CWE-79: Cross-site Scripting (XSS)

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page served to other users.

Total CVEs: 8,778
Critical: 248
High: 2,318
Avg CVSS: 6.4
In CISA KEV: 1

Yearly Trend

2026: 934
2025: 4,799
2024: 2,396
2023: 455
2022: 70

Top Affected Vendors

1. Adobe: 345
2. IBM: 78
3. Liferay: 65
4. Microsoft: 58
5. Nagios: 45
6. PHPGurukul: 44
7. WeGIA: 39
8. GitLab: 38
9. Cisco: 38
10. Esri: 34

All Cross-site Scripting (XSS) CVEs (8,778)

CVE-2024-47875
10.0

DOMPurify versions before 2.5.0 and 3.1.3 contain a nesting-based mutation XSS (mXSS) vulnerability that allows attackers to bypass HTML sanitization ...

Oct 11, 2024
CVE-2023-45144
10.0

This vulnerability in XWiki's Identity OAuth UI component allows attackers to inject malicious scripts and XWiki syntax via OAuth login parameters. Su...

Oct 16, 2023
CVE-2021-23856
10.0

This vulnerability allows attackers to execute malicious scripts in users' browsers by tricking them into clicking specially crafted URLs. It affects ...

Oct 4, 2021
CVE-2021-39199
10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js library that converts Markdown to HTML. The library i...

Sep 7, 2021
CVE-2021-32798
10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files to execute arbitrary JavaScript code when opened. ...

Aug 9, 2021
CVE-2021-32671
10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript into user input fields, which executes in victims' br...

Jun 7, 2021
CVE-2025-59832
9.9

A stored cross-site scripting (XSS) vulnerability in Horilla HRMS allows low-privilege authenticated users to inject malicious JavaScript into ticket ...

Sep 25, 2025
CVE-2024-24594
9.9

A cross-site scripting (XSS) vulnerability in Allegro AI's ClearML platform allows remote attackers to execute malicious JavaScript when users view th...

Feb 6, 2024
CVE-2023-29205
9.9

This vulnerability allows any XWiki user to inject malicious scripts via the HTML macro, leading to cross-site scripting (XSS) attacks. It affects XWi...

Apr 15, 2023
CVE-2020-7741
9.9

CVE-2020-7741 is a Cross-Site Scripting (XSS) vulnerability in hellojs library versions before 1.18.6. Attackers can inject malicious JavaScript via t...

Oct 6, 2020
CVE-2020-37153
9.8

CVE-2020-37153 allows attackers to execute arbitrary system commands and perform cross-site scripting attacks in ASTPP VoIP billing software. This can...

Feb 11, 2026
CVE-2025-64130
9.8

Zenitel TCIV-3+ devices contain a reflected cross-site scripting (XSS) vulnerability that allows remote attackers to inject and execute arbitrary Java...

Nov 26, 2025
CVE-2025-52161
9.8

This cross-site scripting (XSS) vulnerability in Scholl Communications AG Weblication CMS Core allows attackers to inject malicious scripts into web p...

Sep 8, 2025
CVE-2025-44136
9.8 (EPSS 10%)

CVE-2025-44136 is a reflected cross-site scripting vulnerability in MapTiler Tileserver-php where the 'layer' GET parameter is not properly sanitized ...

Jul 29, 2025
CVE-2025-46199
9.8

A cross-site scripting (XSS) vulnerability in Grav CMS versions 1.7.48 and earlier allows attackers to inject malicious scripts into form fields. When...

Jul 25, 2025
CVE-2020-26799
9.8

A reflected cross-site scripting (XSS) vulnerability in Luxcal 4.5.2 allows unauthenticated attackers to inject malicious scripts via the index.php pa...

Jul 21, 2025
CVE-2025-53484
9.8

This cross-site scripting (XSS) vulnerability in MediaWiki's SecurePoll extension allows attackers to inject malicious JavaScript through user-control...

Jul 4, 2025
CVE-2025-53599
9.8

This vulnerability allows attackers to execute malicious JavaScript code in Whale browser for iOS by exploiting a flaw in how the browser handles craf...

Jul 4, 2025
CVE-2025-24297
9.8

This vulnerability allows attackers to inject malicious JavaScript code into users' personal spaces of a web portal due to insufficient server-side in...

Apr 15, 2025
CVE-2024-57686
9.8

A reflected Cross-Site Scripting (XSS) vulnerability in PHPGurukul Land Record System v1.0 allows remote attackers to inject malicious scripts via the...

Jan 10, 2025
CVE-2024-52770
9.8

This critical vulnerability in DedeBIZ v6.3.0 allows attackers to upload arbitrary files to the /admin/file_manage_control component, leading to remot...

Nov 20, 2024
CVE-2024-51053
9.8

This vulnerability allows attackers to upload malicious files to AVSCMS v8.2.0 through the /main/fileupload.php component, potentially leading to remo...

Nov 18, 2024
CVE-2023-43091
9.8

CVE-2023-43091 is a critical code injection vulnerability in GNOME Maps that allows arbitrary code execution via malicious service.json configuration ...

Nov 17, 2024
CVE-2024-44081
9.8

This vulnerability in Jitsi Meet allows attackers to inject malicious URLs into video sharing messages, causing clients to load content from arbitrary...

Oct 29, 2024
CVE-2024-8695
9.8

A remote code execution vulnerability in Docker Desktop allows malicious extensions to execute arbitrary code by crafting malicious extension descript...

