CWE-87
Improper Neutralization of Alternate XSS Syntax
Description
The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-199
CVEs mapped to this weakness (43)
page 2 of 3| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-25688 | Med | 0.33 | 6.1 | 0.00 | Jun 9, 2026 | Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. AI-generated response content was rendered in the browser without proper sanitization, allowing malicious scripts to be executed when the content… | ||
| CVE-2026-45314 | Med | 0.33 | 6.1 | 0.00 | May 15, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the channel webhook create/update flow accepts arbitrary profile_image_url values, including data:image/svg+xml;base64,... payloads. The profile image endpoint then… | ||
| CVE-2024-2657 | Med | 0.29 | 4.4 | 0.00 | May 30, 2024 | The Font Farsi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with… | ||
| CVE-2025-27793 | Med | 0.27 | — | 0.00 | Mar 27, 2025 | Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected… | ||
| CVE-2023-6446 | Med | 0.22 | 4.4 | 0.00 | Jan 11, 2024 | The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with… | ||
| CVE-2026-55661 | 0.00 | — | — | Jun 18, 2026 | TinaCMS rich-text parsing and the default link/image renderers did not sanitize the `url` field on Slate link/image nodes. Content containing `javascript:` or `data:text/html` URLs — including case-variant, whitespace-padded, and control-character-obfuscated forms — is… | |||
| CVE-2026-27120 | — | 0.00 | — | 0.00 | Feb 20, 2026 | Leafkit is a templating language with Swift-inspired syntax. Prior to 1.4.1, htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the… | ||
| CVE-2025-65961 | 0.00 | — | 0.00 | Nov 25, 2025 | Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57,… | |||
| CVE-2025-62415 | 0.00 | — | 0.00 | Oct 16, 2025 | Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in… | |||
| CVE-2025-62418 | 0.00 | — | 0.00 | Oct 16, 2025 | Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the… | |||
| CVE-2025-62414 | 0.00 | — | 0.00 | Oct 16, 2025 | Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to Cross-Site Scripting (XSS). An attacker with access to the admin create-customer form can inject malicious JavaScript payloads… | |||
| CVE-2025-49137 | — | 0.00 | — | 0.00 | Jun 9, 2025 | HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user… | ||
| CVE-2025-48495 | 0.00 | — | 0.00 | Jun 2, 2025 | Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab. Prior… | |||
| CVE-2025-48494 | 0.00 | — | 0.00 | Jun 2, 2025 | Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. When using end-to-end encryption, a stored cross-site scripting vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every… | |||
| CVE-2023-4145 | — | 0.00 | — | 0.01 | Aug 3, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/customer-data-framework prior to 3.4.2. | ||
| CVE-2023-35161 | 0.00 | — | 0.02 | Jun 23, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the DeleteApplication page to perform a XSS, e.g. by… | |||
| CVE-2023-35160 | 0.00 | — | 0.02 | Jun 23, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the resubmit template to perform a XSS, e.g. by using… | |||
| CVE-2023-35159 | 0.00 | — | 0.02 | Jun 23, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the deletespace template to perform a XSS, e.g. by… | |||
| CVE-2023-35158 | 0.00 | — | 0.02 | Jun 23, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the restore template to perform a XSS, e.g. by using… | |||
| CVE-2023-35156 | 0.00 | — | 0.02 | Jun 23, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the delete template to perform a XSS, e.g. by using… |
- risk 0.33cvss 6.1epss 0.00
Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. AI-generated response content was rendered in the browser without proper sanitization, allowing malicious scripts to be executed when the content…
- risk 0.33cvss 6.1epss 0.00
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the channel webhook create/update flow accepts arbitrary profile_image_url values, including data:image/svg+xml;base64,... payloads. The profile image endpoint then…
- risk 0.29cvss 4.4epss 0.00
The Font Farsi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…
- risk 0.27cvss —epss 0.00
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected…
- risk 0.22cvss 4.4epss 0.00
The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…
- CVE-2026-55661Jun 18, 2026risk 0.00cvss —epss —
TinaCMS rich-text parsing and the default link/image renderers did not sanitize the `url` field on Slate link/image nodes. Content containing `javascript:` or `data:text/html` URLs — including case-variant, whitespace-padded, and control-character-obfuscated forms — is…
- CVE-2026-27120Feb 20, 2026risk 0.00cvss —epss 0.00
Leafkit is a templating language with Swift-inspired syntax. Prior to 1.4.1, htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the…
- CVE-2025-65961Nov 25, 2025risk 0.00cvss —epss 0.00
Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57,…
- CVE-2025-62415Oct 16, 2025risk 0.00cvss —epss 0.00
Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in…
- CVE-2025-62418Oct 16, 2025risk 0.00cvss —epss 0.00
Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the…
- CVE-2025-62414Oct 16, 2025risk 0.00cvss —epss 0.00
Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to Cross-Site Scripting (XSS). An attacker with access to the admin create-customer form can inject malicious JavaScript payloads…
- CVE-2025-49137Jun 9, 2025risk 0.00cvss —epss 0.00
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user…
- CVE-2025-48495Jun 2, 2025risk 0.00cvss —epss 0.00
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab. Prior…
- CVE-2025-48494Jun 2, 2025risk 0.00cvss —epss 0.00
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. When using end-to-end encryption, a stored cross-site scripting vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every…
- CVE-2023-4145Aug 3, 2023risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/customer-data-framework prior to 3.4.2.
- CVE-2023-35161Jun 23, 2023risk 0.00cvss —epss 0.02
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the DeleteApplication page to perform a XSS, e.g. by…
- CVE-2023-35160Jun 23, 2023risk 0.00cvss —epss 0.02
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the resubmit template to perform a XSS, e.g. by using…
- CVE-2023-35159Jun 23, 2023risk 0.00cvss —epss 0.02
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the deletespace template to perform a XSS, e.g. by…
- CVE-2023-35158Jun 23, 2023risk 0.00cvss —epss 0.02
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the restore template to perform a XSS, e.g. by using…
- CVE-2023-35156Jun 23, 2023risk 0.00cvss —epss 0.02
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the delete template to perform a XSS, e.g. by using…