Astra Linux – Vulnerability in ruby-loofah

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah = 2.2.0; versions before 2.19.1 use recursion to sanitize CDATA sections, which can lead to stack exhaustion and raise a SystemStackError exception. This may result in ...

Astra Linux – Vulnerability in ruby-loofah

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built upon the Nokogiri framework. Loofah 2.19.1 contains a inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lea...

Astra Linux – Vulnerability in ruby-loofah

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah = 2.1.0; versions less than 2.19.1 are vulnerable to cross-site scripting due to the image/svg+xml media type in data URIs. This issue has been fixed in version 2.19.1...

Astra Linux – Vulnerability in ruby-rails-html-sanitizer

Rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions starting from 1.0.3 and before 1.4.4 are vulnerable to cross-site scripting through data URIs when used in conjunction with Loofah version 2.1.0 or higher. This issue has been fixed in version 1.4.4...

Loofah has improper detection of disallowed URIs via `allowed_uri?`

Summary Loofah::HTML5::Scrub.alloweduri? does not correctly reject javascript: URIs when the scheme is split by HTML entity-encoded control characters such as carriage return, line feed, or tab. Details The alloweduri? method strips literal control characters before decoding HTML entities. Payloa...

GHSA-2J22-PR5W-6GQ8 Loofah has improper detection of disallowed URIs via `allowed_uri?`

Summary Loofah::HTML5::Scrub.alloweduri? does not correctly reject javascript: URIs when the scheme is split by HTML entity-encoded control characters such as carriage return, line feed, or tab. Details The alloweduri? method strips literal control characters before decoding HTML entities. Payloa...

GHSA-46FP-8F5P-PF2M Improper detection of disallowed URIs by Loofah `allowed_uri?`

Summary Loofah::HTML5::Scrub.alloweduri? does not correctly reject javascript: URIs when the scheme is split by HTML entity-encoded control characters such as carriage return, line feed, or tab. Details The alloweduri? method strips literal control characters before decoding HTML entities. Payloa...

Improper detection of disallowed URIs by Loofah `allowed_uri?`

Summary Loofah::HTML5::Scrub.alloweduri? does not correctly reject javascript: URIs when the scheme is split by HTML entity-encoded control characters such as carriage return, line feed, or tab. Details The alloweduri? method strips literal control characters before decoding HTML entities. Payloa...

Cross-site Scripting (XSS)

Overview loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the Loofah::HTML5::Scrub.alloweduri? function. An attacker can inject malicious script...

ruby4.0-rubygem-loofah-2.23.1-1.5 on GA media (moderate)

ruby4.0-rubygem-loofah-2.23.1-1.5 on GA media Announcement ID: openSUSE-SU-2026:10353-1 Rating: moderate Cross-References: CVE-2018-16468 CVE-2018-8048 CVE-2019-15587 CVE-2022-23514 CVE-2022-23515 CVE-2022-23516 CVSS scores: CVE-2018-16468 SUSE : 6.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L...

OPENSUSE-SU-2026:10353-1 ruby4.0-rubygem-loofah-2.23.1-1.5 on GA media

These are all security issues fixed in the ruby4.0-rubygem-loofah-2.23.1-1.5 package on the GA media of openSUSE Tumbleweed...

GHSA-VFPF-XMWH-8M65 Duplicate Advisory: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-52c5-vh7f-26fx. This link is maintained to preserve external references. Original Description Impact The prosemirrortohtml gem is vulnerable to Cross-Site Scripting XSS attacks through malicious HTML attribute...

EUVD-2018-0751

Malware in sbrugna...

EUVD-2019-0741

Malware in sbrugna...

EUVD-2018-0188

Malware in sbrugna...

EUVD-2022-7493

Malicious code in bioql PyPI...

EUVD-2022-7500

Malicious code in bioql PyPI...

EUVD-2022-7685

Malicious code in bioql PyPI...

EUVD-2022-7470

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2018-16468

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Loofah gem for Ruby, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. CVE-2018-16468 Note...