205 matches found

CVE
added 2026/02/06 9:12 p.m., 8 views

CVE-2026-25516

CVE-2026-25516 affects NiceGUI’s ui.markdown(), according to multiple sources (NVD, Red Hat, OSV, etc.). The vulnerability arises because markdown2’s default behavior allows raw HTML to pass through, enabling attacker-controlled content to inject HTML/JS event handlers when rendered via innerHTML. ui.markdo...

CVSS 6.1, AI score 5.4, EPSS 0.00021
Exploits 1, References 2, Affected Software 1
OSV
added 2026/01/23 10:16 p.m., 1 views

CVE-2025-70458

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the DomainCheckerApp class within domain/script.js of Sourcecodester Domain Availability Checker v1.0. The vulnerability occurs because the application improperly handles user-supplied data in the createResultElement method by using the...

CVSS 5.4, AI score 5.8
Exploits 0, References 2
EUVD
added 2026/01/23 12:0 a.m., 3 views

EUVD-2025-206330

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the DomainCheckerApp class within domain/script.js of Sourcecodester Domain Availability Checker v1.0. The vulnerability occurs because the application improperly handles user-supplied data in the createResultElement method by using the...

AI score 5.5, EPSS 0.00068
Exploits 1, References 2
Cvelist
added 2026/01/23 12:0 a.m., 17 views

CVE-2025-70458

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the DomainCheckerApp class within domain/script.js of Sourcecodester Domain Availability Checker v1.0. The vulnerability occurs because the application improperly handles user-supplied data in the createResultElement method by using the...

EPSS 0.00068
Exploits 1, References 2
Vulnrichment
added 2026/01/23 12:0 a.m., 4 views

CVE-2025-70458

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the DomainCheckerApp class within domain/script.js of Sourcecodester Domain Availability Checker v1.0. The vulnerability occurs because the application improperly handles user-supplied data in the createResultElement method by using the...

AI score 5.9, EPSS 0.00068
Exploits 1, References 2
CVE
added 2026/01/23 12:0 a.m., 8 views

CVE-2025-70458

CVE-2025-70458 affects Sourcecodester Domain Availability Checker v1.0. The DOM-based XSS exists in DomainCheckerApp (domain/script.js) where createResultElement uses unsafe innerHTML to render domain search results, enabling injection. CVSS 3.1 base score 5.4 (MEDIUM). Remediation: update to a f...

CVSS 5.4, AI score 5.5, EPSS 0.00068
Exploits 1, References 2, Affected Software 1
RedhatCVE
added 2025/12/17 9:27 a.m., 2 views

CVE-2025-8082

A flaw was found in Vuetify's VDatePicker component. This vulnerability allows unsanitized HTML to be inserted into the page, leading to a Cross-Site Scripting (XSS) attack via the 'title-date-format' property accepting a user-created function and assigning its output to the 'innerHTML' property...

CVSS 6.3, AI score 5.2, EPSS 0.00026
Exploits 0, References 5
Github Security Blog
added 2025/12/12 9:31 p.m., 5 views

Vuetify has a Cross-site Scripting (XSS) vulnerability in the VDatePicker component

Improper neutralization of the title date in the 'VDatePicker' component in Vuetify allows unsanitized HTML to be inserted into the page. This can lead to a Cross-Site Scripting (XSS, https://owasp.org/www-community/attacks/xss) attack. The vulnerability occurs because the 'title-date-format'...

CVSS 6.3, AI score 5.8, EPSS 0.00026
Exploits 0, References 4, Affected Software 1
Snyk
added 2025/12/12 7:43 p.m., 3 views

Cross-site Scripting (XSS)

Overview: vuetify is a Material Design component framework for Vue.js. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the title-date-format property in the VDatePicker component. An attacker can execute arbitrary scripts in the context of the user's browser by...

CVSS 6.3, AI score 5.4, EPSS 0.00026
Exploits 0, References 2
CVE
added 2025/12/12 6:33 p.m., 8 views

CVE-2025-8082

Vuetify CVE-2025-8082 affects the VDatePicker component where the title-date-format property can output user-generated content which is assigned to innerHTML without sanitization, enabling Cross-Site Scripting. Affected versions are Vuetify 2.0.0 and above up to, but not including, 3.0.0. The iss...

