CVE-2025-27110

Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurit...

CVE-2025-27110 Libmodsecurity3 has possible bypass of encoded HTML entities

Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurit...

CVE-2025-27110

Libmodsecurity3 contains a vulnerability in version 3.0.13 where encoded HTML entities with leading zeroes are not decoded correctly. A fixed release is 3.0.14. Several advisories (Fedora, openSUSE/SUSE, OpenVAS/NASL entries) reference CVE-2025-27110 and mandate/update to 3.0.14 to remediate. The...

ModSecurity 安全漏洞

ModSecurity is an open source, cross-platform web application firewall WAF engine from OWASP ModSecurity Open Source. A security vulnerability exists in ModSecurity version 3.0.13, which stems from an inability to decode encoded HTML entities containing leading zeros...

Cross-Site Scripting (XSS)

@nuxtjs/mdc is vulnerable to cross-site scripting XSS. The vulnerability is due to a deny-list approach in URL parsing that fails to properly filter encoded HTML entities, allowing an attacker to bypass security checks and execute arbitrary JavaScript...

CVE-2025-25187 Cross-site Scripting in Goto Anything allows arbitrary code execution in Joplin

Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React's dangerouslySetInnerHTML, without first escaping HTML entities. Joplin lacks a...

CVE-2025-25187 Cross-site Scripting in Goto Anything allows arbitrary code execution in Joplin

Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React's dangerouslySetInnerHTML, without first escaping HTML entities. Joplin lacks a...

CVE-2024-54142 Cross-site Scripting via Discourse-ai SharedAiConversation onebox in Discourse

Discourse AI is a Discourse plugin which provides a number of AI features. When sharing Discourse AI Bot conversations into posts, if the conversation had HTML entities those could leak into the Discourse application when a user visited a post with a onebox to said conversation. This issue has be...

CVE-2024-54142 Cross-site Scripting via Discourse-ai SharedAiConversation onebox in Discourse

Discourse AI is a Discourse plugin which provides a number of AI features. When sharing Discourse AI Bot conversations into posts, if the conversation had HTML entities those could leak into the Discourse application when a user visited a post with a onebox to said conversation. This issue has be...

CVE-2024-54142

CVE-2024-54142 concerns the Discourse AI plugin for Discourse. When sharing Discourse AI Bot conversations into posts, HTML entities in the conversation could leak into the application when a user visits a post with a onebox, enabling cross-site scripting via user-visible content. The issue is ti...

Discourse AI 跨站脚本漏洞

Discourse AI is an open source AI plugin for Discourse. Discourse AI suffers from a cross-site scripting vulnerability that stems from the fact that when sharing a Discourse AI Bot conversation into a post, if there are HTML entities in the conversation, these entities may be leaked to the...

PT-2025-3019 · Discourse · Discourse Ai

Name of the Vulnerable Software and Affected Versions: Discourse AI affected versions not specified Description: The issue concerns the Discourse AI plugin, which provides AI features. When sharing conversations from the Discourse AI Bot into posts, HTML entities from the conversation could leak...

Denial Of Service (DoS)

Django is vulnerable to a denial-of-service DoS attack. The vulnerability is due to the striptags method and striptags template filter failing to handle inputs with large sequences of nested incomplete HTML entities, allowing an attacker to perform a DoS attack with specially crafted inputs...

OESA-2024-2543 python-django security update

A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: A vulnerability was found in the Django Web Framework. The striptags and stripbtags template filter may be vulnerable to a potential denial of service DoS in cases of a large sequence ...

OESA-2024-2541 python-django security update

A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: A vulnerability was found in the Django Web Framework. The striptags and stripbtags template filter may be vulnerable to a potential denial of service DoS in cases of a large sequence ...

OESA-2024-2539 python-django security update

A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: A vulnerability was found in the Django Web Framework. The striptags and stripbtags template filter may be vulnerable to a potential denial of service DoS in cases of a large sequence ...

Django denial-of-service in django.utils.html.strip_tags()

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The striptags method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities...

CVE-2024-53907

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The striptags method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities...

PYSEC-2024-156

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The striptags method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities...

SUSE CVE-2024-53907

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The striptags method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities...