Arbitrary Code Execution
This is the big one that terrifies people. Cross-site scripting (XSS) allows hackers and bad actors to inject malicious code into legitimate websites, where it runs in the browser of anyone who visits the page. It used to be common for banner ads to carry XSS attacks that installed malware on visitors' machines simply because they had visited a website. This even happens to major companies. For example, Twitter was once infected with the StalkDaily worm through XSS. More subtle uses persist today. For example, XSS running on a financial website could give hackers sensitive financial data.
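
As an added example (not code from the original page), the JavaScript below shows the defensive side of the banner-ad case: a renderer that concatenates third-party ad fields into markup, next to one that validates the link and HTML-encodes each field. The function names, the ad object and the `ads.example` URL are assumptions made for illustration.

```javascript
// Added example: renderAdUnsafe, renderAdSafe and the ad objects are hypothetical names.

// Encode the five characters that can change how the browser parses HTML.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Accept only absolute http(s) links; any other scheme or unparsable input becomes "#".
function safeUrl(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === "https:" || url.protocol === "http:" ? url.href : "#";
  } catch {
    return "#";
  }
}

// Vulnerable: third-party fields are concatenated straight into markup,
// so any tags or script URLs they contain become part of the page.
function renderAdUnsafe(ad) {
  return '<a href="' + ad.clickUrl + '">' + ad.headline + "</a>";
}

// Hardened: validate the link first, then encode every field for its HTML context.
function renderAdSafe(ad) {
  return (
    '<a href="' + escapeHtml(safeUrl(ad.clickUrl)) + '" rel="noopener noreferrer">' +
    escapeHtml(ad.headline) + "</a>"
  );
}

// Constructed sample inputs (not taken from any real ad network).
const benignAd = { headline: "Save 5% & more", clickUrl: "https://ads.example/offer?id=1&src=home" };
const hostileAd = { headline: "<script>alert(1)</script>", clickUrl: "javascript:alert(1)" };

console.log(renderAdSafe(benignAd));
console.log(renderAdSafe(hostileAd));
```

Output encoding of this kind handles the HTML body and quoted-attribute contexts only; values placed inside inline scripts or style blocks need their own encoders, and a Content-Security-Policy adds a second layer if one is missed.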