CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
522 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE. In short, CWE-80 covers code that takes input from an upstream component and fails to neutralize, or incorrectly neutralizes, characters such as `<`, `>` and `&` that a downstream page renderer will interpret as markup or script.
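Before the listing, a worked illustration of the weakness the entries below share. This is an added example written for this page, not code from MITRE or from any of the projects listed; all inputs are constructed payloads. `strip_script_tags` stands in for the "incorrect neutralization" CWE-80 describes (delete `<script>` tags in one pass and trust the remainder), `html.escape` shows correct neutralization for a text-node context and a quoted-attribute context, and `injected_markup` parses the rendered page with the standard-library HTML parser and reports every element or script-bearing attribute that did not come from the template, which is the check a reviewer can run against either renderer.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample values (not taken from any advisory on this page).
SAMPLE_INPUTS = {
    "benign": "Tom & Jerry <3",
    "script": "<script>alert(1)</script>",
    "nested": "<scr<script>ipt>alert(1)</script>",      # survives a single-pass strip
    "event_handler": '<img src=x onerror="alert(1)">',   # no <script> tag at all
    "svg_onload": "<svg onload=alert(1)>",
    "attr_breakout": '" autofocus onfocus="alert(1)',    # closes the attribute, adds a handler
}

_SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def strip_script_tags(value: str) -> str:
    """The 'incorrect neutralization' pattern behind CWE-80: delete <script>
    tags in one pass and pass whatever is left through to the page."""
    return _SCRIPT_TAG.sub("", value)


# Vulnerable renderers: the filtered value is interpolated straight into HTML.
def render_naive(comment: str) -> str:
    return f'<p class="comment">{strip_script_tags(comment)}</p>'


def render_attr_naive(title: str) -> str:
    return f'<input type="text" name="title" value="{strip_script_tags(title)}">'


# Hardened renderers: encode &, <, >, " and ' for the context the value lands in.
def render_escaped(comment: str) -> str:
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attr_escaped(title: str) -> str:
    return f'<input type="text" name="title" value="{html.escape(title, quote=True)}">'


class _Audit(HTMLParser):
    """Record every start tag and every attribute that can run script."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            url_attr = name in ("href", "src", "action") and value is not None
            if name.startswith("on") or (url_attr and value.strip().lower().startswith("javascript:")):
                self.handlers.append((tag, name))

    handle_startendtag = handle_starttag


def injected_markup(rendered: str, template_tags: tuple[str, ...]) -> list[str]:
    """Parse the rendered HTML as a browser would and list every element that
    is not part of the template plus every script-bearing attribute.
    An empty list means the untrusted value was rendered as inert text."""
    audit = _Audit()
    audit.feed(rendered)
    audit.close()
    findings = [f"<{t}>" for t in audit.tags if t not in template_tags]
    findings += [f"{t}@{name}" for t, name in audit.handlers]
    return findings


def audit_all() -> dict[str, dict[str, list[str]]]:
    """Run every sample through both renderers. The naive renderers only stop
    the textbook <script> payload; the escaped ones report nothing for any input."""
    report = {}
    for label, value in SAMPLE_INPUTS.items():
        report[label] = {
            "naive_text": injected_markup(render_naive(value), ("p",)),
            "escaped_text": injected_markup(render_escaped(value), ("p",)),
            "naive_attr": injected_markup(render_attr_naive(value), ("input",)),
            "escaped_attr": injected_markup(render_attr_escaped(value), ("input",)),
        }
    return report


if __name__ == "__main__":
    for label, result in audit_all().items():
        print(f"{label:14s} {result}")
```

The point the audit makes is that tag deletion is the wrong primitive: the nested payload re-assembles into `<script>` after one pass, and the `img`/`svg` payloads never contained a `<script>` tag to begin with. Escaping for the output context needs no knowledge of the payload, which is why it is the fix named in nearly every WordPress entry below ("insufficient input sanitization and output escaping").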
CVEs classified under CWE-80 (page 5 of 11). Each entry lists the CVE ID, severity, CVSS score, EG score and date, followed by the advisory description (long descriptions are truncated with an ellipsis).
- CVE-2023-40557 · MEDIUM · CVSS 5.4 · EG 5.4 · 2024-06-04
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in PickPlugins Tabs & Accordion allows Code Injection. This issue affects Tabs & Accordion: from n/a through 1.3.10.
- CVE-2023-41048 · LOW · CVSS 3.7 · EG 3.7 · 2023-09-21
plone.namedfile allows users to handle `File` and `Image` fields targeting, but not depending on, Plone Dexterity content. Prior to versions 5.6.1, 6.0.3, 6.1.3, and 6.2.1, there is a stored cross site scripting vulnerability for SVG image…
- CVE-2023-4109 · MEDIUM · CVSS 4.8 · EG 4.8 · 2023-08-30
The Ninja Forms Contact Form WordPress plugin before 3.6.26 was affected by an HTML Injection security vulnerability.
- CVE-2023-42458 · LOW · CVSS 3.7 · EG 3.7 · 2023-09-21
Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the S…
- CVE-2023-43790 · MEDIUM · CVSS 5.7 · EG 5.7 · 2024-04-15
iTop is an IT service management platform. By manipulating HTTP queries, a user can inject malicious content in the fields used for the object friendlyname value. This vulnerability is fixed in 3.1.1 and 3.2.0.
- CVE-2023-44393 · CRITICAL · CVSS 9.3 · EG 9.3 · 2023-10-09
Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability c…
- CVE-2023-44396 · MEDIUM · CVSS 6.8 · EG 6.8 · 2024-04-15
iTop is an IT service management platform. Dashlet edits ajax endpoints can be used to produce XSS. Fixed in iTop 2.7.10, 3.0.4, and 3.1.1.
- CVE-2023-45053 · MEDIUM · CVSS 4.3 · EG 4.3 · 2024-06-04
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in pluginever WP Content Pilot – Autoblogging & Affiliate Marketing Plugin allows Code Injection. This issue affects WP Content Pilot – Autoblog…
- CVE-2023-45635 · MEDIUM · CVSS 5.4 · EG 5.4 · 2024-06-04
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in WP Darko Responsive Tabs allows Code Injection. This issue affects Responsive Tabs: from n/a before 4.0.6.
- CVE-2023-46235 · MEDIUM · CVSS 5.4 · EG 5.4 · 2023-10-31
FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to version 1.5.10.15, due to a lack of request sanitization in the logs, a malicious request containing XSS would be stored in a log file. When an ad…
- CVE-2023-46310 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-06-04
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpDiscuz allows Code Injection. This issue affects wpDiscuz: from n/a through 7.6.10.
- CVE-2023-4663 · MEDIUM · CVSS 6.1 · EG 6.1 · 2023-09-15
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Saphira Saphira Connect allows Reflected XSS. This issue affects Saphira Connect: before 9.
- CVE-2023-46722 · MEDIUM · CVSS 6.1 · EG 6.1 · 2023-10-31
The Pimcore Admin Classic Bundle provides a backend UI for Pimcore. Prior to version 1.2.0, a cross-site scripting vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the sto…
- CVE-2023-47513 · MEDIUM · CVSS 5.4 · EG 5.4 · 2024-06-04
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in ARI Soft ARI Stream Quiz allows Code Injection. This issue affects ARI Stream Quiz: from n/a through 1.3.2.
- CVE-2023-47869 · MEDIUM · CVSS 4.3 · EG 4.3 · 2024-12-09
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpForo Forum allows Code Injection. This issue affects wpForo Forum: from n/a through 2.2.5.
- CVE-2023-48285 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-06-04
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Tips and Tricks HQ Stripe Payments allows Code Injection. This issue affects Stripe Payments: from n/a through 2.0.79.
- CVE-2023-48763 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-04-24
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Crocoblock JetFormBuilder allows Code Injection. This issue affects JetFormBuilder: from n/a through 3.1.4.
- CVE-2023-49852 · MEDIUM · CVSS 6.5 · EG 6.5 · 2024-06-04
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Vsourz Digital Responsive Slick Slider WordPress allows Code Injection. This issue affects Responsive Slick Slider WordPress: from n/a through 1.…
- CVE-2023-50933 · MEDIUM · CVSS 6.1 · EG 6.1 · 2024-02-02
IBM PowerSC 1.3, 2.0, and 2.1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-For…
- CVE-2023-51308 · MEDIUM · CVSS 6.1 · EG 6.1 · 2025-02-20
PHPJabbers Car Park Booking System v3.0 is vulnerable to Multiple HTML Injection in the "name, plugin_sms_api_key, plugin_sms_country_code, title, plugin_sms_api_key, title" parameters.
- CVE-2023-5582 · LOW · CVSS 3.5 · EG 3.5 · 2023-10-14
A vulnerability, which was classified as problematic, has been found in ZZZCMS 2.2.0. This issue affects some unknown processing of the component Personal Profile Page. The manipulation leads to basic cross site scripting. The attack may b…
- CVE-2023-5933 · MEDIUM · CVSS 6.4 · EG 6.4 · 2024-01-26
An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Improper input sanitization of user name allows arbitrary API PUT requests.
- CVE-2024-0183 · LOW · CVSS 2.4 · EG 2.4 · 2024-01-01
A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. It has been classified as problematic. This affects an unknown part of the file /admin/students.php of the component NIA Office. The manipulation leads to basic cross…
- CVE-2024-10038 · MEDIUM · CVSS 6.1 · EG 6.1 · 2024-11-13
The WP-Strava plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.1 due to insufficient input sanitization and output escaping. This makes it possible for authenti…
- CVE-2024-10592 · MEDIUM · CVSS 6.4 · EG 6.4 · 2024-11-16
The Mapster WP Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the popup class parameter in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping. This makes it possi…
- CVE-2024-10621 · MEDIUM · CVSS 6.4 · EG 6.4 · 2024-11-08
The Simple Shortcode for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's pw_map shortcode in all versions up to, and including, 1.5.4 due to insufficient input sanitization and output escaping…
- CVE-2024-11404 · MEDIUM · CVSS 5.5 · EG 5.5 · 2024-11-20
Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in django CMS Association django Filer allows Input Data Manipulation, Stored XSS. This issue aff…
- CVE-2024-11479 · MEDIUM · CVSS 5.1 · EG 0.0 · 2024-12-04
An HTML Injection vulnerability was identified in Issuetrak version 17.1 that could be triggered by an authenticated user. HTML markup could be added to comments of tickets, which when submitted will render in the emails sent to all users …
- CVE-2024-11954 · LOW · CVSS 2.4 · EG 2.4 · 2025-01-28
A vulnerability classified as problematic was found in Pimcore 11.4.2. Affected by this vulnerability is an unknown functionality of the component Search Document. The manipulation leads to basic cross site scripting. The attack can be lau…
- CVE-2024-12127 · MEDIUM · CVSS 6.1 · EG 6.1 · 2024-12-17
The Learning Management System, eLearning, Course Builder, WordPress LMS Plugin – Sikshya LMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 0.0.21 …
- CVE-2024-13497 · HIGH · CVSS 7.2 · EG 7.2 · 2025-03-15
The WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via attachment uploads in all versions up to, and including, 8.0.9 due to insufficient …
- CVE-2024-13704 · HIGH · CVSS 7.2 · EG 7.2 · 2025-02-18
The Super Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'st_user_title' parameter in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes i…
- CVE-2024-1606 · MEDIUM · CVSS 4.6 · EG 4.6 · 2024-03-18
Lack of input sanitization in BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users to manipulate generated web pages via injection of HTML code. This might lead to a successful phishing attack, for example by tricking u…
- CVE-2024-2010 · MEDIUM · CVSS 6.1 · EG 6.1 · 2024-09-12
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in TE Informatics V5 allows Reflected XSS. This issue affects V5: before 6.2.
- CVE-2024-20341 · MEDIUM · CVSS 6.1 · EG 6.1 · 2024-10-23
A vulnerability in the VPN web client services feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting …
- CVE-2024-20362 · MEDIUM · CVSS 6.1 · EG 6.1 · 2024-04-03
A vulnerability in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a us…
- CVE-2024-20382 · MEDIUM · CVSS 6.1 · EG 6.1 · 2024-10-23
A vulnerability in the VPN web client services feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting …
- CVE-2024-20460 · MEDIUM · CVSS 6.1 · EG 6.1 · 2024-10-16
A vulnerability in the web-based management interface of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user. Thi…
- CVE-2024-20504 · MEDIUM · CVSS 5.4 · EG 5.4 · 2024-11-06
A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager, Secure Email Gateway, and Secure Web Appliance could allow an authenticated, remote attacker to conduct a stored cross-…
- CVE-2024-22277 · MEDIUM · CVSS 6.4 · EG 6.4 · 2024-07-04
VMware Cloud Director Availability contains an HTML injection vulnerability. A malicious actor with network access to VMware Cloud Director Availability can craft malicious HTML tags to execute within replication tasks.
- CVE-2024-23522 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-05-17
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Strategy11 Form Builder Team Formidable Forms allows Code Injection. This issue affects Formidable Forms: from n/a through 6.7.
- CVE-2024-2380 · MEDIUM · CVSS 4.6 · EG 4.6 · 2024-04-05
Stored XSS in graph rendering in Checkmk <2.3.0b4.
- CVE-2024-23817 · HIGH · CVSS 7.1 · EG 7.1 · 2024-01-25
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has an HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an att…
- CVE-2024-23841 · HIGH · CVSS 8.2 · EG 8.2 · 2024-01-30
apollo-client-nextjs is the Apollo Client support for the Next.js App Router. The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this vulnerability, an attacker would…
- CVE-2024-24571 · MEDIUM · CVSS 5.4 · EG 5.4 · 2024-01-31
facileManager is a modular suite of web apps built with the sysadmin in mind. For the facileManager web application versions 4.5.0 and earlier, we have found that XSS was present in almost all of the input fields as there is insufficient i…
- CVE-2024-24574 · MEDIUM · CVSS 6.5 · EG 6.5 · 2024-02-05
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Unsafe echo of filename in phpMyFAQ\phpmyfaq\admin\attachments.php leads to allowed execution of JavaScript code in client side (XSS). T…
- CVE-2024-24807 · LOW · CVSS 2.7 · EG 2.7 · 2024-02-05
Sulu is a highly extensible open-source PHP content management system based on the Symfony framework. There is an issue when inputting HTML into the Tag name. The HTML is executed when the tag name is listed in the auto complete form. Only…
- CVE-2024-24812 · MEDIUM · CVSS 5.4 · EG 5.4 · 2024-02-07
Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and a tightly integrated client side library. Prior to versions 14.59.0 and 15.5.0, portal pages are susceptible to Cross-Site Scripting (XSS)…
- CVE-2024-24874 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-05-17
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in CodePeople CP Polls allows Code Injection. This issue affects CP Polls: from n/a through 1.0.71.
- CVE-2024-25639 · MEDIUM · CVSS 5.9 · EG 5.9 · 2024-07-08
Khoj is an application that creates personal AI agents. The Khoj Obsidian, Desktop and Web clients inadequately sanitize the AI model's response and user inputs. This can trigger Cross Site Scripting (XSS) via Prompt Injection from untrust…
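The two SVG entries above (CVE-2023-41048 for plone.namedfile and CVE-2023-42458 for Zope) hinge on a browser rule worth making concrete: script inside an SVG does not run when the file is referenced from an `<img>` tag, but it does run when the SVG is opened as a document in its own right (navigated to directly, or embedded through `<object>`, `<embed>` or `<iframe>`). The following added example, written for this page and not taken from Plone, Zope or any other project listed, shows an upload-time check for active content in SVG and the response headers an application can send so that a stored SVG is downloaded rather than rendered as a document. The sample files are constructed; the header set and the use of `xml.etree` are this example's choices, not any project's.

```python
import re
import xml.etree.ElementTree as ET

# Assumption for production use (not from the page): swap in defusedxml.ElementTree
# so hostile DTDs and entity expansion are rejected as well as active content.

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed sample uploads.
SAMPLES = {
    "benign": f'<svg xmlns="{SVG_NS}" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>',
    "script": f'<svg xmlns="{SVG_NS}"><script>alert(document.domain)</script></svg>',
    "onload": f'<svg xmlns="{SVG_NS}" onload="alert(1)"><rect width="1" height="1"/></svg>',
    # Newline inside the scheme via a character reference: browsers strip it, a naive
    # startswith("javascript:") check on the raw value would not see it.
    "js_href": (
        f'<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}">'
        '<a xlink:href="java&#10;script:alert(1)"><text y="10">click</text></a></svg>'
    ),
    # foreignObject lets arbitrary XHTML (and its event handlers) into the image.
    "foreign": (
        f'<svg xmlns="{SVG_NS}"><foreignObject><body xmlns="http://www.w3.org/1999/xhtml">'
        '<img src="x" onerror="alert(1)"/></body></foreignObject></svg>'
    ),
}

_CONTROL = re.compile(r"[\x00-\x20]")  # stripped by browsers when parsing a URL scheme


def _local(name: str) -> str:
    """Drop the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def svg_active_content(svg_text: str) -> list[str]:
    """Return every element or attribute in the SVG that can execute script when
    the file is rendered as a document. An empty list means nothing was found.
    Raises xml.etree.ElementTree.ParseError on malformed input."""
    root = ET.fromstring(svg_text)
    findings: list[str] = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ("script", "foreignObject"):
            findings.append(f"<{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"<{tag}>@{name}")
            elif name == "href" and _CONTROL.sub("", value).lower().startswith("javascript:"):
                findings.append(f"<{tag}>@{name}=javascript:")
    return findings


def accept_upload(svg_text: str) -> bool:
    """Upload-time gate: reject anything that is not well-formed XML or that
    carries active content. Malformed input is refused rather than guessed at."""
    try:
        return not svg_active_content(svg_text)
    except ET.ParseError:
        return False


def download_headers(filename: str) -> dict[str, str]:
    """Headers for serving a stored SVG. Content-Disposition: attachment makes a
    direct navigation download the file while <img> references keep working;
    the CSP is defence in depth should the file ever be rendered as a document."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "sandbox; script-src 'none'",
    }


if __name__ == "__main__":
    for label, svg in SAMPLES.items():
        print(f"{label:8s} accept={accept_upload(svg)!s:5s} {svg_active_content(svg)}")
    print(download_headers("avatar.svg"))
```

Both halves are needed: the upload check catches what the application can recognise today, and the serving headers limit the damage of anything it misses, including payload styles not in the sample set. Neither is required for SVGs that are only ever referenced from `<img>`, which is exactly the distinction the Zope advisory draws.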
Map vulnerabilities like CWE-80 to your infrastructure
EchelonGraph correlates every CVE — across CWE-80 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.