CVE-2026-12047 pgAdmin 4: HTML injection in cloud verify_credentials / deploy endpoints via unsanitised SDK exception text

HTML injection in pgAdmin 4's cloud deployment module. The verifycredentials, deploy, regions, and update-server endpoints under /rds/, /azure/, /google/, and the top-level /cloud/ blueprint propagated AWS / Azure / Google SDK exception text — and the related file-resolution and database-commit...

CVE-2026-55746

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to stored Cross-Site Scripting in the Personal File Storage PFS module. A folder title pfftitle is imported with the 'TXT' filter, which does not strip or encode HTML the tag check in cotimport is disabled, so an authenticated user can...

EUVD-2026-37858

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to stored Cross-Site Scripting in the Personal File Storage PFS module. A folder title pfftitle is imported with the 'TXT' filter, which does not strip or encode HTML the tag check in cotimport is disabled, so an authenticated user can...

PT-2026-50813

Name of the Vulnerable Software and Affected Versions pgAdmin 4 versions 6.6 through 9.15 Description HTML injection is possible in the cloud deployment module. The application propagates exception text from AWS, Azure, and Google SDKs, as well as file-resolution and database-commit exceptions,...

CVE-2026-10850

Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the descriptionhtml field when creating an intake work item through the API v1 intake endpoint...

CVE-2026-50883

An HTML injection vulnerability in the /src/highlight.rs component of matze wastebin v3.4.1 allows attackers to execute arbitrary scripts via a crafted payload...

Exploit for CVE-2026-48849

CVE-2026-48849 - Stored XSS, HTML Injection & CSS Injection in...

PT-2026-49324

Name of the Vulnerable Software and Affected Versions matze wastebin version 3.4.1 Description An HTML injection issue in the /src/highlight.rs component allows attackers to execute arbitrary scripts using a crafted payload. HTML injection is a process where an attacker inserts malicious HTML cod...

CVE-2026-50883

CVE-2026-50883 refers to an HTML injection in the matze wastebin project (v3.4.1) affecting the internal component /src/highlight.rs . The root cause is not explicitly detailed beyond mention of HTML injection via a crafted payload, leading to arbitrary script execution. The vulnerability is rate...

CVE-2026-45669

Nuxt is an open-source web development framework for Vue.js. From versions 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, navigateTo with external: true generates a server-side HTML redirect body containing a tag. The destination URL is only sanitized by replacing " with %22, leaving ,...

SUSE CVE-2026-45106

Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a...

PT-2026-49055

Name of the Vulnerable Software and Affected Versions Fabric.js versions prior to 7.4.0 Description Improper escaping of user-controlled input during SVG serialization via the toSVG method can lead to Cross-Site Scripting XSS. Specifically, the color field within the colorStops array of a...

FreeBSD : Gitlab -- vulnerabilities (ac9bab80-6618-11f1-8e04-2cf05da270f3)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the ac9bab80-6618-11f1-8e04-2cf05da270f3 advisory. Gitlab reports: Improper Access Control issue in Group SAML Identity API impacts GitLab EE...

CVE-2026-11859

An HTML injection vulnerability in the "fetch links" email sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation, Cross-Site Scripting XSS in emails clients that render HTML emails. This issue affects Canarytokens: from Docker tag sha-c0f3cf142 before sha-08c3f93d, from G...

Gitlab -- vulnerabilities

Gitlab reports: Improper Access Control issue in Group SAML Identity API impacts GitLab EE Cross-site Scripting issue in Analytics Dashboard impacts GitLab EE Denial of Service issue in Grape API JSON parsing middleware impacts GitLab CE/EE HTML injection issue in certain group setting fields...

CVE-2026-45106

Weblate (web-based localization tool) is affected by a stored HTML injection/XSS in the live search preview prior to version 2026.5, where unit source and context are rendered without escaping, allowing HTML/CSS that runs in authenticated editors of other users performing a matching search. The i...

CVE-2026-45106 Weblate: Stored HTML injection in editor search preview

Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a...

Litestar has HTML Injection Through its CSRF Token

Overview Litestar instances which use a template engine in conjunction with CSRF protection are vulnerable to HTML Injection which can be escalated to Cross Site Scripting due to the contents of the CSRF cookie being excluded from automatic escaping by the template engine when configured inline...

GHSA-542P-WVX7-72M4 Litestar has HTML Injection Through its CSRF Token

Overview Litestar instances which use a template engine in conjunction with CSRF protection are vulnerable to HTML Injection which can be escalated to Cross Site Scripting due to the contents of the CSRF cookie being excluded from automatic escaping by the template engine when configured inline...

CVE-2026-46609

Umbraco is an ASP.NET CMS. From version 14.0.0 to before version 17.4.0, authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding. This issue has been patched in version 17.4.0...