
96 matches found

NVD
added 2026/02/18 8:18 p.m. · 4 views

CVE-2026-25500

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the javascript: scheme, e.g. javascript:alert1, the...

5.4 CVSS · 0.00224 EPSS
Exploits: 1 · References: 2

ATTACKERKB
added 2026/01/15 4:31 p.m. · 3 views

CVE-2026-22867

LaSuite Doc is a collaborative note-taking, wiki and documentation platform. From 3.8.0 to 4.3.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Interlinking feature. When a user creates a link to another document within the editor, the URL of that link is not validated. An attacke...

8.7 CVSS · 5.9 AI score · 0.0025 EPSS
Exploits: 0 · References: 4 · Affected Software: 1

RedhatCVE
added 2026/01/09 10:57 a.m. · 1 views

CVE-2022-38790

Weave GitOps Enterprise before 0.9.0-rc.5 has a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permission. The exposure appears in Weave GitOps Enterprise UI via a GitopsCluste...

5.4 CVSS · 5.2 AI score · 0.00644 EPSS
Exploits: 1 · References: 1

OSV
added 2025/12/26 6:30 a.m. · 3 views

GHSA-HQ57-C72X-4774 Gitea vulnerable to Cross-site Scripting

In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS...

5.4 CVSS · 6.7 AI score · 0.00222 EPSS
Exploits: 0 · References: 5

OSV
added 2025/12/26 5:16 a.m. · 2 views

CVE-2025-68946

In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS...

5.4 CVSS · 6.8 AI score
Exploits: 0 · References: 3

Veracode
added 2025/12/13 5:25 a.m. · 5 views

Stored Cross-Site Scripting (XSS)

Jenkins AnchorChain Plugin is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability is due to improper validation of URL schemes when generating links from workspace content, allowing attackers to inject javascript: URLs that execute malicious scripts in the Jenkins user interface...

6.5 CVSS · 5.9 AI score · 0.00255 EPSS
Exploits: 0 · References: 2 · Affected Software: 1

Veracode
added 2025/12/13 5:07 a.m. · 4 views

Cross-site Scripting (XSS)

Jenkins Coverage Plugin is vulnerable to a stored Cross-Site Scripting. The vulnerability is caused by missing validation of the coverage results ID when configured via the REST API, allowing attackers with Item/Configure permission to inject a javascript: URL that executes in users’ browsers...

8 CVSS · 5.9 AI score · 0.00257 EPSS
Exploits: 0 · References: 3 · Affected Software: 1

EUVD
added 2025/11/13 3:23 a.m. · 2 views

EUVD-2025-177298

Malicious code in passport-wasat-javascript-link npm...

6.6 AI score
Exploits: 0

Cvelist
added 2025/10/30 9:49 p.m. · 5 views

CVE-2011-10036 Nagios XI < 2011R1.9 XSS via backend_url JavaScript Link Handler

Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of the "backend_url" JavaScript link. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser...

5.1 CVSS · 0.00353 EPSS
Exploits: 0 · References: 2

Vulnrichment
added 2025/10/30 9:49 p.m. · 2 views

CVE-2011-10036 Nagios XI < 2011R1.9 XSS via backend_url JavaScript Link Handler

Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of the "backend_url" JavaScript link. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser...

5.1 CVSS · 5.8 AI score · 0.00353 EPSS
Exploits: 0 · References: 2

NVD
added 2025/10/17 4:15 p.m. · 4 views

CVE-2025-58747

Dify is an LLM application development platform. In Dify versions through 1.9.1, the MCP OAuth component is vulnerable to cross-site scripting when a victim connects to an attacker-controlled remote MCP server. The vulnerability exists in the OAuth flow implementation where the authorizationurl...

6.1 CVSS · 0.05233 EPSS
Exploits: 1 · References: 2

Tenable Nessus
added 2025/08/25 12:00 a.m. · 3 views

Linux Distros Unpatched Vulnerability : CVE-2019-12308

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the...

6.1 CVSS · 6.9 AI score · 0.02563 EPSS
Exploits: 0 · References: 2

RedHat Linux
added 2025/05/14 1:56 a.m. · 6 views

firefox: thunderbird: Process isolation bypass using "javascript:" URI links in cross-origin frames

A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: A process isolation vulnerability in Firefox stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended...

9.1 CVSS · 7.4 AI score · 0.00364 EPSS
Exploits: 0 · References: 10

RedHat Linux
added 2025/05/13 1:59 p.m. · 6 views

firefox: thunderbird: Process isolation bypass using "javascript:" URI links in cross-origin frames

A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: A process isolation vulnerability in Firefox stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended...

9.1 CVSS · 7.4 AI score · 0.00364 EPSS
Exploits: 0 · References: 10

RedHat Linux
added 2025/05/12 12:36 p.m. · 3 views

firefox: thunderbird: Process isolation bypass using "javascript:" URI links in cross-origin frames

A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: A process isolation vulnerability in Firefox stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended...

9.1 CVSS · 7.4 AI score · 0.00364 EPSS
Exploits: 0 · References: 10

Snyk
added 2024/11/29 4:03 p.m. · 2 views

Cross-site Scripting (XSS)

Overview: @tiptap/extension-link is a link extension for tiptap. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links. An attacker can execute arbitrary JavaScript code in the context of the application by...

6.1 CVSS · 5.3 AI score · 0.00302 EPSS
Exploits: 1 · References: 2

Positive Technologies
added 2024/05/30 12:00 a.m. · 3 views

PT-2024-40146 · Typo3 · Typo3

Name of the Vulnerable Software and Affected Versions: TYPO3 (affected versions not specified). Description: The issue concerns Cross-Site Scripting where authorized editors can insert JavaScript commands by using the URL scheme javascript: in all link fields within the TYPO3 installation...

6.1 CVSS · 6.7 AI score
Exploits: 0 · References: 7

CNNVD
added 2024/04/25 12:00 a.m. · 1 views

Red Hat Keycloak Cross-Site Scripting Vulnerability

Red Hat Keycloak is a suite of software from Red Hat, Inc. that provides authentication and management capabilities for modern applications and services. A cross-site scripting vulnerability exists in Red Hat Keycloak, which stems from a flaw found in SAML client registration that could allow an...

6 CVSS · 6 AI score · 0.00711 EPSS
Exploits: 0 · References: 9

CNNVD
added 2024/04/03 12:00 a.m. · 3 views

Mozilla Firefox Security Vulnerability

Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. A security bypass vulnerability exists in Mozilla Firefox for iOS due to a Javascript URL being loaded when dragging to the address bar. An attacker can exploit the vulnerability to bypass restrictions...

4.3 CVSS · 6.4 AI score · 0.00329 EPSS
Exploits: 0 · References: 3

CNNVD
added 2024/01/13 12:00 a.m. · 3 views

QStar Archive Solutions Security Breach

QStar Archive Solutions is QStar's range of storage technologies for managing disk arrays, object storage, tape libraries, optical libraries, WORM, and clouds (private and hybrid). A security vulnerability exists in QStar Archive Solutions RELEASE3-0 Build 7 release that stems from the presence of ...

6.1 CVSS · 6.2 AI score · 0.00409 EPSS
Exploits: 1 · References: 2