
CWE-80 (Improper Escaping of Script-Related HTML Tags in a Web Page (Basic Cross-Site Scripting)) — Vulnerability Class 403

403 vulnerabilities are classified as CWE-80 (Improper Escaping of Script-Related HTML Tags in a Web Page (Basic Cross-Site Scripting)). AI-generated analysis in Chinese is included.

CWE-80 represents a critical input validation weakness where applications fail to properly sanitize user-supplied data before rendering it in web pages. This flaw allows attackers to inject malicious scripts, typically JavaScript, into the HTML content viewed by other users. Exploitation usually occurs when an attacker crafts a malicious URL or form input containing script tags, which the vulnerable application echoes into a page unfiltered, so that the victim's browser executes the script. This can lead to severe consequences such as session hijacking, credential theft, or defacement. To mitigate this risk, developers must implement robust output encoding, ensuring that special characters such as angle brackets and ampersands are converted into their safe HTML entity equivalents at the point where the data is written into the page. Additionally, employing Content Security Policy headers and using modern frameworks with built-in escaping mechanisms further reduces the attack surface by preventing the execution of unauthorized scripts.

MITRE CWE Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability. Impact: Read Application Data, Execute Unauthorized Code or Commands.
An attacker could insert special characters that are processed client-side in the context of the user's session.
Mitigations (4)
Phase: Implementation. Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities i…
Phase: Implementation. Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Phase: Implementation. With Struts, write all data from form beans with the bean's filter attribute set to true.
Phase: Implementation. To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is n…
Effectiveness: Defense in Depth
Examples (1)
In the following example, a guestbook comment isn't properly encoded, filtered, or otherwise neutralized for script-related tags before being displayed in a client browser.
Bad (JSP):
<% for (Iterator i = guestbook.iterator(); i.hasNext(); ) {
     Entry e = (Entry) i.next(); %>
  <p>Entry #<%= e.getId() %></p>
  <p><%= e.getText() %></p>
<% } %>
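As an added illustration (not code from this page, from MITRE, or from any of the listed products), the Python script below rebuilds the guestbook example in a form that can be run: one renderer concatenates comment text into the page exactly as the JSP "Bad" example does, the other encodes the text for an HTML text context first. It also carries the allowlist check from the first mitigation and the HttpOnly session cookie from the fourth. The guestbook entries, the author-name format, the cookie name SESSIONID and the tag list in the regression check are all constructed for the example.

```python
import re

# Constructed sample guestbook (not data from the page). Entry 2 carries the
# kind of script markup the CWE description warns about; entry 3 contains
# characters that need entity encoding but is otherwise harmless.
GUESTBOOK = [
    {"id": 1, "text": "Nice site!"},
    {"id": 2, "text": "<script>alert(1)</script>"},
    {"id": 3, "text": 'Tom & Jerry say "hi" <3'},
]

# Entity map for an HTML text or attribute context. '&' comes first so that
# later replacements never produce a new bare ampersand.
_HTML_ENTITIES = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#x27;"),
]


def encode_for_html_text(value: str) -> str:
    """Convert every character the browser could read as markup into an entity."""
    for raw, entity in _HTML_ENTITIES:
        value = value.replace(raw, entity)
    return value


def render_unsafe(entries) -> str:
    """Same shape as the JSP 'Bad' example: getText() goes straight into the page."""
    return "".join(f"<p>Entry #{e['id']}</p><p>{e['text']}</p>" for e in entries)


def render_safe(entries) -> str:
    """Fixed rendering: every untrusted value is encoded at the output point."""
    return "".join(
        f"<p>Entry #{e['id']}</p><p>{encode_for_html_text(e['text'])}</p>"
        for e in entries
    )


# Allowlist check for a parameter with a known format (mitigation 1). The
# author-name format is a hypothetical choice for this example.
_NAME_ALLOWLIST = re.compile(r"^[A-Za-z0-9 ._-]{1,40}$")


def is_allowed_name(name: str) -> bool:
    """True only if the name matches the positive specification exactly."""
    return _NAME_ALLOWLIST.fullmatch(name) is not None


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line with HttpOnly (mitigation 4) plus Secure and SameSite.
    The cookie name SESSIONID is a placeholder for the example."""
    return f"Set-Cookie: SESSIONID={session_id}; HttpOnly; Secure; SameSite=Lax"


# Regression check run over rendered output: a page built from comments must
# never contain a live script-capable tag that originated in comment text.
_ACTIVE_TAG = re.compile(r"<\s*(script|img|svg|iframe|object|embed)\b", re.I)


def contains_active_markup(rendered_html: str) -> bool:
    return _ACTIVE_TAG.search(rendered_html) is not None


if __name__ == "__main__":
    unsafe = render_unsafe(GUESTBOOK)
    safe = render_safe(GUESTBOOK)
    print("unsafe page:", unsafe)
    print("safe page:  ", safe)
    print("unsafe contains active markup:", contains_active_markup(unsafe))
    print("safe contains active markup:  ", contains_active_markup(safe))
    print(session_cookie_header("example-session-id"))
```

Encoding happens in the renderer rather than when the comment is stored, because the same stored text may later be written into a different context (a JSON body, an attribute, a feed) that needs a different encoding; the allowlist check is the right place for fields whose format is known in advance, and the cookie flag limits what a script can reach if encoding is ever missed.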
CVE ID | Title | Product | CVSS | Severity | Published
------ | ----- | ------- | ---- | -------- | ---------
CVE-2025-52564 | Chamilo: HTML injection via open parameter | chamilo-lms | 6.1 (AI) | Medium (AI) | 2026-03-02
CVE-2026-28132 | WordPress WooCommerce Photo Reviews plugin <= 1.4.4 - Content Injection vulnerability | WooCommerce Photo Reviews | 5.3 | Medium | 2026-02-26
CVE-2026-27578 | n8n Vulnerable to Stored XSS via Various Nodes | n8n | 5.4 (AI) | Medium (AI) | 2026-02-25
CVE-2026-27458 | LinkAce: Stored XSS in Atom Feed via CDATA Escape in List Description | LinkAce | 5.4 (AI) | Medium (AI) | 2026-02-21
CVE-2026-25006 | WordPress XStore theme <= 9.6.4 - Arbitrary Shortcode Execution vulnerability | XStore | 5.3 | Medium | 2026-02-19
CVE-2026-22422 | WordPress Everest Forms plugin <= 3.4.1 - Arbitrary Shortcode Execution vulnerability | Everest Forms | 5.3 | Medium | 2026-02-19
CVE-2025-14289 | IBM webMethods Integration Server is vulnerable to HTML injection | webMethods Integration Server | 5.4 | Medium | 2026-02-17
CVE-2026-25935 | Vikunja Affected by XSS Via Task Preview | vikunja | 5.4 (AI) | Medium (AI) | 2026-02-11
CVE-2026-1282 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab | GitLab | 3.5 | Low | 2026-02-11
CVE-2025-12803 | Bold Builder <= 5.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_tabs Shortcode | Bold Page Builder | 6.4 | Medium | 2026-02-07
CVE-2026-25764 | OpenProject vulnerable to Stored HTML injection | openproject | 3.5 | Low | 2026-02-06
CVE-2026-25578 | Navidrome is vulnerable to XSS via comment from song metadata | navidrome | 6.1 | Medium | 2026-02-04
CVE-2026-25054 | n8n is Vulnerable to Stored Cross-Site Scripting via Markdown Rendering in Workflow UI | n8n | 5.4 (AI) | Medium (AI) | 2026-02-04
CVE-2026-24564 | WordPress Textmetrics plugin <= 3.6.5 - Content Injection vulnerability | Textmetrics | 4.3 | Medium | 2026-01-23
CVE-2026-22469 | WordPress DeepDigital theme <= 1.0.2 - Arbitrary Shortcode Execution vulnerability | DeepDigital | 5.3 | Medium | 2026-01-22
CVE-2025-47600 | WordPress WoodMart theme <= 8.3.7 - Arbitrary Shortcode Execution vulnerability | WoodMart | 5.3 | Medium | 2026-01-22
CVE-2025-36397 | Security vulnerabilities have been found in IBM Application Gateway | Application Gateway | 5.4 | Medium | 2026-01-20
CVE-2026-1154 | SourceCodester E-Learning System Lesson index.php cross site scripting | E-Learning System | 4.3 | Medium | 2026-01-19
CVE-2026-23528 | Dask distributed Vulnerable to Remote Code Execution via Jupyter Proxy and Dashboard | distributed | 9.6 | - | 2026-01-16
CVE-2026-20047 | Cisco Identity Services Engine Cross-Site Scripting Vulnerability | Cisco Identity Services Engine Software | 4.8 | Medium | 2026-01-15
CVE-2025-69169 | WordPress Easy Media Download plugin <= 1.1.11 - CSS Injection vulnerability | Easy Media Download | 5.4 | Medium | 2026-01-08
CVE-2025-15058 | Responsive Pricing Table <= 5.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'table_currency' | Responsive Pricing Table | 6.4 | Medium | 2026-01-07
CVE-2025-14792 | Key Figures <= 1.1 - Authenticated (Admin+) Stored Cross-Site Scripting via kf_field_figure_default_color_render | Key Figures | 4.4 | Medium | 2026-01-07
CVE-2025-14835 | WP Photo Album Plus <= 9.1.05.008 - Reflected Cross-Site Scripting | WP Photo Album Plus | 7.1 | High | 2026-01-07
CVE-2025-36230 | XSS in IBM Aspera Faspex | Aspera Faspex 5 | 5.4 | Medium | 2025-12-26
CVE-2025-14735 | Amazon affiliate lite Plugin <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting | Amazon affiliate lite Plugin | 4.4 | Medium | 2025-12-20
CVE-2025-64225 | WordPress Stockie Extra plugin <= 1.2.11 - Content Injection vulnerability | Stockie Extra | 6.5 | Medium | 2025-12-18
CVE-2025-64633 | WordPress Norebro Extra plugin <= 1.6.8 - Content Injection vulnerability | Norebro Extra | 5.3 | Medium | 2025-12-16
CVE-2025-66450 | LibreChat JSON Injection in Chat POST Allows Remote Resource Inclusion and PXSS via Image Upload | LibreChat | 6.3 (AI) | Medium (AI) | 2025-12-11
CVE-2025-63068 | WordPress Contact Form 7 Dynamic Text Extension plugin <= 5.0.5 - Content Injection vulnerability | Contact Form 7 – Dynamic Text Extension | 5.3 | Medium | 2025-12-09

"(AI)" reproduces the AI flag the original listing attaches to that score or severity; "-" means the listing gave no severity.

Vulnerabilities classified as CWE-80 (Improper Escaping of Script-Related HTML Tags in a Web Page (Basic Cross-Site Scripting)) account for 403 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.