CWE-79: Cross-site Scripting (XSS)
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page served to other users.
All Cross-site Scripting (XSS) CVEs (8,805)
This vulnerability allows authorized users of Combodo iTop to inject malicious scripts into tooltips via the customization mechanism, creating a store...
Apr 21, 2022
This vulnerability allows attackers to inject malicious HTML into GitLab notes, leading to cross-site scripting (XSS) attacks. It affects GitLab Commu...
Apr 4, 2022
This stored cross-site scripting (XSS) vulnerability in GitLab allows attackers to inject malicious scripts into issue descriptions, comments, and oth...
Apr 4, 2022
CVE-2022-21690 is a cross-site scripting (XSS) vulnerability in OnionShare where the path parameter is not properly sanitized before being passed to t...
Jan 18, 2022
This vulnerability allows attackers to inject malicious scripts through emoji generation in GitLab, leading to cross-site scripting (XSS) attacks. It ...
Jan 18, 2022
This vulnerability allows attackers to execute arbitrary JavaScript code in victims' browsers by uploading malicious ipynb (Jupyter Notebook) files to...
Nov 5, 2021
CVE-2021-41134 is a stored cross-site scripting (XSS) vulnerability in nbdime, a tool for diffing and merging Jupyter Notebooks. Attackers can inject ...
Nov 3, 2021
This stored cross-site scripting vulnerability in InHand Networks IR615 Router's web interface allows attackers to inject malicious scripts that execu...
Oct 19, 2021
This is a stored cross-site scripting (XSS) vulnerability in GitLab Enterprise Edition's merge request creation page. Attackers can inject malicious J...
Oct 4, 2021
CVE-2021-41086 is a DOM-based cross-site scripting (XSS) vulnerability in jsuites JavaScript components. Attackers can inject malicious JavaScript by ...
Sep 21, 2021
This vulnerability allows attackers to inject malicious scripts into GitLab via Mermaid markdown diagrams, which execute when other users view the con...
Aug 25, 2021
CVE-2021-39136 is a cross-site scripting (XSS) vulnerability in baserCMS's file upload function within the management system. Attackers can inject mal...
Aug 25, 2021
This vulnerability allows attackers to execute stored cross-site scripting (XSS) attacks by creating a malicious default branch name in GitLab. All Gi...
Aug 5, 2021
CVE-2020-16946 is a cross-site scripting (XSS) vulnerability in Microsoft SharePoint Server that allows authenticated attackers to inject malicious sc...
Oct 16, 2020
CVE-2020-16944 is a cross-site scripting (XSS) vulnerability in Microsoft SharePoint Server where improper input sanitization allows authenticated att...
Oct 16, 2020
This reflected XSS vulnerability in Zirve Information Technologies' e-Taxpayer Accounting Website allows attackers to inject malicious scripts into we...
Feb 9, 2026
This is a reflected cross-site scripting (XSS) vulnerability in Ankara Hosting Website Design Website Software that allows attackers to inject malicio...
Feb 3, 2026
3DAlloy MediaWiki extension versions 1.0 through 1.8 contain a cross-site scripting (XSS) vulnerability in the <3d> parser tag and {{#3d}} parser func...
Sep 15, 2025
This vulnerability allows authenticated users with page editing privileges to inject malicious scripts into the Citizen MediaWiki skin's search result...
Jul 3, 2025
This vulnerability allows any user to inject arbitrary HTML into web pages by editing page content when using the Citizen skin with ShortDescription e...
Jul 3, 2025
This vulnerability allows any user to inject arbitrary HTML into web pages via the TabberNeue MediaWiki extension, enabling cross-site scripting (XSS)...
Jun 27, 2025
This vulnerability allows attackers to inject malicious scripts into web pages generated by Drupal COOKiES Consent Management module, which could exec...
Jun 13, 2025
A stored XSS vulnerability in EmbedAI allows authenticated attackers to inject malicious JavaScript into chat messages. When other users view these me...
Jan 30, 2025
This is a cross-site scripting (XSS) vulnerability in the TabberNeue MediaWiki extension that allows attackers to inject malicious scripts via user-su...
Jan 6, 2025
A Cross-Site Scripting (XSS) vulnerability in i-librarian v5.11.0 and earlier allows a local attacker to execute arbitrary JavaScript code via the sea...
Aug 12, 2024
This vulnerability in the OMGF WordPress plugin allows unauthenticated attackers to modify plugin settings and inject stored XSS payloads due to missi...
