CWE-80— Improper Neutralization of Script-Related HTML Tags
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.— MITRE CWE catalog
549 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-80page 11 of 11
- CVE-2026-25764LOWCVSS 3.5EG 3.52026-02-06
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, an a…
- CVE-2026-25935MEDIUMCVSS 5.4EG 5.42026-02-11
Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets the innerHtml to the description. Since there is no escaping on either the server or client side, a malicious user can sh…
- CVE-2026-26460MEDIUMCVSS 6.1EG 6.12026-04-13
A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attack…
- CVE-2026-28132MEDIUMCVSS 5.3EG 5.32026-02-26
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in villatheme WooCommerce Photo Reviews woocommerce-photo-reviews allows Code Injection.This issue affects WooCommerce Photo Reviews: from n/a thro…
- CVE-2026-33657MEDIUMCVSS 4.6EG 4.62026-04-13
EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrar…
- CVE-2026-34033MEDIUMCVSS 5.4EG 5.42026-06-09
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. User-supplied content was included in notification emails without proper escap…
- CVE-2026-34246MEDIUMCVSS 4.8EG 4.82026-05-19
CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability exists in the admin role management interface. In app/Http/Controllers/Admin/RoleController…
- CVE-2026-34718MEDIUMCVSS 6.1EG 6.12026-04-08
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the HTML sanitizer for ticket articles was missing proper sanitization of data: ... URI schemes, resulting in storing such malicious content in t…
- CVE-2026-35460MEDIUMCVSS 4.3EG 4.32026-04-07
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display…
- CVE-2026-39344HIGHCVSS 8.1EG 8.12026-04-07
ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login page, which is caused by the lack of sanitization or encoding of the username parameter receiv…
- CVE-2026-39425MEDIUMCVSS 5.4EG 5.42026-04-14
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability that allows authenticated users to inject arbitrary HTML and JavaScript into the Application prologue (…
- CVE-2026-39625MEDIUMCVSS 5.3EG 5.32026-04-08
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes TechOne techone allows Code Injection.This issue affects TechOne: from n/a through <= 3.0.3.
- CVE-2026-39626MEDIUMCVSS 5.3EG 5.32026-04-08
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection.This issue affects Armania: from n/a through <= 1.4.8.
- CVE-2026-39628MEDIUMCVSS 5.3EG 5.32026-04-08
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes DukaMarket dukamarket allows Code Injection.This issue affects DukaMarket: from n/a through <= 1.3.0.
- CVE-2026-39629MEDIUMCVSS 5.3EG 5.32026-04-08
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Uminex uminex allows Code Injection.This issue affects Uminex: from n/a through <= 1.0.9.
- CVE-2026-39642MEDIUMCVSS 5.3EG 5.32026-05-26
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in SpabRice Nyla allows Code Injection. This issue affects Nyla: from n/a through 1.7.
- CVE-2026-39712MEDIUMCVSS 5.3EG 5.32026-04-08
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in tagDiv tagDiv Composer td-composer allows Code Injection.This issue affects tagDiv Composer: from n/a through <= 5.4.3.
- CVE-2026-39837MEDIUMCVSS 5.4EG 5.42026-04-07
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.
- CVE-2026-39839MEDIUMCVSS 6.1EG 6.12026-04-07
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.
- CVE-2026-39841MEDIUMCVSS 6.1EG 6.12026-04-07
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.
- CVE-2026-39941MEDIUMCVSS 6.1EG 6.12026-04-09
ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via a the EName and EDesc parameters in EditEventAttendees.php to be rendered in a page without proper output en…
- CVE-2026-40105MEDIUMCVSS 6.1EG 6.12026-04-15
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scri…
- CVE-2026-40872CRITICALCVSS 9.3EG 9.32026-04-21
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value (logged as the "user" field) without HTML escaping. By submit…
- CVE-2026-40873HIGHCVSS 8.9EG 8.92026-04-21
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An atta…
- CVE-2026-40875HIGHCVSS 7.0EG 7.02026-04-21
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" (login history) renders the client IP from login logs without HTML escaping. Bec…
- CVE-2026-41575MEDIUMCVSS 6.1EG 6.12026-05-08
In th30d4y/IP from version 1.0.1 to before version 2.0.1, a DOM-Based Cross-Site Scripting (XSS) vulnerability was identified in an IP Reputation Checker application. Unsanitized user input was directly rendered in the browser, allowing at…
- CVE-2026-41611HIGHCVSS 7.8EG 7.82026-05-12
Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally.
