11 matches found
CVE-2026-31906
CVE-2026-31906 affects Apache OFBiz up to version 24.09.05 (pre-24.09.06). The issue is an improper neutralization of input during web page generation, i.e., Cross-Site Scripting (XSS). Some sources describe it as a reflected XSS due to improper HTML attribute escaping in layered-modal dialog par...
CVE-2026-40479 Kimai: Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget
Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml function in KimaiEscape.js does not escape double quote or single quote characters. When a user's profile alias is inserted into an HTML attribute context via the team member form prototype and...
CVE-2026-40479
CVE-2026-40479 (Kimai): Concrete details across multiple sources show a stored XSS vulnerability caused by an incomplete escape in the client-side escapeForHtml() in KimaiEscape.js. Affected versions are 1.16.3 through 2.52.0; the issue arises when a user-controlled profile alias is injected int...
Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget
Summary: The client-side escapeForHtml function in KimaiEscape.js, introduced in commit 89bfa82c 2959 to fix a JavaScript XSS vulnerability, only escapes <, > and & but does not escape " (double quote) or ' (single quote). When user-controlled data (profile alias) is placed in an HTML attribute context...
DRUPAL-CONTRIB-2026-032
The IframeConsent element writes HTML attributes without escaping their value. This module has an XSS vulnerability. If an attacker is able to write an tag, they may be able to insert arbitrary JavaScript. This vulnerability is mitigated by the fact that a text format that allows iframe-consent HT...
Cross-site Scripting (XSS)
prosemirrortohtml is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper escaping of HTML attribute values, which allows an attacker to inject and execute arbitrary JavaScript code through crafted input...
Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values
Impact: The prosemirrortohtml gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code. Who is impacted: - Any application using...
EUVD-2022-24394
Malicious code in bioql PyPI...
GHSA-C2XF-9V2R-R2RX Hugo does not escape some attributes in internal templates
Impact: Some HTML attributes in Markdown in the internal templates listed below are not escaped. Impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates. default/markup/render-link.html from v0.123.0 default/markup/render-image.html from...
Hugo cross-site scripting vulnerability
Hugo is a Go-based framework for rapid static site generation from the Gohugoio community. A cross-site scripting vulnerability exists in Hugo versions prior to 0.123.0 through 0.139.4, which stems from improperly escaping HTML attributes in certain Markdown in internal rendering hooks...
SUSE CVE-2009-1714
Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in Apple Safari before 4.0 allows user-assisted remote attackers to inject arbitrary web script or HTML, and read local files, via vectors related to the improper escaping of HTML attributes...