Lucene search
K

260 matches found

ATTACKERKB
ATTACKERKB
added 2026/07/01 9:0 p.m.7 views

CVE-2026-55660

Tina is a headless content management system. In versions prior to @tinacms/app 2.5.6 and tinacms 3.9.3, cross-origin postMessage handlers and a rich-text URL-sanitization bypass enable stored XSS and session takeover. The library registers window message listeners — the useTina overlay handler,...

7.6CVSS5.7AI score0.00196EPSS
Exploits0References3Affected Software2
CVE
CVE
added 2026/07/01 9:0 p.m.31 views

CVE-2026-55660

CVE-2026-55660 : TinaCMS and Tinacms app prior to versions 2.5.6 / 3.9.3 allow cross-origin postMessage abuse due to window message listeners that do not validate event.origin/source and post to non-specific origins, combined with insufficient URL sanitization in rich-text content. This enables s...

7.6CVSS5.7AI score0.00196EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:20 p.m.10 views

CVE-2026-41886

locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener"message", … handler that dispatches to registered internal handlers editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, … without...

7.5CVSS5.5AI score0.00101EPSS
Exploits0References1
NVD
NVD
added 2026/05/20 8:16 p.m.13 views

CVE-2026-47099

TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious constructor-name property value. The custom reviver passes the constructor name...

6.1CVSS0.00358EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/20 6:0 p.m.10 views

CVE-2026-47099 TeleJSON < 6.0.0 DOM-based XSS via parse() Function

TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious constructor-name property value. The custom reviver passes the constructor name...

6.1CVSS6AI score0.00358EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/05/19 7:57 p.m.14 views

CVE-2026-45243

Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read,...

6.1CVSS5.8AI score0.00195EPSS
Exploits1References1
Snyk
Snyk
added 2026/05/18 9:50 p.m.15 views

Missing Authorization

Overview @steipete/summarize is a Link → clean text → summary. Affected versions of this package are vulnerable to Missing Authorization via the window.postMessage bridge in the content script. An attacker can access, modify, or delete automation artifacts by sending crafted runtime messages with...

6.1CVSS5.8AI score0.00195EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/05/18 9:31 p.m.12 views

Summarize contains a missing authorization vulnerability

Summarize prior to 0.15.0 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read,...

6.1CVSS5.8AI score0.00195EPSS
Exploits1References7Affected Software1
NVD
NVD
added 2026/05/18 7:16 p.m.17 views

CVE-2026-45243

Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read,...

6.1CVSS0.00195EPSS
Exploits1References4
EUVD
EUVD
added 2026/05/18 6:50 p.m.17 views

EUVD-2026-30794

Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read,...

6.1CVSS5.8AI score0.00195EPSS
Exploits1References4
CVE
CVE
added 2026/05/18 6:50 p.m.22 views

CVE-2026-45243

CVE-2026-45243 affects the Summarize browser extension prior to v0.15.1. The root cause is a missing authorization in the content script bridge (window.postMessage), allowing malicious pages to perform unauthorized operations on automation artifacts within the affected tab by spoofing sender iden...

6.1CVSS5.8AI score0.00195EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/18 12:0 a.m.19 views

PT-2026-41720

Name of the Vulnerable Software and Affected Versions Summarize versions prior to 0.15.1 Description A missing authorization issue exists in the content script window.postMessage bridge. This allows malicious pages to simulate runtime messages using spoofed sender identifiers, enabling unauthoriz...

6.1CVSS5.8AI score0.00195EPSS
Exploits1References7
CNNVD
CNNVD
added 2026/05/18 12:0 a.m.12 views

Summarize 安全漏洞

Summarize is a multi-source rapid summarization tool developed by Peter Steinberger. Versions of Summarize prior to 0.15.1 contain security vulnerabilities. These vulnerabilities stem from an authorization flaw in the content script’s window.postMessage bridging mechanism, which could allow...

6.1CVSS5.9AI score0.00195EPSS
Exploits1References1
NVD
NVD
added 2026/05/08 4:16 p.m.19 views

CVE-2026-41886

locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener"message", … handler that dispatches to registered internal handlers editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, … without...

7.5CVSS0.00101EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/08 3:45 p.m.11 views

EUVD-2026-28796

locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener"message", … handler that dispatches to registered internal handlers editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, … without...

7.5CVSS5.8AI score0.00101EPSS
Exploits0References2
NVD
NVD
added 2026/05/03 8:16 a.m.25 views

CVE-2026-7686

A vulnerability was found in eyeo Adblock Plus up to 4.36.2 on Chrome. Affected by this vulnerability is the function postMessage of the file premium.preload.js of the component Legacy Premium Activation. Performing a manipulation results in improper access controls. Remote exploitation of the...

6.9CVSS0.00297EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/05/03 7:30 a.m.5 views

CVE-2026-7686 eyeo Adblock Plus Legacy Premium Activation premium.preload.js postMessage access control

A vulnerability was found in eyeo Adblock Plus up to 4.36.2 on Chrome. Affected by this vulnerability is the function postMessage of the file premium.preload.js of the component Legacy Premium Activation. Performing a manipulation results in improper access controls. Remote exploitation of the...

6.9CVSS5.7AI score0.00297EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/03 7:30 a.m.44 views

CVE-2026-7686 eyeo Adblock Plus Legacy Premium Activation premium.preload.js postMessage access control

A vulnerability was found in eyeo Adblock Plus up to 4.36.2 on Chrome. Affected by this vulnerability is the function postMessage of the file premium.preload.js of the component Legacy Premium Activation. Performing a manipulation results in improper access controls. Remote exploitation of the...

6.9CVSS0.00297EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/05/03 7:30 a.m.8 views

CVE-2026-7686

A vulnerability was found in eyeo Adblock Plus up to 4.36.2 on Chrome. Affected by this vulnerability is the function postMessage of the file premium.preload.js of the component Legacy Premium Activation. Performing a manipulation results in improper access controls. Remote exploitation of the...

6.9CVSS5.7AI score0.00297EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/03 12:0 a.m.15 views

PT-2026-36689

A vulnerability was found in eyeo Adblock Plus up to 4.36.2 on Chrome. Affected by this vulnerability is the function postMessage of the file premium.preload.js of the component Legacy Premium Activation. Performing a manipulation results in improper access controls. Remote exploitation of the...

6.9CVSS5.7AI score0.00297EPSS
Exploits0References6
Rows per page
Query Builder