CWE-79: Cross-site Scripting (XSS)
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page served to other users.
All Cross-site Scripting (XSS) CVEs (8,800)
This stored cross-site scripting (XSS) vulnerability in Adobe Experience Manager allows users with 'Author' privileges to inject malicious scripts int... (Sep 10, 2020)
This stored cross-site scripting (XSS) vulnerability in Adobe Experience Manager allows authenticated users with 'Author' privileges to inject malicio... (Sep 10, 2020)
This stored XSS vulnerability in Adobe Experience Manager Forms allows authenticated users with 'Author' privileges to inject malicious scripts into f... (Sep 10, 2020)
This stored XSS vulnerability in Adobe Experience Manager Forms allows authenticated users with 'Author' privileges to inject malicious scripts into S... (Sep 10, 2020)
CVE-2020-16210 is a reflected cross-site scripting (XSS) vulnerability in Red Lion's N-Tron 702-W and 702M12-W industrial switches, allowing attackers... (Sep 1, 2020)
CVE-2020-6284 is a stored cross-site scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management that allows automatic execution of malicious ... (Aug 12, 2020)
A stored XSS vulnerability in the Reports functionality allows authenticated users with report privileges to inject malicious JavaScript into reports.... (Dec 18, 2025)
An authenticated user with Teacher role in Moodle can upload a PDF containing malicious JavaScript to the GeniAI plugin. When other users click the ge... (Oct 21, 2025)
This stored XSS vulnerability in PROLIZ OBS Student Affairs Information System allows attackers to inject malicious scripts into web pages that are th... (Sep 25, 2025)
A stored XSS vulnerability in open-webui version 0.3.8 allows attackers to upload malicious files containing JavaScript. When victims access these fil... (Mar 20, 2025)
This vulnerability allows attackers to execute arbitrary JavaScript code in the Red Hat Advanced Cluster Security portal through cross-site scripting ... (Jan 27, 2025)
This cross-site scripting (XSS) vulnerability in QNAP operating systems allows authenticated attackers to inject malicious scripts into web applicatio... (Sep 6, 2024)
CVE-2024-28100 is a cross-site scripting (XSS) vulnerability in eLabFTW that allows authenticated users to upload malicious files that execute JavaScr... (Sep 2, 2024)
CVE-2024-37166 is a Cross-Site Scripting (XSS) vulnerability in ghtml template engine software where user-controlled JavaScript code can be introduced... (Jun 10, 2024)
IBM Security Guardium versions 11.3, 11.4, and 11.5 contain a stored cross-site scripting (XSS) vulnerability that allows authenticated users to injec... (Aug 27, 2023)
This stored cross-site scripting (XSS) vulnerability in XWiki Commons allows users without script rights to inject malicious scripts via the Live Data... (Apr 16, 2023)
This cross-site scripting (XSS) vulnerability in XWiki allows attackers to inject malicious JavaScript via column names in Livetable and Documents mac... (Apr 15, 2023)
This CVE allows users without script rights to perform stored cross-site scripting (XSS) attacks via the Live Data macro in XWiki Platform. Attackers ... (Mar 2, 2023)
This stored XSS vulnerability in Chamilo LMS allows attackers to inject malicious JavaScript into social network and messaging features. When authenti... (Mar 6, 2026)
This vulnerability allows attackers to inject malicious scripts into Chamilo LMS user profiles via CSV import. When other users view these profiles, t... (Mar 2, 2026)
This stored XSS vulnerability in Karel Electronics ViPort allows attackers to inject malicious scripts into web pages that are then executed when othe... (Feb 4, 2026)
This is a cross-site scripting (XSS) vulnerability in Ghost CMS that allows attackers to craft malicious links. When authenticated staff users or memb... (Jan 27, 2026)
This is a reflected cross-site scripting (XSS) vulnerability in the Salvo Rust web framework's directory listing functionality. Attackers can inject m... (Jan 8, 2026)
This is a cross-site scripting (XSS) vulnerability in IceWarp's gmaps webpage that allows remote attackers to bypass authentication. Attackers can exp... (Dec 23, 2025)
WonderCMS 4.3.2 contains a cross-site scripting vulnerability in the module installation endpoint that allows attackers to inject malicious JavaScript... (Dec 12, 2025)
