GHSA-P5G4-V748-6FH8 tarteaucitron.js allows url scheme injection via unfiltered inputs

A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges access to the site's source code or a CMS plugin to enter a URL containing an insecure scheme such as javascript:alert. Before the fix, URL validation was insufficient, which could allow arbitrary JavaScript...

CVE-2025-31476 tarteaucitron.js allows url scheme injection via unfiltered inputs

tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges access to the site's source code or a CMS plugin to enter a URL containing an insecure scheme such as javascript:alert. Before the fix, URL...

CVE-2025-31476 tarteaucitron.js allows url scheme injection via unfiltered inputs

tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges access to the site's source code or a CMS plugin to enter a URL containing an insecure scheme such as javascript:alert. Before the fix, URL...

tarteaucitron.js 跨站脚本漏洞

tarteaucitron.js is a cookie manager for the Amauri CHAMPEAUX individual developer. A cross-site scripting vulnerability exists in tarteaucitron.js that stems from insufficient URL validation and could lead to arbitrary JavaScript execution...

Miniflux Media Proxy vulnerable to Stored Cross-site Scripting due to improper Content-Security-Policy configuration

Summary Due to a weak Content Security Policy on the /proxy/ route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. Impact A malicious feed added to Miniflux can execute arbitrary JavaScript in the user's browser...

GHSA-CQ88-842X-2JHP Miniflux Media Proxy vulnerable to Stored Cross-site Scripting due to improper Content-Security-Policy configuration

Summary Due to a weak Content Security Policy on the /proxy/ route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. Impact A malicious feed added to Miniflux can execute arbitrary JavaScript in the user's browser...

CVE-2025-2946 Cross-Site Vulnerability(XSS) due to arbitrary HTML/JavaScript gets executed while query result rendering in Query Tool and View/Edit Data Tool of pgAdmin 4

pgAdmin = 9.1 is affected by a security vulnerability with Cross-Site ScriptingXSS. If attackers execute any arbitrary HTML/JavaScript in a user's browser through query result rendering, then HTML/JavaScript runs on the browser...

Elaine's Realtime CRM Automation 6.18.17 - Reflected XSS

Exploit Title: Elaine's Realtime CRM Automation 6.18.17 - Reflected XSS Date: 09/2024 Exploit Author: Haythem Arfaoui CBTW Team Vendor Homepage: https://www.elaine.io/ Software Link: https://www.elaine.io/en/products/elaine-marketing-automation/ Version: 6.18.17 and below Tested on: Windows, Linu...

CVE-2025-3019

KNIME Business Hub is affected by several cross-site scripting vulnerabilities in its web pages. If a user clicks on a malicious link or opens a malicious web page, arbitrary Java Script may be executed with this user's permissions. This can lead to information loss and/or modification of existin...

SUSE CVE-2024-9900

mudler/localai version v2.21.1 contains a Cross-Site Scripting XSS vulnerability in its search functionality. The vulnerability arises due to improper sanitization of user input, allowing the injection and execution of arbitrary JavaScript code. This can lead to the execution of malicious scripts...

CVE-2025-27404

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of tha...

CVE-2025-27793

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code...

UBUNTU-CVE-2025-27609

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows to embed arbitrary Javascript into it and to act on...

CVE-2025-27406

Icinga Reporting is the central component for reporting related functionality in the monitoring web frontend and framework Icinga Web 2. A vulnerability present in versions 0.10.0 through 1.0.2 allows to set up a template that allows to embed arbitrary Javascript. This enables the attacker to act...

UBUNTU-CVE-2025-27406

Icinga Reporting is the central component for reporting related functionality in the monitoring web frontend and framework Icinga Web 2. A vulnerability present in versions 0.10.0 through 1.0.2 allows to set up a template that allows to embed arbitrary Javascript. This enables the attacker to act...

CVE-2025-27609 Icinga Web 2 Vulnerable to Reflected XSS

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows to embed arbitrary Javascript into it and to act on...

CVE-2025-27404

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of tha...

Icinga Web 2 跨站脚本漏洞

Icinga Web 2 is an open source monitoring and metrics solution from Icinga Open Source. A cross-site scripting vulnerability exists in Icinga Web 2 versions prior to 2.11.5 and prior to 2.12.13, which stems from embeddable arbitrary Javascript that could lead to user identity impersonation...

AZL-59276 CVE-2025-30219 affecting package rabbitmq-server for versions less than 3.11.24-3

RabbitMQ is a messaging and streaming broker. Versions prior to 4.0.3 are vulnerable to a sophisticated attack that could modify virtual host name on disk and then make it unrecoverable with other on disk file modifications can lead to arbitrary JavaScript code execution in the browsers of...

CVE-2025-30219 RabbitMQ has XSS Vulnerability in an Error Message in Management UI

RabbitMQ is a messaging and streaming broker. Versions prior to 4.0.3 are vulnerable to a sophisticated attack that could modify virtual host name on disk and then make it unrecoverable with other on disk file modifications can lead to arbitrary JavaScript code execution in the browsers of...