 · Critical · Apr 6, 2026
    risk 0.57 · cvss 9.8 · epss 0.01

    D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to 3.22.0, users hosting D-Tale publicly while using a redis or shelf storage layer could be vulnerable to remote code execution allowing attackers to run…

  • CVE-2025-10553 · High · Mar 31, 2026
    risk 0.57 · cvss 8.7 · epss 0.00

    A Stored Cross-site Scripting (XSS) vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session.

  • CVE-2025-10551 · High · Mar 31, 2026
    risk 0.57 · cvss 8.7 · epss 0.00

    A Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session.

  • CVE-2026-30917 · High · Mar 10, 2026
    risk 0.57 · cvss (not listed) · epss 0.00

    Bucket is a MediaWiki extension to store and retrieve structured data on articles. Prior to 2.1.1, a stored XSS can be inserted into any Bucket table field that has a PAGE type, which will execute whenever a user views that table's corresponding Bucket namespace page. This…

  • CVE-2026-2101 · High · Feb 16, 2026
    risk 0.57 · cvss 8.7 · epss 0.00

    A Reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIAvpm Web Access from ENOVIAvpm Version 1 Release 16 through ENOVIAvpm Version 1 Release 19 allows an attacker to execute arbitrary script code in a user's browser session.

  • CVE-2026-2337 · High · Feb 11, 2026
    risk 0.57 · cvss (not listed) · epss 0.00

    A vulnerability in Plunet BusinessManager allows session hijacking, data theft, and unauthorized actions on behalf of the user. This issue affects Plunet BusinessManager: 10.15.1.

  • CVE-2026-1819 · High · Feb 4, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS. This issue affects ViPort: through 23012026.

  • CVE-2025-14499 · High · Dec 23, 2025
    risk 0.57 · cvss 8.8 · epss 0.01

    IceWarp gmaps Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of IceWarp. User interaction is required to exploit this vulnerability in that the target must visit a malicious…

  • CVE-2023-53900 · High · Dec 16, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking a crafted SVG logo that redirects to a potentially dangerous URL through improper file upload…

  • CVE-2024-58305 · High · Dec 12, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    WonderCMS 4.3.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through the module installation endpoint. Attackers can craft a specially designed XSS payload to install a reverse shell module and execute remote commands by…

  • CVE-2025-10555 · High · Nov 24, 2025
    risk 0.57 · cvss 8.7 · epss 0.00

    A stored Cross-site Scripting (XSS) vulnerability affecting Service Items Management in DELMIA Service Process Engineer on Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session.

  • CVE-2025-12486 · High · Nov 6, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    Heimdall Data Database Proxy Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Heimdall Data Database Proxy. Minimal user interaction is required to exploit this…

  • CVE-2025-10240 · High · Oct 9, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    A vulnerability exists in the Progress Flowmon web application prior to version 12.5.5, whereby a user who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated session.

  • CVE-2025-60991 · High · Oct 1, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    A reflected cross-site scripting (XSS) vulnerability in Codazon Magento Themes v1.1.0.0 to v2.4.7 allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload injected into the cat parameter.

  • CVE-2025-57393 · High · Oct 1, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    A stored cross-site scripting (XSS) vulnerability in Kissflow Work Platform Kissflow Application Versions 7337 Account v2.0 to v4.2 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload.

  • CVE-2025-57151 · High · Sep 3, 2025
    risk 0.57 · cvss 8.8 · epss 0.01

    phpgurukul Complaint Management System 2.0 is vulnerable to Cross Site Scripting (XSS) in admin/userprofile.php via the fullname parameter.

  • CVE-2025-49407 · High · Aug 28, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez allows Reflected XSS. This issue affects Houzez: from n/a through 4.1.1.

  • CVE-2025-30036 · High · Aug 27, 2025
    risk 0.57 · cvss (not listed) · epss 0.00

    Stored XSS vulnerability exists in the "Oddział" (Ward) module, in the death diagnosis description field, and allows the execution of arbitrary JavaScript code. This can lead to session hijacking of other users and potentially to privilege escalation up to full administrative…

  • CVE-2020-9322 · High · Aug 8, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    The /users endpoint in Statamic Core before 2.11.8 allows XSS to add an administrator user. This can be exploited via CSRF. Stored XSS can occur via a JavaScript payload in a username during account registration. Reflected XSS can occur via the /users PATH_INFO.