CWE · MITRE source
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
There are many variants of cross-site scripting, characterized by a variety of terms or involving different attack topologies. However, they all indicate the same fundamental weakness: improper neutralization of dangerous input between the adversary and a victim.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (3)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SI-10 | Information Input Validation | SI | Allowlist validation of web inputs (expected type, length, character set) limits what reaches page generation. It is a supporting control only: input validation cannot know the output context, so it does not replace output encoding. |
| SI-15 | Information Output Filtering | SI | Encoding or sanitizing user-controlled data at the point it is written into the page, according to the HTML, attribute, JavaScript or URL context it lands in, is the primary mitigation for XSS. |
| CA-8 | Penetration Testing | CA | Penetration testing submits XSS payloads to web applications and confirms whether they execute in a victim's browser, detecting cross-site scripting flaws for subsequent remediation. |
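As an added illustration of the weakness described above and of the SI-15 (output filtering) row, the following Node.js example shows the same reflected-search template rendered with and without context-aware output encoding. It is example code written for this page, not code from MITRE, NIST or any product listed here; `escapeHtml`, `safeHref`, the `example.invalid` base origin and the payload strings are all hypothetical, constructed for the demonstration.

```javascript
// Added example (not from MITRE or this page): contextual output encoding for
// server-generated HTML, the primary mitigation for CWE-79. Every name below
// is hypothetical.

// Characters that change meaning in HTML text and quoted-attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a value for interpolation into HTML text or a double-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: the query parameter is reflected verbatim into the page.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the same template with the value encoded for the HTML text context.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Attribute context: the value must be both encoded AND enclosed in quotes;
// an unquoted attribute value can be broken out of with a single space.
function renderInputSafe(previousQuery) {
  return `<input name="q" value="${escapeHtml(previousQuery)}">`;
}

// URL context: HTML encoding cannot neutralize a javascript: URL, because the
// browser decodes the attribute before it interprets the scheme. Allowlist the
// scheme first, then encode the result for the attribute it is placed in.
function safeHref(userUrl) {
  let parsed;
  try {
    // Placeholder origin (assumption for the example) so relative paths resolve.
    parsed = new URL(String(userUrl), 'https://example.invalid/');
  } catch {
    return '#';
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return '#';
  }
  return escapeHtml(parsed.href);
}

function renderLinkSafe(userUrl, label) {
  return `<a href="${safeHref(userUrl)}">${escapeHtml(label)}</a>`;
}

// Constructed payloads, one per output context.
const PAYLOADS = {
  text: '<script>alert(document.cookie)</script>',
  attribute: '" autofocus onfocus="alert(1)',
  url: 'javascript:alert(1)',
};

// Render each payload through the vulnerable and hardened templates.
function demo() {
  return {
    vulnerableText: renderSearchVulnerable(PAYLOADS.text),
    safeText: renderSearchSafe(PAYLOADS.text),
    safeAttribute: renderInputSafe(PAYLOADS.attribute),
    safeLink: renderLinkSafe(PAYLOADS.url, 'click'),
    relativeLink: renderLinkSafe('/search?q=a&b', 'next'),
  };
}

console.log(demo());
```

The point of the three contexts is that one encoder does not fit all of them: `escapeHtml` is correct for text and quoted attributes, but a `javascript:` URL survives it unchanged, so the URL context needs a scheme allowlist before encoding. Data written into inline script or event handlers needs yet another encoder, which this example deliberately does not attempt.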
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | In CISA KEV | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|---|
| CVE-2019-3929 | yes | 9.6 | 9.8 | 0.9425 | 2019-04-30 |
| CVE-2024-42009 | yes | 9.3 | 9.3 | 0.9141 | 2024-08-05 |
| CVE-2023-34192 | yes | 9.1 | 9.0 | 0.8899 | 2023-07-06 |
| CVE-2022-27926 | yes | 8.9 | 6.1 | 0.9413 | 2022-04-21 |
| CVE-2023-37580 | yes | 8.9 | 6.1 | 0.9392 | 2023-07-31 |
| CVE-2020-3580 | yes | 8.8 | 6.1 | 0.9324 | 2020-10-21 |
| CVE-2019-9978 | yes | 8.5 | 6.1 | 0.8833 | 2019-03-24 |
| CVE-2023-5631 | yes | 8.3 | 6.1 | 0.8443 | 2023-10-18 |
| CVE-2018-6882 | yes | 8.0 | 6.1 | 0.7952 | 2018-03-27 |
| CVE-2023-43770 | yes | 8.0 | 6.1 | 0.8039 | 2023-09-22 |
| CVE-2020-13965 | yes | 7.5 | 6.1 | 0.7182 | 2020-06-09 |
| CVE-2014-2120 | yes | 7.4 | 6.1 | 0.6984 | 2014-03-19 |
| CVE-2019-18426 | yes | 7.3 | 8.2 | 0.6100 | 2020-01-21 |
| CVE-2023-4220 | no | 7.2 | 8.1 | 0.9324 | 2023-11-28 |
| CVE-2023-49785 | no | 7.2 | 9.1 | 0.9044 | 2024-03-12 |
| CVE-2020-35730 | yes | 7.1 | 6.1 | 0.6481 | 2020-12-28 |
| CVE-2024-37383 | yes | 7.1 | 6.1 | 0.6403 | 2024-06-07 |
| CVE-2024-28741 | no | 7.0 | 8.8 | 0.8799 | 2024-04-06 |
| CVE-2020-5398 | no | 6.9 | 7.5 | 0.9018 | 2020-01-17 |
| CVE-2020-11023 | yes | 6.9 | 6.9 | 0.5821 | 2020-04-29 |
| CVE-2021-31761 | no | 6.9 | 9.6 | 0.8232 | 2021-04-25 |
| CVE-2019-10475 | no | 6.8 | 6.1 | 0.9244 | 2019-10-23 |
| CVE-2020-2096 | no | 6.8 | 6.1 | 0.9267 | 2020-01-15 |
| CVE-2020-9496 | no | 6.8 | 6.1 | 0.9376 | 2020-07-15 |
| CVE-2023-2442 | no | 6.8 | 8.7 | 0.8436 | 2023-06-07 |