CVE-2026-9309

Firefox for iOS Reader View did not properly escape HTML tags in JSON-LD metadata. A malicious page could inject markup that changed Reader View behavior and leaked sensitive URL parameters. These parameters could then be used to access internal pages, potentially resulting in arbitrary JavaScrip...

EUVD-2026-33630

Firefox for iOS Reader View did not properly escape HTML tags in JSON-LD metadata. A malicious page could inject markup that changed Reader View behavior and leaked sensitive URL parameters. These parameters could then be used to access internal pages, potentially resulting in arbitrary JavaScrip...

PT-2026-44727

Description symfony/html-sanitizer lets applications sanitise untrusted HTML. UrlAttributeSanitizer is the visitor responsible for validating URL-valued attributes and stripping dangerous schemes from them; it runs on every element regardless of configuration. Whether an attribute is kept is...

CVE-2025-70842

A Stored Cross-Site Scripting XSS vulnerability was discovered in the File Management module of FluentCMS 1.2.3. The flaw allows an authenticated administrator to upload crafted SVG files containing malicious JavaScript code. Once uploaded, the script executes in the browser of any user who...

CVE-2026-4665

The WP Carousel Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted fancybox data-caption attributes in all versions up to, and including, 2.7.10. This is due to the fancybox-config.js script reading the carousel container's id attribute directly from the DOM to...

EUVD-2026-11385

ha-mcp has XSS via Unescaped HTML in OAuth Consent Form...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the svg and icon related components. An authenticated user can execute arbitrary JavaScript in the context of higher-privileged users by injecting malicious scripts that are triggered when those users view t...

CVE-2026-28338

PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's vbhtml and yahtml report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains...

CVE-2026-1571

User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL. An attacker could run script in the device web UI context, potentially enabling credential theft, session hijacking, or unintended...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper handling of reserved data attributes in the Sanitizer::validateAttributes function. An attacker can execute arbitrary JavaScript in the context of the user's browser by injecting malicious scripts...

EUVD-2018-14279

Malware in sbrugna...

EUVD-2018-16961

Malware in sbrugna...

EUVD-2022-31755

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2025-27793

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0,...

CVE-2025-45315

A cross-site scripting XSS vulnerability in the /controller/admin.php endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the email parameter...

CVE-2023-27489

Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS accepts SVG files uploaded by users which could potentially contain JavaScript code. If SVG images are viewed directly, i.e. not rendered in an HTML page, this JavaScript code could execute. This...

CVE-2023-30538

Discourse is an open source platform for community discussion. Due to the improper sanitization of SVG files, an attacker can execute arbitrary JavaScript on the users’ browsers by uploading a crafted SVG file. This issue is patched in the latest stable and tests-passed versions of Discourse. Use...

Cross-site Scripting (XSS)

Overview org.webjars.bowergithub.basecamp:trix is a Rich Text Editor. Affected versions of this package are vulnerable to Cross-site Scripting XSS through the copy and paste functionality. An attacker can execute arbitrary JavaScript code within the user's session by tricking a user into pasting...

Aim 安全漏洞

Aim is an easy-to-use and high-performance open source experiment tracker from Aim Open Source USA. A security vulnerability exists in Aim version 3.23.0, which stems from a failure to properly clean up the Text Explorer component when using dangerouslySetInnerHTML, allowing arbitrary JavaScript ...

Cross-site Scripting (XSS)

Overview laravel/framework is a PHP framework for web artisans. Affected versions of this package are vulnerable to Cross-site Scripting XSS due to improper encoding of request parameters in the debug-mode error page. When the application runs with APPDEBUG=true and encounters an error, the...