CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
VariantIncompleteLikelihood: High
Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-18 · CAPEC-193 · CAPEC-32 · CAPEC-86
CVEs mapped to this weakness (150)
page 1 of 8| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-40872 | Cri | 0.60 | — | 0.00 | Apr 21, 2026 | mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value (logged as the "user" field) without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted EMailAddress containing HTML/JS, the payload is stored in Redis and executed when an admin views the Autodiscover logs. Version 2026-03b fixes the vulnerability. | |
| CVE-2025-53883 | Cri | 0.60 | — | 0.00 | Oct 30, 2025 | A Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability allows attackers to run arbitrary javascript via a reflected XSS issue in the search fields.This issue affects Container suse/manager/5.0/x86_64/server:latest: from ? before 5.0.28-150600.3.36.8; SUSE Manager Server LTS 4.3: from ? before 4.3.88-150400.3.113.5. | |
| CVE-2026-40873 | Hig | 0.58 | — | 0.00 | Apr 21, 2026 | mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name so that when an admin views the quarantine item, JavaScript executes in their browser, taking over their account. Version 2026-03b fixes the vulnerability. | |
| CVE-2024-51735 | Hig | 0.57 | — | 0.00 | Nov 5, 2024 | Osmedeus is a Workflow Engine for Offensive Security. Cross-site Scripting (XSS) occurs on the Osmedues web server when viewing results from the workflow, allowing commands to be executed on the server. When using a workflow that contains the summary module, it generates reports in HTML and Markdown formats. The default report is based on the `general-template.md` template.The contents of the files are read and used to generate the report. However, the file contents are not properly filtered, leading to XSS. This may lead to commands executed on the host as well. This issue is not yet resolved. Users are advised to add their own filtering or to reach out to the developer to aid in developing a patch. | |
| CVE-2025-62172 | Hig | 0.55 | — | 0.00 | Oct 14, 2025 | Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy entity's name field, which is then executed when any user hovers over data points in the energy dashboard graph tooltips. The vulnerability exists because entity names containing HTML are not properly sanitized before being rendered in graph tooltips. This could allow an attacker with authentication to execute arbitrary JavaScript in the context of other users' sessions. Additionally, if an energy provider (such as Tibber) supplies a malicious default name for an entity, the vulnerability can be exploited without direct user action when the default name is used. This issue has been patched in version 2025.10.2. No known workarounds exist. | |
| CVE-2024-34070 | Cri | 0.55 | 9.6 | 0.01 | May 14, 2024 | Froxlor is open source server administration software. Prior to 2.1.9, a Stored Blind Cross-Site Scripting (XSS) vulnerability was identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated User can inject malicious scripts in the loginname parameter on the Login attempt, which will then be executed when viewed by the Administrator in the System Logs. By exploiting this vulnerability, the attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application. This vulnerability is fixed in 2.1.9. | |
| CVE-2026-39344 | Hig | 0.53 | 8.1 | 0.00 | Apr 7, 2026 | ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login page, which is caused by the lack of sanitization or encoding of the username parameter received from the URL. The username parameter value is directly displayed in the login page input element without filter, allowing attackers to insert malicious JavaScript scripts. If successful, script can be executed on the client side, potentially stealing sensitive data such as session cookies or replacing the display to show the attacker's login form. This vulnerability is fixed in 7.1.0. | |
| CVE-2025-8029 | Hig | 0.53 | 8.1 | 0.00 | Jul 22, 2025 | Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1. | |
| CVE-2024-37166 | Hig | 0.51 | 8.9 | 0.00 | Jun 10, 2024 | ghtml is software that uses tagged templates for template engine functionality. It is possible to introduce user-controlled JavaScript code and trigger a Cross-Site Scripting (XSS) vulnerability in some cases. Version 2.0.0 introduces changes to mitigate this issue. Version 2.0.0 contains updated documentation to clarify that while ghtml escapes characters with special meaning in HTML, it does not provide comprehensive protection against all types of XSS attacks in every scenario. This aligns with the approach taken by other template engines. Developers should be cautious and take additional measures to sanitize user input and prevent potential vulnerabilities. Additionally, the backtick character (`) is now also escaped to prevent the creation of strings in most cases where a malicious actor somehow gains the ability to write JavaScript. This does not provide comprehensive protection either. | |
| CVE-2025-53093 | Hig | 0.49 | 8.6 | 0.00 | Jun 27, 2025 | TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Starting in version 3.0.0 and prior to version 3.1.1, any user can insert arbitrary HTMLinto the DOM by inserting a payload into any allowed attribute of the `<tabber>` tag. Version 3.1.1 contains a patch for the bug. | |
| CVE-2025-21612 | Hig | 0.49 | 8.6 | 0.00 | Jan 6, 2025 | TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php doesn't escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This vulnerability is fixed in 2.7.2. | |
| CVE-2024-33831 | Hig | 0.48 | 7.4 | 0.00 | Apr 30, 2024 | A stored cross-site scripting (XSS) vulnerability in the Advanced Expectation - Response module of yapi v1.10.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the body field. | |
| CVE-2025-10496 | Hig | 0.47 | 7.2 | 0.00 | Oct 9, 2025 | The Cookie Notice & Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the uuid parameter in all versions up to, and including, 1.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |
| CVE-2023-32193 | Hig | 0.47 | 8.3 | 0.00 | Oct 16, 2024 | A vulnerability has been identified in which unauthenticated cross-site scripting (XSS) in Norman's public API endpoint can be exploited. This can lead to an attacker exploiting the vulnerability to trigger JavaScript code and execute commands remotely. | |
| CVE-2023-32192 | Hig | 0.47 | 8.3 | 0.00 | Oct 16, 2024 | A vulnerability has been identified in which unauthenticated cross-site scripting (XSS) in the API Server's public API endpoint can be exploited, allowing an attacker to execute arbitrary JavaScript code in the victim browser | |
| CVE-2026-40875 | Hig | 0.46 | — | 0.00 | Apr 21, 2026 | mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" (login history) renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP for logging, an attacker can inject HTML/JS into this field. This Self-XSS can be exploited by a Login CSRF to force the victim into the attacker's account, and then read emails in a previous browser tab. Version 2026-03b fixes the vulnerability. | |
| CVE-2025-14835 | Hig | 0.46 | 7.1 | 0.00 | Jan 7, 2026 | The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |
| CVE-2025-60244 | Hig | 0.46 | 7.1 | 0.00 | Nov 6, 2025 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in RealMag777 TableOn posts-table-filterable allows Code Injection.This issue affects TableOn: from n/a through <= 1.0.5.1. | |
| CVE-2025-51989 | Hig | 0.46 | 7.0 | 0.00 | Aug 21, 2025 | HTML injection vulnerability in the registration interface in Evolution Consulting Kft. HRmaster module v235 allows an attacker to inject HTML tags into the "keresztnév" (firstname) field, which will be sent out in an email resulting in possible Phishing scenarios against any, previously not registered, email address. | |
| CVE-2025-31384 | Hig | 0.46 | 7.1 | 0.00 | Apr 4, 2025 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Aviplugins Videos allows Reflected XSS.This issue affects Videos: from n/a through 1.0.5. |