CWE-84— Improper Neutralization of Encoded URI Schemes in a Web Page
The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.— MITRE CWE catalog
18 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-84page 1 of 1
- CVE-2020-7011MEDIUMCVSS 6.1EG 6.12020-06-03
Elastic App Search versions before 7.7.0 contain a cross site scripting (XSS) flaw when displaying document URLs in the Reference UI. If the Reference UI injects a URL into a result, that URL will be rendered by the web browser. If an atta…
- CVE-2021-3824MEDIUMCVSS 6.1EG 6.12021-09-23
OpenVPN Access Server 2.9.0 through 2.9.4 allow remote attackers to inject arbitrary web script or HTML via the web login page URL.
- CVE-2022-40181HIGHCVSS 8.3EG 8.32022-10-11
A vulnerability has been identified in Desigo PXM30-1 (All versions < V02.20.126.11-41), Desigo PXM30.E (All versions < V02.20.126.11-41), Desigo PXM40-1 (All versions < V02.20.126.11-41), Desigo PXM40.E (All versions < V02.20.126.11-41), …
- CVE-2023-25571MEDIUMCVSS 6.8EG 6.82023-02-14
Backstage is an open platform for building developer portals. `@backstage/catalog-model` prior to version 1.2.0, `@backstage/core-components` prior to 0.12.4, and `@backstage/plugin-catalog-backend` prior to 1.7.2 are affected by a cross-s…
- CVE-2023-30959MEDIUMCVSS 4.1EG 4.12023-09-27
In Apollo change requests, comments added by users could contain a javascript URI link that when rendered will result in an XSS that require user interaction.
- CVE-2024-42184LOWCVSS 2.5EG 2.52025-01-23
BigFix Patch Download Plug-ins are affected by insecure support for file URI scheme. It could allow a malicious operator to attempt to download files using the file:// URI scheme.
- CVE-2024-45045MEDIUMCVSS 6.3EG 6.32024-08-29
Collabora Online is a collaborative online office suite based on LibreOffice technology. In the mobile (Android/iOS) device variants of Collabora Online it was possible to inject JavaScript via url encoded values in links contained in docu…
- CVE-2024-52890MEDIUMCVSS 6.1EG 6.12025-08-05
IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.03 could be susceptible to cross-site scripting due to no validation of URIs.
- CVE-2025-25323MEDIUMCVSS 5.5EG 5.52025-02-27
An issue in Qianjin Network Information Technology (Shanghai) Co., Ltd 51Job iOS 14.22.0 allows attackers to access sensitive user information via supplying a crafted link.
- CVE-2025-25324MEDIUMCVSS 5.5EG 5.52025-02-27
An issue in Shandong Provincial Big Data Center AiShanDong iOS 5.0.0 allows attackers to access sensitive user information via supplying a crafted link.
- CVE-2025-25325MEDIUMCVSS 5.5EG 5.52025-02-27
An issue in Yibin Fengguan Network Technology Co., Ltd YuPao DirectHire iOS 8.8.0 allows attackers to access sensitive user information via supplying a crafted link.
- CVE-2025-25326MEDIUMCVSS 5.5EG 5.52025-02-27
An issue in Merchants Union Consumer Finance Company Limited Merchants Union Finance iOS 6.19.0 allows attackers to access sensitive user information via supplying a crafted link.
- CVE-2025-25329MEDIUMCVSS 5.5EG 5.52025-02-27
An issue in Tencent Technology (Beijing) Company Limited Tencent MicroVision iOS 8.137.0 allows attackers to access sensitive user information via supplying a crafted link.
- CVE-2025-25330MEDIUMCVSS 5.5EG 5.52025-02-27
An issue in Boohee Technology Boohee Health iOS 13.0.13 allows attackers to access sensitive user information via supplying a crafted link.
- CVE-2025-25331MEDIUMCVSS 5.5EG 5.52025-02-27
An issue in Beitatong Technology LianJia iOS 9.83.50 allows attackers to access sensitive user information via supplying a crafted link.
- CVE-2025-25334MEDIUMCVSS 5.5EG 5.52025-02-27
An issue in Suning Commerce Group Suning EMall iOS 9.5.198 allows attackers to access sensitive user information via supplying a crafted link.
- CVE-2025-30203MEDIUMCVSS 4.8EG 4.82025-03-31
Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap allows cross-site scripting (XSS) via the content of RSS feeds in the RSS widgets. A project administrator or someone with control over…
- CVE-2025-58444HIGHCVSS 8.6EG 8.62025-09-08
The MCP inspector is a developer tool for testing and debugging MCP servers. A cross-site scripting issue was reported in versions of the MCP Inspector local development tool prior to 0.16.6 when connecting to untrusted remote MCP servers …
Map vulnerabilities like CWE-84 to your infrastructure
EchelonGraph correlates every CVE — across CWE-84 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →