Netcrook

WIKICROOK

CWE-79

A weakness class for improper neutralization of input during web page generation.

CWE-79 is the weakness class for improper neutralization of input during web page generation, commonly called cross-site scripting (XSS). It happens when an application takes untrusted data and places it into HTML, JavaScript, or other browser-facing content without enough encoding or filtering. If an attacker can inject script or script-like markup, that code may run in another user’s browser under the trusted site’s origin.

This matters because XSS can steal session tokens, alter page content, trigger actions as the victim, or pivot into broader compromise. It appears in attacks through comments, form fields, search results, document viewers, and other dynamic web features. Defenses focus on context-aware output encoding, input validation, safe templating, content security policies, and minimizing direct rendering of raw user input. In practice, CWE-79 is one of the most common web application flaws because many systems mix user content with browser code.
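The context-aware output encoding named among the defenses above, as an added example (not code from this page or from the CWE entry): the same untrusted value gets a different encoder depending on whether it lands in HTML text, a link attribute, or an inline script string. All function names and the sample input are constructed for illustration.

```javascript
// Added example: context-aware output encoding for CWE-79 (Node.js, no dependencies).
// Function names and sample input are constructed, not taken from any library.

// HTML text and quoted-attribute context: neutralize markup metacharacters.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Inline <script> context: JSON.stringify yields a valid JS string literal;
// then escape characters that could close the script block or break the line.
function encodeJsLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL context: allow only absolute http(s) links, otherwise fall back to "#".
// (Assumption for this example: relative links are not needed.)
function safeHref(value) {
  try {
    const u = new URL(String(value));
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch {
    return '#';
  }
}

// Weak: raw concatenation of untrusted data into browser-facing content.
function renderUnsafe(name, link) {
  return `<a href="${link}">${name}</a><script>var user = "${name}";</script>`;
}

// Hardened: each value is encoded for the context it lands in.
function renderSafe(name, link) {
  return `<a href="${encodeHtml(safeHref(link))}">${encodeHtml(name)}</a>` +
         `<script>var user = ${encodeJsLiteral(name)};</script>`;
}

// Constructed sample input carrying script-like markup.
const sampleName = '</script><script>alert(1)</script>';
const sampleLink = 'javascript:alert(1)';
console.log(renderUnsafe(sampleName, sampleLink));
console.log(renderSafe(sampleName, sampleLink));
```

In the hardened output the only `<script>` element is the template's own, and the link resolves to `#`; HTML encoding alone would not have been enough for the script-string or URL positions.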
