CVE-2026-46396

CVE-2026-46396 stems from a stored XSS in HAX CMS prior to 26.0.0, caused by improper sanitization of elements that permit javascript: in the src attribute. When a victim views a page containing such an iframe, arbitrary JavaScript can execute in the browser context, enabling access to sensitive...

Cross-site Scripting (XSS)

Overview @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper sanitization of elements that allow javascript: URIs in the src attribute. An attacker can execute arbitrary JavaScript in the victim's browser...

CVE-2025-48877 Discourse vulnerable to auto-executing of third-party code in embedded CodePen iframe

Discourse is an open-source discussion platform. Prior to version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch, Codepen is present in the default allowediframes site setting, and it can potentially auto-run arbitrary JS...

SUSE CVE-2006-0884

The WYSIWYG rendering engine "rich mail" editor in Mozilla Thunderbird 1.0.7 and earlier allows user-assisted attackers to bypass javascript security settings and obtain sensitive information or cause a crash via an e-mail containing a javascript URI in the SRC attribute of an IFRAME tag, which i...