CWE-80— Improper Neutralization of Script-Related HTML Tags
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.— MITRE CWE catalog
549 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-80page 10 of 11
- CVE-2025-60244HIGHCVSS 7.1EG 7.12025-11-06
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in RealMag777 TableOn posts-table-filterable allows Code Injection.This issue affects TableOn: from n/a through <= 1.0.5.1.
- CVE-2025-61583MEDIUMCVSS 6.1EG 4.32025-10-01
TS3 Manager is modern web interface for maintaining Teamspeak3 servers. A reflected cross-site scripting vulnerability has been identified in versions 2.2.1 and earlier. The vulnerability exists in the error handling mechanism of the login…
- CVE-2025-62172HIGHCVSS 8.5EG 8.52025-10-14
Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject m…
- CVE-2025-62198MEDIUMCVSS 5.4EG 5.42026-06-22
An authenticated user can perform XSS. This issue affects Apache Atlas versions 2.4.0 and earlier. Users are recommended to upgrade to version 2.5.0, which fixes the issue.
- CVE-2025-62414MEDIUMCVSS 4.8EG 6.92025-10-16
Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to Cross-Site Scripting (XSS). An attacker with access to the admin create-customer form can …
- CVE-2025-62415MEDIUMCVSS 4.8EG 6.92025-10-16
Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When v…
- CVE-2025-62418MEDIUMCVSS 4.8EG 6.92025-10-16
Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When vi…
- CVE-2025-6247MEDIUMCVSS 4.7EG 4.72025-08-26
The WordPress Automatic Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.118.0. This is due to missing or incorrect nonce validation on one of its functions. This makes it poss…
- CVE-2025-62796MEDIUMCVSS 5.8EG 5.82025-10-28
PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Versions 1.7.7 through 2.0.1 allow persistent HTML injection via the unsanitized attachment filename (attachment_name) when attachments are enabled. An at…
- CVE-2025-62897MEDIUMCVSS 5.3EG 5.32025-10-27
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Brecht WP Recipe Maker wp-recipe-maker allows Code Injection.This issue affects WP Recipe Maker: from n/a through < 10.1.0.
- CVE-2025-62936MEDIUMCVSS 4.3EG 6.12025-10-27
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Jthemes xSmart xsmart allows Code Injection.This issue affects xSmart: from n/a through <= 1.2.9.4.
- CVE-2025-63068MEDIUMCVSS 5.3EG 5.32025-12-09
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in sevenspark Contact Form 7 – Dynamic Text Extension contact-form-7-dynamic-text-extension allows Code Injection.This issue affects Contact Form…
- CVE-2025-64187MEDIUMCVSS 4.4EG 4.42025-11-07
OctoPrint provides a web interface for controlling consumer 3D printers. Versions 1.11.3 and below are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Action Command notifications and prompts popups …
- CVE-2025-64225MEDIUMCVSS 6.5EG 6.12025-12-18
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in colabrio Stockie Extra stockie-extra allows Code Injection.This issue affects Stockie Extra: from n/a through <= 1.2.11.
- CVE-2025-64633MEDIUMCVSS 5.3EG 5.32025-12-16
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in colabrio Norebro Extra norebro-extra allows Code Injection.This issue affects Norebro Extra: from n/a through <= 1.6.8.
- CVE-2025-64637MEDIUMCVSS 5.3EG 5.32026-06-26
Unauthenticated Content Injection in Auros Core <= 5.3.1 versions.
- CVE-2025-64764MEDIUMCVSS 5.4EG 7.12025-11-19
Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has b…
- CVE-2025-65924MEDIUMCVSS 4.1EG 6.12026-02-03
ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF …
- CVE-2025-66450MEDIUMCVSS 5.4EG 5.42025-12-11
LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when a user posts a question, the iconURL parameter of the POST request can be modified by an attacker. The malicious code is then stored in the chat which…
- CVE-2025-66472MEDIUMCVSS 6.1EG 6.12025-12-10
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Plat…
- CVE-2025-66481CRITICALCVSS 9.6EG 9.62025-12-09
DeepChat is an open-source AI chat platform that supports cloud models and LLMs. Versions 0.5.1 and below are vulnerable to XSS attacks through improperly sanitized Mermaid content. The recent security patch for MermaidArtifact.vue is insu…
- CVE-2025-66486MEDIUMCVSS 4.8EG 4.82026-04-01
IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
- CVE-2025-66512MEDIUMCVSS 6.1EG 5.42025-12-05
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content security policy when a malicious user …
- CVE-2025-69169MEDIUMCVSS 5.4EG 5.42026-01-08
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Noor Alam Easy Media Download easy-media-download allows Reflection Injection.This issue affects Easy Media Download: from n/a through <= 1.1.11.
