279 matches found
CVE-2020-11065
In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2, it has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attributes have not been...
symfony/ux-twig-component Unsanitized HTML attribute injection via ComponentAttributes
More info at https://symfony.com/blog/symfony-ux-cve-2025-47946-unsanitized-html-attribute-injection-via-componentattributes...
GHSA-3527-QV2Q-PFVX league/commonmark contains a XSS vulnerability in Attributes extension
Summary Cross-site scripting XSS vulnerability in the Attributes extension of the league/commonmark library versions 1.5.0 through 2.6.x allows remote attackers to insert malicious JavaScript calls into HTML. Details The league/commonmark library provides configuration options such as htmlinput:...
CVE-2025-46734
league/commonmark is a PHP Markdown parser. A cross-site scripting XSS vulnerability in the Attributes extension of the league/commonmark library versions 1.5.0 through 2.6.x allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configurati...
CVE-2025-46734 league/commonmark Cross-site Scripting vulnerability in Attributes extension
league/commonmark is a PHP Markdown parser. A cross-site scripting XSS vulnerability in the Attributes extension of the league/commonmark library versions 1.5.0 through 2.6.x allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configurati...
CVE-2025-46734
league/commonmark is a PHP Markdown parser. A cross-site scripting XSS vulnerability in the Attributes extension of the league/commonmark library versions 1.5.0 through 2.6.x allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configurati...
CVE-2025-46734 league/commonmark Cross-site Scripting vulnerability in Attributes extension
league/commonmark is a PHP Markdown parser. A cross-site scripting XSS vulnerability in the Attributes extension of the league/commonmark library versions 1.5.0 through 2.6.x allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configurati...
CVE-2025-46734
CVE-2025-46734 affects the PHP Markdown parser league/commonmark, specifically the Attributes extension (versions 1.5.0–2.6.x). The vulnerability allows injection of dangerous HTML attributes via Markdown syntax (e.g., curly braces) that can bypass HTML sanitization settings. Version 2.7.0 mitiga...
CVE-2024-55601
A flaw was found in the Hugo static site generator. Some HTML attributes in Markdown in the internal templates do not escape in internal render hooks. Hugo users who do not trust their Markdown content files and are using one or more of these templates are impacted; default/markup/render-link.htm...
SUSE CVE-2024-55601
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are usin...
CVE-2024-55601
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are usin...
CVE-2024-55601 Hugo does not escape some attributes in internal templates
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are usin...
CVE-2024-55601 Hugo does not escape some attributes in internal templates
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are usin...
CVE-2024-55601
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are usin...
CVE-2024-55601
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are usin...
CVE-2024-55601
Hugo, a static site generator, is affected in versions 0.123.0 through 0.139.3 (prior to 0.139.4). The issue: certain HTML attributes in Markdown in internal templates are not escaped in render hooks, specifically in templates _default/_markup/render-link.html (v0.123.0), _default/_markup/render-...
Astra Linux – Vulnerability in Jinja2
Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, which could potentially lead to Cross-Site Scripting XSS. The Jinja xmlattr filter can be...
Remote Code Execution on click of <a> Link in markdown preview
Summary There is a vulnerability in Joplin-desktop that leads to remote code execution RCE when a user clicks on an link within untrusted notes. The issue arises due to insufficient sanitization of tag attributes introduced by the Mermaid. This vulnerability allows the execution of untrusted HTML...
Cross-site Scripting (XSS)
Overview markdown2 is a fast and complete Python implementation of Markdown. Affected versions of this package are vulnerable to Cross-site Scripting XSS within the Markdown class in lib/markdown2.py, which insufficiently sanitizes attribute values. An attacker can exploit this by crafting...
Huawei EulerOS: Security Advisory for python-jinja2 (EulerOS-SA-2024-2676)
The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...