- CVE-2026-42030MEDIUMCVSS 6.1EG 6.12026-05-08
MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into …
- CVE-2026-42451MEDIUMCVSS 6.3EG 6.32026-05-08
Grimmory is a self-hosted digital library. Prior to version 2.3.1, a stored cross-site scripting (XSS) vulnerability in Grimmory's browser-based EPUB reader allows an attacker to embed arbitrary JavaScript in a crafted EPUB file. When a vi…
- CVE-2026-43938HIGHCVSS 8.1EG 8.12026-05-12
YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the application's database logger (YAFNET.Core/Logger/DbLogger.cs) captures the incoming request's User-Agent header into a JObject, serializes it with JsonCon…
- CVE-2026-43939HIGHCVSS 7.3EG 7.32026-05-12
YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the thread posting and reply feature accepts user-supplied content via a a post or reply that is stored server-side and later rendered back into the thread pag…
- CVE-2026-44259MEDIUMCVSS 4.6EG 4.62026-05-12
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the previewServlet serves files with their detected MIME type based on file extension, without any content sanitization or security headers. Files with .html, .htm, or .svg exte…
- CVE-2026-44264MEDIUMCVSS 4.3EG 4.32026-05-07
Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has been patched in version 5.17.1.
- CVE-2026-44369HIGHCVSS 8.5EG 8.52026-05-13
CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then…
- CVE-2026-44839MEDIUMCVSS 4.8EG 4.82026-05-27
RabbitMQ is a messaging and streaming broker. From 3.7.0 to before 4.1.2 and 4.0.13, This vulnerability is fixed in 4.1.2 and 4.0.13.
- CVE-2026-45346MEDIUMCVSS 5.4EG 5.42026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.31, there is a Cross-Site Scripting vulnerability in Open WebUI SVG renderer implementation. This vulnerability is fixed in 0.6…
- CVE-2026-46492HIGHCVSS 7.2EG 7.22026-05-21
md-fileserver allows for local viewing of markdown files in a browser. Prior to version 1.10.3, a cross-site scripting (XSS) vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rende…
- CVE-2026-50146MEDIUMCVSS 6.1EG 6.12026-06-16
Astro is a web framework. Prior to 6.3.3, when a component uses a client:* directive, Astro inserts named slot content into a data-astro-template attribute without HTML escaping the slot name allowing an attacker to break out of the attrib…
- CVE-2026-50229MEDIUMCVSS 6.1EG 6.12026-06-29
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, f…
- CVE-2026-52816MEDIUMCVSS 5.4EG 5.42026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb allows arbitrary data: URIs without proper restrictions, potentially leading to Cross-Site Scrip…
- CVE-2026-57167MEDIUMCVSS 5.1EG 5.12026-07-10
PeerTube is an ActivityPub-federated video streaming platform. Prior to 8.2.2, server-side-rendered video watch pages embed a schema.org JSON-LD block by JSON.stringify-ing video metadata without escaping less-than, greater-than, or slash …
- CVE-2026-57532HIGHCVSS 8.8EG 8.82026-06-25
Malicious HTML content contained in the layout specification of a PDF ticket or badge layout was executed when the PDF editor is opened in the browser. This could allow one backend user to inject JavaScript into the browser context of a…
- CVE-2026-57533LOWCVSS 2.1EG 2.12026-06-25
Malicious HTML content could be injected into the page pretix shows when redirection to an untrusted page occurs. Since this page has a Content-Security-Policy, this can mainly be used for phishing purposes.
- CVE-2026-57534LOWCVSS 2.1EG 2.12026-06-25
Malicious HTML content could be injected into the content of a page in the pretix-pages plugin.
- CVE-2026-57535LOWCVSS 2.1EG 2.12026-06-25
Content injected to PDF rendering contexts could, in many places, include HTML content including <img> tags. If the src attribute of these images pointed to an URL, the PDF rendering engine would download the image from that place and di…
- CVE-2026-59855HIGHCVSS 8.6EG 8.62026-07-09
SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, Asset.render in app/src/asset/index.ts interpolates the unsanitized this.path value into HTML assigned to innerHTML, allowing a crafted asset link containing a …
- CVE-2026-6002HIGHCVSS 8.8EG 8.82026-05-07
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross-Site Scripting (XSS). This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3…
- CVE-2026-7380MEDIUMCVSS 6.1EG 6.12026-07-07
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Armiya Information Technologies Ltd. Co. Access Control System (GKS) allows XSS Targeting HTML Attributes. This issue affects Access Control Sy…
- CVE-2026-9646MEDIUMCVSS 6.1EG 6.12026-05-28
A reflected cross-site scripting issue exists in URL handling.
Map vulnerabilities like CWE-80 to your infrastructure
EchelonGraph correlates every CVE — across CWE-80 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →