Cross-site scripting (XSS) is a security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to data theft, session hijacking, or defacement. It exploits the trust a user has in a particular website and can be mitigated through input validation, output encoding, and the use of security headers like Content Security Policy (CSP).