Lucene search
K

8 matches found

EUVD
EUVD
added 2026/06/25 1:53 p.m.5 views

EUVD-2026-39412

Malicious HTML content could be injected into the content rendered by the pretix-digital plugin...

2CVSS5.8AI score0.0033EPSS
Exploits0References1
OSV
OSV
added 2026/05/19 4:34 p.m.5 views

GHSA-JWP7-WG77-3W9V Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching

Summary The fetch-apify-docs tool validates URLs against a domain allowlist using String.startsWith instead of proper URL hostname comparison. This allows bypass via attacker-controlled subdomains e.g., https://docs.apify.com.evil.com/, enabling the tool to fetch and return arbitrary web content ...

6.1CVSS5.9AI score0.00045EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/27 5:56 p.m.10 views

Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)

Description A vulnerability has been identified in express-xss-sanitizer , , , etc. and attributes e.g., href on . This behavior violates the expected API contract and may lead to security issues such as content injection or XSS, depending on how the sanitized output is used. Impact Developers...

8.2CVSS5.8AI score0.00382EPSS
Exploits1References5Affected Software1
Tenable Nessus
Tenable Nessus
added 2025/08/12 12:0 a.m.2 views

Linux Distros Unpatched Vulnerability : CVE-2025-5271

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks. This vulnerability was fixed in Firefox 139 and...

6.5CVSS6.1AI score0.00257EPSS
Exploits0References2
CNNVD
CNNVD
added 2025/05/27 12:0 a.m.5 views

Mozilla Firefox 安全漏洞

Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. A security vulnerability exists in Mozilla Firefox prior to version 139, which stems from an omission of the CSP header when previewing responses in Devtools, which could lead to a content injection...

6.5CVSS4.9AI score0.00257EPSS
Exploits0References3
Veracode
Veracode
added 2025/04/28 7:42 a.m.8 views

Cross-Site Scripting (XSS)

github.com/songquanpeng/one-api is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper input validation and sanitization of the argument "Homepage Content/About System/Footer.", allows malicious content to be injected and executed in the user's browser...

4.8CVSS3.4AI score0.00278EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2024/01/10 3:15 p.m.5 views

CVE-2023-6158

The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the evoeventpostupdatemeta function in all versions up to, and including, 4.5.4 for Pro and 2.2.7 for free. This make...

6.5CVSS5.9AI score0.00566EPSS
Exploits0References3
OSV
OSV
added 2018/06/11 9:29 p.m.6 views

CVE-2016-9902

The Pocket toolbar button, once activated, listens for events fired from it's own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inject content and commands into the Pocket context. Note: this issue does not affect users with e10...

7.5CVSS8.9AI score
Exploits0References8
Rows per page
Query Builder