CWE-793 advisories

Cross-site Scripting (XSS)

What it is

Untrusted input is reflected into a web page without escaping, so an attacker's script runs in the victim's browser.

How to fix it

Upgrade to a patched version, then context-escape all output and set a strict Content-Security-Policy.

How to avoid it

Never build HTML by string concatenation; use a framework that auto-escapes and treat all user input as untrusted.
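The "context-escape all output" and "strict Content-Security-Policy" advice above, shown as an added example that is not Stateward's own code: a dependency-free Node.js render function that escapes one reflected value separately for the HTML text, attribute and inline-script contexts, plus the CSP header that pairs with it. The page layout, function names and the nonce value are constructed for illustration; a real server would generate a fresh random nonce per response.

```javascript
// Added example (not Stateward's code): context-aware output escaping for a
// reflected query value, and a strict nonce-based CSP. Node.js, no dependencies.

// Escape for HTML text nodes and quoted attribute values.
// Every character that can open a tag, entity or close a quoted attribute is
// replaced with an entity, so the value can only ever render as text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
  })[c]);
}

// Escape for a JavaScript string literal inside an inline <script>.
// JSON.stringify quotes and escapes control characters; '<' is additionally
// written as \u003c so the literal can never contain '</script' or '<!--',
// which the HTML parser would otherwise act on before JavaScript ever runs.
function escapeJs(s) {
  return JSON.stringify(String(s)).replace(/</g, '\\u003c');
}

// Strict CSP: only scripts carrying this response's nonce may run, no
// plugins, no <base> hijacking, no framing by any origin.
function cspHeader(nonce) {
  return [
    "default-src 'self'",
    `script-src 'nonce-${nonce}' 'strict-dynamic'`,
    "object-src 'none'",
    "base-uri 'none'",
    "frame-ancestors 'none'",
  ].join('; ');
}

// Render a search page. The same untrusted value lands in three contexts
// (text node, attribute, script literal), each passed through its own escaper.
function renderSearchPage(query, nonce) {
  const q = escapeHtml(query);
  return `<!doctype html><html><body>
<h1>Results for ${q}</h1>
<input type="search" name="q" value="${q}">
<script nonce="${nonce}">const lastQuery = ${escapeJs(query)};</script>
</body></html>`;
}

// Constructed demo input; a real handler reads it from the request.
const demoNonce = 'demo-nonce-1'; // placeholder, not a real random nonce
console.log(cspHeader(demoNonce));
console.log(renderSearchPage('<b>hello</b>', demoNonce));
```

Send `cspHeader(nonce)` as the `Content-Security-Policy` response header alongside the rendered body; the same nonce must appear in both.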

Known Cross-site Scripting (XSS) vulnerabilities

Stateward flags Cross-site Scripting (XSS) in your own code and dependencies on every pull request.


Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.