CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

VariantIncompleteLikelihood: High

Description

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

Hierarchy (View 1000)

Parents

CWE-79

Children

none

Related attack patterns (CAPEC)

CAPEC-18 · CAPEC-193 · CAPEC-32 · CAPEC-86

CVEs mapped to this weakness (163)

page 9 of 9

CVE	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2025-25299	Low	0.08	—	0.00	Feb 20, 2025	CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. During a recent internal audit, a Cross-Site Scripting (XSS) vulnerability was discovered in the CKEditor 5 real-time collaboration package. This vulnerability affects user markers, which represent users' positions within the document. It can lead to unauthorized JavaScript code execution, which might happen with a very specific editor and token endpoint configuration. This vulnerability affects only installations with Real-time collaborative editing enabled. The problem has been recognized and patched. The fix is available in version 44.2.1 (and above). Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2026-32732	Non	0.00	—	0.00	Mar 16, 2026	Lean 4 VS Code Extension is a Visual Studio Code extension for the Lean 4 proof assistant. Projects that use @leanprover/unicode-input-component are vulnerable to an XSS exploit in 0.1.9 of the package and lower. The component re-inserted text in the input element back into the input element as unescaped HTML. The issue has been resolved in 0.2.0.
CVE-2014-2353		0.00	—	0.01	May 30, 2014	Cross-site scripting (XSS) vulnerability in Cogent DataHub before 7.3.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.