CWE-83— Improper Neutralization of Script in Attributes in a Web Page
The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.— MITRE CWE catalog
24 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-83page 1 of 1
- CVE-2020-14525LOWCVSS 3.5EG 3.52020-09-18
Philips Clinical Collaboration Platform, Versions 12.2.1 and prior, does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a webpage that is served to other users.
- CVE-2022-39262MEDIUMCVSS 5.2EG 5.22022-11-03
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package, GLPI administrator can define rich-text content to be displayed on login page. The displayed content is can contains maliciou…
- CVE-2023-30958MEDIUMCVSS 4.7EG 4.72023-08-03
A security defect was identified in Foundry Frontend that enabled users to potentially conduct DOM XSS attacks if Foundry's CSP were to be bypassed. This defect was resolved with the release of Foundry Frontend 6.225.0.
- CVE-2023-32070CRITICALCVSS 9.0EG 9.02023-05-10
XWiki Platform is a generic wiki platform. Prior to version 14.6-rc-1, HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in …
- CVE-2023-37908CRITICALCVSS 9.0EG 9.02023-10-25
XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. The cleaning of attributes during XHTML rendering, introduced in version 14.6-rc-1, allowed the injection of arbitrary HTML co…
- CVE-2024-26283HIGHCVSS 7.8EG 7.82024-02-22
An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with a custom Firefox scheme. This vulnerability affects Firefox for iOS < 123.
- CVE-2024-52595HIGHCVSS 7.7EG 7.72024-11-19
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as `<svg>`, `<math>` and `<…
- CVE-2024-9103MEDIUMCVSS 6.1EG 6.12025-03-24
Improper Neutralization of Script in Attributes in a Web Page vulnerability in Forcepoint Email Security (Blocked Messages module) allows Stored XSS. This issue affects Email Security through 8.5.5.
- CVE-2025-0125MEDIUMCVSS 6.9EG 6.92025-04-11
An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate another legitimate authenticated PAN-OS ad…
- CVE-2025-0137MEDIUMCVSS 4.8EG 4.82025-05-14
An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate another legitimate authenticated PAN-OS ad…
- CVE-2025-11682HIGHCVSS 7.1EG 7.12025-10-27
Stored cross-site scripting (XSS) vulnerability in the LMT Dashboard of the Perx Customer Engagement & Loyalty Platform allows an authenticated attacker to execute arbitrary JavaScript code in a victim's browser. The vulnerability is due t…
- CVE-2025-27145LOWCVSS 3.6EG 3.62025-02-25
copyparty, a portable file server, has a DOM-based cross-site scripting vulnerability in versions prior to 1.16.15. The vulnerability is considered low-risk. By handing someone a maliciously-named file, and then tricking them into dragging…
- CVE-2025-4615HIGHCVSS 7.2EG 7.22025-10-09
An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and execute arbitrary commands. The security r…
- CVE-2025-58746CRITICALCVSS 9.0EG 9.02025-09-08
The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external links, internal dashboards, time pickers, and dropdown menus. Prior to version 2.4.0, a malicious actor with Editor privileges can escalate t…
- CVE-2025-67163MEDIUMCVSS 6.1EG 6.12025-12-18
A stored cross-site scripting (XSS) vulnerability in Simple Machines Forum v2.1.6 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Forum Name parameter.
- CVE-2026-22849MEDIUMCVSS 4.8EG 4.82026-01-21
Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor was allowing users to modify rich text fields with HTML without running any backend HTML cleaners thus allowing malici…
- CVE-2026-23516MEDIUMCVSS 5.4EG 5.42026-01-21
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able t…
- CVE-2026-45669MEDIUMCVSS 5.4EG 5.42026-05-19
Nuxt is an open-source web development framework for Vue.js. From versions 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv=…
- CVE-2026-48591MEDIUMCVSS 4.8EG 4.82026-06-17
Improper Neutralization of Script in Attributes in a Web Page vulnerability in pragdave earmark allows stored cross-site scripting via unescaped HTML attribute values. 'Elixir.Earmark.Transform':_make_att1/2 in lib/earmark/transform.ex sp…
- CVE-2026-49276HIGHCVSS 7.4EG 7.42026-06-18
Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the writer field in any blueprint allowed a scripting link to be included as the target of a link or email link in writer mark components, makin…
- CVE-2026-53722MEDIUMCVSS 5.4EG 5.42026-06-12
Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, <NuxtLink> did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underl…
- CVE-2026-53841MEDIUMCVSS 6.1EG 6.12026-06-16
OpenClaw before 2026.5.12 contains a cross-site scripting vulnerability in exported session HTML that preserves unsafe javascript: and data: links in generated content. Attackers can execute browser-side scripts if a trusted operator opens…
- CVE-2026-58263HIGHCVSS 7.2EG 7.22026-07-01
Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.28, the built-in clean-html sanitizer can be bypassed by a MathML/<style> carrier that hides a dangerous elemen…
- CVE-2026-8245MEDIUMCVSS 5.4EG 5.42026-05-21
Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL field into href="" (<a href="{$linkURL}" …
Map vulnerabilities like CWE-83 to your infrastructure
EchelonGraph correlates every CVE — across CWE-83 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →