CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
VariantIncompleteLikelihood: High
Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-18 · CAPEC-193 · CAPEC-32 · CAPEC-86
CVEs mapped to this weakness (163)
page 8 of 9| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-32230 | Med | 0.28 | 4.3 | 0.00 | Apr 10, 2025 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Themeum Tutor LMS tutor.This issue affects Tutor LMS: from n/a through <= 3.4.0. | |
| CVE-2023-47869 | Med | 0.28 | 4.3 | 0.00 | Dec 9, 2024 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpForo Forum allows Code Injection.This issue affects wpForo Forum: from n/a through 2.2.5. | |
| CVE-2022-38055 | Med | 0.28 | 4.3 | 0.00 | Jun 21, 2024 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpForo Forum allows Content Spoofing.This issue affects wpForo Forum: from n/a through 2.0.9. | |
| CVE-2024-6108 | Med | 0.28 | 4.3 | 0.00 | Jun 18, 2024 | A vulnerability was found in Genexis Tilgin Home Gateway 322_AS0500-03_05_13_05. It has been classified as problematic. Affected is an unknown function of the file /vood/cgi-bin/vood_view.cgi?act=index&lang=EN# of the component Login. The manipulation of the argument errmsg leads to basic cross site scripting. It is possible to launch the attack remotely. VDB-268854 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2023-45053 | Med | 0.28 | 4.3 | 0.00 | Jun 4, 2024 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in pluginever WP Content Pilot – Autoblogging & Affiliate Marketing Plugin allows Code Injection.This issue affects WP Content Pilot – Autoblogging & Affiliate Marketing Plugin: from n/a through 1.3.3. | |
| CVE-2024-32790 | Med | 0.28 | 4.3 | 0.00 | May 17, 2024 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Supsystic Pricing Table by Supsystic allows Code Injection.This issue affects Pricing Table by Supsystic: from n/a through 1.9.12. | |
| CVE-2025-31326 | Med | 0.27 | 4.1 | 0.00 | Jul 8, 2025 | SAP�BusinessObjects Business�Intelligence Platform (Web Intelligence) is vulnerable to HTML Injection, allowing an attacker with basic user privileges to inject malicious code into specific input fields. This could lead to unintended redirects or manipulation of application behavior, such as redirecting users to attacker-controlled domains. This issue primarily affects the integrity of the system. However, the confidentiality and availability of the system remain unaffected. | |
| CVE-2025-54414 | Med | 0.26 | — | 0.00 | Jul 26, 2025 | Anubis is a Web AI Firewall Utility that weighs the soul of users' connections using one or more challenges in order to protect upstream resources from scraper bots. In versions 1.21.2 and below, attackers can craft malicious pass-challenge pages that cause a user to execute arbitrary JavaScript code or trigger other nonstandard schemes. An incomplete version of this fix was tagged at 1.21.2 and then the release process was aborted upon final testing. To work around this issue: block any requests to the /.within.website/x/cmd/anubis/api/pass-challenge route with the ?redir= parameter set to anything that doesn't start with the URL scheme http, https, or no scheme (local path redirect). This was fixed in version 1.21.3. | |
| CVE-2025-14186 | Low | 0.23 | 3.5 | 0.00 | Dec 7, 2025 | A security flaw has been discovered in Grandstream GXP1625 1.0.7.4. The impacted element is an unknown function of the file /cgi-bin/api.values.post of the component Network Status Page. Performing manipulation of the argument vpn_ip results in basic cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-13180 | Low | 0.23 | 3.5 | 0.00 | Nov 14, 2025 | A vulnerability was found in Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System up to 20250320. Impacted is an unknown function of the file /edit_profile. Performing manipulation of the argument first_name/last_name results in basic cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-13178 | Low | 0.23 | 3.5 | 0.00 | Nov 14, 2025 | A flaw has been found in Bdtask/CodeCanyon SalesERP up to 20250728. This vulnerability affects unknown code of the file /edit_profile of the component User Profile Handler. This manipulation of the argument first_name/last_name causes basic cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-1807 | Low | 0.23 | 3.5 | 0.00 | Mar 2, 2025 | A vulnerability, which was classified as problematic, was found in Eastnets PaymentSafe 2.5.26.0. This affects an unknown part of the file /directRouter.rfc of the component Edit Manual Reply Handler. The manipulation of the argument Title leads to basic cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.5.27.0 is able to address this issue. | |
| CVE-2024-50344 | Med | 0.23 | 4.6 | 0.00 | Oct 30, 2024 | I, Librarian is an open-source version of a PDF managing SaaS. Supplemental Files are allowed to be viewed in the browser, only if they have a white-listed MIME type. Unfortunately, this logic is broken, thus allowing unsafe files containing Javascript to be executed with the application context. An attacker can exploit this vulnerability by uploading a supplementary file that contains a malicious code or script. This code will then be executed when the file is loaded in the browser. The vulnerability was fixed in version 5.11.2. | |
| CVE-2026-44264 | Med | 0.21 | 4.3 | 0.00 | May 7, 2026 | Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has been patched in version 5.17.1. | |
| CVE-2025-59854 | Low | 0.20 | 3.1 | 0.00 | May 6, 2026 | HCL DFXAnalytics is affected by an Insecure Security Header Configuration vulnerability where the application utilizes the outdated X-XSS-Protection header, which could allow an attacker to exploit browser-specific rendering flaws or bypass security controls that should instead be managed by a robust Content Security Policy (CSP). | |
| CVE-2026-0396 | Low | 0.20 | 3.1 | 0.00 | Mar 31, 2026 | An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI. | |
| CVE-2024-4214 | Low | 0.18 | 2.7 | 0.00 | May 17, 2024 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS vulnerability in Bill Minozzi Car Dealer allows Code Injection.This issue affects Car Dealer: from n/a through 4.15. | |
| CVE-2024-47612 | Low | 0.16 | 3.5 | 0.00 | Oct 2, 2024 | DataDump is a MediaWiki extension that provides dumps of wikis. Several interface messages are unescaped (more specifically, (datadump-table-column-queued), (datadump-table-column-in-progress), (datadump-table-column-completed), (datadump-table-column-failed)). If these messages are edited (which requires the (editinterface) right by default), anyone who can view Special:DataDump (which requires the (view-dump) right by default) can be XSSed. This vulnerability is fixed with 601688ee8e8808a23b102fa305b178f27cbd226d. | |
| CVE-2024-5851 | Low | 0.16 | 3.5 | 0.00 | Jun 11, 2024 | A vulnerability classified as problematic has been found in playSMS up to 1.4.7. Affected is an unknown function of the file /index.php?app=main&inc=feature_schedule&op=list of the component SMS Schedule Handler. The manipulation of the argument name/message leads to basic cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.4.8 is able to address this issue. The name of the patch is 7a88920f6b536c6a91512e739bcb4e8adefeed2b. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-267912. NOTE: The code maintainer was contacted early about this disclosure and was eager to prepare a fix as quickly as possible. | |
| CVE-2025-22274 | Low | 0.13 | — | 0.00 | Feb 28, 2025 | It is possible to inject HTML code into the page content using the "content" field in the "Application definition" page. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer. |