1183402 matches found
CVE-2020-37256
Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious scripts to execute arbitrary code and install malicious plugins for system access...
CVE-2026-9086
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier URI validation. This is achieved by registering a malicious client with a...
CVE-2026-54025
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, there is a vulnerability in LibreChat's markdown artifact preview pipeline. The marked library v15.0.12 does not HTML-escape double-quote characters in image alt text when a custom renderer falls throu...
CVE-2026-9086 Keycloak: keycloak: cross-site scripting (xss) via case-insensitive uri validation bypass
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier URI validation. This is achieved by registering a malicious client with a...
CVE-2026-9086 Keycloak: keycloak: cross-site scripting (xss) via case-insensitive uri validation bypass
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier URI validation. This is achieved by registering a malicious client with a...
CVE-2026-9086
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier URI validation. This is achieved by registering a malicious client with a...
CVE-2026-9086
Keycloak contains a cross-site scripting vulnerability (CVE-2026-9086) where an attacker with manage-client or client-registration access can bypass URI validation by registering a malicious redirect URI using a case-insensitive javascript: or data: scheme. This allows arbitrary code execution in...
EUVD-2026-39473
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier URI validation. This is achieved by registering a malicious client with a...
CVE-2026-9086
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier URI validation. This is achieved by registering a malicious client with a...
CVE-2026-54025 LibreChat: Stored XSS via unescaped image alt text in markdown artifact preview
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, there is a vulnerability in LibreChat's markdown artifact preview pipeline. The marked library v15.0.12 does not HTML-escape double-quote characters in image alt text when a custom renderer falls throu...
CVE-2026-54025
LibreChat suffers a stored XSS in its Markdown artifact preview prior to version 0.8.4-rc1. The vulnerability arises because lib re uses marked v15.0.12 to render image alt text without HTML-escaping double quotes when the custom image renderer defers to the default renderer. LibreChat’s generate...
EUVD-2026-39463
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, there is a vulnerability in LibreChat's markdown artifact preview pipeline. The marked library v15.0.12 does not HTML-escape double-quote characters in image alt text when a custom renderer falls throu...
CVE-2026-48940
CVE-2026-48940 involves a stored cross-site scripting (XSS) in the Joomla extension K2. A user with K2 (Author by default) create-item rights can submit an article where the embedVideo POST field contains a raw [removed] tag. K2 stores the payload verbatim and renders it unescaped to every visito...
CVE-2026-48942 Joomla Extension - getk2.com - Stored-XSS in K2 extension for Joomla < 2.26
K2 ≤ 2.26 renders the k2users.image column directly into HTML src attributes via two distinct templates, in both cases without HTML escaping...
CVE-2026-48942
Affected software: K2 extension for Joomla (getk2.com), version constraint listed as K2 ≤ 2.26. Vulnerability: two templates render the database column __#k2_users.image directly into HTML src attributes without HTML escaping, revealing a stored-XSS risk. Root cause: lack of escaping when injecti...
CVE-2026-13225
The provided connected documents confirm CVE-2026-13225 as a Stored XSS in pretix. Malicious HTML content could be injected into the email address field of an order; pretix displays this on the confirmation page for individual tickets without sanitization. Affects pretix’s order confirmation page...
CVE-2026-13225 Stored XSS in ticket confirmation page
Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order...
CVE-2026-56071
Unauthenticated Cross Site Scripting XSS in Forminator = 1.53.1 versions...
CVE-2026-56042
Customer Cross Site Scripting XSS in Advanced Order Export For WooCommerce = 4.0.9 versions...
CVE-2026-57534
Summary: CVE-2026-57534 affects the pretix-pages plugin, where malicious HTML content can be injected into a page’s content, causing a stored XSS condition. The root cause is described as unsafe handling of page content within the plugin; exploitation details are not provided beyond the stored-XS...