8 matches found
EUVD-2026-39412
Malicious HTML content could be injected into the content rendered by the pretix-digital plugin...
GHSA-JWP7-WG77-3W9V Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching
Summary The fetch-apify-docs tool validates URLs against a domain allowlist using String.startsWith instead of proper URL hostname comparison. This allows bypass via attacker-controlled subdomains e.g., https://docs.apify.com.evil.com/, enabling the tool to fetch and return arbitrary web content ...
Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)
Description A vulnerability has been identified in express-xss-sanitizer , , , etc. and attributes e.g., href on . This behavior violates the expected API contract and may lead to security issues such as content injection or XSS, depending on how the sanitized output is used. Impact Developers...
Linux Distros Unpatched Vulnerability : CVE-2025-5271
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks. This vulnerability was fixed in Firefox 139 and...
Mozilla Firefox 安全漏洞
Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. A security vulnerability exists in Mozilla Firefox prior to version 139, which stems from an omission of the CSP header when previewing responses in Devtools, which could lead to a content injection...
Cross-Site Scripting (XSS)
github.com/songquanpeng/one-api is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper input validation and sanitization of the argument "Homepage Content/About System/Footer.", allows malicious content to be injected and executed in the user's browser...
CVE-2023-6158
The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the evoeventpostupdatemeta function in all versions up to, and including, 4.5.4 for Pro and 2.2.7 for free. This make...
CVE-2016-9902
The Pocket toolbar button, once activated, listens for events fired from it's own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inject content and commands into the Pocket context. Note: this issue does not affect users with e10...