105 matches found

Github Security Blog
added 2026/03/11 12:13 a.m., 1 view

Sylius has a XSS vulnerability in checkout login form

Impact A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response whose message field is rendered into the DOM using innerHTML, allowing any...

CVSS 6.1, AI score 5.9, EPSS 0.00051
Exploits 0, References 3, Affected Software 1
OSV
added 2026/03/11 12:13 a.m., 1 view

GHSA-VGH8-C6FP-7GCG Sylius has a XSS vulnerability in checkout login form

Impact A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response whose message field is rendered into the DOM using innerHTML, allowing any...

CVSS 5.3, AI score 5.9, EPSS 0.00051
Exploits 0, References 3
OSV
added 2026/03/10 9:27 p.m., 1 view

CVE-2026-31822 Sylius has a XSS vulnerability in checkout login form

Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response whose message field is...

CVSS 5.3, AI score 5.6, EPSS 0.00051
Exploits 0, References 3
EUVD
added 2026/02/27 9:30 a.m., 2 views

EUVD-2026-9016

The WP Accessibility plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the 'alt' attribute of images processed by the "Long Description UI" feature in all versions up to, and including, 2.3.1. This is due to the plugin's JavaScript retrieving the alt attribute using...

CVSS 6.4, AI score 6, EPSS 0.00054
Exploits 0, References 7
EUVD
added 2026/02/25 4:04 p.m., 2 views

EUVD-2026-8599

repostat: Reflected Cross-Site Scripting (XSS) via repo prop in RepoCard...

CVSS 6.1, AI score 5.2, EPSS 0.00052
Exploits 1, References 3
CVE
added 2026/02/25 3:48 a.m., 5 views

CVE-2026-27627

Summary: CVE-2026-27627 affects Karakeep’s Reddit metascraper path. In version 0.30.0, the HTML returned as readableContentHtml by the Reddit plugin is consumed directly by the HTML parsing subprocess without DOMPurify sanitization, while other content sources go through Readability + DOMPurify. ...

CVSS 8.2, AI score 5.3, EPSS 0.00056
Exploits 1, References 3, Affected Software 1
OSV
added 2026/02/25 3:48 a.m., 4 views

CVE-2026-27627 Karakeep's Reddit plugin content bypasses DOMPurify sanitization, enabling stored XSS

Karakeep is a self-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns readableContentHtml, the HTML parsing subprocess uses it directly without running it through DOMPurify. Every other content source in the crawler goes through Readability + DOMPurify,...

CVSS 8.2, AI score 5.4, EPSS 0.00056
Exploits 1, References 5
Github Security Blog
added 2026/02/23 10:10 p.m., 9 views

New API has Potential XSS in its MarkdownRenderer component

Summary A potential unsafe operation occurs in component MarkdownRenderer.jsx, allowing for Cross-Site Scripting (XSS) when the model outputs items containing tag. Details Line 212-231 of MarkdownRenderer.jsx is unsafe, it uses dangerouslySetInnerHTML to preview HTML the model generates. This can...

CVSS 7.6, AI score 5.4, EPSS 0.00014
Exploits 1, References 5, Affected Software 1
OSV
added 2026/02/23 10:10 p.m., 2 views

GHSA-299V-8PQ9-5GJQ New API has Potential XSS in its MarkdownRenderer component

Summary A potential unsafe operation occurs in component MarkdownRenderer.jsx, allowing for Cross-Site Scripting (XSS) when the model outputs items containing tag. Details Line 212-231 of MarkdownRenderer.jsx is unsafe, it uses dangerouslySetInnerHTML to preview HTML the model generates. This can...

CVSS 7.6, AI score 5.5, EPSS 0.00014
Exploits 1, References 5
Positive Technologies
added 2026/02/23 12:00 a.m., 5 views

PT-2026-21606

Name of the Vulnerable Software and Affected Versions New API versions prior to 0.10.8-alpha.9 Description The software contains a potential unsafe operation in the MarkdownRenderer.jsx component. This allows for Cross-Site Scripting (XSS) when the model outputs items containing tags. The issue...

CVSS 9.9, AI score 5.3, EPSS 0.00733
Exploits 44, References 123
OSV
added 2026/02/11 8:47 p.m., 1 view

CVE-2026-25935 Vikunja Affected by XSS Via Task Preview

Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets the innerHtml to the description. Since there is no escaping on either the server or client side, a malicious user can share a project, create a malicious task, and cause an XSS o...

CVSS 8.6, AI score 5.5, EPSS 0.00014
Exploits 0, References 6
CVE
added 2026/02/11 8:47 p.m., 9 views

CVE-2026-25935

Technical details for CVE-2026-25935 (Vikunja XSS prior to 1.1.0) are not provided in the supplied documents. Monitor for updates and refer to the fixed version 1.1.0 for remediation context.

CVSS 8.6, AI score 5.5, EPSS 0.00014
Exploits 0, References 4, Affected Software 1
Cvelist
added 2026/02/11 8:47 p.m., 17 views

CVE-2026-25935 Vikunja Affected by XSS Via Task Preview

Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets the innerHtml to the description. Since there is no escaping on either the server or client side, a malicious user can share a project, create a malicious task, and cause an XSS o...

CVSS 8.6, EPSS 0.00014
Exploits 0, References 4
GitLab Advisory Database
added 2026/02/11 12:00 a.m., 4 views

Vikunja Vulnerable to XSS Via Task Preview

The task preview component creates an unparented div. The div's innerHtml is set to the unescaped description of the task...

CVSS 8.6, AI score 5.5, EPSS 0.00014
Exploits 0, References 6, Affected Software 1
Cvelist
added 2026/02/06 9:12 p.m., 26 views

CVE-2026-25516 NiceGUI's XSS vulnerability in ui.markdown() allows arbitrary JavaScript execution through unsanitized HTML content

NiceGUI is a Python-based UI framework. The ui.markdown component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled conten...

CVSS 6.1, EPSS 0.00021
Exploits 1, References 2
Positive Technologies
added 2026/02/05 12:00 a.m., 1 view

PT-2026-6647

Name of the Vulnerable Software and Affected Versions NiceGUI versions prior to 3.7.0 Description The ui.markdown component in NiceGUI does not sanitize user-controlled markdown content before rendering it as HTML via innerHTML. This allows attackers to inject malicious HTML, including JavaScript...

CVSS 6.1, AI score 5.6, EPSS 0.00021
Exploits 1, References 10
Positive Technologies
added 2026/02/04 12:00 a.m., 2 views

PT-2026-6476

Summary An XSS vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. An attacker's maliciously crafted song has to be added to Navidrome to exploit the vulnerability. Details The frontend is using React. In...

CVSS 6.1, AI score 5.5, EPSS 0.00015
Exploits 1, References 6
Snyk
added 2026/02/01 6:26 a.m., 1 view

Cross-site Scripting (XSS)

Overview aiosyslogd is an Asynchronous Syslog server using asyncio, with an optional uvloop integration and SQLite backend. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the dynamic log message highlighter in index.html. An attacker can execute arbitrary...

CVSS 6.1, AI score 5.6
Exploits 0, References 3
NVD
added 2026/01/23 10:16 p.m., 5 views

CVE-2025-70458

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the DomainCheckerApp class within domain/script.js of Sourcecodester Domain Availability Checker v1.0. The vulnerability occurs because the application improperly handles user-supplied data in the createResultElement method by using the...

CVSS 5.4, EPSS 0.00068
Exploits 1, References 2
Positive Technologies
added 2026/01/23 12:00 a.m., 2 views

PT-2026-4534

Name of the Vulnerable Software and Affected Versions Sourcecodester Domain Availability Checker version 1.0 Description A DOM-based Cross-Site Scripting (XSS) issue exists in the DomainCheckerApp class within the domain/script.js file. The application does not properly handle user-supplied data in...

AI score 5.3, EPSS 0.00068
Exploits 1, References 4