Explore CVEs related to XSS vulnerabilities, filtered by published year. This list is sorted by most recent disclosures first and supports filtering by CVSS and EPSS risk scores.
Includes the most recent vulnerability disclosures and trends, helping security teams quickly identify high-risk issues and exploitation likelihood.
You're viewing XSS CVEs published in 2019.
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2015-5593 | The sanitize_string function in Zenphoto before 1.4.9 does not properly sanitize HTML tags, which allows remote attackers to perform a cross-site scripting (XSS) attack by wrapping a payload in "<<script></script>script>payload<script></script></script>", or in an image tag, with the payload as the onerror event. | 6.1 | 1.06% | 2019-12-31 | 2026-06-16 |
| CVE-2015-5592 | Incomplete blacklist in sanitize_string in Zenphoto before 1.4.9 allows remote attackers to conduct cross-site scripting (XSS) attacks. | 6.1 | 1.29% | 2019-12-31 | 2026-06-16 |
| CVE-2013-7071 | Cross-site scripting (XSS) vulnerability in the handle_request function in lib/HTTPServer.pm in Monitorix before 3.4.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. | 6.1 | 1.11% | 2019-12-31 | 2026-06-16 |
| CVE-2019-10227 | openITCOCKPIT before 3.7.1 has reflected XSS in the 404-not-found component. | 6.1 | 1.23% | 2019-12-31 | 2026-06-16 |
| CVE-2019-9556 | FiberHome an5506-04-f RP2669 devices have XSS. | 5.4 | 1.12% | 2019-12-31 | 2026-06-16 |
| CVE-2019-9554 | In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the header insertion field when adding source code at an s/admin/entries/news/new URI. | 6.1 | 2.59% | 2019-12-31 | 2026-06-16 |
| CVE-2019-9553 | Bolt 3.6.4 has XSS via the slug, teaser, or title parameter to editcontent/pages, a related issue to CVE-2017-11128 and CVE-2018-19933. | 6.1 | 1.75% | 2019-12-31 | 2026-06-16 |
| CVE-2019-9207 | PRTG Network Monitor v7.1.3.3378 allows XSS via the /search.htm searchtext parameter. NOTE: This product is discontinued. | 6.1 | 1.18% | 2019-12-31 | 2026-06-16 |
| CVE-2019-9206 | PRTG Network Monitor v7.1.3.3378 allows XSS via the /public/login.htm errormsg or loginurl parameter. NOTE: This product is discontinued. | 6.1 | 1.17% | 2019-12-31 | 2026-06-16 |
| CVE-2018-14476 | GeniXCMS 1.1.5 has XSS via the dbuser or dbhost parameter during step 1 of installation. | 6.1 | 0.87% | 2019-12-31 | 2026-06-16 |
| CVE-2019-12186 | An issue was discovered in Sylius products. Missing input sanitization in sylius/sylius 1.0.x through 1.0.18, 1.1.x through 1.1.17, 1.2.x through 1.2.16, 1.3.x through 1.3.11, and 1.4.x through 1.4.3 and sylius/grid 1.0.x through 1.0.18, 1.1.x through 1.1.18, 1.2.x through 1.2.17, 1.3.x through 1.3.12, 1.4.x through 1.4.4, and 1.5.0 allows an attacker (an admin in the sylius/sylius case) to perform XSS by injecting malicious code into a field displayed in a grid with the "string" field type. The | 4.8 | 0.55% | 2019-12-31 | 2026-06-16 |
| CVE-2018-20496 | An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS. | 5.4 | 0.60% | 2019-12-30 | 2026-06-16 |
| CVE-2018-20491 | An issue was discovered in GitLab Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS. | 5.4 | 0.56% | 2019-12-30 | 2026-06-16 |
| CVE-2018-20490 | An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS. | 5.4 | 0.60% | 2019-12-30 | 2026-06-16 |
| CVE-2018-7859 | A security vulnerability in D-Link DGS-1510-series switches with firmware 1.20.011, 1.30.007, 1.31.B003 and older may allow a remote attacker to inject malicious scripts into the device and execute commands via the browser that is configuring the unit. | 6.1 | 1.46% | 2019-12-30 | 2026-06-16 |
| CVE-2019-20141 | An XSS issue was discovered in the Laborator Neon theme 2.0 for WordPress via the data/autosuggest-remote.php q parameter. | 6.1 | 4.34% | 2019-12-30 | 2026-06-16 |
| CVE-2019-19738 | log_file_viewer.php in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize or encode the output from the lFile parameter on the page, which would allow an attacker to input HTML or execute scripts on the site, aka XSS. | 6.1 | 0.71% | 2019-12-30 | 2026-06-16 |
| CVE-2019-19733 | _get_all_file_server_paths.ajax.php (aka get_all_file_server_paths.ajax.php) in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize or encode the output from the fileIds parameter on the page, which would allow an attacker to input HTML or execute scripts on the site, aka XSS. | 6.1 | 0.71% | 2019-12-30 | 2026-06-16 |
| CVE-2019-4623 | IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168924. | 5.4 | 0.67% | 2019-12-30 | 2026-06-16 |
| CVE-2019-20139 | In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. Any authenticated user can attack the admin user. | 5.4 | 26.11% | 2019-12-30 | 2026-06-16 |