
105 matches found

ATTACKERKB
added 2026/01/23 12:0 a.m., 0 views

CVE-2025-70458

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the DomainCheckerApp class within domain/script.js of Sourcecodester Domain Availability Checker v1.0. The vulnerability occurs because the application improperly handles user-supplied data in the createResultElement method by using the...

CVSS: 5.4, AI score: 5.9, EPSS: 0.00068
Exploits: 1, References: 3
Snyk
added 2026/01/22 9:41 p.m., 5 views

Cross-site Scripting (XSS)

Overview: solspace/craft-freeform is a flexible and user-friendly form building plugin! Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to the use of the dangerouslySetInnerHTML function in various client and plugin page components. An attacker can execute arbitrar...

CVSS: 5.4, AI score: 6, EPSS: 0.0004
Exploits: 1, References: 2
Veracode
added 2025/12/13 6:31 a.m., 3 views

Stored Cross Site Scripting (XSS)

starcitizentools/citizen-skin is vulnerable to Stored Cross Site Scripting (XSS). The vulnerability is due to improper handling of system message content in the sticky header, where innerHTML is assigned from user-editable message text, which allows an attacker with interface message edit privilege...

CVSS: 6.5, AI score: 6.5, EPSS: 0.00033
Exploits: 0, References: 5, Affected Software: 1
EUVD
added 2025/12/12 9:31 p.m., 4 views

EUVD-2025-203124

Vuetify has a Cross-site Scripting (XSS) vulnerability in the VDatePicker component...

CVSS: 6.3, AI score: 5.7, EPSS: 0.00026
Exploits: 0, References: 4
Snyk
added 2025/12/12 7:43 p.m., 2 views

Cross-site Scripting (XSS)

Overview: org.webjars.npm:vuetify is a Material Design component framework for Vue.js. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the title-date-format property in the VDatePicker component. An attacker can execute arbitrary scripts in the context of the...

CVSS: 6.3, AI score: 5.4, EPSS: 0.00026
Exploits: 0, References: 2
Vulnrichment
added 2025/12/12 6:33 p.m., 5 views

CVE-2025-8082 Vuetify XSS via unsanitized 'titleDateFormat' in 'VDatePicker'

Improper neutralization of the title date in the 'VDatePicker' component in Vuetify allows unsanitized HTML to be inserted into the page. This can lead to a Cross-Site Scripting (XSS, https://owasp.org/www-community/attacks/xss) attack. The vulnerability occurs because the 'title-date-format'...

CVSS: 6.3, AI score: 5.3, EPSS: 0.00026
Exploits: 0, References: 2
OSV
added 2025/12/02 6:32 p.m., 3 views

CVE-2025-66459 Lookyloo vulnerable to XSS due to unescaped error message passed to innerHTML

Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, an XSS vulnerability can be triggered when a user submits a list of URLs to capture, one of them contains an HTML element, and the capture fails. Then, t...

CVSS: 5.3, AI score: 5.9, EPSS: 0.00028
Exploits: 0, References: 6
RedhatCVE
added 2025/11/10 5:22 a.m., 3 views

CVE-2025-64495

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. In versions 0.6.34 and below, the functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Prompt as Rich Text' is enabled, since the prompt body is...

CVSS: 8.7, AI score: 6.2, EPSS: 0.0001
Exploits: 2, References: 1
CNNVD
added 2025/11/08 12:0 a.m., 1 views

Open WebUI Cross-Site Scripting Vulnerability

Open WebUI is an extensible, feature-rich, user-friendly self-hosted WebUI from Open WebUI open source. A cross-site scripting vulnerability exists in Open WebUI version 0.6.34 and earlier, which stems from a failure to clean up the prompt body when assigning it to the DOM receiver innerHtml, whi...

CVSS: 8.7, AI score: 5.8, EPSS: 0.0001
Exploits: 2, References: 4
Snyk
added 2025/11/07 3:25 p.m., 1 views

Cross-site Scripting (XSS)

Overview: open-webui is an Open WebUI. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the replaceCommandWithText function, by allowing user-controlled HTML from a prompt body to be passed to tempDiv.innerHTML without proper sanitization. An attacker can execute...

