Lucene search
K

547 matches found

RedHat Linux
RedHat Linux
added 2026/07/02 12:3 a.m.4 views

DOMPurify: DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization

A flaw was found in DOMPurify, a DOM-only cross-site scripting sanitizer. A remote attacker could exploit an inconsistency in how forbidden tags and attributes are handled when function-based tag additions are used. This allows malicious HTML, MathML, or SVG elements to bypass sanitization and...

6.1CVSS7.4AI score0.00263EPSS
Exploits1References7
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/29 2:12 p.m.6 views

Security Bulletin: IBM i is Affected By Multiple Vulnerabilities in Navigator for i and Digital Certifcate Manager

Summary Navigator for IBM i uses DOMPurify for cross-site scripting sanitization. DOMPurify is vulnerable to prototype pollution-based XSS bypass CVE-2026-41238, skipped sanitization in non-string mode CVE-2026-41239, and skipped sanitization when using the ADDTAGS function CVE-2026-41240...

8.8CVSS7.5AI score0.00331EPSS
Exploits1Affected Software5
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/28 7:37 p.m.7 views

Security Bulletin: DataStage on Cloud Pak for Data has several vulnerabilities due to open source software

Summary Open source packages are used as part of the overall processing in DataStage on Cloud Pak for Data. Vulnerability Details CVEID:CVE-2026-2581 DESCRIPTION: This is an uncontrolled resource consumption vulnerability CWE-400 that can lead to Denial of Service DoS. In vulnerable Undici...

7.5CVSS5.6AI score0.00728EPSS
Exploits0Affected Software1
OSV
OSV
added 2026/06/24 9:38 a.m.9 views

ROOT-APP-NPM-CVE-2026-0540 CVE-2026-0540 in @rootio/dompurify - Patched by Root

Root has patched CVE-2026-0540 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...

6.1CVSS7.2AI score0.0034EPSS
Exploits0
OSV
OSV
added 2026/06/24 9:38 a.m.9 views

ROOT-APP-NPM-GHSA-39Q2-94RC-95CP GHSA-39q2-94rc-95cp in @rootio/dompurify - Patched by Root

Root has patched GHSA-39q2-94rc-95cp in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...

5.8AI score
Exploits0
OSV
OSV
added 2026/06/24 9:38 a.m.8 views

ROOT-APP-NPM-CVE-2026-41239 CVE-2026-41239 in @rootio/dompurify - Patched by Root

Root has patched CVE-2026-41239 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...

6.8CVSS5.8AI score0.00217EPSS
Exploits0
OSV
OSV
added 2026/06/24 9:38 a.m.9 views

ROOT-APP-NPM-GHSA-CJ63-JHHR-WCXV GHSA-cj63-jhhr-wcxv in @rootio/dompurify - Patched by Root

Root has patched GHSA-cj63-jhhr-wcxv in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...

5.8AI score
Exploits0
OSV
OSV
added 2026/06/24 9:38 a.m.9 views

ROOT-APP-NPM-CVE-2025-15599 CVE-2025-15599 in @rootio/dompurify - Patched by Root

Root has patched CVE-2025-15599 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...

6.1CVSS5.8AI score0.00245EPSS
Exploits0
OSV
OSV
added 2026/06/24 9:38 a.m.9 views

ROOT-APP-NPM-CVE-2025-26791 CVE-2025-26791 in @rootio/dompurify - Patched by Root

Root has patched CVE-2025-26791 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...

6.1CVSS6.6AI score0.00583EPSS
Exploits1
OSV
OSV
added 2026/06/24 9:38 a.m.10 views

ROOT-APP-NPM-GHSA-CJMM-F4JC-QW8R GHSA-cjmm-f4jc-qw8r in @rootio/dompurify - Patched by Root

Root has patched GHSA-cjmm-f4jc-qw8r in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...

5.8AI score
Exploits0
OSV
OSV
added 2026/06/24 9:38 a.m.9 views

ROOT-APP-NPM-GHSA-H8R8-WCCR-V5F2 GHSA-h8r8-wccr-v5f2 in @rootio/dompurify - Patched by Root

Root has patched GHSA-h8r8-wccr-v5f2 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...

5.8AI score
Exploits0
OSV
OSV
added 2026/06/24 9:38 a.m.9 views

ROOT-APP-NPM-CVE-2026-41240 CVE-2026-41240 in @rootio/dompurify - Patched by Root

Root has patched CVE-2026-41240 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...

6.1CVSS7.3AI score0.00263EPSS
Exploits1
NVD
NVD
added 2026/06/19 12:16 a.m.11 views

CVE-2026-12048

Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server ErrorResponse messages, including object names quoted back inside relation-does-not-exist errors and inside EXPLAIN Recheck Cond / Exact Heap Blocks fields was passed...

9.3CVSS0.0021EPSS
Exploits0References2
CVE
CVE
added 2026/06/18 11:37 p.m.88 views

CVE-2026-12048

CVE-2026-12048 affects pgAdmin 4 (versions 6.0 up to 9.16). Stored XSS occurs when untrusted server-returned text is passed through html-react-parser in multiple user-facing sinks (toasts, dialogs, explain visualiser, SQL editor prompts, etc.), allowing an attacker-controlled PostgreSQL server to...

9.3CVSS5.4AI score0.0021EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/18 11:37 p.m.42 views

CVE-2026-12048 pgAdmin 4: Stored XSS via untrusted error and plan-node text rendered through html-react-parser

Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server ErrorResponse messages, including object names quoted back inside relation-does-not-exist errors and inside EXPLAIN Recheck Cond / Exact Heap Blocks fields was passed...

9.3CVSS0.0021EPSS
Exploits0References2
OSV
OSV
added 2026/06/18 2:27 p.m.6 views

GHSA-CMWH-PVXP-8882 DOMPurify: Permanent `ALLOWED_ATTR` pollution via `setConfig()` bypassing the hook clone-guard (incomplete fix of the 3.4.7 hook-pollution patch)

Summary DOMPurify 3.4.7 shipped a security fix "permanent hook pollution" that makes a registered uponSanitizeAttribute hook's mutation of data.allowedAttributes non-persistent — so allowing an attribute for one element does not leak into later sanitize calls. The fix clones ALLOWEDATTR inside...

5.1CVSS5.6AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.27 views

PT-2026-50814

Name of the Vulnerable Software and Affected Versions pgAdmin 4 versions 6.0 through 9.15 Description Stored cross-site scripting exists in the error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server, such as ErrorResponse messages, object names in...

9.3CVSS5.9AI score0.0021EPSS
Exploits0References13
Github Security Blog
Github Security Blog
added 2026/06/17 2:14 p.m.13 views

Open WebUI: Stored XSS in Mermaid Markdown Preview

Summary Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML. Because Mermaid is configured with securityLevel: 'loose', attacker-controlled Mermaid content can be rendered unsafely in this flow. A working paylo...

8.7CVSS5.6AI score0.002EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.21 views

PT-2026-50483

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description The application renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML. Because Mermaid is configured with securityLevel:...

8.7CVSS5.8AI score0.002EPSS
Exploits1References7
Github Security Blog
Github Security Blog
added 2026/06/15 8:12 p.m.16 views

DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output

Impact A DOMPurify instance that is reused across trust boundaries can stay bound to a previously supplied TRUSTEDTYPESPOLICY even after clearConfig is called. A later caller that requests RETURNTRUSTEDTYPE receives a TrustedHTML object created by the old policy, not by a clean default...

5.5AI score
Exploits0References2Affected Software1
Rows per page
Query Builder