Sep 12, 2024
CVE-2024-41476
9.8

This vulnerability allows attackers to execute arbitrary SQL commands through the /manager/card/card_detail.php endpoint in AMTT Hotel Broadband Opera...

Aug 12, 2024
CVE-2024-40482
9.8

This vulnerability allows attackers to upload arbitrary PHP files to the Kashipara Live Membership System v1.0 via the /Membership/edit_member.php end...

Aug 12, 2024
CVE-2022-32269
9.8

CVE-2022-32269 is a critical vulnerability in Real Player's G2 Control component that allows injection of malicious JavaScript URIs into local HTTP er...

Jun 3, 2022
CVE-2022-28368
9.8

CVE-2022-28368 is a critical remote code execution vulnerability in Dompdf, a PHP library for generating PDFs from HTML. Attackers can exploit this by...

Apr 3, 2022
CVE-2022-0748
9.8

CVE-2022-0748 is a critical vulnerability in post-loader npm package that allows arbitrary JavaScript code execution through malicious markdown input....

Mar 17, 2022
CVE-2021-43439
9.8

CVE-2021-43439 is a remote code execution vulnerability in the Add Review function of iResturant 1.0 that allows unauthenticated attackers to execute ...

Dec 20, 2021
CVE-2025-68669
9.6

This CVE describes a remote code execution vulnerability in the 5ire AI assistant desktop application. The vulnerability allows attackers to execute a...

Dec 23, 2025
CVE-2025-67289
9.6

This critical vulnerability in Frappe Framework's Attachments module allows attackers to upload malicious XML files that can lead to remote code execu...

Dec 22, 2025
CVE-2025-67787
9.6

A Cross-Site Scripting (XSS) vulnerability in DriveLock Operations Center versions 25.1.2 through 25.1.4 allows attackers to inject malicious scripts ...

Dec 17, 2025
CVE-2025-10573
9.6

This stored cross-site scripting (XSS) vulnerability in Ivanti Endpoint Manager allows unauthenticated remote attackers to inject malicious JavaScript...

Dec 9, 2025
CVE-2025-66481
9.6

DeepChat versions 0.5.1 and below are vulnerable to cross-site scripting (XSS) attacks through improperly sanitized Mermaid diagram content. Attackers...

Dec 9, 2025
CVE-2025-64054
9.6

A reflected Cross-Site Scripting (XSS) vulnerability in Fanvil x210 VoIP phones running firmware version 2.12.20 allows attackers to inject malicious ...

Dec 5, 2025
CVE-2025-60739
9.6

A Cross-Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server firmware allows remote attackers to execute arbitrary code via the /bh_web_b...

Nov 25, 2025
CVE-2025-11892
9.6

This DOM-based XSS vulnerability in GitHub Enterprise Server allows attackers to execute malicious scripts when users click crafted links in Issues se...

Nov 10, 2025
CVE-2025-56683
9.6

This cross-site scripting (XSS) vulnerability in Logseq v0.10.9 allows attackers to execute arbitrary JavaScript code by injecting malicious scripts i...

Oct 9, 2025
CVE-2025-58357
9.6

CVE-2025-58357 is a content injection vulnerability in 5ire AI assistant that allows attackers to inject malicious content through chat page script ga...

Sep 4, 2025
CVE-2025-5352
9.6

A critical stored XSS vulnerability in lunary-ai/lunary Analytics component allows arbitrary JavaScript execution in all users' browsers when attacker...

Aug 23, 2025
CVE-2025-50128
9.6

A stored cross-site scripting vulnerability in WWBN AVideo allows attackers to inject malicious JavaScript via the videoNotFound 404ErrorMsg parameter...

Jul 24, 2025
CVE-2025-41420
9.6

A cross-site scripting vulnerability in WWBN AVideo's userLogin cancelUri parameter allows attackers to execute arbitrary JavaScript when users visit ...

Jul 24, 2025
CVE-2025-2767
9.6

This critical vulnerability in Arista NG Firewall allows remote attackers to execute arbitrary code with root privileges by exploiting a cross-site sc...

Apr 23, 2025
CVE-2024-55224
9.6

An HTML injection vulnerability in Vaultwarden allows attackers to inject malicious HTML/JavaScript into the username field of email messages. This co...

Jan 9, 2025
CVE-2024-12626
9.6

This vulnerability allows unauthenticated attackers to inject malicious scripts via a specific parameter in the AutomatorWP WordPress plugin. When com...

Dec 19, 2024
CVE-2024-12641
9.6

TenderDocTransfer from Chunghwa Telecom has a reflected cross-site scripting (XSS) vulnerability combined with missing CSRF protection. Unauthenticate...

Dec 16, 2024
CVE-2024-11986
9.6

This vulnerability allows unauthenticated attackers to inject malicious scripts into web application logs via manipulated Host headers. When administr...

Dec 13, 2024
CVE-2024-52053
9.6

This is a stored cross-site scripting (XSS) vulnerability in Wowza Streaming Engine's Manager component that allows unauthenticated attackers to injec...

Nov 21, 2024

About Cross-site Scripting (XSS) (CWE-79)

Our database tracks 8,778 CVEs classified as CWE-79, with 248 rated critical and 2,318 rated high severity. The average CVSS score for Cross-site Scripting (XSS) vulnerabilities is 6.4.

External reference: CWE-79 on MITRE CWE
