cross-site scripting (XSS)
Cross-site scripting (XSS) is a type of security vulnerability found in web applications. It allows attackers to inject malicious scripts into webpages viewed by other users. When a user visits an affected page, the script runs in their browser, potentially stealing sensitive information like cookies or session tokens.
There are three main types of XSS: stored XSS, where the malicious script is saved on the server and served to later visitors; reflected XSS, where the script arrives in a request and is echoed back in the server's response; and DOM-based XSS, which occurs when client-side script writes attacker-controlled data into the page's Document Object Model (DOM). Each type poses unique risks to users and applications.
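The reflected and stored cases above share one root cause, untrusted text placed into HTML without output encoding. The following added example (not part of the original page) shows a vulnerable render function beside an encoded one; the function names and the sample input are hypothetical and constructed for illustration.

```javascript
// Added example; escapeHtml, renderSearchUnsafe, renderSearchSafe and
// renderCommentsSafe are hypothetical names, not from any real code base.

// Characters that are significant in HTML text and quoted-attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a value so the browser treats it as text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reflected case, vulnerable: the request parameter is echoed into markup as-is.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Reflected case, fixed: the parameter is encoded at the point of output.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Stored case, fixed: values saved earlier are encoded each time they are
// rendered, because stored data is just as untrusted as request data.
function renderCommentsSafe(comments) {
  return "<ul>" + comments.map((c) => `<li>${escapeHtml(c)}</li>`).join("") + "</ul>";
}

// Constructed sample input: a harmless marker string containing markup.
const SAMPLE = "<script>alert(1)</script>";

function demo() {
  return {
    unsafe: renderSearchUnsafe(SAMPLE),   // markup survives intact
    safe: renderSearchSafe(SAMPLE),       // markup becomes inert text
    stored: renderCommentsSafe(["nice post", SAMPLE]),
  };
}

console.log(demo());
```

This encoding is only correct for HTML text and quoted attribute values; data placed into URLs, script blocks or CSS needs encoding for that context instead.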