372 matches found
CVE-2026-55789 Logto: SAML IdP injects user-controlled profile attributes raw into signed assertions, allowing privilege escalation at relying Service Providers
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's self-hosted SAML application IdP built the signed SAML response and assertion by string-substituting user-controlled profile attributes such as name, email, and custom attribute-mapping values into...
CVE-2026-56813 Cookie attribute injection in Plug.Conn.Cookies.encode/2
Improper Neutralization of Parameter/Argument Delimiters vulnerability in elixir-plug plug allows an attacker to inject or override HTTP cookie attributes. The Plug.Conn.Cookies.encode/2 function in lib/plug/conn/cookies.ex builds the Set-Cookie response header by interpolating the cookie value a...
CVE-2026-56813
The CVE-2026-56813 issue affects the Elixir Plug library (Plug.Conn.Cookies.encode/2). It enables attribute injection in Set-Cookie headers by not neutralizing the ; delimiter, allowing an attacker to inject or override cookie attributes (e.g., Domain, Path, or flags like Secure/HttpOnly) when at...
EUVD-2026-42876
Improper Neutralization of Parameter/Argument Delimiters vulnerability in elixir-plug plug allows an attacker to inject or override HTTP cookie attributes. The Plug.Conn.Cookies.encode/2 function in lib/plug/conn/cookies.ex builds the Set-Cookie response header by interpolating the cookie value a...
CVE-2026-59926
A flaw was found in Mistune, a Python Markdown parser. The renderadmonition function in the Admonition directive concatenates user-controlled input into the HTML class attribute without proper escaping. This vulnerability allows for attribute injection and Cross-Site Scripting XSS attacks, even...
Linux Distros Unpatched Vulnerability : CVE-2026-59926
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, renderadmonition in src/mistune/directives/admonition.py concatenates the...
EUVD-2026-42334
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, renderadmonition in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into the HTML class attribute without escaping, allowing attribute injection and cross-site scripting even...
CVE-2026-59926
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, renderadmonition in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into the HTML class attribute without escaping, allowing attribute injection and cross-site scripting even...
CVE-2026-58657
Grav before 2.0.0 affected through 2.0.0-rc.9 and the 2.0 branch contains a stored CSS injection vulnerability in the Markdown image resize media action. Prior media hardening rejects direct ?style= payloads and unsafe attribute fallbacks, but the resize action in Excerpts::processMediaActions...
PYSEC-2026-1474 Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, , or =, as each would then be interpreted as starting a separate attribute. If an application accepts keys as opposed to only values as user input, and...
PYSEC-2026-1473 Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
The xmlattr filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys as opposed to only values as user input, and renders these in pages that other user...
CVE-2026-59710 showdown - Stored XSS via Unescaped Table Header ID Attribute Injection
showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdo...
CVE-2026-54298
Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax ...props ...
CVE-2026-54298
Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax ...props ...
CVE-2026-54298
Astro, prior to 6.4.6, is vulnerable to XSS via unescaped attribute names when spreading props onto HTML elements. The spreadAttributes path iterates over object keys and passes them to addAttribute, which interpolates the key into the HTML output without escaping, allowing attackers to inject ev...
CVE-2026-54298 Astro: XSS via Unescaped Attribute Names in Spread Props
Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax ...props ...
Astro: XSS via Unescaped Attribute Names in Spread Props
Summary The spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax ...props on an HTML element and the object...
PT-2026-49739
Name of the Vulnerable Software and Affected Versions Astro versions prior to 6.4.6 Description The spreadAttributes function in the server-side rendering pipeline iterates over object keys and passes them to the addAttribute function, which interpolates the key into the HTML output without...
CVE-2026-46625 JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "proto" member is an own enumerable property,...
CVE-2026-46625 JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "proto" member is an own enumerable property,...