CWE-87 · Improper Neutralization of Alternate XSS Syntax
50 CVEs classified under CWE-87 (Improper Neutralization of Alternate XSS Syntax).
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-35161 | Critical | 9.7 | 2023-06-23 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing… |
| CVE-2023-35160 | Critical | 9.7 | 2023-06-23 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing… |
| CVE-2023-35159 | Critical | 9.7 | 2023-06-23 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing… |
| CVE-2023-35158 | Critical | 9.7 | 2023-06-23 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing… |
| CVE-2023-35156 | Critical | 9.7 | 2023-06-23 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing… |
| CVE-2026-42235 | Critical | 9.6 | 2026-05-04 | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP… |
| CVE-2026-33510 | High | 8.8 | 2026-04-06 | Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The… |
| CVE-2026-33506 | High | 8.8 | 2026-03-26 | Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based… |
| CVE-2025-49137 | High | 8.5 | 2025-06-09 | HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user in… |
| CVE-2026-40321 | High | 8.1 | 2026-04-17 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a sp… |
| CVE-2026-35534 | High | 7.6 | 2026-04-07 | ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use… |
| CVE-2025-55291 | High | 7.1 | 2025-08-18 | Shaarli is a minimalist bookmark manager and link sharing service. Prior to 0.15.0, the input string in the cloud tag page is not properly sanitized. This allo… |
| CVE-2025-62415 | Medium | 6.9 | 2025-10-16 | Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (… |
| CVE-2025-62418 | Medium | 6.9 | 2025-10-16 | Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (… |
| CVE-2025-62414 | Medium | 6.9 | 2025-10-16 | Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to Cross-Site Scr… |
| CVE-2025-14732 | Medium | 6.4 | 2026-04-08 | The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters i… |
| CVE-2025-8561 | Medium | 6.4 | 2025-10-15 | The Ova Advent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.1.7 due to… |
| CVE-2024-8505 | Medium | 6.4 | 2024-10-02 | The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_label’ parameter in all versio… |
| CVE-2024-4459 | Medium | 6.4 | 2024-06-06 | The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget's titles in all versions up to, a… |
| CVE-2024-2618 | Medium | 6.4 | 2024-05-24 | The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the size attribute in all versions up to, and inclu… |