PT-2026-22621

Chamilo is a learning management system. Prior to version 1.11.30, the open parameter of help.php fails to properly sanitize user input. This allows an attacker to inject arbitrary HTML, such as underlined text, via a crafted URL. This issue has been patched in version 1.11.30...

Exploit for CVE-2026-2472

Unauthenticated Stored Cross-Site Scripting XSS in genai/e...

CVE-2026-24351

PluXml CMS is vulnerable to Stored XSS in Static Pages editing functionality. Attacker with editing privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. The vendor was notified early about this vulnerability, but didn't respond with...

CVE-2026-24351

PluXml CMS is affected by CVE-2026-24351 (Stored XSS in Static Pages editing). An attacker with editing privileges can inject arbitrary HTML/JS that is rendered when visiting the edited page. Vulnerable confirmed in versions 5.8.21 and 5.9.0-rc7; other versions were not tested and might also be v...

GO-2026-4552 Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module in code.vikunja.io/api

Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module in code.vikunja.io/api...

EUVD-2026-8800

Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers...

GHSA-QGVG-PR8V-6RR3 Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers

Errors from transformError were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from transformError...

EUVD-2026-8799

Svelte vulnerable to XSS during SSR with contenteditable bind:innerText and bind:textContent...

GHSA-PHWV-C562-GVMH Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`

The contents of bind:innerText and bind:textContent on contenteditable elements were not properly escaped. This could enable HTML injection and Cross-site Scripting XSS if rendering untrusted data as the binding's initial value on the server...

CVE-2026-27902

A cross-site scripting XSS vulnerability was found in Svelte’s server-side rendering SSR error handling. Error messages returned from the transformError function were not properly escaped before being embedded into HTML output within hydration markers. If an application returns attacker-controlle...

CVE-2026-27902

Svelte performance oriented web framework. Prior to version 5.53.5, errors from transformError were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from transformError. Version 5.53.5 fixes the...

CVE-2026-27901

Svelte performance oriented web framework. Prior to version 5.53.5, the contents of bind:innerText and bind:textContent on contenteditable elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting XSS if rendering untrusted data as the binding's initial value o...

CVE-2026-27902

Svelte performance oriented web framework. Prior to version 5.53.5, errors from transformError were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from transformError. Version 5.53.5 fixes the...

CVE-2026-27901

Svelte performance oriented web framework. Prior to version 5.53.5, the contents of bind:innerText and bind:textContent on contenteditable elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting XSS if rendering untrusted data as the binding's initial value o...

PT-2026-22077

Svelte performance oriented web framework. Prior to version 5.53.5, errors from transformError were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from transformError. Version 5.53.5 fixes the...

PT-2026-22076

Name of the Vulnerable Software and Affected Versions Svelte versions prior to 5.53.5 Description Svelte, a performance-oriented web framework, had an issue where the contents of bind:innerText and bind:textContent on contenteditable elements were not properly escaped in versions prior to 5.53.5...

CVE-2026-27116

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the filter URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While and are blocked, , ,...

GHSA-4QGR-4H56-8895 Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module

Summary Vikunja is an open-source self-hosted task management platform with 3,300+ GitHub stars. A reflected HTML injection vulnerability exists in the Projects module where the filter URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While and are...

CVE-2026-27116 Vikunja has Reflected HTML Injection via filter Parameter in Projects Module

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the filter URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While and are blocked, , ,...

CVE-2026-27116 Vikunja has Reflected HTML Injection via filter Parameter in Projects Module

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the filter URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While and are blocked, , ,...