Home/CWE/Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
Weakness

Improper Neutralization of Script in Attributes of IMG Tags in a Web Page

CWE-82 · Variant · Incomplete

The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.

Extended description

Attackers can embed XSS exploits into the values for IMG attributes (e.g. SRC) that is streamed and then executed in a victim's browser. Note that when the page is loaded into a user's browsers, the exploit will automatically execute.

Weakness Relationships

Where this weakness sits in the CWE hierarchy. Walk up to broader classes or down to more specific variants.
Parent of this (broader)
ChildOfCWE-83 · Improper Neutralization of Script in Attributes in a Web Page

CVEs With This Weakness

7
CVEs tagged with this weakness.
CVECVE-2025-53194
CVECVE-2024-52434
CVECVE-2024-52427
CVECVE-2024-52393
CVECVE-2024-49271
CVECVE-2024-48042
CVECVE-2023-30963
External lookups - second-class, for what we don’t hold ourselves
MITRE CWE
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin