VYPR

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Abstraction: Variant · Status: Incomplete · Likelihood: High

Description

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
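The failure mode described above, as an added example (it is not code from this page or from any of the projects listed below): a log-viewer row rendered with the fields dropped straight into markup, beside the same row with the characters CWE-80 names neutralized by `html.escape`. The field names, the sample inputs and the `is_safe_href` allowlist are constructed for illustration. The third function is the caveat a practitioner needs: escaping only covers the HTML text and quoted-attribute contexts, so a `javascript:` URL placed in an `href` survives escaping untouched and must be rejected by scheme instead.

```python
import html
from urllib.parse import urlsplit

# Constructed inputs modelled on the kinds of fields the CVEs on this page name
# (a logged e-mail address, an attachment filename, a client IP). Not real data.
SAMPLES = {
    "text_payload": 'x@example.com"><script>alert(1)</script>',
    "attr_breakout": '" onmouseover="alert(1)',
    "angle_in_filename": "report<img src=x onerror=alert(1)>.pdf",
    "benign": "alice@example.com",
}


def render_log_row_unsafe(user: str, client_ip: str) -> str:
    """Vulnerable pattern: untrusted fields interpolated into HTML unchanged.

    '<', '>' and '"' from the input end up as markup, so a logged address
    or a spoofed client IP can close the cell and start a <script> element.
    """
    return f'<tr><td>{user}</td><td title="{client_ip}">{client_ip}</td></tr>'


def render_log_row(user: str, client_ip: str) -> str:
    """Hardened form: html.escape(quote=True) turns & < > " ' into entities.

    This is correct for element content and for double-quoted attribute
    values, the two contexts used in this template.
    """
    u = html.escape(user, quote=True)
    ip = html.escape(client_ip, quote=True)
    return f'<tr><td>{u}</td><td title="{ip}">{ip}</td></tr>'


def is_safe_href(url: str) -> bool:
    """Scheme allowlist for URL attributes (hypothetical helper).

    Entity-escaping does not help here: 'javascript:alert(1)' contains none
    of & < > " ' and passes through html.escape byte-for-byte, so a link
    target has to be checked by scheme. Whitespace and control characters
    are stripped before parsing so 'java\\tscript:' cannot dodge the check.
    """
    cleaned = "".join(ch for ch in url if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    # '' covers relative URLs such as '/logs?page=2'.
    return scheme in ("", "http", "https", "mailto")


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"--- {name}")
        print("unsafe :", render_log_row_unsafe(value, "203.0.113.5"))
        print("escaped:", render_log_row(value, "203.0.113.5"))
    for link in ("https://example.com/", "javascript:alert(1)", "JAVA\tSCRIPT:alert(1)"):
        print(f"{link!r:32} allowed={is_safe_href(link)}")
```

Run it and compare the two renderings of `text_payload`: the unsafe row contains a live `<script>` element, the escaped row contains `&lt;script&gt;` as inert text. The same `html.escape` call would not be the right tool for a value placed inside an inline `<script>` block or a URL query string; each output context needs its own encoder.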

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-18 · CAPEC-193 · CAPEC-32 · CAPEC-86

CVEs mapped to this weakness (275)

page 1 of 14
  • CVE-2026-40872 · Critical · Apr 21, 2026
    risk 0.60 · cvss n/a · epss 0.00

    mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value (logged as the "user" field) without HTML escaping. By submitting an unauthenticated Autodiscover…

  • CVE-2025-53883 · Critical · Oct 30, 2025
    risk 0.60 · cvss n/a · epss 0.00

    An Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability allows attackers to run arbitrary JavaScript via a reflected XSS issue in the search fields. This issue affects Container suse/manager/5.0/x86_64/server:latest: from ? before…

  • CVE-2026-40873 · High · Apr 21, 2026
    risk 0.58 · cvss n/a · epss 0.00

    mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted…

  • CVE-2026-6002 · High · May 7, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross-Site Scripting (XSS). This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.

  • CVE-2024-51735 · High · Nov 5, 2024
    risk 0.57 · cvss n/a · epss 0.00

    Osmedeus is a Workflow Engine for Offensive Security. Cross-site Scripting (XSS) occurs on the Osmedeus web server when viewing results from the workflow, allowing commands to be executed on the server. When using a workflow that contains the summary module, it generates reports…

  • CVE-2025-62172 · High · Oct 14, 2025
    risk 0.55 · cvss n/a · epss 0.01

    Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy…

  • CVE-2024-34070 · Critical · May 14, 2024
    risk 0.55 · cvss 9.6 · epss 0.01

    Froxlor is open source server administration software. Prior to 2.1.9, a Stored Blind Cross-Site Scripting (XSS) vulnerability was identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated User can inject malicious scripts in the…

  • CVE-2026-43938 · High · May 12, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the application's database logger (YAFNET.Core/Logger/DbLogger.cs) captures the incoming request's User-Agent header into a JObject, serializes it with JsonConvert, and stores the result in the…

  • CVE-2025-8029 · High · Jul 22, 2025
    risk 0.53 · cvss 8.1 · epss 0.00

    Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

  • CVE-2026-41611 · High · May 12, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally.

  • CVE-2024-37166 · High · Jun 10, 2024
    risk 0.51 · cvss 8.9 · epss 0.00

    ghtml is software that uses tagged templates for template engine functionality. It is possible to introduce user-controlled JavaScript code and trigger a Cross-Site Scripting (XSS) vulnerability in some cases. Version 2.0.0 introduces changes to mitigate this issue. Version…

  • CVE-2025-53093 · High · Jun 27, 2025
    risk 0.49 · cvss 8.6 · epss 0.00

    TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Starting in version 3.0.0 and prior to version 3.1.1, any user can insert arbitrary HTML into the DOM by inserting a payload into any allowed attribute of the `` tag. Version 3.1.1 contains a patch…

  • CVE-2025-21612 · High · Jan 6, 2025
    risk 0.49 · cvss 8.6 · epss 0.00

    TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php doesn't escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This vulnerability is fixed in 2.7.2.

  • CVE-2026-44369 · High · May 13, 2026
    risk 0.48 · cvss n/a · epss 0.00

    CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens…

  • CVE-2024-33831 · High · Apr 30, 2024
    risk 0.48 · cvss 7.4 · epss 0.00

    A stored cross-site scripting (XSS) vulnerability in the Advanced Expectation - Response module of yapi v1.10.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the body field.

  • CVE-2026-43939 · High · May 12, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the thread posting and reply feature accepts user-supplied content via a post or reply that is stored server-side and later rendered back into the thread page without adequate HTML sanitization or…

  • CVE-2025-10496 · High · Oct 9, 2025
    risk 0.47 · cvss 7.2 · epss 0.00

    The Cookie Notice & Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the uuid parameter in all versions up to, and including, 1.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to…

  • CVE-2023-32193 · High · Oct 16, 2024
    risk 0.47 · cvss 8.3 · epss 0.00

    A vulnerability has been identified in which unauthenticated cross-site scripting (XSS) in Norman's public API endpoint can be exploited. This can lead to an attacker exploiting the vulnerability to trigger JavaScript code and execute commands remotely.

  • CVE-2023-32192 · High · Oct 16, 2024
    risk 0.47 · cvss 8.3 · epss 0.00

    A vulnerability has been identified in which unauthenticated cross-site scripting (XSS) in the API Server's public API endpoint can be exploited, allowing an attacker to execute arbitrary JavaScript code in the victim's browser.

  • CVE-2026-40875 · High · Apr 21, 2026
    risk 0.46 · cvss n/a · epss 0.00

    mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" (login history) renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP…