Lucene search
K

305 matches found

NVD
NVD
added 2026/05/19 2:16 p.m.16 views

CVE-2025-40902

A Stored HTML Injection vulnerability was discovered in the Users functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can create a malicious user whose username contains HTML tags. When a victim attempts to delete a group containing...

5.9CVSS0.00194EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/19 1:23 p.m.5 views

CVE-2025-40904

A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can push malicious remote strategies containing HTML tags through the sync. When a victim views the affected remo...

6.5CVSS5.8AI score0.00186EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/19 12:0 a.m.12 views

PT-2026-41891

A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can push malicious remote strategies containing HTML tags through the sync. When a victim views the affected remo...

6.5CVSS5.8AI score0.00186EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/19 12:0 a.m.9 views

PT-2026-41888

A Stored HTML Injection vulnerability was discovered in the Credentials Manager functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious identity containing HTML tags. When a victim attempts to delete the affected...

5.9CVSS5.8AI score0.00194EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/14 6:13 p.m.6 views

EUVD-2026-30356

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...

9CVSS5.8AI score0.00361EPSS
Exploits0References1
NVD
NVD
added 2026/05/12 11:16 p.m.16 views

CVE-2026-44245

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that interpolation provides. The PropertyCard.vue component uses...

6.1CVSS0.00183EPSS
Exploits1References1
CVE
CVE
added 2026/05/11 9:47 p.m.23 views

CVE-2026-42554

CVE-2026-42554 describes an XSS in Fiber’s AutoFormat content negotiation. Affected: GoFiber/v3 up to 3.1.0 and GoFiber/v2 up to 2.52.12. Root cause: the html branch of AutoFormat can emit raw, attacker-influenced data wrapped in HTML when the client sends Accept: text/html, enabling injection of...

6.1CVSS6AI score0.00212EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/05/11 7:36 p.m.9 views

GHSA-GHCM-XQFW-Q4VR Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection

Impact Under the default configuration, Mermaid state diagram's classDef allow DOM injection that escapes the SVG, although tags are removed, preventing XSS. Proof-of-concept stateDiagram-v2 classDef xss...

5.3CVSS5.8AI score0.00401EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/05/08 12:0 a.m.15 views

PT-2026-39285

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.7.0 Description An issue exists in the tooltip mouseover handler where the software reads the aria-label attribute and processes it using decodeURIComponent before assigning the result to messageElement.innerHTML. Th...

9.4CVSS6.3AI score0.00509EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/05/07 12:50 p.m.8 views

CVE-2026-6002 HTML Injection in DivvyDrive Information Technologies' DivvyDrive

Improper neutralization of Script-Related HTML tags in a web page basic XSS vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross-Site Scripting XSS. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2...

8.8CVSS5.8AI score0.00327EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/05/06 11:49 p.m.7 views

NPM: hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection

NPM: hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection vulnerability discovered by ? in WordPress Npm hono versions 4.12.16...

6.1CVSS5.8AI score0.0014EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/05/06 7:16 p.m.6 views

CVE-2026-7939

Inappropriate implementation in SanitizerAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to inject arbitrary scripts or HTML UXSS via a crafted HTML page. Chromium security severity: Medium...

5.4CVSS0.00165EPSS
Exploits0References2
Veracode
Veracode
added 2026/05/04 6:1 a.m.8 views

HTML Injection

github.com/abhinavxd/libredesk is vulnerable to stored HTML injection. The vulnerability is due to improper sanitization of user input in the contact notes feature, which allows an attacker to inject arbitrary HTML by manipulating the request and exploit it to perform phishing, CSRF-style actions...

8.6CVSS5.9AI score0.00193EPSS
Exploits1References4Affected Software1
CNNVD
CNNVD
added 2026/04/22 12:0 a.m.11 views

DeepL for Chrome 跨站脚本漏洞

DeepL for Chrome is an open-source translation extension for the Chrome browser developed by DeepL. Versions 1.22.0 to 1.23.0 of DeepL for Chrome contain a cross-site scripting vulnerability. This vulnerability allows attackers to execute arbitrary scripts in the user’s browser and inject malicio...

6.1CVSS6.5AI score0.00168EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/21 4:6 p.m.3 views

CVE-2026-40567 FreeScout has HTML Injection in Outgoing Emails via Unsanitized Customer Name in Signature Variables

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can inject arbitrary HTML into outgoing emails generated by FreeScout by sending an email with a crafted From display name. The name is stored in the database without sanitization a...

5.8CVSS5.9AI score0.00242EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/21 4:6 p.m.5 views

EUVD-2026-24168

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can inject arbitrary HTML into outgoing emails generated by FreeScout by sending an email with a crafted From display name. The name is stored in the database without sanitization a...

5.8CVSS5.9AI score0.00242EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.4 views

PT-2026-34011

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can inject arbitrary HTML into outgoing emails generated by FreeScout by sending an email with a crafted From display name. The name is stored in the database without sanitization a...

5.8CVSS5.9AI score0.00242EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/04/13 12:0 a.m.5 views

PT-2026-32509

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard non-administrative privileges to inject arbitrary HTML into system-generated email notifications by crafting...

4.6CVSS5.8AI score0.00176EPSS
Exploits2References4
EUVD
EUVD
added 2026/04/10 3:34 p.m.20 views

EUVD-2026-21427

Vikunja has HTML Injection via Task Titles in Overdue Email Notifications...

5.4CVSS5.8AI score0.00195EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/04/07 12:0 a.m.13 views

PT-2026-30853

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected...

4.3CVSS5.9AI score0.00192EPSS
Exploits1References2
Rows per page
Query Builder