CWE-79 (Improper Escaping of Input During Web Page Generation (Cross-Site Scripting)) — Vulnerability Class 21489

21489 vulnerabilities are classified as CWE-79 (Improper Escaping of Input During Web Page Generation (Cross-Site Scripting)). AI-generated Chinese analysis is included for each entry.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-40479 | Kimai: Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget | kimai | 5.4 | Medium | 2026-04-17 |
| CVE-2026-2434 | Pz-LinkCard <= 2.5.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | Pz-LinkCard | 6.4 | Medium | 2026-04-17 |
| CVE-2026-40353 | wger: Stored XSS via Unescaped License Attribution Fields | wger | 5.4 (AI) | Medium (AI) | 2026-04-17 |
| CVE-2026-40302 | zrok has reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering | zrok | 6.1 | Medium | 2026-04-17 |
| CVE-2026-40301 | rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives | dom-sanitizer | 4.7 | Medium | 2026-04-17 |
| CVE-2026-40286 | WeGIA has Cross-Site Scripting in Controle de Contribuição | WeGIA | 7.5 | High | 2026-04-17 |
| CVE-2026-40284 | WeGIA has stored XSS in listar_despachos.php | WeGIA | 6.8 | Medium | 2026-04-17 |
| CVE-2026-40282 | WeGIA has stored XSS in intercorrencia_visualizar.php | WeGIA | 5.4 (AI) | Medium (AI) | 2026-04-17 |
| CVE-2026-40283 | WeGIA has stored XSS in profile_paciente.php | WeGIA | 6.8 | Medium | 2026-04-17 |
| CVE-2026-6493 | lukevella rallly Reset Password reset-password-form.tsx cross site scripting | rallly | 3.5 | Low | 2026-04-17 |
| CVE-2026-6486 | classroombookings User Display Name layout.php read cross site scripting | classroombookings | 3.5 | Low | 2026-04-17 |
| CVE-2026-28263 | Dell PowerProtect Data Domain security vulnerability | PowerProtect Data Domain | 5.9 | Medium | 2026-04-17 |
| CVE-2026-6439 | VideoZen <= 1.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'VideoZen available subtitles languages' Field | VideoZen | 4.4 | Medium | 2026-04-17 |
| CVE-2026-5231 | WP Statistics <= 14.16.4 - Unauthenticated Stored Cross-Site Scripting via 'utm_source' Parameter | WP Statistics – Simple, privacy-friendly Google Analytics alternative | 7.2 | High | 2026-04-17 |
| CVE-2026-5162 | Royal Addons for Elementor <= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via Instagram Feed Widget | Royal Addons for Elementor – Addons and Templates Kit for Elementor | 6.4 | Medium | 2026-04-17 |
| CVE-2026-40262 | Note Mark has Stored XSS via Unrestricted Asset Upload | note-mark | 8.7 | High | 2026-04-16 |
| CVE-2026-40922 | SiYuan: Incomplete sanitization of bazaar README allows stored XSS via iframe srcdoc (incomplete fix for CVE-2026-33066) | siyuan | 5.4 (AI) | Medium (AI) | 2026-04-16 |
| CVE-2026-40322 | SiYuan: Mermaid `javascript:` Link Injection Leads to Stored XSS and Electron RCE | siyuan | 9.1 | Critical | 2026-04-16 |
| CVE-2026-2840 | Email Encoder – Protect Email Addresses and Phone Numbers <= 2.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via eeb_mailto Shortcode | Email Encoder – Protect Email Addresses and Phone Numbers | 6.4 | Medium | 2026-04-16 |
| CVE-2026-3369 | Better Find and Replace – AI-Powered Suggestions <= 1.7.9 - Authenticated (Author+) Stored Cross-Site Scripting via Uploaded Image Title | Better Find and Replace – AI-Powered Suggestions | 5.4 | Medium | 2026-04-16 |
| CVE-2025-6024 | Cross-Site Scripting via Authentication Endpoint in Multiple WSO2 Products Allows Redirection to Malicious Websites | WSO2 API Manager | 6.1 | Medium | 2026-04-16 |
| CVE-2024-10242 | Reflected Cross-Site Scripting via Authentication Endpoint in WSO2 API Manager Allows UI Modification and Redirection | WSO2 API Manager | 6.1 | Medium | 2026-04-16 |
| CVE-2024-4867 | Cross-Site Scripting via Developer Portal in WSO2 API Manager Enables UI Modification and Information Retrieval | WSO2 API Manager | 5.4 | Medium | 2026-04-16 |
| CVE-2026-3876 | Prismatic <= 3.7.3 - Unauthenticated Stored Cross-Site Scripting via 'prismatic_encoded' Pseudo-Shortcode | Prismatic | 7.2 | High | 2026-04-16 |
| CVE-2026-3355 | Customer Reviews for WooCommerce <= 5.101.0 - Reflected Cross-Site Scripting via 'crsearch' | Customer Reviews for WooCommerce | 6.1 | Medium | 2026-04-16 |
| CVE-2026-3875 | BetterDocs <= 4.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | BetterDocs – Knowledge Base Docs & FAQ Solution for Elementor & Block Editor | 6.4 | Medium | 2026-04-16 |
| CVE-2025-13364 | WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'put_wpgm' Shortcode | WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters | 6.4 | Medium | 2026-04-16 |
| CVE-2026-3995 | OPEN-BRAIN <= 0.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'API Key' Setting | OPEN-BRAIN | 4.4 | Medium | 2026-04-16 |
| CVE-2026-1572 | Livemesh Addons by Elementor <= 9.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via Plugin Settings | Livemesh Addons by Elementor | 6.4 | Medium | 2026-04-16 |
| CVE-2026-3551 | Custom New User Notification <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'User Mail Subject' Setting | Custom New User Notification | 4.4 | Medium | 2026-04-16 |

Entries marked (AI) carried an "AI" badge on the CVSS score and severity in the listing.

Vulnerabilities classified as CWE-79 (Improper Escaping of Input During Web Page Generation (Cross-Site Scripting)) account for 21489 CVEs. The CWE taxonomy describes the weakness class only; review the individual CVEs for product-specific impact.