CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,319)

page 801 of 1,166

CVE	Vendor / Product	Sev	CVSS	EPSS	Published	Description
CVE-2025-29573	Mezzanine Mezzanine CMS		—	0.00	May 5, 2025	Cross-Site Scripting (XSS) vulnerability exists in Mezzanine CMS 6.0.0 in the "View Entries" feature within the Forms module.
CVE-2025-46558	Xwiki Contrib Syntax Markdown		—	0.00	Apr 30, 2025	XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown. In versions starting from 8.2 to before 8.9, the Markdown syntax is vulnerable to cross-site scripting (XSS) through HTML. In particular, using Markdown…
CVE-2025-46550	Yeswiki Yeswiki		—	0.01	Apr 29, 2025	YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the `/?BazaR` endpoint and `idformulaire` parameter are vulnerable to cross-site scripting. An attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them…
CVE-2025-46549	Yeswiki Yeswiki		—	0.01	Apr 29, 2025	YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session.…
CVE-2025-46350	Yeswiki Yeswiki		—	0.00	Apr 29, 2025	YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session.…
CVE-2025-46349	Yeswiki Yeswiki		—	0.01	Apr 29, 2025	YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki is vulnerable to reflected XSS in the file upload form. This vulnerability allows any malicious unauthenticated user to create a link that can be clicked on by the victim to perform arbitrary actions. This…
CVE-2025-46346	Yeswiki Yeswiki		—	0.00	Apr 29, 2025	YesWiki is a wiki system written in PHP. Prior to version 4.5.4, a stored cross-site scripting (XSS) vulnerability was discovered in the application’s comments feature. This issue allows a malicious actor to inject JavaScript payloads that are stored and later executed in the…
CVE-2025-46343	N8n Io N8n		—	0.00	Apr 29, 2025	n8n is a workflow automation platform. Prior to version 1.90.0, n8n is vulnerable to stored cross-site scripting (XSS) through the attachments view endpoint. n8n workflows can store and serve binary files, which are accessible to authenticated users. However, there is no…
CVE-2025-3643	Moodle Moodle		—	0.00	Apr 25, 2025	A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk.
CVE-2025-32951	—		—	0.00	Apr 22, 2025	Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if…
CVE-2024-41446	Alkacon Opencms		—	0.00	Apr 21, 2025	A stored cross-site scripting (XSS) vulnerability in Alkacon OpenCMS v17.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the image parameter under the Create/Modify article function.
CVE-2024-42699	Alkacon Opencms		—	0.00	Apr 21, 2025	Cross Site Scripting vulnerability in Create/Modify article function in Alkacon OpenCMS 17.0 allows remote attacker to inject javascript payload via image title sub-field in the image field
CVE-2025-43954	—		—	0.00	Apr 20, 2025	QMarkdown (aka quasar-ui-qmarkdown) before 2.0.5 allows XSS via headers even when when no-html is set.
CVE-2024-41447	Alkacon Opencms		—	0.00	Apr 18, 2025	A stored cross-site scripting (XSS) vulnerability in Alkacon OpenCMS v17.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the author parameter under the Create/Modify article function.
CVE-2025-3760	Liferay Portal		—	0.00	Apr 17, 2025	A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12,…
CVE-2025-32426	Verbb Formie		—	0.00	Apr 11, 2025	Formie is a Craft CMS plugin for creating forms. Prior to version 2.1.44, it is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered…
CVE-2025-32427	Verbb Formie		—	0.00	Apr 11, 2025	Formie is a Craft CMS plugin for creating forms. Prior to 2.1.44, when importing a form from JSON, if the field label or handle contained malicious content, the output wasn't correctly escaped when viewing a preview of what was to be imported. As imports are undertaking…
CVE-2025-3469	Wikimedia Foundation Mediawiki	Non	—	0.00	Apr 10, 2025	Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLMultiSelectField.Php. This issue affects MediaWiki:…
CVE-2025-32027	—		—	0.00	Apr 10, 2025	Yii is an open source PHP web framework. Prior to 1.1.31, yiisoft/yii is vulnerable to Reflected XSS in specific scenarios where the fallback error renderer is used. Upgrade yiisoft/yii to version 1.1.31 or higher.
CVE-2025-30148	Silverstripe Silverstripe Framework		—	0.00	Apr 10, 2025	Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. Prior to 5.3.23, bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of…

