269 matches found
CVE-2026-5160
Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting XSS due to improper ordering of URL validation and normalization. The renderer validates link destinations using a prefix-based check IsDangerousURL before resolving HTML entities...
PT-2026-33004
Name of the Vulnerable Software and Affected Versions github.com/yuin/goldmark/renderer/html versions prior to 1.7.17 Description Improper ordering of URL validation and normalization allows Cross-site Scripting XSS. The renderer performs a prefix-based check using the IsDangerousURL function to...
GHSA-95H2-GJ7X-GX9W Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()
EVIDENCE | Disclosed to Vercel H1 | 2026-03-22 no response after 12 days | | Cross-reported here | 2026-04-03 | --- Summary useHeadSafe is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in safely. Internally, the hasDangerousProtocol functio...
Incomplete List of Disallowed Inputs
Overview org.webjars.npm:unhead is a Full-stack manager built for any framework. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the hasDangerousProtocol function though the usage of HtmlEntityHex and HtmlEntityDec RegExp. An attacker can inject malicio...
CVE-2026-39315 Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()
Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in safely. Internally, the hasDangerousProtocol function in packages/unhead/src/plugins/safe.ts decodes HTML...
CVE-2026-39315 Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()
Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in safely. Internally, the hasDangerousProtocol function in packages/unhead/src/plugins/safe.ts decodes HTML...
PT-2026-31676
Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in safely. Internally, the hasDangerousProtocol function in packages/unhead/src/plugins/safe.ts decodes HTML...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to improper ordering of URL validation and normalization. The renderer validates link destinations using a prefix-based check IsDangerousURL before resolving HTML entities. This allows an attacker to bypass...
Improper detection of disallowed URIs by Loofah `allowed_uri?`
Summary Loofah::HTML5::Scrub.alloweduri? does not correctly reject javascript: URIs when the scheme is split by HTML entity-encoded control characters such as carriage return, line feed, or tab. Details The alloweduri? method strips literal control characters before decoding HTML entities. Payloa...
phpMyFAQ has Stored XSS in user list via admin-managed display_name
Summary A stored cross-site scripting XSS vulnerability allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities e.g., img .... When an administrator views the admin user list, the payload is decoded server-si...
CVE-2025-34305 IPFire < v2.29 Stored XSS via Multiple Methods in cleanhtml()
IPFire versions prior to 2.29 Core Update 198 contain multiple stored cross-site scripting XSS vulnerabilities caused by a bug in the cleanhtml function /var/ipfire/header.pl that fails to apply HTML-entity encoding to user input. When an authenticated user submits data to affected endpoints - fo...
CVE-2025-34305 IPFire < v2.29 Stored XSS via Multiple Methods in cleanhtml()
IPFire versions prior to 2.29 Core Update 198 contain multiple stored cross-site scripting XSS vulnerabilities caused by a bug in the cleanhtml function /var/ipfire/header.pl that fails to apply HTML-entity encoding to user input. When an authenticated user submits data to affected endpoints - fo...
EUVD-2007-1025
Malware in sbrugna...
EUVD-2019-3433
Malware in sbrugna...
EUVD-2005-0650
Malware in sbrugna...
EUVD-2021-1606
Malware in sbrugna...
EUVD-2015-6727
Malware in sbrugna...
EUVD-2019-3939
Malware in sbrugna...
EUVD-2019-0036
Malware in sbrugna...
EUVD-2019-0347
Malware in sbrugna...