keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass

A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier URI validation. This is achieved by registering a malicious client with a...

CVE-2026-9086

A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier URI validation. This is achieved by registering a malicious client with a...

CVE-2026-9086 Keycloak: keycloak: cross-site scripting (xss) via case-insensitive uri validation bypass

A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier URI validation. This is achieved by registering a malicious client with a...

EUVD-2026-39473

A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier URI validation. This is achieved by registering a malicious client with a...

CVE-2026-9086

A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier URI validation. This is achieved by registering a malicious client with a...

CVE-2026-9086

Keycloak contains a cross-site scripting vulnerability (CVE-2026-9086) where an attacker with manage-client or client-registration access can bypass URI validation by registering a malicious redirect URI using a case-insensitive javascript: or data: scheme. This allows arbitrary code execution in...

CVE-2026-9086

A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier URI validation. This is achieved by registering a malicious client with a...

PT-2026-52506

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description An issue exists where a remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, can bypass client Uniform...

CVE-2026-52816

Gogs exposes an unauthenticated REST endpoint POST /-/api/sanitize_ipynb that uses bluemonday.UGCPolicy with AllowURLSchemes("data"), allowing all data: URIs (including data:text/html). This enables a registered user to craft payloads that survive sanitization and execute XSS when rendered in oth...

CVE-2026-53722 Nuxt: Reflected XSS in `<NuxtLink>` via unsanitised `javascript:` or `data:` URL

Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying element. When an application binds attacker-controlled input a...

CVE-2026-53722

CVE-2026-53722 affects Nuxt.js prior to versions 3.21.7 and 4.4.7, where did not validate URL schemes bound to its to or href before rendering. Attacker-controlled input (query parameters, CMS fields, or user URLs) can be reflected into the href attribute, enabling reflected DOM-based XSS via ja...

External Control of File Name or Path

Overview docling is a SDK and CLI for parsing PDF, DOCX, HTML, and more, to a unified document representation for powering downstream workflows such as gen AI applications. Affected versions of this package are vulnerable to External Control of File Name or Path in backend/htmlbackend.py‎, which ...

SUSE CVE-2026-48522

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no...

CVE-2026-48522

PyJWKClient in PyJWT prior to 2.13.0 passes its uri argument directly to urllib.request.urlopen(), allowing attacker-controlled jku URLs to trigger SSRF and related token-forgery scenarios via file://, ftp://, or data: schemes. Affected component: PyJWKClient (Python). Root cause: lack of a schem...

PT-2026-44394

Name of the Vulnerable Software and Affected Versions PyJWT versions prior to 2.13.0 Description PyJWKClient passes the uri argument directly to urllib.request.urlopen, which utilizes the default OpenerDirector of the Python standard library. This allows the registration of HTTPHandler,...

Open WebUI has Stored Cross-Site Scripting In Profile Picture

Summary The profileimageurl field on the user profile update form accepted arbitrary data: URI values without MIME-type validation. Two distinct attack paths were independently demonstrated by separate reporters: 1. data:text/html;base64,... in a new browser tab raresvis, 2025-04-17 — when a vict...

PT-2026-41162

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.8.0 Description The profile image url field on the user profile update form accepts arbitrary data: URI values without MIME-type validation, leading to Cross-Site Scripting XSS. This occurs because the applicatio...

i18nextify has DOM XSS via javascript:/data: URL schemes in translated href/src attributes

Summary Versions of i18nextify prior to 4.0.8 substitute key interpolation tokens inside src and href attribute values with the raw string returned by i18next.t. The substitution logic in src/localize.js replaceInside handler around line 122 only guards against a duplicated http:// origin prefix ...

GHSA-6457-MXPQ-4FQQ i18nextify has DOM XSS via javascript:/data: URL schemes in translated href/src attributes

Summary Versions of i18nextify prior to 4.0.8 substitute key interpolation tokens inside src and href attribute values with the raw string returned by i18next.t. The substitution logic in src/localize.js replaceInside handler around line 122 only guards against a duplicated http:// origin prefix ...

PT-2026-37152

Name of the Vulnerable Software and Affected Versions i18nextify versions prior to 4.0.8 Description The software substitutes key interpolation tokens within src and href attribute values using the raw string from i18next.t. The substitution logic in the replaceInside handler within src/localize....