EUVD-2026-22193

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability where the frontend's MdRenderer.vue component parses custom tags from LLM responses or Application Prologue configurations, bypassing standard Markdown sanitizatio...

PT-2026-32585

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability where the frontend's MdRenderer.vue component parses custom tags from LLM responses or Application Prologue configurations, bypassing standard Markdown sanitizatio...

MaxKB 跨站脚本漏洞

MaxKB is an open-source question-answering system based on large language models and RAG, developed by 1Panel-dev. Versions of MaxKB 2.7.1 and earlier contained a cross-site scripting vulnerability. This vulnerability stemmed from the front-end MdRenderer.vue component, which bypassed standard...

Chromium: CVE-2026-5903 Policy bypass in IFrameSandbox

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

SUSE CVE-2026-5903

Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Low...

EUVD-2026-20727

Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Low...

CVE-2026-5903

Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Low...

DEBIAN-CVE-2026-5903

Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Low...

CVE-2026-5903

Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Low...

CVE-2026-5903

Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Low...

CVE-2026-5903

CVE-2026-5903 affects Google Chrome/Chromium prior to 147.0.7727.55, where a flaw in IFrameSandbox allowed a remote attacker to bypass navigation restrictions after convincing a user to perform specific UI gestures via a crafted HTML page. Connected advisories indicate Chromium-based patches exis...

CVE-2026-5903

Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Low...

CVE-2026-5903

Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Low...

CVE-2026-5903

Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Low...

CVE-2026-5903

Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Low...

EUVD-2026-20483

CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting...

GHSA-X3HR-CP7X-44R2 CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting

Summary The Google Maps iframe setting cMap field in compInfosPost sanitizes input using striptags with an allowlist and regex-based removal of on\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an...

Cross-site Scripting (XSS)

Overview ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms Affected versions of this package are vulnerable to Cross-site Scripting XSS in the compInfosPost process. An attacker can execute arbitrary JavaScript in the context of the parent page by injecting an payload containing...

CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting

Summary The Google Maps iframe setting cMap field in compInfosPost sanitizes input using striptags with an allowlist and regex-based removal of on\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an...

CVE-2026-31017

A Server-Side Request Forgery SSRF vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application...