CWE-79: Cross-site Scripting (XSS)
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page served to other users.
All Cross-site Scripting (XSS) CVEs (8,870)
This is a reflected cross-site scripting (XSS) vulnerability in the Traveler WordPress theme that allows attackers to inject malicious scripts into we...
Dec 18, 2025
This Cross-Site Scripting (XSS) vulnerability in the ListingPro WordPress theme allows attackers to inject malicious scripts into web pages viewed by ...
Dec 18, 2025
This vulnerability allows attackers to inject malicious scripts into web pages generated by the ANAC XML Bandi di Gara WordPress plugin. When users vi...
Dec 18, 2025
This DOM-based cross-site scripting (XSS) vulnerability in the Jannah WordPress theme allows attackers to inject malicious scripts into web pages view...
Dec 18, 2025
This vulnerability allows attackers to inject malicious scripts into web pages generated by the Photography WordPress theme. When users visit a specia...
Dec 18, 2025
This vulnerability allows attackers to inject malicious scripts into web pages generated by the dt-reservation-plugin WordPress plugin. When users vis...
Dec 18, 2025
This is a reflected cross-site scripting (XSS) vulnerability in the XStore Core WordPress plugin. Attackers can inject malicious scripts via crafted U...
Dec 18, 2025
This vulnerability allows attackers to inject malicious scripts into web pages generated by the XStore WordPress theme, which are then executed in vic...
Dec 18, 2025
This is a reflected cross-site scripting (XSS) vulnerability in the Mailster WordPress plugin that allows attackers to inject malicious scripts into w...
Dec 18, 2025
This is a reflected cross-site scripting (XSS) vulnerability in the Schiocco Support Board WordPress plugin. Attackers can inject malicious scripts in...
Dec 18, 2025
This is a reflected cross-site scripting (XSS) vulnerability in the Logtik WordPress theme that allows attackers to inject malicious scripts into web ...
Dec 18, 2025
A stored cross-site scripting (XSS) vulnerability in Crafty Controller's Server MOTD component allows remote unauthenticated attackers to inject malic...
Dec 17, 2025
This CVE describes a reflected cross-site scripting (XSS) vulnerability in Shopware's login page. Attackers can inject malicious JavaScript via the wa...
Dec 11, 2025
This stored Cross-Site Scripting (XSS) vulnerability in the WP-ShowHide WordPress plugin allows attackers to inject malicious scripts into web pages t...
Dec 9, 2025
An unauthenticated cross-site scripting (XSS) vulnerability in pxc_Dot1xCfg.php allows attackers to trick authenticated users into clicking malicious ...
Dec 9, 2025
An unauthenticated cross-site scripting (XSS) vulnerability in port_util.php allows attackers to trick authenticated users into clicking malicious lin...
Dec 9, 2025
An unauthenticated cross-site scripting (XSS) vulnerability in pxc_PortCfg.php allows attackers to trick authenticated users into clicking malicious l...
Dec 9, 2025
An unauthenticated cross-site scripting (XSS) vulnerability in pxc_portCntr.php allows attackers to trick authenticated users into clicking malicious ...
Dec 9, 2025
An unauthenticated cross-site scripting (XSS) vulnerability in pxc_portSfp.php allows attackers to trick authenticated users into clicking malicious l...
Dec 9, 2025
An unauthenticated cross-site scripting (XSS) vulnerability in pxc_portCntr2.php allows attackers to trick authenticated users into sending malicious ...
Dec 9, 2025
An unauthenticated cross-site scripting (XSS) vulnerability in pxc_portSecCfg.php allows attackers to trick authenticated users into sending malicious...
Dec 9, 2025
An unauthenticated cross-site scripting (XSS) vulnerability in pxc_vlanIntfCfg.php allows attackers to trick authenticated users into sending maliciou...
Dec 9, 2025
An unauthenticated cross-site scripting (XSS) vulnerability in dyn_conn.php allows attackers to trick authenticated users into sending malicious POST ...
Dec 9, 2025
This vulnerability allows attackers to inject malicious scripts into WordPress admin pages via unsanitized parameters in the Custom Admin Menu plugin....
Dec 9, 2025
The Flo Forms WordPress plugin allows unauthenticated attackers to upload malicious SVG files containing JavaScript via an AJAX endpoint. When adminis...
Nov 21, 2025
This vulnerability allows attackers to inject malicious JavaScript via the URL parameter in Combodo iTop's export.php file, leading to cross-site scri...
