157 matches found
EUVD-2026-14907
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables nodeIntegration in the renderer process without contextIsolation or sandbox. This means any cross-site scripting XSS vulnerability in...
CVE-2026-33334 Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegration
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables nodeIntegration in the renderer process without contextIsolation or sandbox. This means any cross-site scripting XSS vulnerability in...
CVE-2026-33334
Summary (CVE-2026-33334): Vikunja Desktop Electron wrapper prior to 2.2.0 enables nodeIntegration in the renderer without contextIsolation or sandbox, turning any web frontend XSS into full remote code execution on the victim’s machine. Affected range: Vikunja 0.21.0 through 2.1.x (up to
PT-2026-27444
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables nodeIntegration in the main BrowserWindow and does not restrict same-window navigations. An attacker who can place a link in...
PT-2026-27442
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables nodeIntegration in the renderer process without contextIsolation or sandbox. This means any cross-site scripting XSS vulnerability in...
CVE-2026-33066 SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New without calling SetSanitizetrue, allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to innerHTML without any...
CVE-2026-32751
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree MobileFiles.ts renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version Files.ts properly uses escapeHtml for the same...
GHSA-MVPM-V6Q4-M2PF SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata
Stored XSS to RCE via Unsanitized Bazaar Package Metadata Summary SiYuan's Bazaar community marketplace renders package metadata fields displayName, description using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which...
SiYuan Vulnerable to Remote Code Execution via Malicious Bazaar Package — Marketplace XSS
Remote Code Execution via Malicious Bazaar Package — Marketplace XSS Summary SiYuan's Bazaar community marketplace renders plugin/theme/template metadata and README content without sanitization. A malicious package author can achieve RCE on any user who browses the Bazaar by: 1. Package metadata...
GHSA-QR46-RCV3-4HQ3 SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface
Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface Summary SiYuan's mobile file tree MobileFiles.ts renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version Files.ts properly uses escapeHtml for the same...
PT-2026-25826
Name of the Vulnerable Software and Affected Versions SiYuan versions 3.6.0 and below SiYuan versions prior to 3.6.1 Description SiYuan is a personal knowledge management system. The mobile file tree component MobileFiles.ts renders notebook names using innerHTML without proper HTML escaping when...
EUVD-2020-8569
Malware in sbrugna...
EUVD-2020-18783
Malware in sbrugna...
EUVD-2018-1933
Malware in sbrugna...
EUVD-2019-8356
Malware in sbrugna...
EUVD-2017-1605
Malware in sbrugna...
EUVD-2020-18784
Malware in sbrugna...
EUVD-2022-4421
Malicious code in bioql PyPI...
CVE-2024-3166
A Cross-Site Scripting XSS vulnerability exists in mintplex-labs/anything-llm, affecting both the desktop application version 1.2.0 and the latest version of the web application. The vulnerability arises from the application's feature to fetch and embed content from websites into workspaces, whic...
CVE-2022-41709
Markdownify version 1.4.1 allows an external attacker to execute arbitrary code remotely on any client attempting to view a malicious markdown file through Markdownify. This is possible because the application has the "nodeIntegration" option enabled...