7 matches found

CNNVD
added 2026/05/08 12:0 a.m. · 4 views

locize cross-site scripting vulnerability

Locize is an open-source browser text editing tool developed by Locize. Versions of Locize prior to 4.0.21 contained a cross-site scripting vulnerability. This vulnerability stemmed from the window.addEventListener("message", …) handler not verifying the event.origin, which could lead to cross-site...

CVSS 7.5 · AI score 5.6 · EPSS 0.00016
Exploits: 0 · References: 1
Github Security Blog
added 2026/04/22 8:32 p.m. · 7 views

locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor

Summary: Versions of the locize client SDK (the browser module that wires up the locize InContext translation editor) prior to 4.0.21 register a window.addEventListener("message", …) handler that dispatches to registered internal handlers editKey, commitKey, commitKeys, isLocizeEnabled,...

CVSS 7.5 · AI score 5.7 · EPSS 0.00016
Exploits: 0 · References: 6 · Affected Software: 1
NVD
added 2026/02/11 3:16 p.m. · 3 views

CVE-2026-2345

Proctorio Chrome Extension is a browser extension used for online proctoring. The extension contains multiple window.addEventListener('message', ...) handlers that do not properly validate the origin of incoming messages. Specifically, an internal messaging bridge processes messages based solely on...

CVSS 3.6 · EPSS 0.00008
Exploits: 0 · References: 1
OSV
added 2025/04/10 8:15 a.m. · 2 views

CVE-2024-38865

Improper neutralization of livestatus command delimiters in a specific endpoint within RestAPI of Checkmk prior to 2.2.0p39, 2.3.0p25, and 2.1.0p51 (EOL) allows arbitrary livestatus command execution. Exploitation requires the attacker to have a contact group assigned to their user account and for ...

CVSS 8.8 · AI score 7.4
Exploits: 0 · References: 1
ATTACKERKB
added 2022/03/03 12:15 a.m. · 2 views

CVE-2022-25146

The Remote App module in Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message...

CVSS 5.3 · AI score 6.1 · EPSS 0.0014
Exploits: 0 · References: 4
Positive Technologies
added 2022/03/02 12:0 a.m. · 1 views

PT-2022-17098 · Liferay · Liferay Dxp +1

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.3.4 through 7.4.3.8; Liferay DXP 7.4 before update 5. Description: The issue concerns the Remote App module, which fails to verify if the origin of received event messages matches the Remote App's origin. This allows...

CVSS 5.3 · AI score 5.2 · EPSS 0.0014
Exploits: 0 · References: 10
OSV
added 2018/06/11 9:29 p.m. · 3 views

CVE-2016-9902

The Pocket toolbar button, once activated, listens for events fired from its own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inject content and commands into the Pocket context. Note: this issue does not affect users with e10...

CVSS 7.5 · AI score 8.9
Exploits: 0 · References: 8