CVSS 6.3, AI score 5.3, EPSS 0.00026
Exploits 0, References 2
NVD
added 2025/12/08 1:15 p.m., 2 views

CVE-2025-42620

In affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting (XSS). On the backend, the related_vulnerabilities field of bundles accepted arbitrary strings without format validation or proper...

CVSS 8.3, EPSS 0.0005
Exploits 0, References 1
CVE
added 2025/12/08 12:15 p.m., 5 views

CVE-2025-42620

The CVE-2025-42620 issue affects Vulnerability-Lookup prior to 2.18.0. The root cause is unsafe handling of user-controlled content in comments and bundles: the backend’s related_vulnerabilities field accepts unvalidated strings, while the frontend converts Markdown to HTML and injects it into th...

CVSS 8.3, AI score 5.7, EPSS 0.0005
Exploits 0, References 1
Cvelist
added 2025/11/18 12:0 a.m., 4 views

CVE-2025-63883

A DOM-based cross-site scripting vulnerability exists in electic-shop v1.0 (Bhabishya-123/E-commerce). The site's client-side JavaScript reads attacker-controlled input (for example, values derived from the URL or page fragment) and inserts it into the DOM via unsafe sinks...

EPSS 0.00013
Exploits 1, References 1
RedhatCVE
added 2025/11/08 12:55 a.m., 4 views

CVE-2025-63785

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the text editor feature of the Onlook web application 0.2.32. This vulnerability occurs because user-supplied input is not properly sanitized before being directly injected into the DOM via innerHTML when editing a text element. An...

CVSS 6.1, AI score 6, EPSS 0.00109
Exploits 1, References 1
EUVD
added 2025/11/07 6:30 p.m., 2 views

EUVD-2025-38263

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the text editor feature of the Onlook web application 0.2.32. This vulnerability occurs because user-supplied input is not properly sanitized before being directly injected into the DOM via innerHTML when editing a text element. An...

AI score 5.5, EPSS 0.00109
Exploits 1, References 3
CVE
added 2025/11/07 12:0 a.m., 10 views

CVE-2025-63785

CVE-2025-63785 affects the Onlook web application (version 0.2.32) in its text editor feature. The root cause is unsafe handling of user input: input is not sanitized before being injected into the DOM via innerHTML when editing a text element, enabling a DOM-based XSS attack. Exploitation would ...

CVSS 6.1, AI score 5.7, EPSS 0.00109
Exploits 1, References 2, Affected Software 1
Positive Technologies
added 2025/11/07 12:0 a.m., 2 views

PT-2025-45527

Name of the Vulnerable Software and Affected Versions: Open WebUI versions 0.6.34 and below. Description: Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. A stored DOM XSS issue exists in the functionality that inserts custom prompts into the chat...

CVSS 8.7, AI score 7.4, EPSS 0.0001
Exploits 2, References 30
Vulnrichment
added 2025/11/07 12:0 a.m., 2 views

CVE-2025-63785

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the text editor feature of the Onlook web application 0.2.32. This vulnerability occurs because user-supplied input is not properly sanitized before being directly injected into the DOM via innerHTML when editing a text element. An...

AI score 5.6, EPSS 0.00109
Exploits 1, References 2
OSV
added 2025/10/20 3:31 p.m., 2 views

GHSA-G955-VW6W-V6PP Citizen vulnerable to stored XSS in sticky header button messages

Summary: The JS implementation for copying button labels to the sticky header in the Citizen skin unescapes HTML characters, allowing for stored XSS through system messages. Details: In the copyButtonAttributes function in stickyHeader.js, when copying the button labels, the innerHTML of the new...

CVSS 6.5, AI score 6, EPSS 0.00033
Exploits 0, References 5
Cvelist
added 2025/10/17 8:29 p.m., 5 views

CVE-2025-62508 Citizen vulnerable to stored XSS in sticky header button messages

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Citizen versions from 3.3.0 to 3.9.0 are vulnerable to stored cross-site scripting in the sticky header button message handling. In stickyHeader.js the copyButtonAttributes function assigns innerHTML from a source element’s...

CVSS 6.5, EPSS 0.00033
Exploits 0, References 3