CVE-2025-29573May 5, 2025
Mezzanine
Mezzanine CMS
risk 0.00cvss —epss 0.00
Cross-Site Scripting (XSS) vulnerability exists in Mezzanine CMS 6.0.0 in the "View Entries" feature within the Forms module.
CVE-2025-46558Apr 30, 2025
Xwiki Contrib
Syntax Markdown
risk 0.00cvss —epss 0.00
XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown. In versions starting from 8.2 to before 8.9, the Markdown syntax is vulnerable to cross-site scripting (XSS) through HTML. In particular, using Markdown…
CVE-2025-46550Apr 29, 2025
Yeswiki
Yeswiki
risk 0.00cvss —epss 0.01
YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the `/?BazaR` endpoint and `idformulaire` parameter are vulnerable to cross-site scripting. An attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them…
CVE-2025-46549Apr 29, 2025
Yeswiki
Yeswiki
risk 0.00cvss —epss 0.01
YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session.…
CVE-2025-46350Apr 29, 2025
Yeswiki
Yeswiki
risk 0.00cvss —epss 0.00
YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session.…
CVE-2025-46349Apr 29, 2025
Yeswiki
Yeswiki
risk 0.00cvss —epss 0.01
YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki is vulnerable to reflected XSS in the file upload form. This vulnerability allows any malicious unauthenticated user to create a link that can be clicked on by the victim to perform arbitrary actions. This…
CVE-2025-46346Apr 29, 2025
Yeswiki
Yeswiki
risk 0.00cvss —epss 0.00
YesWiki is a wiki system written in PHP. Prior to version 4.5.4, a stored cross-site scripting (XSS) vulnerability was discovered in the application’s comments feature. This issue allows a malicious actor to inject JavaScript payloads that are stored and later executed in the…
CVE-2025-46343Apr 29, 2025
N8n Io
N8n
risk 0.00cvss —epss 0.00
n8n is a workflow automation platform. Prior to version 1.90.0, n8n is vulnerable to stored cross-site scripting (XSS) through the attachments view endpoint. n8n workflows can store and serve binary files, which are accessible to authenticated users. However, there is no…
CVE-2025-3643Apr 25, 2025
Moodle
Moodle
risk 0.00cvss —epss 0.00
A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk.
CVE-2025-32951Apr 22, 2025
risk 0.00cvss —epss 0.00
Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if…
CVE-2024-41446Apr 21, 2025
Alkacon
Opencms
risk 0.00cvss —epss 0.00
A stored cross-site scripting (XSS) vulnerability in Alkacon OpenCMS v17.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the image parameter under the Create/Modify article function.
CVE-2024-42699Apr 21, 2025
Alkacon
Opencms
risk 0.00cvss —epss 0.00
Cross Site Scripting vulnerability in Create/Modify article function in Alkacon OpenCMS 17.0 allows remote attacker to inject javascript payload via image title sub-field in the image field
CVE-2025-43954Apr 20, 2025
risk 0.00cvss —epss 0.00
QMarkdown (aka quasar-ui-qmarkdown) before 2.0.5 allows XSS via headers even when when no-html is set.
CVE-2024-41447Apr 18, 2025
Alkacon
Opencms
risk 0.00cvss —epss 0.00
A stored cross-site scripting (XSS) vulnerability in Alkacon OpenCMS v17.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the author parameter under the Create/Modify article function.
CVE-2025-3760Apr 17, 2025
Liferay
Portal
risk 0.00cvss —epss 0.00
A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12,…
CVE-2025-32426Apr 11, 2025
Verbb
Formie
risk 0.00cvss —epss 0.00
Formie is a Craft CMS plugin for creating forms. Prior to version 2.1.44, it is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered…
CVE-2025-32427Apr 11, 2025
Verbb
Formie
risk 0.00cvss —epss 0.00
Formie is a Craft CMS plugin for creating forms. Prior to 2.1.44, when importing a form from JSON, if the field label or handle contained malicious content, the output wasn't correctly escaped when viewing a preview of what was to be imported. As imports are undertaking…
CVE-2025-3469NonApr 10, 2025
Wikimedia Foundation
Mediawiki
risk 0.00cvss —epss 0.00
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLMultiSelectField.Php. This issue affects MediaWiki:…
CVE-2025-32027Apr 10, 2025
risk 0.00cvss —epss 0.00
Yii is an open source PHP web framework. Prior to 1.1.31, yiisoft/yii is vulnerable to Reflected XSS in specific scenarios where the fallback error renderer is used. Upgrade yiisoft/yii to version 1.1.31 or higher.
CVE-2025-30148Apr 10, 2025
Silverstripe
Silverstripe Framework
risk 0.00cvss —epss 0.00
Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. Prior to 5.3.23, bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of…