CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableExploit Likelihood: High

🏆 #1 in CWE Top 25 20241

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Extended Description

There are many variants of cross-site scripting, characterized by a variety of terms or involving different attack topologies. However, they all indicate the same fundamental weakness: improper neutralization of dangerous input between the adversary and a victim.

Technical Details

Structure: Simple

Applicable To

Languages

Not Language-Specific

Platforms

🏆 CWE Top 25 Historical Ranking

2023:#2

Score: 45.54

4,278 CVEs

2024:#1↑1

Score: 45.54

4,442 CVEs

Trend:Worsening (moved down 1 ranks)

Additional Resources

Official CWE-79 page on MITRE
CWE Top 25 Most Dangerous Software Weaknesses (2024)
Browse CVEs related to CWE-79 in our CVE Lookup Tool