
17 matches found

UbuntuCve
added 2026/06/01 12:00 a.m., 6 views

CVE-2026-41159

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration...

CVSS 5.3, AI score 5.8, EPSS 0.00057
Exploits: 0, References: 7
EUVD
added 2026/05/29 1:53 p.m., 9 views

EUVD-2026-33324

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration...

CVSS 5.3, AI score 5.8, EPSS 0.00057
Exploits: 0, References: 4
CVE
added 2026/05/29 1:53 p.m., 23 views

CVE-2026-41159

Mermaid (mermaid-js) contains a CSS injection vulnerability (CVE-2026-41159) affecting prior releases. Before fixes in v10.9.6 and v11.15.0, its default config allows injecting CSS via fontFamily, themeCSS, and altFontFamily. The injected CSS exploits stylis’s scope handling, where :not(&) escape...

CVSS 5.3, AI score 5.8, EPSS 0.00057
Exploits: 0, References: 4, Affected Software: 1
OSV
added 2026/05/11 7:36 p.m., 2 views

GHSA-XCJ9-5M2H-648R Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection

Details: The state diagram, and any other diagram type that routes user-controlled style strings through the createCssStyles parser, in Mermaid v11.14.0 and earlier captures classDef values with an unrestricted regex (jison, packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83): ^\n...

CVSS 5.3, AI score 5.8, EPSS 0.00074
Exploits: 0, References: 8
Krebs on Security
added 2026/05/08 2:58 a.m., 7 views

Canvas Breach Disrupts Schools & Colleges Nationwide

An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework at school districts and universities across the United States today, after a cybercrime group defaced the service's login page with a ransom demand that threatened to...

AI score 5.7
Exploits: 0
NVD
added 2026/03/19 11:16 p.m., 0 views

CVE-2026-29100

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allows attackers to inject arbitrary HTML content, enabling phishing attacks and page defacement. Versio...

CVSS 7.1, EPSS 0.00043
Exploits: 0, References: 1
Vulnrichment
added 2026/03/19 10:48 p.m., 2 views

CVE-2026-29100 SuiteCRM has Reflected HTML Injection in Login Page via default_user_name Parameter

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allows attackers to inject arbitrary HTML content, enabling phishing attacks and page defacement. Versio...

CVSS 7.1, AI score 5.9, EPSS 0.00043
Exploits: 0, References: 1
Positive Technologies
added 2026/03/19 12:00 a.m., 6 views

PT-2026-26438

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allows attackers to inject arbitrary HTML content, enabling phishing attacks and page defacement. Versio...

CVSS 7.1, AI score 5.9, EPSS 0.00043
Exploits: 0, References: 4
EUVD
added 2025/10/21 6:30 p.m., 1 view

EUVD-2025-35187

A Cross-Site Scripting (XSS) vulnerability in Bang Resto v1.0 could allow an attacker to inject malicious JavaScript code into the application's web pages. This vulnerability exists due to insufficient input sanitization or output encoding, allowing attacker-controlled input to be rendered directly i...

CVSS 6.1, AI score 5.4, EPSS 0.00034
Exploits: 1, References: 3
NVD
added 2025/05/12 11:15 a.m., 16 views

CVE-2025-32390

EspoCRM is a free, open-source customer relationship management platform. Prior to version 9.0.8, HTML injection in Knowledge Base (KB) articles leads to complete page defacement imitating the login page. Authenticated users with the read knowledge article privilege can browse to the KB article and...

CVSS 8.5, EPSS 0.00322
Exploits: 1, References: 2
Snyk
added 2025/04/29 2:35 p.m., 3 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the bazariframe endpoint. An attacker can manipulate the web page content or hijack user sessions by injecting malicious scripts into the URL parameters. This allows stealing cookies from an authenticate...

CVSS 6.1, AI score 5, EPSS 0.00576
Exploits: 1, References: 2
Prion
added 2023/05/30 10:15 p.m., 14 views

Code injection

JStachio is a type-safe Java Mustache templating engine. Prior to version 1.0.1, JStachio fails to escape single quotes (') in HTML, allowing an attacker to inject malicious code. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of other users...

CVSS 5.8, AI score 6.5, EPSS 0.00617
Exploits: 1, References: 5, Affected Software: 1
CNNVD
added 2022/04/01 12:00 a.m., 3 views

GitLab Cross-Site Scripting Vulnerability

GitLab is an open source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, CI/CD (Continuous Integration and Continuous Delivery), and other features. A cross-site scripting vulnerability exists in GitLab CE/EE, which can be...

CVSS 8.7, AI score 7.2, EPSS 0.01
Exploits: 0, References: 7
CNNVD
added 2020/11/17 12:00 a.m., 2 views

TYPO3 Cross-Site Scripting Vulnerability

TYPO3 is a free and open source content management system framework (CMS/CMF) of the Swiss TYPO3 Association. TYPO3 suffers from a cross-site scripting vulnerability that originates from insufficient processing of user-supplied data in the system extension Fluid (typo3/cms-fluid) when...

CVSS 6.1, AI score 6.2, EPSS 0.00359
Exploits: 1, References: 4
seebug.org
added 2015/01/27 12:00 a.m., 27 views

FineCMS Lite CSRF vulnerability: adding an administrator via the back end + arbitrary page defacement

Brief description: FineCMS Lite CSRF vulnerability: adding an administrator via the back end + arbitrary page defacement. Detailed description: Yet another CMS CSRF vulnerability, with no token validation whatsoever. Proof of vulnerability: 1. Back end, Administrators, Add. 2. Intercept the request; there is no validation. 3. Construct a form. 4. Page defacement: it has a template module in which HTML files can be added and modified; intercepting that shows it can be CSRF'd as well. img src="https://images.seebug.org/upload/201501/21100205e8d7713cf6b1d8086e7f8660c7201da6...

AI score 7.1
Exploits: 0
Packet Storm
added 2014/06/11 12:00 a.m., 33 views

Samsung Cross Site Scripting

Advisory: design.samsung.com – Cross-Site Scripting Vulnerability (XSS). Advisory ID: 03062014. Author: Roberto Garcia (@1gbDeInfo). Affected Software: successfully tested on design.samsung.com. Vendor URL: http://www.design.samsung.com. Vendor Status: informed and solved. Vulnerability Description: The website...

AI score 7.4
Exploits: 0
Exploit DB
added 2006/03/11 12:00 a.m., 64 views

Jupiter CMS 1.1.5 - Multiple Cross-Site Scripting Vulnerabilities

Jupiter CMS, to redirect the user to a page of your choice, to avoid suspicion and disclosure of your cookie stealer's location. These injections would allow an attacker to redirect users to a page of his choice, effectively defacing the page:...

AI score 7
Exploits: 0