Home/CWE/Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Weakness

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79 · Base · Stable

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Extended description

There are many variants of cross-site scripting, characterized by a variety of terms or involving different attack topologies. However, they all indicate the same fundamental weakness: improper neutralization of dangerous input between the adversary and a victim.

Weakness Relationships

Where this weakness sits in the CWE hierarchy. Walk up to broader classes or down to more specific variants.
Parent of this (broader)
ChildOfCWE-74 · Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Children (more specific)
ParentOfCWE-80 · Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
ParentOfCWE-81 · Improper Neutralization of Script in an Error Message Web Page
ParentOfCWE-83 · Improper Neutralization of Script in Attributes in a Web Page
ParentOfCWE-84 · Improper Neutralization of Encoded URI Schemes in a Web Page
ParentOfCWE-85 · Doubled Character XSS Manipulations
ParentOfCWE-86 · Improper Neutralization of Invalid Characters in Identifiers in Web Pages
ParentOfCWE-87 · Improper Neutralization of Alternate XSS Syntax
Related
PeerOfCWE-352 · Cross-Site Request Forgery (CSRF)
CanPrecedeCWE-494 · Download of Code Without Integrity Check

Attack Patterns (CAPEC)

6
How adversaries exploit this weakness, per MITRE CAPEC.
CAPEC-209XSS Using MIME Type Mismatch
CAPEC-588DOM-Based XSS
CAPEC-591Reflected XSS
CAPEC-592Stored XSS
CAPEC-63Cross-Site Scripting (XSS)
CAPEC-85AJAX Footprinting

CVEs With This Weakness

50,635
A sample of the 50,635 CVEs tagged with this weakness.
CVECVE-2026-8656
CVECVE-2026-8656
CVECVE-2026-8391
CVECVE-2026-8262
CVECVE-2026-8256
CVECVE-2026-8255
CVECVE-2026-8254
CVECVE-2026-8253
CVECVE-2026-8221
CVECVE-2026-8220
CVECVE-2026-8219
CVECVE-2026-8218

Nuclei Scanner Templates

30
Open-source Nuclei templates that detect this weakness class - an actionable scan-for-it pivot. Licensed under the ProjectDiscovery / Nuclei terms.
criticalshadoweb wdja v1.5.1 - Cross-Site Scripting
criticalErxes <0.23.0 - Cross-Site Scripting
criticalOPNsense - Cross-Site Scripting to RCE
criticalZimbra Collaboration Suite (ZCS) v.8.8.15 - Cross-Site Scripting
criticalSidekiq < 7.0.8 - Cross-Site Scripting
criticalChatGPT-Next-Web - SSRF/XSS
criticalRoundcube Webmail - Cross-Site Scripting
criticalBarco/AWIND OEM Presentation Platform - Remote Command Injection
highDOM Invader - Cross-Site Scripting
highwindow.name - DOM Cross-Site Scripting
highHTTP API DOM - XSS on JSONP callback
highFronsetiav1.1 - Cross-Site Scripting
highTop 38 Parameters - Cross-Site Scripting
highLaravel Ignition - Cross-Site Scripting
highueditor - Cross Site Scripting
highDiscourse - Cross-Site Scripting
highSiteMinder - DOM Cross-Site Scripting
highTiki Wiki CMS Groupware 5.2 - Cross-Site Scripting
highParallels H-Sphere - Cross-Site Scripting
highCKAN - DOM Cross-Site Scripting
highThruk Monitoring Webinterface - Cross-Site Scripting
highReddit Top RSS - Cross-Site Scripting
highBlackboard - Cross-Site Scripting
highZZCMS - Cross-Site Scripting
highAdobe ColdFusion - Cross-Site Scripting
highYesWiki - Stored Cross-Site Scripting
highChamilo LMS 1.11.14 Cross-Site Scripting
highTurboCRM - Cross-Site Scripting
highPHP Timeclock <=1.04 - Cross-Site Scripting
highKafDrop - Cross-Site Scripting
External lookups - second-class, for what we don’t hold ourselves
MITRE CWE
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin