Lucene search
K

10590 matches found

OSV
OSV
added 3 days ago3 views

PYSEC-2026-2077 Zope vulnerable to Stored Cross Site Scripting with SVG images

Impact There is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user...

3.7CVSS5.6AI score0.00599EPSS
Exploits1References8
NVD
NVD
added 4 days ago7 views

CVE-2026-59710

showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdo...

6.1CVSS0.00198EPSS
Exploits0References4
Cvelist
Cvelist
added 4 days ago32 views

CVE-2026-59710 showdown - Stored XSS via Unescaped Table Header ID Attribute Injection

showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdo...

6.1CVSS0.00198EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 4 days ago11 views

PT-2026-56029

Name of the Vulnerable Software and Affected Versions showdown affected versions not specified Description A stored cross-site scripting issue exists in the parseHeaders function within src/subParsers/makehtml/tables.js. The software fails to properly escape table header ID attributes, allowing...

6.1CVSS5.9AI score0.00198EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/07/03 6:40 a.m.8 views

CVE-2025-71385

A flaw was found in Netdata. A remote unauthenticated attacker could exploit a reflected Cross-Site Scripting XSS vulnerability in the api/v2/ilove.svg and api/v3/ilove.svg endpoints. By injecting malicious script into the love query parameter, an attacker could trick a victim into executing...

6.1CVSS6.2AI score0.0024EPSS
Exploits0References2
NVD
NVD
added 2026/07/02 8:17 p.m.8 views

CVE-2025-71385

Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document into a text element without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a U...

6.1CVSS0.0024EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/07/02 7:37 p.m.5 views

CVE-2025-71385 Netdata < 2.3.1 - Reflected Cross-Site Scripting via love Parameter in ilove.svg Endpoint

Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document into a text element without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a U...

6.1CVSS5.9AI score0.0024EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/02 7:37 p.m.36 views

CVE-2025-71385 Netdata < 2.3.1 - Reflected Cross-Site Scripting via love Parameter in ilove.svg Endpoint

Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document into a text element without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a U...

6.1CVSS0.0024EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/02 7:37 p.m.7 views

EUVD-2025-210409

Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document into a text element without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a U...

6.1CVSS5.7AI score0.0024EPSS
Exploits0References4
AlpineLinux
AlpineLinux
added 2026/07/02 7:37 p.m.5 views

CVE-2025-71385

Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document into a text element without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a U...

6.1CVSS5.9AI score0.0024EPSS
Exploits0References4
Debian CVE
Debian CVE
added 2026/07/02 7:37 p.m.7 views

CVE-2025-71385

Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document into a text element without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a U...

6.1CVSS5.9AI score0.0024EPSS
Exploits0
RedHat Linux
RedHat Linux
added 2026/07/02 12:3 a.m.4 views

DOMPurify: DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization

A flaw was found in DOMPurify, a DOM-only cross-site scripting sanitizer. A remote attacker could exploit an inconsistency in how forbidden tags and attributes are handled when function-based tag additions are used. This allows malicious HTML, MathML, or SVG elements to bypass sanitization and...

6.1CVSS7.4AI score0.00263EPSS
Exploits1References7
NVD
NVD
added 2026/07/01 1:17 p.m.7 views

CVE-2026-53907

MCO is vulnerable to Stored Cross‑Site Scripting XSS via the application logo upload functionality. An attacker with the ability to change the application logo can upload a crafted SVG file containing malicious JavaScript code that is executed when the logo is rendered or opened. Because vendor...

5.4CVSS0.0014EPSS
Exploits0References2
CVE
CVE
added 2026/07/01 11:58 a.m.18 views

CVE-2026-53907

MCO is vulnerable to a Stored Cross‑Site Scripting (XSS) flaw in the application logo upload feature. A user who can change the logo can upload a crafted SVG containing JavaScript that executes when the logo renders, enabling code execution in the origin context. The vulnerability is confirmed fo...

5.4CVSS5.8AI score0.0014EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/07/01 11:58 a.m.8 views

EUVD-2026-40953

MCO is vulnerable to Stored Cross‑Site Scripting XSS via the application logo upload functionality. An attacker with the ability to change the application logo can upload a crafted SVG file containing malicious JavaScript code that is executed when the logo is rendered or opened. Because vendor...

7.1CVSS5.8AI score0.00208EPSS
Exploits0References2
SUSE CVE
SUSE CVE
added 2026/07/01 3:35 a.m.5 views

SUSE CVE-2026-13601

A flaw was found in Yelp due to an overly permissive Content Security Policy CSP implementation provided by yelp-xsl. A malicious Flatpak application can open crafted help content through the OpenURI portal. By embedding an untrusted CSS stylesheet within a structured SVG document,...

7.1CVSS5.9AI score0.0012EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/01 12:34 a.m.7 views

EUVD-2026-40701

Inappropriate implementation in SVG in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. Chromium security severity: Medium...

5.8AI score0.0019EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/01 12:34 a.m.6 views

EUVD-2026-40704

Inappropriate implementation in SVG in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: Medium...

5.8AI score0.0019EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/01 12:34 a.m.7 views

EUVD-2026-40479

Insufficient policy enforcement in SVG in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: High...

5.8AI score0.00233EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/07/01 12:0 a.m.3 views

Linux Distros Unpatched Vulnerability : CVE-2026-14016

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Inappropriate implementation in SVG in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromiu...

6.5CVSS6AI score0.0019EPSS
Exploits0References2
Rows per page
Query Builder