40 matches found

vulnersOsv
added 2026/04/24 8:41 p.m. · 4 views

@8btc/excalidraw (>=0.18.0-beta.0 <=0.18.0-beta.4), @alkemio/excalidraw (>=0.17.1-alkemio-5 <=0.19.0-alkemio-1) +99 more potentially affected by unknown CVE via @excalidraw/mermaid-to-excalidraw (>=0.3.0 <=1.1.2)

@excalidraw/mermaid-to-excalidraw NPM version =0.3.0, =0.18.0-beta.0, =0.17.1-alkemio-5, =1.0.0, =0.18.3, =0.18.0, =0.0.1-BETA, =0.5.0-00d79ee, =0.17.1, =18.0.3, =0.18.0-patch.1, =0.17.1-1d71f84, =0.0.1, =0.3.2, =0.3.3 and more. Source CVEs: unknown CVE. Source advisory: OSV:GHSA-39H7-PWV7-RC3X...

AI score 5.8
Exploits 0
OSV
added 2026/04/24 8:41 p.m. · 3 views

GHSA-39H7-PWV7-RC3X Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering)

Impact: @excalidraw/[email protected] depends on a Mermaid conversion package version that resolves to a Mermaid release affected by CVE-2025-54881 / GHSA-7rqq-prvp-x9jh. User-supplied Mermaid sequence diagram labels could trigger XSS through Mermaid’s KaTeX label rendering path. This is patched i...

AI score 5.8
Exploits 0 · References 4
Github Security Blog
added 2026/04/24 8:41 p.m. · 11 views

Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering)

Impact: @excalidraw/[email protected] depends on a Mermaid conversion package version that resolves to a Mermaid release affected by CVE-2025-54881 / GHSA-7rqq-prvp-x9jh. User-supplied Mermaid sequence diagram labels could trigger XSS through Mermaid’s KaTeX label rendering path. This is patched i...

CVSS 5.3 · AI score 5.2 · EPSS 0.00027
Exploits 0 · References 4 · Affected software 2
vulnersOsv
added 2026/04/01 11:58 p.m. · 2 views

@bernierllc/neverhub (>=1.0.0 <=1.1.0), @cdagaton/excalidraw-mcp (>=0.3.2 <=0.3.3) +15 more potentially affected by CVE-2026-25536 via mcp-handler (>=1.0.1 <=1.0.7)

mcp-handler NPM version =1.0.1, =1.0.0, =0.3.2, =0.1.0, =0.0.0-experimental-20250910140832, =1.0.0, =0.0.27, =0.1.0, =0.1.1 and more. Source CVEs: CVE-2026-25536. Source advisory: OSV:GHSA-W2FM-25VW-VH7F...

CVSS 7.1 · AI score 6.9 · EPSS 0.00016
Exploits 0
SUSE CVE
added 2026/03/26 9:16 a.m. · 1 view

SUSE CVE-2026-30587

Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15, 13.0.16-pro, 12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...

CVSS 8.7 · AI score 5.9 · EPSS 0.00066
Exploits 1 · References 3
Snyk
added 2026/03/25 6:36 p.m. · 1 view

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to the handling of WebSocket messages for document structure updates in the Seadoc editor. An attacker can execute arbitrary JavaScript code in the context of other users by injecting malicious payloads...

CVSS 8.7 · AI score 5.9 · EPSS 0.00066
Exploits 1 · References 2
EUVD
added 2026/03/25 6:31 p.m. · 1 view

EUVD-2026-15940

Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15, 13.0.16-pro, 12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...

AI score 5.8 · EPSS 0.00066
Exploits 1 · References 7
OSV
added 2026/03/25 6:31 p.m. · 0 views

GHSA-RQJ3-X344-QVXC Seafile Server has multiple stored XSS vulnerabilities

Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15, 13.0.16-pro, 12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...

CVSS 5.4 · AI score 5.9 · EPSS 0.00066
Exploits 1 · References 8
Github Security Blog
added 2026/03/25 6:31 p.m. · 1 view

Seafile Server has multiple stored XSS vulnerabilities

Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15, 13.0.16-pro, 12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...

