257 matches found
EUVD-2024-30448
Malicious code in bioql PyPI...
EUVD-2021-30208
Malicious code in bioql PyPI...
EUVD-2024-38416
Malicious code in bioql PyPI...
GHSA-JQFW-VQ24-V9C3 Vite's `server.fs` settings were not applied to HTML files
Summary Any HTML files on the machine were served regardless of the server.fs settings. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - appType: 'spa' default or appType: 'mpa' i...
PT-2025-36945
Name of the Vulnerable Software and Affected Versions: Halo versions prior to 2.20.13 Description: Halo versions prior to 2.20.13 allow bypassing file type detection, enabling the upload of malicious files, including .exe and .html files. Uploading .html files can trigger stored cross-site...
CVE-2025-58752 Vite's `server.fs` settings were not applied to HTML files
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the server.fs settings. Only apps that explicitly expose the Vite dev server to the network using --host or server.host config option and...
CVE-2025-58752 Vite's `server.fs` settings were not applied to HTML files
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the server.fs settings. Only apps that explicitly expose the Vite dev server to the network using --host or server.host config option and...
CVE-2025-58752
Vite CVE-2025-58752 affects the dev and preview servers when exposed on the network: HTML files on the local machine could be served despite server.fs settings, depending on app exposure and appType configuration. Affected versions are <7.1.5, <7.0.7, <6.3.6, and
PT-2025-35097
Name of the Vulnerable Software and Affected Versions: FormCms version 0.5.5 Description: FormCms version 0.5.5 contains a stored cross-site scripting XSS vulnerability in the avatar upload feature. Authenticated users can upload .html files containing malicious JavaScript, which are accessible v...
PT-2025-31558 · Cs Cart · Cs-Cart
Name of the Vulnerable Software and Affected Versions: CS Cart version 4.18.3 Description: A file upload vulnerability exists that allows attackers to execute arbitrary code. The software allows unrestricted upload of HTML files, which are rendered directly in the browser when accessed. This...
CVE-2024-32657
Hydra is a Continuous Integration service for Nix based projects. Attackers can execute arbitrary code in the browser context of Hydra and execute authenticated HTTP requests. The abused feature allows Nix builds to specify files that Hydra serves to clients. One use of this functionality is...
CVE-2024-10101
A stored cross-site scripting XSS vulnerability exists in binary-husky/gptacademic version 3.83. The vulnerability occurs at the /file endpoint, which renders HTML files. Malicious HTML files containing XSS payloads can be uploaded and stored in the backend, leading to the execution of the payloa...
CVE-2023-47314
Headwind MDM Web panel 5.22.1 is vulnerable to cross-site scripting XSS. The file upload function allows APK and arbitrary files to be uploaded. By exploiting this issue, attackers may upload HTML files and share the download URL pointing to these files with the victims. As the file download...
CVE-2020-29071
An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure rendering of HTML files uploaded to the platform as attachments, when the -htmlview URL is directly accessed. The impact ranges from executing commands as root on the server to retrieving...
CVE-2020-20670
An arbitrary file upload vulnerability in /admin/media/upload of ZKEACMS V3.2.0 allows attackers to execute arbitrary code via a crafted HTML file...
CVE-2019-15614
Missing sanitization in the iOS App 2.24.4 causes an XSS when opening malicious HTML files...
CVE-2005-2055
RealPlayer 8, 10, 10.5 6.0.12.1040-1069, and Enterprise and RealOne Player v1 and v2 allows remote malicious web server to create an arbitrary HTML file that executes an RM file via "default settings of earlier Internet Explorer browsers"...
CVE-2025-46571 Open WebUI vulnerable to limited stored XSS vila uploaded html file
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, low privileged users can upload HTML files which contain JavaScript code via the /api/v1/files/ backend endpoint. This endpoint returns a file id, which can be used to open t...
BIT-DOLIBARR-2020-13239
The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. This causes XSS...
CVE-2024-24570
Statamic is a Laravel and Git powered CMS. HTML files crafted to look like jpg files are able to be uploaded, allowing for XSS. This affects the front-end forms with asset fields without any mime type validation, asset fields in the control panel, and asset browser in the control panel...