CVSS: 8.7, AI score: 6.2, EPSS: 0.0001
Exploits: 2, References: 2
Positive Technologies
added 2025/11/07 12:0 a.m., 2 views

PT-2025-45471

Name of the Vulnerable Software and Affected Versions: Onlook versions 0.2.32. Description: A DOM-based Cross-Site Scripting (XSS) issue exists in the text editor feature. The problem arises because user-supplied input is not properly sanitized before being injected into the DOM via innerHTML when...

AI score: 5.9, EPSS: 0.0009
Exploits: 1, References: 4
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2025-25220

Malicious code in bioql PyPI...

CVSS: 5.1, AI score: 6.3, EPSS: 0.00046
Exploits: 0, References: 5
Cvelist
added 2025/09/25 12:0 a.m., 6 views

CVE-2025-60249

vulnerability-lookup 2.16.0 allows XSS in bundle.py, comment.py, and user.py, by a user on a vulnerability-lookup instance who can add bundles, comments, or sightings. A cross-site scripting (XSS) vulnerability was discovered in the handling of user-supplied input in the Bundles, Comments, and...

CVSS: 6.4, EPSS: 0.00035
Exploits: 0, References: 1
GithubExploit
added 2025/09/24 10:32 a.m., 140 views

hunar-2intern-Project

Hunar Intern — XSS Fix Assignment-2 Summary I found an X...

AI score: 6.4
Exploits: 0
OSV
added 2025/09/18 8:4 p.m., 2 views

GHSA-M79R-R765-5F9J Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages

Summary: We identified a cross-site scripting (XSS) vulnerability when handling chat message in lobe-chat that can be escalated to remote code execution on the user’s machine. Any party capable of injecting content into chat messages, such as hosting a malicious page for prompt injection, operating ...

CVSS: 7.7, AI score: 6.6, EPSS: 0.00163
Exploits: 1, References: 9
NVD
added 2025/09/18 3:15 p.m., 4 views

CVE-2025-59417

Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.129.4, there is a cross-site scripting (XSS) vulnerability when handling chat message in lobe-chat that can be escalated to remote code execution on the user’s machine. In lobe-chat, when the response from the...

CVSS: 7.7, EPSS: 0.00163
Exploits: 1, References: 2
NVD
added 2025/09/15 5:15 p.m., 2 views

CVE-2025-58172

drawnix is an all in one open-source whiteboard tool. In drawnix versions through 0.2.1, a cross-site scripting (XSS) vulnerability exists in the debug logging functionality. User controlled content is inserted directly into the DOM via innerHTML without sanitization when the global function...

CVSS: 5.3, EPSS: 0.00185
Exploits: 0, References: 2
Vulnrichment
added 2025/09/15 4:43 p.m., 4 views

CVE-2025-58172 drawnix debug logging cross-site scripting vulnerability

drawnix is an all in one open-source whiteboard tool. In drawnix versions through 0.2.1, a cross-site scripting (XSS) vulnerability exists in the debug logging functionality. User controlled content is inserted directly into the DOM via innerHTML without sanitization when the global function...

CVSS: 5.3, AI score: 5.8, EPSS: 0.00185
Exploits: 0, References: 2
CNNVD
added 2025/09/15 12:0 a.m., 2 views

drawnix Cross-Site Scripting Vulnerability

drawnix is a whiteboard tool from plait-board open source. A cross-site scripting vulnerability exists in drawnix 0.2.1 and earlier versions, which stems from not cleaning up user input and inserting it directly into the DOM via innerHTML, which may lead to cross-site scripting attacks...

CVSS: 5.3, AI score: 6, EPSS: 0.00185
Exploits: 0, References: 2
RedhatCVE
added 2025/09/11 8:27 p.m., 5 views

CVE-2025-58768

DeepChat is a smart assistant that uses artificial intelligence. Prior to version 0.3.5, in the Mermaid chart rendering component, there is a risky operation of directly using innerHTML to set user content. Therefore, any malicious content rendered via Mermaid will directly trigger the exploit chain,...

CVSS: 9.6, AI score: 7, EPSS: 0.00198
Exploits: 1, References: 1