CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')) — Vulnerability Class 21500

21500 vulnerabilities classified as CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')). AI Chinese analysis included.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-29192 | ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover | zitadel | 7.7 | High | 2026-03-07 |
| CVE-2026-29191 | ZITADEL: 1-Click Account Takeover via XSS in /saml-post Endpoint | zitadel | 9.3 | Critical | 2026-03-07 |
| CVE-2026-1825 | Show YouTube video <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute | Show YouTube video | 6.4 | Medium | 2026-03-07 |
| CVE-2026-1823 | Consensus Embed <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'src' Shortcode Attribute | Consensus Embed | 6.4 | Medium | 2026-03-07 |
| CVE-2026-1824 | Infomaniak Connect for OpenID <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | Infomaniak Connect for OpenID | 6.4 | Medium | 2026-03-07 |
| CVE-2026-1074 | WP App Bar <= 1.5 - Unauthenticated Stored Cross-Site Scripting via 'app-bar-features' Parameter | WP App Bar | 7.2 | High | 2026-03-07 |
| CVE-2026-1820 | Media Library Alt Text Editor <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_id' Shortcode Attribute | Media Library Alt Text Editor | 6.4 | Medium | 2026-03-07 |
| CVE-2026-1574 | MyQtip – easy qTip2 <= 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | MyQtip – easy qTip2 | 6.4 | Medium | 2026-03-07 |
| CVE-2026-1805 | DA Media GigList <= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'list_title' Shortcode Attribute | DA Media GigList | 6.4 | Medium | 2026-03-07 |
| CVE-2026-1569 | Wueen <= 0.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin's Shortcode | Wueen | 6.4 | Medium | 2026-03-07 |
| CVE-2026-1071 | Carta Online <= 2.13.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings | Carta Online | 4.4 | Medium | 2026-03-07 |
| CVE-2026-2433 | RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.11 - Unauthenticated DOM-Based Reflected Cross-Site Scripting via postMessage | RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging | 6.1 | Medium | 2026-03-07 |
| CVE-2026-2420 | LotekMedia Popup Form <= 1.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings | LotekMedia Popup Form | 4.4 | Medium | 2026-03-07 |
| CVE-2026-30830 | Defuddle: XSS via unescaped string interpolation in _findContentBySchemaText image tag | defuddle | 7.2 | - | 2026-03-07 |
| CVE-2026-30841 | Wallos: Reflected XSS via unescaped token and email parameters in passwordreset.php | Wallos | 6.1 | - | 2026-03-07 |
| CVE-2026-2431 | CM Custom Reports <= 1.2.7 - Reflected Cross-Site Scripting via 'date_from' and 'date_to' Parameters | CM Custom Reports – Flexible reporting to track what matters most | 6.1 | Medium | 2026-03-07 |
| CVE-2026-2722 | Stock Ticker <= 3.26.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Template | Stock Ticker | 4.8 | Medium | 2026-03-07 |
| CVE-2026-2721 | MailArchiver <= 4.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings | MailArchiver | 4.8 | Medium | 2026-03-07 |
| CVE-2026-1902 | Hammas Calendar <= 1.5.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'apix' Shortcode Attribute | Hammas Calendar | 6.4 | Medium | 2026-03-07 |
| CVE-2026-25073 | XikeStor SKS8310-8X Stored XSS via System Name | XikeStor SKS8310-8X | 5.4 | - | 2026-03-07 |
| CVE-2026-30238 | Group-Office: Reflected XSS in JavaScript context | groupoffice | 6.1 | - | 2026-03-06 |
| CVE-2026-30237 | Group-Office: Self XSS in GroupOffice Installer License Page (install/license.php) | groupoffice | 6.1 | - | 2026-03-06 |
| CVE-2026-29082 | Kestra: Stored Cross-Site Scripting in Markdown File Preview | kestra | 7.3 | High | 2026-03-06 |
| CVE-2024-35644 | WordPress Preferred Languages plugin <= 2.2.2 - Cross Site Scripting (XSS) vulnerability | Preferred Languages | 5.9 | Medium | 2026-03-06 |
| CVE-2026-29183 | SiYuan: Unauthenticated reflected SVG XSS in `/api/icon/getDynamicIcon` (`type=8`) enables arbitrary JavaScript execution | siyuan | 9.3 | Critical | 2026-03-06 |
| CVE-2026-29048 | HumHub: XSS in Button component | humhub | 5.4 | - | 2026-03-06 |
| CVE-2026-29038 | changedetection.io: Reflected XSS in RSS Tag Error Response | changedetection.io | 6.1 | Medium | 2026-03-06 |
| CVE-2026-28683 | Gokapi: Stored XSS in SVG Hotlinks | Gokapi | 8.7 | High | 2026-03-06 |
| CVE-2026-28509 | LangBot has a Cross Site Scripting(XSS) Vulnerability | LangBot | 6.3 | Medium | 2026-03-06 |
| CVE-2025-59543 | Chamilo: Account Takeover via Stored XSS in Course Description | chamilo-lms | 9.1 | Critical | 2026-03-06 |

Vulnerabilities classified as CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')) represent 21500 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.