427 matches found
CVE-2026-9818
CVE-2026-9818 is rejected/not used; this entry does not represent an active vulnerability.
Linux Distros Unpatched Vulnerability : CVE-2026-27136
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications...
Linux Distros Unpatched Vulnerability : CVE-2026-42506
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications...
CVE-2026-27136 Invoking duplicate attributes can cause XSS in golang.org/x/net/html
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering...
CVE-2026-42502
Summary of CVE-2026-42502 : The vulnerability concerns the Go project’s HTML parsing in the package golang.org/x/net/html. The root cause is an incorrect handling of HTML elements in foreign content during parsing, which can produce an unexpected HTML tree when rendering with Render. This behavio...
Google Go 安全漏洞
Google Go is a static, strongly typed, compiled, concurrent programming language with garbage collection features from the American company Google. There is a security vulnerability in Google Go. This vulnerability arises from parsing arbitrary HTML and using Render for rendering, which may lead ...
Concrete CMS 跨站脚本漏洞
Concrete CMS is an open-source content management system developed by Concrete CMS. Versions of Concrete CMS 9.5.0 and earlier had a cross-site scripting vulnerability. This vulnerability occurred due to the OAuth integration name being rendered using the t translation assistant. As a result, the...
EUVD-2026-31048
mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and renders several of those fields as HTML...
CVE-2026-7460
CVE-2026-7460 affects mailcow-dockerized (2026-03b) and describes a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and render...
PT-2026-42099
Name of the Vulnerable Software and Affected Versions mailcow-dockerized version 2026-03b Description A stored cross-site scripting issue exists in the administrator Queue Manager. The Queue Manager retrieves mail queue entries from the endpoint '/api/v1/get/mailq/all' and copies server-controlle...
CVE-2026-34246
CtrlPanel CVE-2026-34246 affects versions 1.1.1 and earlier. The vulnerability is a Stored XSS in the admin role management interface where datatable() inserts $role->name and $role->color directly into HTML and a .rawColumns(['actions','name']) setting disables automatic escaping. An admin...
CVE-2026-45231
DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can create or updat...
CVE-2026-45231
DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can create or updat...
CVE-2026-45231 DumbAssets 1.0.11 Stored Cross-Site Scripting via Asset Fields
DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can create or updat...
PT-2026-41718
Name of the Vulnerable Software and Affected Versions DumbAssets versions 1.0 through 1.0.11 Description A stored cross-site scripting issue exists in asset fields, specifically name, description, modelNumber, serialNumber, and tags. These fields are stored without server-side sanitization and...
Cross-site Scripting (XSS)
FileBrowser Quantum is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper escaping of user-controlled share metadata fields when rendered in HTML using text/template, which allows an attacker to inject and execute malicious scripts when users visit a shared URL...
CVE-2026-45303 Open WebUI: Stored XSS via the HTML renedering view
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an...
CVE-2026-45303 Open WebUI: Stored XSS via the HTML renedering view
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an...
EUVD-2026-30654
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an...
CVE-2026-45303
Open WebUI vulnerability CVE-2026-45303: Stored XSS via the HTML rendering view affects Open WebUI prior to 0.6.5. The frontend renders chat HTML inside an iframe with sandbox=