Lucene search
+L

15892 matches found

NVD
NVD
added 4 hours ago6 views

CVE-2026-49210

Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml interpolates the client-controlled childrenid.tag value from LiveComponentSubscriber and InterceptChildComponentRenderSubscriber directly in...

2.3CVSS
Exploits0References4
Cvelist
Cvelist
added 5 hours ago9 views

CVE-2026-49210 Symfony UX: XSS in symfony/ux-live-component via attacker-controlled child component tag

Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml interpolates the client-controlled childrenid.tag value from LiveComponentSubscriber and InterceptChildComponentRenderSubscriber directly in...

2.3CVSS
Exploits0References4
Vulnrichment
Vulnrichment
added 5 hours ago5 views

CVE-2026-49210 Symfony UX: XSS in symfony/ux-live-component via attacker-controlled child component tag

Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml interpolates the client-controlled childrenid.tag value from LiveComponentSubscriber and InterceptChildComponentRenderSubscriber directly in...

2.3CVSS5.4AI score
Exploits0References4
Nuclei
Nuclei
added 17 hours ago14 views

WordPress Ultimate FAQs <= 1.8.24 – Unauthenticated HTML Content Injection

Functions/EWDUFAQImport.php in the ultimate-faqs plugin through 1.8.24 for WordPress allows HTML content injection. id: CVE-2019-17233 info: name: WordPress Ultimate FAQs = 1.8.24 – Unauthenticated HTML Content Injection author: daffainfo severity: medium description: | Functions/EWDUFAQImport.ph...

6.1CVSS7.3AI score0.01843EPSS
Exploits1References2
Nuclei
Nuclei
added 17 hours ago41 views

osTicket < 1.10.2 - Cross-Site Scripting

Cross-site scripting XSS vulnerability in /scp/index.php in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the "sort" parameter. id: CVE-2018-7196 info: name: osTicket 1.10.2 - Cross-Site Scripting author: ritikchaddha severity: medium...

6.1CVSS6.3AI score0.02482EPSS
Exploits1References2
Nuclei
Nuclei
added 17 hours ago30 views

WordPress Integrator 1.32 - Cross-Site Scripting

A cross-site scripting vulnerability in wp-integrator.php in the WordPress Integrator module 1.32 for WordPress allows remote attackers to inject arbitrary web script or HTML via the redirectto parameter to wp-login.php. id: CVE-2012-5913 info: name: WordPress Integrator 1.32 - Cross-Site Scripti...

4.3CVSS5.2AI score0.08732EPSS
Exploits1References5
OSV
OSV
added 2 days ago4 views

MGASA-2026-0254 Updated python-mistune package fixes security vulnerabilities

The updated python-mistune package fixes two security vulnerablities: Prior to 3.2.1, rendertocul builds a table-of-contents tree from a list of level, id, text tuples. Both the id value used as href="" and the text value used as the visible link label are inserted into tags via a plain Python...

8.7CVSS6.2AI score0.0035EPSS
Exploits1References4
NVD
NVD
added 3 days ago6 views

CVE-2026-47730

Twig is a template language for PHP. From 3.0.0 until 3.26.0, Twig\Profiler\Dumper\HtmlDumper writes Profile::getTemplate and Profile::getName into HTML output without escaping, allowing attacker-controlled template or profile names to inject arbitrary HTML when a browser renders the profiler dum...

5.4CVSS0.00169EPSS
Exploits0References3
NVD
NVD
added 3 days ago4 views

CVE-2026-42447

jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx-gui is affected by an HTML injection vulnerability in the Summary tab because SummaryNode.java appends arches and perArchCount values derived from .so file path components inside an APK into an HTML panel without escaping. A malicious APK wit...

3.6CVSS0.00139EPSS
Exploits0References3
Cvelist
Cvelist
added 3 days ago33 views

CVE-2026-42447 jadx: HTML Injection in Summary panel

jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx-gui is affected by an HTML injection vulnerability in the Summary tab because SummaryNode.java appends arches and perArchCount values derived from .so file path components inside an APK into an HTML panel without escaping. A malicious APK wit...