Nov 10, 2025
An unauthenticated reflected cross-site scripting vulnerability in CMSimpleXH allows attackers to inject malicious JavaScript via crafted requests lik...
Nov 6, 2025
This reflected XSS vulnerability in CMSimple_XH 1.8 allows attackers to inject malicious JavaScript via URL path segments, which gets executed in vict...
Nov 6, 2025
This vulnerability allows attackers to inject malicious scripts into web pages generated by the Grand Conference Theme Custom Post Type plugin for Wor...
Nov 6, 2025
This Cross-Site Scripting (XSS) vulnerability in the WordPress Simple Payment plugin allows attackers to inject malicious scripts into web pages viewe...
Nov 6, 2025
This reflected cross-site scripting (XSS) vulnerability in the Booster for WooCommerce plugin allows attackers to inject malicious scripts into web pa...
Nov 6, 2025
This is a cross-site scripting (XSS) vulnerability in the Houzez WordPress theme functionality plugin that allows attackers to inject malicious script...
Nov 6, 2025
This Cross-Site Scripting (XSS) vulnerability in the WPMobile.App WordPress plugin allows attackers to inject malicious scripts into web pages viewed ...
Nov 6, 2025
This is a cross-site scripting (XSS) vulnerability in the YOP Poll WordPress plugin that allows attackers to inject malicious scripts into web pages. ...
Nov 6, 2025
This is a cross-site scripting (XSS) vulnerability in the tagDiv Composer WordPress plugin that allows attackers to inject malicious scripts into web ...
Nov 6, 2025
This is a cross-site scripting (XSS) vulnerability in the Togo WordPress theme that allows attackers to inject malicious scripts into web pages. Attac...
Nov 6, 2025
This is a reflected cross-site scripting (XSS) vulnerability in the GoStore WordPress theme that allows attackers to inject malicious scripts into web...
Nov 6, 2025
This vulnerability allows attackers to inject malicious scripts into web pages generated by the Institutions Directory WordPress plugin. When users vi...
Nov 6, 2025
This is a reflected cross-site scripting (XSS) vulnerability in the Enzy WordPress theme that allows attackers to inject malicious scripts into web pa...
Nov 6, 2025
This Cross-Site Scripting (XSS) vulnerability in the ThimPress Resca WordPress theme allows attackers to inject malicious scripts into web pages that ...
Nov 6, 2025
This vulnerability allows attackers to inject malicious scripts into WooTour plugin pages, which execute in victims' browsers when they visit speciall...
Nov 6, 2025
This reflected cross-site scripting (XSS) vulnerability in the Jobmonster WordPress theme allows attackers to inject malicious scripts into web pages ...
Nov 6, 2025
This is a reflected cross-site scripting (XSS) vulnerability in the NooTheme WeMusic WordPress theme. Attackers can inject malicious scripts via craft...
Nov 6, 2025
This reflected cross-site scripting (XSS) vulnerability in the NooTheme Yogi WordPress theme allows attackers to inject malicious scripts into web pag...
Nov 6, 2025
This Cross-Site Scripting (XSS) vulnerability in the Epic Review WordPress plugin allows attackers to inject malicious scripts into web pages viewed b...
Nov 6, 2025
This vulnerability allows attackers to cause denial of service or memory corruption by tricking users into opening malicious media files. It affects m...
Nov 4, 2025
This vulnerability allows cross-site scripting (XSS) attacks in SailPoint IdentityIQ when web services return non-HTML content with an incorrect HTML ...
Nov 3, 2025
This Cross-Site Scripting (XSS) vulnerability in the Infomaniak VOD WordPress plugin allows attackers to inject malicious scripts into web pages. When...
Oct 22, 2025
This vulnerability allows attackers to inject malicious scripts into web pages generated by the WC Return products WordPress plugin. When users visit ...
Oct 22, 2025
This Cross-site Scripting (XSS) vulnerability in the WordPress Pets plugin allows attackers to inject malicious scripts into web pages viewed by other...
Oct 22, 2025
About Cross-site Scripting (XSS) (CWE-79)
Our database tracks 8,870 CVEs classified as CWE-79, with 275 rated critical and 2,378 rated high severity. The average CVSS score for Cross-site Scripting (XSS) vulnerabilities is 6.4.
External reference: View CWE-79 on MITRE CWE →