17 matches found

RedhatCVE
added 2026/05/18 2:27 p.m., 9 views

CVE-2026-41650

A flaw was found in fast-xml-parser. The XMLBuilder component does not properly escape specific sequences "--" in comments and "" in CDATA sections when constructing XML from JavaScript objects. This vulnerability allows an attacker to perform XML injection if user-controlled data is processed...

CVSS 6.1 · AI score 5.7 · EPSS 0.00012
Exploits: 1 · References: 5
NVD
added 2026/05/07 3:16 p.m., 9 views

CVE-2026-41650

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "--" sequence in comment content or the "" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection...

CVSS 6.1 · EPSS 0.00012
Exploits: 1 · References: 2
Vulnrichment
added 2026/05/07 1:36 p.m., 5 views

CVE-2026-41650 fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "--" sequence in comment content or the "" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection...

CVSS 6.1 · AI score 5.7 · EPSS 0.00012
Exploits: 1 · References: 2
CNNVD
added 2026/04/02 12:00 a.m., 5 views

XMLDOM security vulnerability

XMLDOM is a JavaScript implementation of the W3C DOM for Node developed by jindw. Versions of XMLDOM prior to 0.6.0, 0.8.12, and 0.9.9 contain security vulnerabilities. These vulnerabilities stem from allowing attackers to insert controlled strings into CDATASection nodes, potentially leading to...

CVSS 7.5 · AI score 5.7 · EPSS 0.00019
Exploits: 0 · References: 4
RedhatCVE
added 2026/01/07 9:26 a.m., 4 views

CVE-2019-12041

lib/common/htmlre.js in remarkable 1.7.1 allows Regular Expression Denial of Service (ReDoS) via a CDATA section...

CVSS 7.5 · AI score 6.7 · EPSS 0.00403
Exploits: 1 · References: 1
NVD
added 2022/12/14 2:15 p.m., 21 views

CVE-2022-23516

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah = 2.2.0, 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a...

CVSS 7.5 · EPSS 0.00046
Exploits: 0 · References: 3
Typo3
added 2022/02/22 12:00 a.m., 45 views

Sanitization bypass in SVG Sanitizer

The SVG sanitizer library enshrined/svg-sanitize before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML fetched as text/html was susceptible to cross-site scripting. Plain SVG files fetched as image/svg+xml were not affected...

CVSS 4.3 · AI score 1 · EPSS 0.00179
Exploits: 0 · Affected Software: 1
FreeBSD
added 2022/02/22 12:00 a.m., 18 views

typo3 -- XSS vulnerability in svg-sanitize

The TYPO3 project reports: The SVG sanitizer library enshrined/svg-sanitize before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML fetched as text/html was susceptible to cross-site scripting. Plain SVG files fetched as image/svg+x...

CVSS 6.2 · AI score 0.8 · EPSS 0.00179
Exploits: 0 · References: 2
Friends Of PHP
added 2022/02/15 1:54 a.m., 18 views

A cross-site scripting vulnerability

Description: Impact: SVG sanitizer library before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML fetched as text/html was susceptible to cross-site scripting. Plain SVG files fetched as image/svg+xml were not affected. Patches: This...

CVSS 4.3 · AI score 5.6 · EPSS 0.00179
Exploits: 0 · Affected Software: 1
Github Security Blog
added 2022/02/14 10:54 p.m., 33 views

Cross-site Scripting in enshrined/svg-sanitize

Impact: SVG sanitizer library before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML fetched as text/html was susceptible to cross-site scripting. Plain SVG files fetched as image/svg+xml were not affected. Patches: This issue is fix...

CVSS 6.2 · AI score 5.7 · EPSS 0.00179
Exploits: 0 · References: 6 · Affected Software: 1
Cvelist
added 2021/01/13 3:49 p.m., 8 views

CVE-2021-23899

OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents...

AI score 9.6 · EPSS 0.00443
Exploits: 0 · References: 3
OSV
added 2019/06/06 3:32 p.m., 1 view

GHSA-Q22G-8FR4-QPJ4 Regular Expression Denial of Service in remarkable

lib/common/htmlre.js in remarkable 1.7.1 allows Regular Expression Denial of Service (ReDoS) via a CDATA section...

CVSS 7.5 · AI score 7.1 · EPSS 0.00403
Exploits: 1 · References: 5
OSV
added 2019/05/13 1:29 p.m., 8 views

CVE-2019-12041

lib/common/htmlre.js in remarkable 1.7.1 allows Regular Expression Denial of Service (ReDoS) via a CDATA section...

CVSS 7.5 · AI score 6.7
Exploits: 0 · References: 1
NVD
added 2019/05/13 1:29 p.m., 6 views

CVE-2019-12041

lib/common/htmlre.js in remarkable 1.7.1 allows Regular Expression Denial of Service (ReDoS) via a CDATA section...

CVSS 7.5 · AI score 7.4 · EPSS 0.00403
Exploits: 1 · References: 1
Prion
added 2019/05/13 1:29 p.m., 8 views

Design/Logic Flaw

lib/common/htmlre.js in remarkable 1.7.1 allows Regular Expression Denial of Service (ReDoS) via a CDATA section...

CVSS 5 · AI score 7.4 · EPSS 0.00403
Exploits: 1 · References: 1 · Affected Software: 1
Cvelist
added 2019/05/13 12:07 p.m., 10 views

CVE-2019-12041

lib/common/htmlre.js in remarkable 1.7.1 allows Regular Expression Denial of Service (ReDoS) via a CDATA section...

AI score 7.4 · EPSS 0.00403
Exploits: 1 · References: 1
Positive Technologies
added 2019/05/13 12:00 a.m., 3 views

PT-2019-12629 · Remarkable · Remarkable

Name of the Vulnerable Software and Affected Versions: remarkable version 1.7.1. Description: The issue allows for Regular Expression Denial of Service (ReDoS) via a CDATA section in the lib/common/htmlre.js file. Recommendations: For version 1.7.1, at the moment, there is no information about a...

CVSS 7.5 · AI score 7.3 · EPSS 0.00403
Exploits: 1 · References: 7