VYPR

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Abstraction: Variant · Status: Incomplete · Likelihood of exploit: High

Description

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-18 · CAPEC-193 · CAPEC-32 · CAPEC-86

CVEs mapped to this weakness (275)

page 9 of 14
  • CVE-2026-33044 · Medium · Mar 27, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against…

  • CVE-2026-24564 · Medium · Jan 23, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Israpil Textmetrics webtexttool allows Code Injection. This issue affects Textmetrics: from n/a through <= 3.6.5.

  • CVE-2026-1154 · Medium · Jan 19, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    A flaw has been found in SourceCodester E-Learning System 1.0. This impacts an unknown function of the file /admin/modules/lesson/index.php of the component Lesson Module Handler. Executing a manipulation of the argument Title/Description can lead to basic cross site scripting.…

  • CVE-2025-62936 · Medium · Oct 27, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Jthemes xSmart xsmart allows Code Injection. This issue affects xSmart: from n/a through <= 1.2.9.4.

  • CVE-2025-32230 · Medium · Apr 10, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Themeum Tutor LMS tutor. This issue affects Tutor LMS: from n/a through <= 3.4.0.

  • CVE-2023-47869 · Medium · Dec 9, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpForo Forum allows Code Injection. This issue affects wpForo Forum: from n/a through 2.2.5.

  • CVE-2024-38527 · Medium · Jun 26, 2024
    risk 0.28 · cvss 5.4 · epss 0.00

    ZenUML is JavaScript-based diagramming tool that requires no server, using Markdown-inspired text definitions and a renderer to create and modify sequence diagrams. Markdown-based comments in the ZenUML diagram syntax are susceptible to Cross-site Scripting (XSS). The comment…

  • CVE-2022-38055 · Medium · Jun 21, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpForo Forum allows Content Spoofing. This issue affects wpForo Forum: from n/a through 2.0.9.

  • CVE-2024-6108 · Medium · Jun 18, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    A vulnerability was found in Genexis Tilgin Home Gateway 322_AS0500-03_05_13_05. It has been classified as problematic. Affected is an unknown function of the file /vood/cgi-bin/vood_view.cgi?act=index&lang=EN# of the component Login. The manipulation of the argument errmsg…

  • CVE-2023-45053 · Medium · Jun 4, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in pluginever WP Content Pilot – Autoblogging & Affiliate Marketing Plugin allows Code Injection. This issue affects WP Content Pilot – Autoblogging & Affiliate Marketing Plugin: from…

  • CVE-2024-32790 · Medium · May 17, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Supsystic Pricing Table by Supsystic allows Code Injection. This issue affects Pricing Table by Supsystic: from n/a through 1.9.12.

  • CVE-2025-31326 · Medium · Jul 8, 2025
    risk 0.27 · cvss 4.1 · epss 0.00

    SAP BusinessObjects Business Intelligence Platform (Web Intelligence) is vulnerable to HTML Injection, allowing an attacker with basic user privileges to inject malicious code into specific input fields. This could lead to unintended redirects or manipulation of application…

  • CVE-2026-35163 · Medium · Jun 23, 2026
    risk 0.26 · cvss: none listed · epss: none listed

    Impact: OctoPrint versions up to and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Suppressed Command notifications popups generated by the printer. An attacker who successfully…

  • CVE-2025-54414 · Medium · Jul 26, 2025
    risk 0.26 · cvss: none listed · epss 0.00

    Anubis is a Web AI Firewall Utility that weighs the soul of users' connections using one or more challenges in order to protect upstream resources from scraper bots. In versions 1.21.2 and below, attackers can craft malicious pass-challenge pages that cause a user to execute…

  • CVE-2026-44839 · Medium · May 27, 2026
    risk 0.24 · cvss 4.8 · epss 0.00

    RabbitMQ is a messaging and streaming broker. From 3.7.0 to before 4.1.2 and 4.0.13, This vulnerability is fixed in 4.1.2 and 4.0.13.

  • CVE-2026-11511 · Low · Jun 8, 2026
    risk 0.23 · cvss 3.5 · epss 0.00

    A weakness has been identified in Bolt CMS up to 3.7.5. This vulnerability affects unknown code of the file src/Storage/Field/Type/TextType.php of the component HTML Attribute Handler. Executing a manipulation of the argument style can lead to HTML injection. It is possible to…

  • CVE-2026-33657 · Medium · Apr 13, 2026
    risk 0.23 · cvss 4.6 · epss 0.00

    EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email…

  • CVE-2025-14186 · Low · Dec 7, 2025
    risk 0.23 · cvss 3.5 · epss 0.00

    A security flaw has been discovered in Grandstream GXP1625 1.0.7.4. The impacted element is an unknown function of the file /cgi-bin/api.values.post of the component Network Status Page. Performing manipulation of the argument vpn_ip results in basic cross site scripting. Remote…

  • CVE-2025-13180 · Low · Nov 14, 2025
    risk 0.23 · cvss 3.5 · epss 0.00

    A vulnerability was found in Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System up to 20250320. Impacted is an unknown function of the file /edit_profile. Performing manipulation of the argument first_name/last_name results in basic cross site…

  • CVE-2025-13178 · Low · Nov 14, 2025
    risk 0.23 · cvss 3.5 · epss 0.00

    A flaw has been found in Bdtask/CodeCanyon SalesERP up to 20250728. This vulnerability affects unknown code of the file /edit_profile of the component User Profile Handler. This manipulation of the argument first_name/last_name causes basic cross site scripting. The attack is…