CVE-2026-40922

SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering incomplete fix for CVE-2026-33066 enabled the Lute HTML sanitizer, but the sanitizer does not block iframe tags, and its URL-prefix blocklist does not...

CVE-2026-40922 SiYuan: Incomplete sanitization of bazaar README allows stored XSS via iframe srcdoc (incomplete fix for CVE-2026-33066)

SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering incomplete fix for CVE-2026-33066 enabled the Lute HTML sanitizer, but the sanitizer does not block iframe tags, and its URL-prefix blocklist does not...

EUVD-2026-23331

SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering incomplete fix for CVE-2026-33066 enabled the Lute HTML sanitizer, but the sanitizer does not block iframe tags, and its URL-prefix blocklist does not...

CVE-2026-40922

SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering incomplete fix for CVE-2026-33066 enabled the Lute HTML sanitizer, but the sanitizer does not block iframe tags, and its URL-prefix blocklist does not...

CVE-2026-40922

CVE-2026-40922 (SiYuan) : In SiYuan versions 3.6.1–3.6.3, an incomplete sanitization of bazaar README rendering allowed stored XSS via iframe srcdoc, escaping Lute HTML sanitizer and enabling embedded scripts to run in the Electron context with full app privileges. The issue stems from the saniti...

SiYuan has incomplete fix for CVE-2026-33066: XSS

Summary The incomplete fix for SiYuan's bazaar README rendering enables the Lute HTML sanitizer but fails to block tags, allowing stored XSS via srcdoc attributes containing embedded scripts that execute in the Electron context. Affected Package - Ecosystem: Go - Package:...

EUVD-2026-20483

CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting...

CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting

Summary The Google Maps iframe setting cMap field in compInfosPost sanitizes input using striptags with an allowlist and regex-based removal of on\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an...

CVE-2026-39390

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting cMap field in compInfosPost sanitizes input using striptags with an allowlist and regex-based removal of...

GHSA-3H6J-9X8M-RG3G Graby has stored XSS via iframe srcdoc Attribute in htmLawed Sanitization Config

Summary Graby's cleanupXss function configures htmLawed with conflicting settings: safe=1 which removes combined with 'elements' = '+iframe-meta' which re-enables . htmLawed does not sanitize the srcdoc attribute, allowing injection of arbitrary JavaScript that executes when the content is render...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the cleanupXss function when sanitizing HTML content with conflicting htmLawed configuration options. An attacker can execute arbitrary JavaScript in the context of the affected application by injecting...

EUVD-2026-11286

Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting XSS vulnerability existed in Notesnook's editor embed component when rendering Twitter/X embed URLs. The tweetToEmbed function in component.tsx interpolated the user-supplied URL...

CVE-2026-26266

AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting XSS vulnerability was identified in the email rendering feature of AliasVault Web Client versions 0.25.3 and lower. When viewing received emails on an alias, the HTML content is rendered in ...

CVE-2026-26266 AliasVault affected by Cross-Site Scripting (XSS) via Email HTML Rendering

AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting XSS vulnerability was identified in the email rendering feature of AliasVault Web Client versions 0.25.3 and lower. When viewing received emails on an alias, the HTML content is rendered in ...

CVE-2026-26266 AliasVault affected by Cross-Site Scripting (XSS) via Email HTML Rendering

AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting XSS vulnerability was identified in the email rendering feature of AliasVault Web Client versions 0.25.3 and lower. When viewing received emails on an alias, the HTML content is rendered in ...

EUVD-2026-9332

AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting XSS vulnerability was identified in the email rendering feature of AliasVault Web Client versions 0.25.3 and lower. When viewing received emails on an alias, the HTML content is rendered in ...

CVE-2025-64747

Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting XSS vulnerability exists in versions prior to 11.13.0 that allows users with upload files and edit item permissions to inject malicious JavaScript through the Block Editor interface...

EUVD-2025-177203

Directus is Vulnerable to Stored Cross-site Scripting...

GHSA-VV2V-PW69-8CRF Directus is Vulnerable to Stored Cross-site Scripting

Summary A stored cross-site scripting XSS vulnerability exists that allows users with upload files and edit item permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy CSP restrictions by combining file uploads with iframe srcdo...

Directus is Vulnerable to Stored Cross-site Scripting

Summary A stored cross-site scripting XSS vulnerability exists that allows users with upload files and edit item permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy CSP restrictions by combining file uploads with iframe srcdo...