CWE-79: Cross-site Scripting (XSS) — known CVE vulnerabilities
CVEs classified under CWE-79 (Cross-site Scripting (XSS)), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2025-49410 — CVSS 10.0 (critical): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu TC Testimonials allows…
CVE-2024-47875 — CVSS 10.0 (critical): DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS…
CVE-2024-6886: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea Gitea Open Source Git…
CVE-2023-45144 — CVSS 10.0 (critical): com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on OAuth authorizations…
CVE-2023-45138 — CVSS 10.0 (critical): Change Request is an pplication allowing users to request changes on a wiki without publishing the changes directly. Starting in version…
CVE-2022-4361 — CVSS 10.0 (critical): Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC…
CVE-2023-28849 — CVSS 10.0 (critical): GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, GLPI inventory endpoint…
CVE-2023-0018 — CVSS 10.0 (critical): Due to improper input sanitization of user-controlled input in SAP BusinessObjects Business Intelligence Platform CMC application -…
CVE-2021-36206 — CVSS 10.0 (critical): All versions of CEVAS prior to 1.01.46 do not sufficiently validate user-controllable input and could allow a user to bypass authentication…
CVE-2022-35698 — CVSS 10.0 (critical): Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by a Stored Cross-site Scripting vulnerability…
CVE-2021-23856 — CVSS 10.0 (critical): The web server is vulnerable to reflected XSS and therefore an attacker might be able to execute scripts on a client’s computer by…
CVE-2021-39199 — CVSS 10.0 (critical): remark-html is an open source nodejs library which compiles Markdown to HTML. In affected versions the documentation of remark-html has…
CVE-2021-32798 — CVSS 10.0 (critical): The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute…
CVE-2021-32671 — CVSS 10.0 (critical): Flarum is a forum software for building communities. Flarum's translation system allowed for string inputs to be converted into HTML DOM…
CVE-2011-3046 — CVSS 10.0 (critical): The extension subsystem in Google Chrome before 17.0.963.78 does not properly handle history navigation, which allows remote attackers to…
CVE-2026-54158 — CVSS 9.9 (critical): SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the attribute-view (database) cell renderer genAVValueHTML…
CVE-2026-54067 — CVSS 9.9 (critical): SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, CSS snippet body containing </style> breaks out of its…
CVE-2026-50551 — CVSS 9.9 (critical): SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan contains a stored cross-site scripting (XSS)…
CVE-2026-40472 — CVSS 9.9 (critical): In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling…
CVE-2026-40470 — CVSS 9.9 (critical): A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via…
CVE-2026-34571 — CVSS 9.9 (critical): CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme…
CVE-2026-34569 — CVSS 9.9 (critical): CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme…
CVE-2025-59832 — CVSS 9.9 (critical): Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, there is a stored XSS vulnerability in…
CVE-2024-42515 — CVSS 9.9 (critical): Glossarizer through 1.5.2 improperly tries to convert text into HTML. Even though the application itself escapes special characters (e.g…
CVE-2024-24594 — CVSS 9.9 (critical): A cross-site scripting (XSS) vulnerability in all versions of the web server component of Allegro AI’s ClearML platform allows a remote…
CVE-2023-29205 — CVSS 9.9 (critical): XWiki Commons are technical libraries common to several other top level XWiki projects. The HTML macro does not systematically perform a…
CVE-2021-42940 — CVSS 9.9 (critical): A Cross Site Scripting (XSS) vulnerability exists in Projeqtor 9.3.1 via /projeqtor/tool/saveAttachment.php, which allows an attacker to…
CVE-2020-7741 — CVSS 9.9 (critical): This affects the package hellojs before 1.18.6. The code get the param oauth_redirect from url and pass it to location.assign without any…
CVE-2025-14320 — CVSS 9.8 (critical): Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Tegsoft Management and Information…
CVE-2026-35052 — CVSS 9.8 (critical): D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to 3.22.0, users…
CVE-2026-29859 — CVSS 9.8 (critical): An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2020-37153 — CVSS 9.8 (critical): ASTPP 4.0.1 contains multiple vulnerabilities including cross-site scripting and command injection in SIP device configuration and plugin…
CVE-2022-50905 — CVSS 9.8 (critical): e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first vulnerability is a…
CVE-2025-64130 — CVSS 9.8 (critical): Zenitel TCIV-3+ is vulnerable to a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary…
CVE-2025-52161 — CVSS 9.8 (critical): Scholl Communications AG Weblication CMS Core v019.004.000.000 was discovered to contain a cross-site scripting (XSS) vulnerability.
CVE-2025-49409 — CVSS 9.8 (critical): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brewlabs SensorPress allows Stored…
CVE-2025-49400 — CVSS 9.8 (critical): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osama.esh WP Visitor Statistics (Real…
CVE-2025-44136 — CVSS 9.8 (critical): MapTiler Tileserver-php v2.0 is vulnerable to Cross Site Scripting (XSS). The GET parameter "layer" is reflected in an error message…
CVE-2025-46199 — CVSS 9.8 (critical): Cross Site Scripting vulnerability in grav v.1.7.48 and before allows an attacker to execute arbitrary code via a crafted script to the…
CVE-2020-26799 — CVSS 9.8 (critical): A reflected cross-site scripting (XSS) vulnerability was discovered in index.php on Luxcal 4.5.2 which allows an unauthenticated attacker…
CVE-2025-53484 — CVSS 9.8 (critical): User-controlled inputs are improperly escaped in: * VotePage.php (poll option input) * ResultPage::getPagesTab() and getErrorsTab()…
CVE-2025-53599 — CVSS 9.8 (critical): Whale browser for iOS before 3.9.1.4206 allow an attacker to execute malicious scripts in the browser via a crafted javascript scheme.
CVE-2025-44148 — CVSS 9.8 (critical): Cross Site Scripting (XSS) vulnerability in MailEnable before v10 allows a remote attacker to execute arbitrary code via the failure.aspx…
CVE-2025-24297 — CVSS 9.8 (critical): Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users personal spaces of the web portal.
CVE-2024-57686 — CVSS 9.8 (critical): A Cross Site Scripting (XSS) vulnerability was found in /landrecordsys/admin/contactus.php in PHPGurukul Land Record System v1.0, which…
CVE-2024-52770 — CVSS 9.8 (critical): An arbitrary file upload vulnerability in the component /admin/file_manage_control of DedeBIZ v6.3.0 allows attackers to execute arbitrary…
CVE-2024-51053 — CVSS 9.8 (critical): An arbitrary file upload vulnerability in the component /main/fileupload.php of AVSCMS v8.2.0 allows attackers to execute arbitrary code…
CVE-2024-51135 — CVSS 9.8 (critical): An XML External Entity (XXE) vulnerability in the component DocumentBuilderFactory of powertac-server v1.9.0 allows attackers to access…
CVE-2024-44081 — CVSS 9.8 (critical): In Jitsi Meet before 2.0.9779, the functionality to share a video file was implemented in an insecure way, resulting in clients loading…