CVE-2026-41159

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration...

EUVD-2026-33324

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration...

CVE-2026-41159

Mermaid (mermaid-js) contains a CSS injection vulnerability (CVE-2026-41159) affecting prior releases. Before fixes in v10.9.6 and v11.15.0, its default config allows injecting CSS via fontFamily, themeCSS, and altFontFamily. The injected CSS exploits stylis’s scope handling, where :not(&) escape...

GHSA-87F9-HVMW-GH4P Mermaid: Improper sanitization of configuration leads to CSS injection

Impact Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration options. Live demo: mermaid.live Example code: %%init: "fontFamily": "x;ab :not&background:green !important cd"%% flowchart LR A --...

GHSA-XCJ9-5M2H-648R Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection

Details The state diagram and any other diagram type that routes user-controlled style strings through createCssStyles parser for Mermaid v11.14.0 and earlier captures classDef values with an unrestricted regex: jison // packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83 ^\n...

ShinyHunters escalates Canvas attacks with school login defacements

Days after confirming a major data breach, Instructure is now facing a second blow. Earlier this week, Instructure confirmed a major data breach affecting its cloud‑hosted Canvas environment, with the ShinyHunters group claiming it stole hundreds of millions of records tied to thousands of school...

Canvas Breach Disrupts Schools & Colleges Nationwide

An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework at school districts and universities across the United States today, after a cybercrime group defaced the service's login page with a ransom demand that threatened to...

ShinyHunters Defaces Canvas LMS Portal, Hundreds of Universities Affected

ShinyHunters hackers defaced the official Canvas LMS portal after breaching Instructure systems, disrupting university access worldwide...

Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained

Overview For executive leadership, the emergence of Kyber ransomware represents a significant and immediate threat due to its specialized, dual-platform deployment capability targeting mission-critical virtualization infrastructure VMware ESXi and core Windows file systems. This cross-platform...

EUVD-2026-19390

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, Tandoor Recipes allows authenticated users to inject arbitrary tags into recipe step instructions. The bleach.clean sanitizer explicitly whitelists the tag, causing the backend to...

CVE-2026-0396

A flaw was found in dnsdist. A remote attacker could exploit this vulnerability by sending specially crafted DNS queries to a dnsdist instance where domain-based dynamic rules have been enabled. This could allow the attacker to inject malicious HTML content into the internal web dashboard,...

CVE-2026-29100

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allows attackers to inject arbitrary HTML content, enabling phishing attacks and page defacement. Versio...

CVE-2026-29100

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allows attackers to inject arbitrary HTML content, enabling phishing attacks and page defacement. Versio...

CVE-2026-29100

Summary: CVE-2026-29100 affects SuiteCRM. The vulnerability is a reflected HTML injection on the login page, enabling an attacker to inject arbitrary HTML content (e.g., phishing content or page defacement). The issue is associated with SuiteCRM version 7.15.0 and is fixed in 7.15.1. What’s affec...

CVE-2026-29100

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allows attackers to inject arbitrary HTML content, enabling phishing attacks and page defacement. Versio...

CVE-2026-29100 SuiteCRM has Reflected HTML Injection in Login Page via default_user_name Parameter

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allows attackers to inject arbitrary HTML content, enabling phishing attacks and page defacement. Versio...

PT-2026-26438

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allows attackers to inject arbitrary HTML content, enabling phishing attacks and page defacement. Versio...

K000160327: Protect your network from geopolitical uncertainty with F5

Security Advisory Description While there are many cyber-threats creating a constant need for cybersecurity efforts, history teaches us that geopolitical conflicts often generate increased cyber activity. In recent years the world has seen conflicts in Ukraine, Yemen, Iran, and elsewhere generate...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the firstname and lastname inputs when processed by editUser.tpl.php. An attacker can inject arbitrary HTML content by submitting crafted input, which is rendered when other users view the affected profile,...

lxml-html-clean has <base> tag injection through default Cleaner configuration

Summary The tag passes through the default Cleaner configuration. While pagestructure=True removes html, head, and title tags, there is no specific handling for , allowing an attacker to inject it and hijack relative links on the page. Details The tag is not currently in the pagestructure kill se...