Home/CWE/Improper Neutralization of Script in Attributes in a Web Page
Weakness

Improper Neutralization of Script in Attributes in a Web Page

CWE-83 · Variant · Draft

The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

Weakness Relationships

Where this weakness sits in the CWE hierarchy. Walk up to broader classes or down to more specific variants.
Parent of this (broader)
ChildOfCWE-79 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Children (more specific)
ParentOfCWE-82 · Improper Neutralization of Script in Attributes of IMG Tags in a Web Page

Attack Patterns (CAPEC)

3
How adversaries exploit this weakness, per MITRE CAPEC.
CAPEC-243XSS Targeting HTML Attributes
CAPEC-244XSS Targeting URI Placeholders
CAPEC-588DOM-Based XSS

CVEs With This Weakness

17
A sample of the 17 CVEs tagged with this weakness.
CVECVE-2026-23516
CVECVE-2026-22849
CVECVE-2025-67163
CVECVE-2025-58746
CVECVE-2025-4615
CVECVE-2025-27145
CVECVE-2025-11682
CVECVE-2025-0137
CVECVE-2025-0125
CVECVE-2024-9103
CVECVE-2024-52595
CVECVE-2024-26283

Nuclei Scanner Templates

25
Open-source Nuclei templates that detect this weakness class - an actionable scan-for-it pivot. Licensed under the ProjectDiscovery / Nuclei terms.
highFronsetiav1.1 - Cross-Site Scripting
highLaravel Ignition - Cross-Site Scripting
highAdobe ColdFusion - Cross-Site Scripting
highChamilo LMS 1.11.14 Cross-Site Scripting
highKafDrop - Cross-Site Scripting
highLucee - Cross-Site Scripting
highLeantime < 3.3 = Cross-Site Scripting
highOpen Akamai ARL - Cross-Site Scripting
highAdobe Experience Manager - Cross-Site Scripting
mediumSquirrelMail Virtual Keyboard <=0.9.1 - Cross-Site Scripting
mediumJoomla JVTwitter - Cross-Site Scripting
mediumJoomla MarvikShop ShoppingCart 3.4 - Cross-Site Scripting
mediumJoomla Solidres 2.13.3 - Cross-Site Scripting
mediumZzzcms 1.75 - Cross-Site Scripting
mediumKhodrochi CMS - Cross Site Scripting
mediumMingsoft MCMS < 5.3.1 - Cross-Site Scripting
mediumJoomla jMarket 5.15 - Cross-Site Scripting
mediumWordPress Core 5.6 and 6.3.1 - Cross-Site Scripting
mediumWordPress Members List <4.3.7 - Cross-Site Scripting
mediumWordPress Flow-Flow Social Stream <=3.0.71 - Cross-Site Scripting
mediumGallery Photoblocks < 1.1.41 - Cross-Site Scripting
mediumZendFramework 1.12.2 - Cross-Site Scripting
mediumMAMP Server - Cross-Site Scripting
mediumGnuboard CMS - Cross-Site Scripting
mediumOracle E-Business Suite - Cross-Site Scripting
External lookups - second-class, for what we don’t hold ourselves
MITRE CWE
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin