5936 matches found

CVE
added 2025/05/09 11:37 a.m. · 73 views

CVE-2025-1087

CVE-2025-1087: Kong Insomnia Desktop Application prior to 11.0.2 contains a template injection flaw that allows arbitrary code execution. The issue arises from insufficient validation of user-supplied input during template string processing, enabling arbitrary JavaScript execution within the app...

CVSS 9.3 · AI score 7.7 · EPSS 0.00991
Exploits: 0 · References: 2
Cvelist
added 2025/05/09 11:37 a.m. · 36 views

CVE-2025-1087 Arbitrary Code Execution in Kong Insomnia Desktop Application

Kong Insomnia Desktop Application before 11.0.2 contains a template injection vulnerability that allows attackers to execute arbitrary code. The vulnerability exists due to insufficient validation of user-supplied input when processing template strings, which can lead to arbitrary JavaScript...

CVSS 9.3 · EPSS 0.00991
Exploits: 0 · References: 1
Positive Technologies
added 2025/05/09 12:00 a.m. · 5 views

PT-2025-20551

Name of the Vulnerable Software and Affected Versions: Kong Insomnia Desktop Application versions prior to 11.0.2. Description: The Kong Insomnia Desktop Application is susceptible to a template injection issue. This flaw stems from inadequate validation of user-provided input during template string...

CVSS 9.3 · AI score 7.7 · EPSS 0.00991
Exploits: 0 · References: 20
Tenable Nessus
added 2025/05/09 12:00 a.m. · 10 views

Kibana 7.17.6 < 7.17.24 / 8.4.x < 8.12.0 XSS (ESA-2024-20)

Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim's browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices. Note that Nessus has n...

CVSS 5.4 · AI score 6.1 · EPSS 0.0027
Exploits: 0 · References: 2
CVE
added 2025/05/08 7:27 p.m. · 70 views

CVE-2025-46812

CVE-2025-46812 affects the Trix rich-text editor. Versions before 2.1.15 are vulnerable to XSS when pasting malicious content, enabling execution of arbitrary JavaScript in the user session; this could lead to unauthorized actions or data disclosure. The issue is patched in version 2.1.15. Remedi...

CVSS 5.1 · AI score 6.2 · EPSS 0.00602
Exploits: 0 · References: 2
Cvelist
added 2025/05/08 7:27 p.m. · 36 views

CVE-2025-46812 Trix vulnerable to Cross-site Scripting on copy & paste

Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.15 are vulnerable to XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the...

CVSS 5.1 · EPSS 0.00602
Exploits: 0 · References: 2
OSV
added 2025/05/08 7:27 p.m. · 18 views

CVE-2025-46812 Trix vulnerable to Cross-site Scripting on copy & paste

Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.15 are vulnerable to XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the...

CVSS 5.1 · AI score 6.4 · EPSS 0.00602
Exploits: 0 · References: 4
OSV
added 2025/05/08 8:46 a.m. · 9 views

BIT-OPENCART-2025-1746 Cross-Site Scripting vulnerability in OpenCart

Cross-Site Scripting vulnerability in OpenCart versions prior to 4.1.0. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the search in the /product/search endpoint. This vulnerability could be exploited to steal...

CVSS 6.1 · AI score 6.1 · EPSS 0.00215
Exploits: 0 · References: 2
RedhatCVE
added 2025/05/07 6:25 p.m. · 5 views

CVE-2025-4318

The AWS Amplify Studio UI component property expressions in the aws-amplify/amplify-codegen-ui package lack input validation. This could potentially allow an authenticated user who has access to create or modify components to run arbitrary JavaScript code during the component rendering and build...

CVSS 9.5 · AI score 7 · EPSS 0.01003
Exploits: 0 · References: 1
NVD
added 2025/05/07 6:15 p.m. · 12 views

CVE-2025-46824

The Discourse Code Review Plugin allows users to review GitHub commits on Discourse. Prior to commit eed3a80, an attacker can execute arbitrary JavaScript on users' browsers by posting links to malicious GitHub commits. This problem is patched in commit eed3a80 of the discourse-code-review plugin...