- CVE-2025-71310LOWCVSS 1.8EG 1.82026-05-26
The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This …
- CVE-2025-71331MEDIUMCVSS 6.1EG 6.12026-06-20
Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript by sending an iframe payload (e.g., <i…
- CVE-2025-8029HIGHCVSS 8.1EG 8.12025-07-22
Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
- CVE-2025-8386MEDIUMCVSS 6.9EG 6.92025-11-15
The vulnerability, if exploited, could allow an authenticated miscreant (with privilege of "aaConfigTools") to tamper with App Objects' help files and persist a cross-site scripting (XSS) injection that when executed by a victim user, c…
- CVE-2025-8621MEDIUMCVSS 6.4EG 6.42025-08-12
The Mosaic Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘c’ parameter in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible…
- CVE-2026-0396LOWCVSS 3.1EG 3.12026-03-31
An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or Dy…
- CVE-2026-11511LOWCVSS 3.5EG 3.52026-06-08
A weakness has been identified in Bolt CMS up to 3.7.5. This vulnerability affects unknown code of the file src/Storage/Field/Type/TextType.php of the component HTML Attribute Handler. Executing a manipulation of the argument style can lea…
- CVE-2026-1154MEDIUMCVSS 4.3EG 4.32026-01-19
A flaw has been found in SourceCodester E-Learning System 1.0. This impacts an unknown function of the file /admin/modules/lesson/index.php of the component Lesson Module Handler. Executing a manipulation of the argument Title/Description …
- CVE-2026-12812LOWCVSS 3.5EG 3.52026-06-22
A security vulnerability has been detected in Radware Cyber Controller up to 10.11.0. This affects an unknown part of the component HTML Report Generation. The manipulation leads to HTML injection. Remote exploitation of the attack is poss…
- CVE-2026-1282LOWCVSS 3.5EG 3.52026-02-11
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to inject malicious content into project labels titles.
- CVE-2026-13225MEDIUMCVSS 5.3EG 5.32026-06-25
Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order.
- CVE-2026-13314LOWCVSS 2.0EG 2.02026-06-25
Malicious HTML content could be injected into the content rendered by the pretix-digital plugin.
- CVE-2026-1564MEDIUMCVSS 4.8EG 4.82026-04-15
Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.
- CVE-2026-1834MEDIUMCVSS 6.4EG 6.42026-03-31
The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ive' shortcode in all versions up to, and including, 1.2.5.7 due to insufficient input sanitization and output esc…
- CVE-2026-20047MEDIUMCVSS 4.8EG 4.82026-01-15
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks ag…
- CVE-2026-20070MEDIUMCVSS 6.1EG 6.12026-03-04
A vulnerability in the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cros…
- CVE-2026-20170MEDIUMCVSS 6.1EG 6.12026-04-15
A vulnerability in the Desktop Agent functionality of Cisco Webex Contact Center could have allowed an unauthenticated, remote attacker to conduct cross-site scripting attacks. Cisco has addressed this vulnerability in the Cisco Webex Cont…
- CVE-2026-22254NONECVSS 0.0EG 0.02026-02-06
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization…
- CVE-2026-22422MEDIUMCVSS 5.3EG 5.32026-02-19
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in wpeverest Everest Forms everest-forms allows Code Injection.This issue affects Everest Forms: from n/a through <= 3.4.1.
- CVE-2026-22469MEDIUMCVSS 5.3EG 5.32026-01-22
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in mwtemplates DeepDigital deepdigital allows Code Injection.This issue affects DeepDigital: from n/a through <= 1.0.2.
- CVE-2026-23528MEDIUMCVSS 6.1EG 6.12026-01-16
Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupy…
- CVE-2026-24128MEDIUMCVSS 6.1EG 6.12026-01-24
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site S…
- CVE-2026-24564MEDIUMCVSS 4.3EG 4.32026-01-23
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Israpil Textmetrics webtexttool allows Code Injection.This issue affects Textmetrics: from n/a through <= 3.6.5.
- CVE-2026-25006MEDIUMCVSS 5.3EG 5.32026-02-19
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore xstore allows Code Injection.This issue affects XStore: from n/a through <= 9.6.4.
- CVE-2026-25054MEDIUMCVSS 5.4EG 5.42026-02-04
n8n is an open source workflow automation platform. Prior to versions 1.123.9 and 2.2.1, a Cross-Site Scripting (XSS) vulnerability existed in a markdown rendering component used in n8n's interface, including workflow sticky notes and othe…
- CVE-2026-25578MEDIUMCVSS 6.1EG 6.12026-02-04
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to …
Map vulnerabilities like CWE-80 to your infrastructure
EchelonGraph correlates every CVE — across CWE-80 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →