CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)) describes a weakness type used in various vulnerability databases and assessments. See the sections below for the definition, background, and corresponding CVEs.
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
| Type | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
| technology | — | Web Based | Often | — |
| technology | Web Server | — | Undetermined | — |
These CVEs are mapped to this weakness in this database and are retained for tracking and search purposes.
| CVE | Published | Summary |
|---|---|---|
| CVE-2026-9646 | 2026-05-28 | A reflected cross-site scripting issue exists in URL handling. |
| CVE-2026-44839 | 2026-05-27 | RabbitMQ is a messaging and streaming broker. From 3.7.0 to before 4.1.2 and 4.0.13, This vulnerability is fixed in 4.1.2 and 4.0.13. |
| CVE-2026-39642 | 2026-05-26 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in SpabRice Nyla allows Code Injection. This issue affects Nyla: from n/a through 1.7. |
| CVE-2025-71310 | 2026-05-26 | The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional 'Info conten… |
| CVE-2026-34246 | 2026-05-19 | CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability in the admin role management interface. In ap… |
| CVE-2026-45346 | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.31, there is a Cross-Site Scripting vulnerability in Open WebUI SVG renderer implementat… |
| CVE-2025-15345 | 2026-05-14 | The MapGeo – Interactive Geo Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'map' parameter in the display-map shortcode in all versions up to, and including, 1.6.27… |
| CVE-2026-44369 | 2026-05-13 | CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add mal… |
| CVE-2026-44259 | 2026-05-12 | efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the previewServlet serves files with their detected MIME type based on file extension, without any content sanitization or security header… |
| CVE-2026-41611 | 2026-05-12 | Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally. |
| CVE-2026-43939 | 2026-05-12 | YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the thread posting and reply feature accepts user-supplied content via a post or reply that is stored server-side and … |
| CVE-2026-43938 | 2026-05-12 | YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the application's database logger (YAFNET.Core/Logger/DbLogger.cs) captures the incoming request's User-Agent header int… |
| CVE-2021-47948 | 2026-05-10 | WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers … |
| CVE-2026-42451 | 2026-05-08 | Grimmory is a self-hosted digital library. Prior to version 2.3.1, a stored cross-site scripting (XSS) vulnerability in Grimmory's browser-based EPUB reader allows an attacker to embed arbitrary JavaS… |
| CVE-2026-42030 | 2026-05-08 | MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to… |
| CVE-2026-41575 | 2026-05-08 | In th30d4y/IP from version 1.0.1 to before version 2.0.1, a DOM-Based Cross-Site Scripting (XSS) vulnerability was identified in an IP Reputation Checker application. Unsanitized user input was direct… |
| CVE-2026-44264 | 2026-05-07 | Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has … |
| CVE-2026-6002 | 2026-05-07 | Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross-Site Scripting (XSS). This issue affect… |
| CVE-2025-59854 | 2026-05-06 | HCL DFXAnalytics is affected by an Insecure Security Header Configuration vulnerability where the application utilizes the outdated X-XSS-Protection header, which could allow an attacker to exploit br… |
| CVE-2026-40875 | 2026-04-21 | mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" (login history) renders the client IP fro… |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-07-01 | Sean Eidemiller | 1.0 | — | added/updated demonstrative examples |
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Time_of_Introduction |
| 2008-08-01 | — | 1.0 | — | added/updated white box definitions |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities |
| 2008-10-14 | CWE Content Team | 1.0.1 | — | updated Description |
| 2009-05-27 | CWE Content Team | 1.4 | — | updated Demonstrative_Examples, Description, Name |
| 2009-07-17 | KDM Analytics | 1.5 | — | Improved the White_Box_Definition |
| 2009-07-27 | CWE Content Team | 1.5 | — | updated White_Box_Definitions |
| 2010-06-21 | CWE Content Team | 1.9 | — | updated Demonstrative_Examples, Description, Name, Potential_Mitigations |
| 2011-03-29 | CWE Content Team | 1.12 | — | updated Description, Potential_Mitigations |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Related_Attack_Patterns, Relationships |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships, Taxonomy_Mappings |
| 2017-05-03 | CWE Content Team | 2.11 | — | updated Potential_Mitigations, Related_Attack_Patterns |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Relationships, White_Box_Definitions |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Relationships |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Potential_Mitigations |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Detection_Factors, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2025-09-09 | CWE Content Team | 4.18 | — | updated Common_Consequences, Description, Diagram, Other_Notes |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, Relationships |