457 matches found
CVE-2021-32702
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before and including 1.4.1 are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the error query parameter which is then processed by the...
CVE-2021-44263
Gurock TestRail before 7.2.4 mishandles HTML escaping...
Cross-site Scripting (XSS)
github.com/beego/beego is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper HTML escaping due to user-controlled data not being sanitized in the RenderForm function...
CVE-2025-30223
Beego is an open-source web framework for the Go programming language. Prior to 2.3.6, a Cross-Site Scripting XSS vulnerability exists in Beego's RenderForm function due to improper HTML escaping of user-controlled data. This vulnerability allows attackers to inject malicious JavaScript code that...
CVE-2024-45699
The endpoint /zabbix.php?action=export.valuemaps suffers from a Cross-Site Scripting vulnerability via the backurl parameter. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the abo...
CVE-2024-45699
The endpoint /zabbix.php?action=export.valuemaps suffers from a Cross-Site Scripting vulnerability via the backurl parameter. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the abo...
CVE-2024-45699
CVE-2024-45699 affects Zabbix frontend: /zabbix.php?action=export.valuemaps is vulnerable to XSS via the backurl parameter due to reflecting user input without HTML escaping. Impact described as JavaScript execution in victim browser. Remediation is version-specific updates across distributions (...
CVE-2025-30223
Beego (Go framework) contains an XSS vulnerability in RenderForm() up to version 2.3.5, caused by improper HTML escaping of user-controlled data. This allows injection of attacker-controlled JavaScript in rendered forms, potentially enabling session hijacking, credential theft, or account takeove...
Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS)
Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments. For instance, ?text= would trigger XSS here. js const text = createResource = return new...
CVE-2025-27109 Lack of Escaping of HTML in JSX Fragments allows for Cross-site Scripting in solid-js
solid-js is a declarative, efficient, and flexible JavaScript library for building user interfaces. In affected versions Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments. This issue has...
CVE-2025-27109 Lack of Escaping of HTML in JSX Fragments allows for Cross-site Scripting in solid-js
solid-js is a declarative, efficient, and flexible JavaScript library for building user interfaces. In affected versions Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments. This issue has...
CVE-2024-31996
XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, the HTML escaping of escaping tool that is used in XWiki doesn't escape , which, when used in certain places, allows XWiki syntax injection and thereby remote code execution...
postorius -- XSS
NIST reports: Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026...
OESA-2025-1074 podman security update
Podman manages the entire container ecosystem which includes pods, containers, container images, and container volumes using the libpod library. Security Fixes: A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in...
GHSA-QWJ6-Q94F-8425 MathLive's Lack of Escaping of HTML allows for XSS
Summary Despite normal text rendering as LaTeX expressions, preventing XSS, the library also provides users with commands which may modify HTML, such as the \htmlData command, and the lack of escaping leads to XSS. Details Overall in the code, other than in the test folder, no functions escaping...
MathLive's Lack of Escaping of HTML allows for XSS
Summary Despite normal text rendering as LaTeX expressions, preventing XSS, the library also provides users with commands which may modify HTML, such as the \htmlData command, and the lack of escaping leads to XSS. Details Overall in the code, other than in the test folder, no functions escaping...
DEBIAN-CVE-2024-55601
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are usin...
OpenRefine's error page lacks escaping, leading to potential Cross-site Scripting on import of malicious project
Summary The built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this...
GHSA-J8HP-F2MJ-586G OpenRefine's error page lacks escaping, leading to potential Cross-site Scripting on import of malicious project
Summary The built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this...
Minecraft MOTD Parser's HtmlGenerator vulnerable to XSS
Summary The HtmlGenerator class is subject to potential cross-site scripting XSS attack through a parsed malformed Minecraft server MOTD. Context Minecraft server owners can set a so-called MOTD Message of the Day for their server that appears next to the server icon and below the server name on...