CVSS 3.1 · EPSS 0.00267
Exploits: 0 · References: 4
Positive Technologies
added 2025/05/07 12:00 a.m. · 4 views

PT-2025-20284 · Discourse · Discourse Code Review Plugin

Name of the Vulnerable Software and Affected Versions: Discourse Code Review Plugin versions prior to commit eed3a80. Description: The issue allows an attacker to execute arbitrary JavaScript on users' browsers by posting links to malicious GitHub commits. This is a problem with the Discourse Code...

CVSS 3.1 · AI score 7 · EPSS 0.00267
Exploits: 0 · References: 10
Github Security Blog
added 2025/05/05 8:40 p.m. · 63 views

league/commonmark contains a XSS vulnerability in Attributes extension

Summary: Cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library versions 1.5.0 through 2.6.x allows remote attackers to insert malicious JavaScript calls into HTML. Details: The league/commonmark library provides configuration options such as html_input:...

CVSS 6.4 · AI score 5.3 · EPSS 0.00287
Exploits: 0 · References: 4 · Affected software: 1
NVD
added 2025/05/05 7:15 p.m. · 13 views

CVE-2025-4318

The AWS Amplify Studio UI component property expressions in the aws-amplify/amplify-codegen-ui package lack input validation. This could potentially allow an authenticated user who has access to create or modify components to run arbitrary JavaScript code during the component rendering and build...

CVSS 9.5 · EPSS 0.01003
Exploits: 0 · References: 5
OSV
added 2025/05/05 6:50 p.m. · 5 views

CVE-2025-46719 Open WebUI vulnerable to stored XSS via unescaped markdown token in MarkdownTokens.svelte leading to full account takeover and RCE via functions

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, a vulnerability in the way certain HTML tags in chat messages are rendered allows attackers to inject JavaScript code into a chat transcript. The JavaScript code will be...

CVSS 6.4 · AI score 6.8 · EPSS 0.00431
Exploits: 1 · References: 5
OSV
added 2025/05/05 6:45 p.m. · 8 views

CVE-2025-46571 Open WebUI vulnerable to limited stored XSS via uploaded HTML file

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, low privileged users can upload HTML files which contain JavaScript code via the /api/v1/files/ backend endpoint. This endpoint returns a file id, which can be used to open t...

CVSS 6.3 · AI score 6.9 · EPSS 0.00288
Exploits: 1 · References: 5
CNNVD
added 2025/05/05 12:00 a.m. · 2 views

Amplify Codegen UI security vulnerability

Amplify Codegen UI is an AWS Amplify open source React component generator for use in the AWS Amplify project. A security vulnerability exists in Amplify Codegen UI that stems from a lack of input validation for AWS Amplify Studio UI component property expressions, which could lead to the executi...

CVSS 9.5 · AI score 8.7 · EPSS 0.01003
Exploits: 0 · References: 2
RedhatCVE
added 2025/05/03 2:48 p.m. · 20 views

CVE-2024-11390

Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim's browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices...

CVSS 5.4 · AI score 6.6 · EPSS 0.0027
Exploits: 0 · References: 1
RedhatCVE
added 2025/05/02 9:16 p.m. · 19 views

CVE-2022-27562

Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications...

CVSS 4.6 · AI score 7.1 · EPSS 0.00218
Exploits: 0 · References: 3
RedhatCVE
added 2025/05/02 9:16 p.m. · 16 views

CVE-2022-42449

Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications...

CVSS 4.6 · AI score 7.1 · EPSS 0.00218
Exploits: 0 · References: 3
RedhatCVE
added 2025/05/02 7:20 p.m. · 24 views

CVE-2025-46558

XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown. In versions starting from 8.2 to before 8.9, the Markdown syntax is vulnerable to cross-site scripting (XSS) through HTML. In particular, using Markdown syntax, it's possible for...

CVSS 9 · AI score 5.9 · EPSS 0.00377
Exploits: 1 · References: 1