254 matches found
Rukovoditel <= 3.2.1 - Cross Site Scripting
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting XSS vulnerability in the Add New Field function at /index.php?module=entities/fields&entitiesid=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name...
CVE-2026-13989
Inappropriate implementation in PageInfo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. Chromium security severity: Medium...
CVE-2026-13899
Use after free in HTML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: Medium...
CVE-2026-13899
Use after free in HTML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: Medium...
Security update for kubevirt
This update for kubevirt fixes the following issues: Update to version 1.7.4, fixes various go embedded security issues: CVE-2025-47911: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents bsc1251420. CVE-2025-47913: golang.org/x/crypto/ssh/agent: clien...
CVE-2026-46492 md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)
md-fileserver allows for local viewing of markdown files in a browser. Prior to version 1.10.3, a cross-site scripting XSS vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including tags—is processed and injecte...
Improper Encoding or Escaping of Output
Overview sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the linkHref field handling. An...
NPM: Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
NPM: Apostrophe has default XSS via xmp raw-text passthrough in sanitize-html vulnerability discovered by ? in WordPress Npm sanitize-html versions 2.17.3...
PT-2026-40445
Name of the Vulnerable Software and Affected Versions efw4.X versions prior to 4.08.010 Description The 'previewServlet' serves files using detected MIME types based on file extensions without applying security headers or content sanitization. Files with extensions such as .html, .htm, or .svg ar...
EUVD-2026-26495
A weakness has been identified in MacCMS Pro up to 2022.1.3. This vulnerability affects the function install of the file /admi.php/admin/addon/add.html of the component Plugin Installation Handler. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remote...
openSUSE 16 Security Update : MozillaFirefox (openSUSE-SU-2026:20621-1)
The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20621-1 advisory. Update to Firefox Extended Support Release 140.10.0 ESR. - MFSA 2026-32 bsc1262230: CVE-2026-6746: Use-after-free in the DOM: Core & HTML...
EUVD-2026-25158
STIG Manager is an API and web client for managing Security Technical Implementation Guides STIG assessments of Information Systems. Versions 1.5.10 through 1.6.7 have a reflected Cross-Site Scripting XSS vulnerability in the OIDC authentication error handling code in src/init.js and...
Linux Distros Unpatched Vulnerability : CVE-2026-6316
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page...
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection in the handling of table captions during the rendering process. An attacker can execute arbitrary code with the privileges of the desktop client by syncing a crafted note containing malicious HTML or JavaScript ...
Cross-site Scripting (XSS)
Overview @pdfme/schemas is a TypeScript base PDF generator and React base UI. Open source, developed by the community, and completely free to use under the MIT license! Affected versions of this package are vulnerable to Cross-site Scripting XSS in the multiVariableText property panel when...
CVE-2026-0902
Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. Chromium security severity: Medium...
SUSE-SU-2026:20089-1 Security update for alloy
This update for alloy fixes the following issues: Upgrade to version 1.12.1. Security issues fixed: - CVE-2025-47911: golang.org/x/net/html: quadratic complexity algorithms used when parsing untrusted HTML documents bsc1251509. - CVE-2025-58190: golang.org/x/net/html: excessive memory consumption...
CVE-2023-4241
lol-html can cause panics on certain HTML inputs. Anyone processing arbitrary 3rd party HTML with the library is affected...
Salvo is vulnerable to reflected XSS in the list_html function
Summary The function listhtml generates an file view of a folder which includes a render of the current path, in which its inserted in the HTML without proper sanitation, leading to reflected XSS. The request path is decoded and normalized in the matching stage but is not inserted raw in the HTML...
SUSE SLED15 / SLES15 Security Update : alloy (SUSE-SU-2026:0028-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0028-1 advisory. Upgrade to version 1.12.1. Security issues fixed: - CVE-2025-47911: golang.org/x/net/html: quadratic complexit...