CVEbaza.plCWE DictionaryCWE-82
Common Weakness Enumeration

CWE-82

Improper Neutralization of Script in Attributes of IMG Tags in a Web Page

Category: VariantCVE: 7
Description

The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.

Extended Description

Attackers can embed XSS exploits into the values for IMG attributes (e.g. SRC) that is streamed and then executed in a victim's browser. Note that when the page is loaded into a user's browsers, the exploit will automatically execute.

CVE vulnerabilities with CWE-82 (7)
9.9
CVSS
CRITICAL
CVE-2024-52427

Deserialization of Untrusted Data vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Server Side Include (SSI) Injection.This issue affects Event Tickets with Ticket Scanner: from n/a through <= 2.3.11.

pub. 2024-11-18
9.1
CVSS
CRITICAL
CVE-2024-52434

Deserialization of Untrusted Data vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Command Injection.This issue affects Popup by Supsystic: from n/a through <= 1.10.29.

pub. 2024-11-18
9.1
CVSS
CRITICAL
CVE-2024-52393

Deserialization of Untrusted Data vulnerability in Eric Teubert Podlove Podcast Publisher podlove-podcasting-plugin-for-wordpress.This issue affects Podlove Podcast Publisher: from n/a through <= 4.1.15.

pub. 2024-11-14
9.1
CVSS
CRITICAL
CVE-2024-48042

Deserialization of Untrusted Data vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Command Injection.This issue affects Contact Form by Supsystic: from n/a through <= 1.7.28.

pub. 2024-10-16
9.1
CVSS
CRITICAL
CVE-2024-49271

Deserialization of Untrusted Data vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) unlimited-elements-for-elementor allows Command Injection.This issue affects Unlimited Elements For Elementor (Free Widgets, Addons, Templates): from n/a through <= 1.5.121.

pub. 2024-10-16
8.5
CVSS
HIGH
CVE-2025-53194

Deserialization of Untrusted Data vulnerability in Crocoblock JetEngine jet-engine allows Code Injection.This issue affects JetEngine: from n/a through <= 3.7.0.

pub. 2025-08-20
5.4
CVSS
MEDIUM
CVE-2023-30963

A security defect was discovered in Foundry Frontend which enabled users to perform Stored XSS attacks in Slate if Foundry's CSP were to be bypassed. This defect was resolved with the release of Foundry Frontend 6.229.0. The service was rolled out to all affected Foundry instances. No further intervention is required.

pub. 2023-07-10
Information
ID: CWE-82
Type: Variant
Vulnerabilities: 7
MITRE CWE ↗
← CWE Dictionary
CWE-82 — Improper Neutralization of Script in Attributes of IMG Tags in a Web Page | CWE Dictionary | CVEbaza.pl