This cross-site scripting (XSS) vulnerability in Microsoft Office SharePoint allows authenticated attackers to inject malicious scripts into web pages... (Dec 9, 2025)
This cross-site scripting (XSS) vulnerability in Combodo iTop allows attackers to inject malicious scripts into error messages that are displayed to u... (Nov 10, 2025)
This vulnerability allows attackers to inject malicious scripts into Combodo iTop dashboards when rendered via AJAX calls. Users of iTop versions befo... (Nov 10, 2025)
Combodo iTop versions before 2.7.13 and 3.2.2 contain a cross-site scripting vulnerability in dashboard editing via AJAX calls. This allows attackers ... (Nov 10, 2025)
This is a cross-site scripting (XSS) vulnerability in Heimdall Data Database Proxy that allows remote attackers to execute arbitrary code. Attackers c... (Nov 6, 2025)
A stored Cross-Site Scripting (XSS) vulnerability in TastyIgniter's media manager allows attackers to upload malicious SVG files containing JavaScript... (Oct 20, 2025)
This is a cross-site scripting (XSS) vulnerability in Progress Flowmon web application that allows attackers to execute malicious scripts in authentic... (Oct 9, 2025)
This stored cross-site scripting (XSS) vulnerability in Kissflow Work Platform allows attackers to inject malicious scripts that execute when users vi... (Oct 1, 2025)
This CVE describes a cross-site scripting (XSS) vulnerability in Fiora chat application versions 1.0.0 through user avatar upload functionality. Attac... (Oct 1, 2025)
CVE-2025-26210 is a cross-site scripting (XSS) vulnerability in DeepSeek R1 through version V3.1 that allows attackers to execute arbitrary JavaScript... (Sep 3, 2025)
FoxCMS 1.2.6 contains a reflected Cross-Site Scripting (XSS) vulnerability in the /index.php/plus endpoint that allows attackers to inject malicious s... (Aug 27, 2025)
FoxCMS 1.2.6 contains a cross-site scripting (XSS) vulnerability in the /index.php/article endpoint that allows attackers to inject and execute malici... (Aug 25, 2025)
QuantumNous new-api v0.8.5.2 contains a Cross-Site Scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages view... (Aug 22, 2025)
This vulnerability allows authenticated administrators in XWiki to inject malicious Apache Velocity templates through the Global Preferences Presentat... (Aug 20, 2025)
This vulnerability in Statamic CMS allows attackers to perform cross-site scripting (XSS) attacks through the /users endpoint. It enables stored XSS v... (Aug 8, 2025)
An unauthenticated cross-site scripting vulnerability in AccuWeather and Custom RSS widgets allows attackers to inject malicious RSS feed URLs. This c... (Jun 25, 2025)
This CVE describes a cross-site scripting (XSS) vulnerability in the Drupal Simple Klaro module that allows attackers to inject malicious scripts into... (Jun 13, 2025)
An authenticated attacker can inject malicious scripts into the plant name field, which are then stored and executed when other users view the affecte... (Apr 15, 2025)
This vulnerability in the Site Reviews WordPress plugin allows unauthenticated attackers to inject malicious scripts into review fields, which execute... (Mar 19, 2025)
This is a stored cross-site scripting (XSS) vulnerability in FortiADC's web management interface. Authenticated attackers can inject malicious scripts... (Mar 11, 2025)
CVE-2025-27434 is a cross-site scripting (XSS) vulnerability in SAP Commerce's Swagger UI component that allows unauthenticated attackers to inject an... (Mar 11, 2025)
A DOM Clobbering vulnerability in Mavo v0.3.2 allows attackers to inject malicious HTML elements that can override JavaScript objects and execute arbi... (Mar 3, 2025)
This is a reflected cross-site scripting (XSS) vulnerability in Celk Sistemas Celk Saude healthcare software version 3.1.252.1. An attacker can inject... (Jan 29, 2025)
This vulnerability in Google Chrome extensions allows attackers to escalate privileges by tricking users into performing specific UI gestures on a mal... (Jan 15, 2025)
This vulnerability in Google Chrome's navigation implementation allows attackers to escalate privileges through a crafted HTML page. It affects users ... (Jan 15, 2025)
About Cross-site Scripting (XSS) (CWE-79)
Our database tracks 8,800 CVEs classified as CWE-79, with 256 rated critical and 2,327 rated high severity. The average CVSS score for Cross-site Scripting (XSS) vulnerabilities is 6.4.
External reference: CWE-79 on MITRE CWE