Lucene search
K

31 matches found

CNNVD
CNNVD
added 2026/05/26 12:0 a.m.10 views

mistune 跨站脚本漏洞

Mistune is a fast and powerful Python Markdown parser developed by Hsiaoming Yang. Versions of Mistune prior to 3.2.1 contained a cross-site scripting vulnerability. This vulnerability stemmed from the use of Python format strings to insert id and text values into tags without proper HTML escapin...

6.1CVSS5.8AI score0.00228EPSS
Exploits1References2
OSV
OSV
added 2026/03/25 6:31 p.m.5 views

GHSA-RQJ3-X344-QVXC Seafile Server has multiple stored XSS vulnerabilities

Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...

5.4CVSS5.9AI score0.00278EPSS
Exploits1References8
Github Security Blog
Github Security Blog
added 2026/03/25 6:31 p.m.6 views

Seafile Server has multiple stored XSS vulnerabilities

Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...

8.7CVSS5.9AI score0.00278EPSS
Exploits1References8Affected Software1
NVD
NVD
added 2026/03/25 6:16 p.m.4 views

CVE-2026-30587

Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...

8.7CVSS0.00278EPSS
Exploits1References6
ATTACKERKB
ATTACKERKB
added 2026/03/25 12:0 a.m.6 views

CVE-2026-30587

Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...

5.8AI score0.00278EPSS
Exploits1References7
CVE
CVE
added 2026/03/25 12:0 a.m.19 views

CVE-2026-30587

CVE-2026-30587 affects Seafile Server and its Seadoc editor, with multiple stored XSS vulnerabilities exploited via WebSocket messages that update document structure. Affected versions include 13.0.15, 13.0.16-pro, and 12.0.14 and prior; fixes are in 13.0.17, 13.0.17-pro, and 12.0.20-pro. The iss...

8.7CVSS5.8AI score0.00278EPSS
Exploits1References6Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/05 7:49 p.m.5 views

CVE-2026-28350

lxmlhtmlclean is a project for HTML cleaning functionalities copied from lxml.html.clean. Prior to version 0.4.4, the tag passes through the default Cleaner configuration. While pagestructure=True removes html, head, and title tags, there is no specific handling for , allowing an attacker to inje...

6.1CVSS5.9AI score0.00254EPSS
Exploits1References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/02/20 7:40 p.m.8 views

CVE-2026-27474

SPIP before 4.4.9 allows Cross-Site Scripting XSS in the private area, complementing an incomplete fix from SPIP 4.4.8. The echappeantixss function was not systematically applied to input, form, button, and anchor a HTML tags, allowing an attacker to inject malicious scripts through these element...

6.1CVSS5.6AI score0.00264EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/02/19 2:58 p.m.23 views

CVE-2025-71249

...

Exploits0
NVD
NVD
added 2026/02/03 6:16 p.m.7 views

CVE-2025-65924

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically hyperlinks in fields that are intended for plain text. Although JavaScript is blocked preventing XSS, the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable...

4.1CVSS0.00227EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/02/03 12:0 a.m.8 views

PT-2026-5952

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically hyperlinks in fields that are intended for plain text. Although JavaScript is blocked preventing XSS, the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable...

3.5CVSS5.5AI score0.00227EPSS
Exploits0References1
CVE
CVE
added 2026/02/03 12:0 a.m.18 views

CVE-2025-65924

CVE-2025-65924 affects ERPNext up to v15.88.1. The issue arises in the Add Quality Goal function where HTML tags (notably hyperlinks) are not sanitized in plain-text fields. While JavaScript is blocked to prevent XSS, the HTML remains in the generated PDFs, enabling users to click malicious link...

4.1CVSS5.5AI score0.00227EPSS
Exploits0References1Affected Software1
Snyk
Snyk
added 2025/12/31 10:7 p.m.1 views

Cross-site Scripting (XSS)

Overview trix is a Rich Text Editor. Affected versions of this package are vulnerable to Cross-site Scripting XSS due to applying DOMPurify.isValidAttribute to data-trix-attachments before rendering them as anchor tags. An attacker can execute arbitrary JavaScript code within the user's session,...

5.4CVSS5.3AI score
Exploits0References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.3 views

EUVD-2023-35154

Malicious code in bioql PyPI...

6.1CVSS6.3AI score0.00395EPSS
Exploits0References1
OSV
OSV
added 2025/09/08 11:15 a.m.2 views

UBUNTU-CVE-2014-125128

'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting XSS. The function 'naughtyHref' doesn't properly validate the hyperreference href attribute in anchor tags , allowing bypasses that contain different casings, whitespace characters, or hexadecimal encodings...

6.1CVSS5.8AI score0.00256EPSS
Exploits1References8
Snyk
Snyk
added 2025/09/08 10:43 a.m.4 views

Cross-site Scripting (XSS)

Overview sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis Affected versions of this package are vulnerable to Cross-site Scripting XSS via the naughtyHref function. An attacker can execute...

6.1CVSS5.6AI score0.00256EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2025/09/08 10:9 a.m.2 views

CVE-2014-125128

'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting XSS. The function 'naughtyHref' doesn't properly validate the hyperreference href attribute in anchor tags , allowing bypasses that contain different casings, whitespace characters, or hexadecimal encodings...

6.1CVSS6.1AI score0.00256EPSS
Exploits1References4
CVE
CVE
added 2025/09/08 10:9 a.m.20 views

CVE-2014-125128

CVE-2014-125128 affects the sanitize-html library prior to 1.0.3. The root cause is the naughtyHref function not properly validating the href attribute in tags, allowing bypasses that rely on different casings, whitespace, or hexadecimal encodings. This leads to cross-site scripting (XSS) impact...

6.1CVSS6.1AI score0.00256EPSS
Exploits1References4Affected Software1
Debian CVE
Debian CVE
added 2025/09/08 10:9 a.m.5 views

CVE-2014-125128

'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting XSS. The function 'naughtyHref' doesn't properly validate the hyperreference href attribute in anchor tags , allowing bypasses that contain different casings, whitespace characters, or hexadecimal encodings...

6.1CVSS5.2AI score0.00256EPSS
Exploits1
OSV
OSV
added 2024/04/17 12:20 a.m.13 views

GHSA-G7XQ-XV8C-H98C Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `<a>` tags

Summary There is a potential cross-site scripting XSS vulnerability that can be exploited via maliciously crafted user data. Our filter to detect and prevent the use of the javascript: URL scheme in the href attribute of an tag could be bypassed with tab \t or newline \n characters between the...

7.1CVSS6.3AI score0.00575EPSS
Exploits0References7
Rows per page
Query Builder