CVSS 8.7 · AI score 5.9 · EPSS 0.00066
Exploits 1 · References 8 · Affected software 1
NVD
added 2026/03/25 6:16 p.m. · 1 view

CVE-2026-30587

Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15, 13.0.16-pro, 12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...

CVSS 8.7 · EPSS 0.00066
Exploits 1 · References 6
CVE
added 2026/03/25 12:00 a.m. · 6 views

CVE-2026-30587

CVE-2026-30587 affects Seafile Server and its Seadoc editor, with multiple stored XSS vulnerabilities exploited via WebSocket messages that update document structure. Affected versions include 13.0.15, 13.0.16-pro, and 12.0.14 and prior; fixes are in 13.0.17, 13.0.17-pro, and 12.0.20-pro. The iss...

CVSS 8.7 · AI score 5.8 · EPSS 0.00066
Exploits 1 · References 6 · Affected software 1
Vulnrichment
added 2026/03/25 12:00 a.m. · 0 views

CVE-2026-30587

Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15, 13.0.16-pro, 12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...

AI score 5.9 · EPSS 0.00066
Exploits 1 · References 6
ATTACKERKB
added 2026/03/25 12:00 a.m. · 0 views

CVE-2026-30587

Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15, 13.0.16-pro, 12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...

AI score 5.8 · EPSS 0.00066
Exploits 1 · References 7
Positive Technologies
added 2026/03/25 12:00 a.m. · 1 view

PT-2026-28073

Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15, 13.0.16-pro, 12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...

AI score 5.8 · EPSS 0.00066
Exploits 1 · References 7
EUVD
added 2025/10/03 8:07 p.m. · 1 view

EUVD-2023-2357

Malicious code in bioql PyPI...

CVSS 6.1 · AI score 6.2 · EPSS 0.00191
Exploits 0 · References 6
EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2024-1241

Malicious code in bioql PyPI...

CVSS 6.1 · AI score 6.3 · EPSS 0.00245
Exploits 0 · References 5
vulnersOsv
added 2025/09/24 7:43 p.m. · 1 view

@8btc/excalidraw (>=0.18.0-beta.0 <=0.18.0-beta.4), @airmix/mcp-excalidraw-server (=1.0.6) +297 more potentially affected by CVE-2025-57347 via dagre-d3-es (>=7.0.10 <=7.0.11)

dagre-d3-es NPM version =7.0.10, =0.18.0-beta.0, =0.17.0-alkemio-1, =1.0.0, =0.18.3, =0.18.0, =0.0.1-BETA, =0.18.1, =1.1.4, =0.0.1, =0.15.0, =0.17.1, =0.17.2 - @changmao/reveal-md =6.1.4-chanmao0.0 and more. Source CVEs: CVE-2025-57347. Source advisory: SNYK:JS-DAGRED3ES-13110069...

CVSS 9.8 · AI score 5.8 · EPSS 0.00204
Exploits 0
RedhatCVE
added 2025/05/23 8:35 a.m. · 2 views

CVE-2024-32472

excalidraw is an open source virtual hand-drawn style whiteboard. A stored XSS vulnerability in Excalidraw's web embeddable component. This allows arbitrary JavaScript to be run in the context of the domain where the editor is hosted. There were two vectors. One rendering untrusted string as...

CVSS 6.1 · AI score 5.8 · EPSS 0.00245
Exploits 0 · References 1
RedhatCVE
added 2025/05/23 3:27 a.m. · 3 views

CVE-2023-26140

Versions of the package @excalidraw/excalidraw from 0.0.0 are vulnerable to Cross-site Scripting (XSS) via embedded links in whiteboard objects due to improper input sanitization...

CVSS 6.1 · AI score 6.1 · EPSS 0.00191
Exploits 0 · References 1
Veracode
added 2024/04/18 8:31 a.m. · 22 views

Cross Site Scripting (XSS)

@excalidraw/excalidraw is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to improper sanitization against HTML injection in two vectors: rendering untrusted strings as iframe's srcdoc and attribute HTML injection in conjunction with allowing the allow-same-origin sandbox flag...

CVSS 6.1 · AI score 6.5 · EPSS 0.00245
Exploits 0 · References 4 · Affected software 1