3.6CVSS0.00139EPSS
Exploits0References3
CVE
CVE
added 3 days ago9 views

CVE-2026-42447

CVE-2026-42447 affects jadx (Dex to Java decompiler). The HTML injection occurs in the Summary tab via SummaryNode.java, which unescapes and inserts path components from an APK’s .so file entries into HTML without escaping. A malicious APK with a crafted HTML URL-encoded ZIP entry name can render...

3.6CVSS6.2AI score0.00139EPSS
Exploits0References3
OSV
OSV
added 3 days ago3 views

CVE-2026-42447 jadx: HTML Injection in Summary panel

jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx-gui is affected by an HTML injection vulnerability in the Summary tab because SummaryNode.java appends arches and perArchCount values derived from .so file path components inside an APK into an HTML panel without escaping. A malicious APK wit...

3.6CVSS6.2AI score0.00139EPSS
Exploits0References5
NVD
NVD
added 4 days ago6 views

CVE-2026-58500

MCP Appium is an MCP server that provides AI assistants with tools to automate mobile app testing on Android and iOS. In versions prior to 1.85.10, the createLocatorGeneratorUI function interpolates attacker-controlled element attributes — text, content-desc, resource-id, and locator selector...

8.2CVSS0.00276EPSS
Exploits0References2
OSV
OSV
added 4 days ago3 views

CVE-2026-58487 HedgeDoc: Stored HTML injection via email local-part

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to version 1.11.0, due to unsafe handling of the local-part of registered email addresses, HedgeDoc was vulnerable to stored HTML Injection through its publish and slide views. An attacker could register a...

5.1CVSS6.2AI score0.00358EPSS
Exploits0References3
CVE
CVE
added 4 days ago7 views

CVE-2026-58487

HedgeDoc before version 1.11.0 is vulnerable to stored HTML injection via the local-part of registered email addresses. An attacker could register a specially crafted email, reuse the local-part as the display name, and inject HTML into pages viewed by others (publish, slide views, and collaborat...

5.1CVSS6.2AI score0.00358EPSS
Exploits0References1
Cvelist
Cvelist
added 4 days ago32 views

CVE-2026-58487 HedgeDoc: Stored HTML injection via email local-part

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to version 1.11.0, due to unsafe handling of the local-part of registered email addresses, HedgeDoc was vulnerable to stored HTML Injection through its publish and slide views. An attacker could register a...

5.1CVSS0.00358EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 4 days ago6 views

PT-2026-57883

Name of the Vulnerable Software and Affected Versions MCP Appium versions prior to 1.85.10 Description The createLocatorGeneratorUI function fails to escape HTML or JavaScript context when interpolating element attributes—specifically text, content-desc, resource-id, and locator selector...

8.2CVSS6.2AI score0.00276EPSS
Exploits0References4
NVD
NVD
added 5 days ago9 views

CVE-2026-61876

LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. Attackers can send a DHCPv6 Client FQDN containing script tags that execute in the administrator's browser when viewing DHCP lease pages...

9.4CVSS0.002EPSS
Exploits0References2
EUVD
EUVD
added 5 days ago7 views

EUVD-2026-43236

LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. Attackers can send a DHCPv6 Client FQDN containing script tags that execute in the administrator's browser when viewing DHCP lease pages...

9.4CVSS6.2AI score0.002EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 5 days ago12 views

PT-2026-57560

Name of the Vulnerable Software and Affected Versions LuCI affected versions not specified Description LuCI fails to properly encode DHCPv6 lease hostnames before rendering them in status tables. This allows attackers on the same network to inject HTML markup by sending a DHCPv6 Client FQDN...

9.4CVSS6.2AI score0.002EPSS
Exploits0References8
Rows per page
Query Builder