VYPR

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

VariantIncompleteLikelihood: High

Description

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-18 · CAPEC-193 · CAPEC-32 · CAPEC-86

CVEs mapped to this weakness (275)

page 4 of 14
  • CVE-2026-20170MedApr 15, 2026
    risk 0.40cvss 6.1epss 0.00

    A vulnerability in the Desktop Agent functionality of Cisco Webex Contact Center could have allowed an unauthenticated, remote attacker to conduct cross-site scripting attacks. Cisco has addressed this vulnerability in the Cisco Webex Contact Center service, and no customer…

  • CVE-2026-26460MedApr 13, 2026
    risk 0.40cvss 6.1epss 0.00

    A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into…

  • CVE-2026-39841MedApr 7, 2026
    risk 0.40cvss 6.1epss 0.00

    Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.

  • CVE-2026-39839MedApr 7, 2026
    risk 0.40cvss 6.1epss 0.00

    Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.

  • CVE-2026-4267HigMar 31, 2026
    risk 0.40cvss 7.2epss 0.00

    The Query Monitor – The developer tools panel for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘$_SERVER['REQUEST_URI']’ parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output…

  • CVE-2026-20070MedMar 4, 2026
    risk 0.40cvss 6.1epss 0.00

    A vulnerability in the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a…

  • CVE-2025-11992MedOct 24, 2025
    risk 0.40cvss 6.1epss 0.00

    The Multi Item Responsive Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'mioptions.php' page. This makes it possible for unauthenticated attackers to…

  • CVE-2024-10038MedNov 13, 2024
    risk 0.40cvss 6.1epss 0.00

    The WP-Strava plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…

  • CVE-2024-9147MedNov 4, 2024
    risk 0.40cvss 6.1epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Bna Informatics PosPratik allows XSS Through HTTP Query Strings. This issue affects PosPratik: before v3.2.1.

  • CVE-2024-2010MedSep 12, 2024
    risk 0.40cvss 6.1epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in TE Informatics V5 allows Reflected XSS. This issue affects V5: before 6.2.

  • CVE-2023-4663MedSep 15, 2023
    risk 0.40cvss 6.1epss 0.01

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Saphira Saphira Connect allows Reflected XSS. This issue affects Saphira Connect: before 9.

  • CVE-2023-1013MedMar 30, 2023
    risk 0.40cvss 6.1epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Virames Vira-Investing allows Cross-Site Scripting (XSS). This issue affects Vira-Investing: before 1.0.84.86.

  • CVE-2021-44197MedMar 7, 2023
    risk 0.40cvss 6.1epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in UBIT Information Technologies Student Information Management System. This issue affects Student Information Management System: before 20211126.

  • CVE-2021-44196MedMar 7, 2023
    risk 0.40cvss 6.1epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in UBIT Information Technologies Student Information Management System. This issue affects Student Information Management System: before 20211126.

  • CVE-2022-35278MedAug 23, 2022
    risk 0.40cvss 6.1epss 0.01

    In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue.

  • CVE-2016-9500MedJul 13, 2018
    risk 0.40cvss 6.1epss 0.05

    Accellion FTP server prior to version FTA_9_12_220 uses the Accusoft Prizm Content flash component, which contains multiple parameters (customTabCategoryName, customButton1Image) that are vulnerable to cross-site scripting.

  • CVE-2016-9493MedJul 13, 2018
    risk 0.40cvss 6.1epss 0.02

    The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to stored cross-site scripting. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of…

  • CVE-2018-4848MedJun 14, 2018
    risk 0.40cvss 6.1epss 0.01

    A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions < V5.2.3), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.4.1), SCALANCE X-200RNA switch family (All versions < V3.2.7), SCALANCE X-300…

  • CVE-2017-16043MedJun 4, 2018
    risk 0.40cvss 6.1epss 0.01

    Shout is an IRC client. Because the `/topic` command in messages is unescaped, attackers have the ability to inject HTML scripts that will run in the victim's browser. Affects shout >=0.44.0 <=0.49.3.

  • CVE-2006-0149MedJan 9, 2006
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in SimpBook 1.0, with html_enable on (the default), allows remote attackers to inject arbitrary web script or HTML via the message field.