CVE-2026-27902

Svelte prior to version 5.53.5 is vulnerable to HTML injection and XSS in SSR error boundary hydration markers, caused by transformError not being properly escaped before HTML output. Attacker-controlled content returned from transformError could be embedded in the page. The issue is fixed in 5.5...

CVE-2026-27902 Svelte Vulnerable to XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers

Svelte performance oriented web framework. Prior to version 5.53.5, errors from transformError were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from transformError. Version 5.53.5 fixes the...

CVE-2026-27902 Svelte Vulnerable to XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers

Svelte performance oriented web framework. Prior to version 5.53.5, errors from transformError were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from transformError. Version 5.53.5 fixes the...

GHSA-RCQW-6466-3MV7 AVideo has Stored Cross-Site Scripting via Markdown Comment Injection

Vulnerability Type Stored Cross-Site Scripting XSS — CWE-79. Affected Product/Versions AVideo 18.0. Root Cause Summary AVideo allows Markdown in video comments and uses Parsedown v1.7.4 without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing javascript: URIs to be...

CVE-2026-1640 Taskbuilder <= 5.0.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Project/Task Comment Creation

The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.0.2. This is due to missing authorization checks on the project and task comment submission functions AJAX actions:...

CVE-2026-22231

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPEXUS eCASE Platform 11.14.1.0...

CVE-2026-22233 OPEXUS eCASE Audit Project Cost stored XSS

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the "Estimated Staff Hours" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0...

CVE-2025-63693

The comment editing template dzz/comment/template/editform.htm in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows low-privilege attackers to construct comment content or request parameters and...

Improper Input Validation

datahihi1/tiny-env is vulnerable to Improper Input Validation. The vulnerability is due to missing sanitization of characters, allowing attackers to inject comment text that can cause misconfigurations or authentication failures...

CVE-2025-60299

Novel-Plus with 5.2.0 was discovered to contain a Stored Cross-Site Scripting XSS vulnerability via the /book/addCommentReply endpoint. An authenticated user can inject malicious JavaScript through the replyContent parameter when replying to a book comment. The payload is stored in the database a...

EUVD-2015-8700

Malware in sbrugna...

EUVD-2006-2817

Malware in sbrugna...

EUVD-2008-6998

Malware in sbrugna...

EUVD-2006-0353

Malware in sbrugna...

EUVD-2024-54392

Malicious code in bioql PyPI...

EUVD-2015-3484

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2015-6659

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - SQL injection vulnerability in the SQL comment filtering system in the Database API in Drupal 7.x before 7.39 allows remote attackers to execute arbitrary SQL...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via comments contents in any page of the web interface. An attacker can execute arbitrary JavaScript in the browser of any user viewing the manipulated comment by injecting obfuscated payloads that bypass input...

CVE-2024-46494

A cross-site scripting XSS vulnerability in Typecho v1.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into Name parameter under a comment for an Article...

CVE-2024-46494

A cross-site scripting XSS vulnerability in Typecho v1.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into Name parameter under a comment for an Article...