Jan 3, 2024
A stored cross-site scripting (XSS) vulnerability in opensolution Quick CMS v6.7 allows attackers to inject malicious scripts into the 'Content - Name...
Oct 19, 2023
This DOM-based XSS vulnerability in Typora allows attackers to execute arbitrary JavaScript code by tricking users into opening malicious markdown fil...
Aug 19, 2023
CVE-2023-23630 is a cross-site scripting (XSS) vulnerability in the Eta JavaScript templating engine when used with Express API. Attackers can inject ...
Feb 1, 2023
This is a cross-site scripting (XSS) vulnerability in docsify documentation generators before version 4.12.0. Attackers can bypass previous security f...
Feb 19, 2021
A cross-site scripting (XSS) vulnerability in Blood Bank Management System 1.0 allows attackers to inject malicious JavaScript via the msg and error p...
Dec 1, 2025
A cross-site scripting (XSS) vulnerability in Blood Bank Management System 1.0 allows attackers to inject malicious JavaScript via user profile parame...
Dec 1, 2025
A cross-site scripting (XSS) vulnerability in the Blood Bank Management System's abs.php component allows attackers to inject malicious JavaScript via...
Dec 1, 2025
This cross-site scripting vulnerability in Blood Bank Management System 1.0 allows attackers to inject malicious JavaScript into user profile paramete...
Dec 1, 2025
This cross-site scripting (XSS) vulnerability in Blood Bank Management System 1.0 allows attackers to inject malicious JavaScript via the error parame...
Dec 1, 2025
This cross-site scripting (XSS) vulnerability in Logpoint allows attackers to inject malicious scripts into web pages viewed by other users. It affect...
Nov 28, 2025
This vulnerability allows attackers to inject malicious scripts into the user portal's browse brick in Combodo iTop, potentially compromising user ses...
Nov 10, 2025
This stored cross-site scripting (XSS) vulnerability in bunny.net WordPress plugin allows attackers to inject malicious scripts into web pages that ar...
May 19, 2025
This stored cross-site scripting (XSS) vulnerability in Archer Platform allows authenticated attackers to inject malicious scripts into the applicatio...
Oct 17, 2023
This vulnerability allows attackers to inject malicious scripts into PrestaShop websites through cross-site scripting (XSS) attacks. The flaw in the V...
Apr 25, 2023
A stored Cross-site Scripting (XSS) vulnerability in BlogEngine.NET allows attackers to upload specially crafted files that inject malicious JavaScrip...
Mar 6, 2023
A stored Cross-Site Scripting (XSS) vulnerability in Bagisto eCommerce platform allows attackers to inject malicious JavaScript into CMS pages by bypa...
Jan 2, 2026
A stored XSS vulnerability in open-webui version 0.3.8 allows attackers to inject malicious scripts via the model description field. When executed, th...
Mar 20, 2025
This is a cross-site scripting (XSS) vulnerability in Progress Sitefinity CMS administrative backend that allows attackers to inject malicious scripts...
Jan 7, 2025
A stored Cross-Site Scripting (XSS) vulnerability in JATOS v3.9.3 allows attackers to inject malicious JavaScript into the UUID field of study propert...
Nov 5, 2024
This CVE describes a cross-site scripting (XSS) vulnerability in Payara Server's Admin Console modules that allows attackers to inject malicious scrip...
Oct 8, 2024
The Domino Catalog template has a stored XSS vulnerability that allows attackers with document editing permissions to inject malicious scripts. When u...
Jun 6, 2024
This CVE describes a reflected cross-site scripting (XSS) vulnerability in Splunk Enterprise's /app/search/table endpoint. Attackers can craft malicio...
Aug 30, 2023
A stored cross-site scripting vulnerability in Esri ArcGIS Enterprise Sites allows authenticated high-privileged attackers to inject malicious JavaScr...
Jul 21, 2023
A stored XSS vulnerability in Esri Portal for ArcGIS Sites allows authenticated high-privilege attackers to inject malicious JavaScript into site conf...
Jul 21, 2023
About Cross-site Scripting (XSS) (CWE-79)
Our database tracks 8,805 CVEs classified as CWE-79, with 259 rated critical and 2,329 rated high severity. The average CVSS score for Cross-site Scripting (XSS) vulnerabilities is 6.4.
External reference: View CWE-79 on MITRE CWE →