EUVD-2026-31515

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and prior, in addition to 11.0.0-alpha.1 through 11.12.0 are vulnerable to CSS injection through improper sanitization. The state diagram and any other diagram type that routes...

Astra Linux - уязвимость в firefox

Even when an iframe was sandboxed with allow-top-navigation-by-user-activation, if it received a redirect header to an external protocol, the browser would process the redirect and prompt the user appropriately. This vulnerability affects Firefox versions earlier than 102...

CVE-2026-45303

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an...

CVE-2026-45303

Open WebUI vulnerability CVE-2026-45303: Stored XSS via the HTML rendering view affects Open WebUI prior to 0.6.5. The frontend renders chat HTML inside an iframe with sandbox=

CVE-2026-45303 Open WebUI: Stored XSS via the HTML renedering view

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an...

Astra Linux - уязвимость в firefox, thunderbird

By tricking the browser with a X-Frame-Options header, a sandboxed iframe could present a button that, if clicked by a user, would bypass restrictions to open a new window. This vulnerability affects Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12...

Astra Linux - уязвимость в firefox

The element could have been manipulated to display content outside of a sandboxed iframe. This could allow untrusted content to be displayed under the guise of trusted content. This vulnerability affects Firefox versions earlier than 121...

CVE-2026-39426

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability where the frontend's MdRenderer.vue component parses custom tags from LLM responses or Application Prologue configurations, bypassing standard Markdown sanitizatio...

EUVD-2026-22193

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability where the frontend's MdRenderer.vue component parses custom tags from LLM responses or Application Prologue configurations, bypassing standard Markdown sanitizatio...

PT-2026-32585

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability where the frontend's MdRenderer.vue component parses custom tags from LLM responses or Application Prologue configurations, bypassing standard Markdown sanitizatio...

CVE-2026-27978

A CSRF check bypass flaw has been discovered in Next.js. The origin: null was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts such as sandboxed iframes could bypass origin verification instead of being validated as cross-origin...

CVE-2026-27978 Next.js: null origin can bypass Server Actions CSRF checks

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, origin: null was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts such as sandboxed iframes could bypass...

CVE-2026-27978 Next.js: null origin can bypass Server Actions CSRF checks

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, origin: null was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts such as sandboxed iframes could bypass...

PT-2026-25909

Name of the Vulnerable Software and Affected Versions Next.js versions 16.0.1 through 16.1.7 Description Next.js, a React framework for building full-stack web applications, had a flaw in its Server Action CSRF validation. Specifically, origin: null was incorrectly treated as a missing origin,...

CVE-2025-65203

KeePassXC-Browser thru 1.9.9.2 autofills or prompts to fill stored credentials into documents rendered under a browser-enforced CSP directive and iframe attribute sandbox, allowing attacker-controlled script in the sandboxed document to access populated form fields and exfiltrate credentials...

Linux Distros Unpatched Vulnerability : CVE-2025-11716

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Links in a sandboxed iframe could open an external app on Android without the required allow- permission. This vulnerability was fixed in Firefox 144 and...

EUVD-2025-34199

Links in a sandboxed iframe could open an external app on Android without the required "allow-" permission. This vulnerability affects Firefox 144 and Thunderbird 144...

CVE-2025-11716

Links in a sandboxed iframe could open an external app on Android without the required "allow-" permission. This vulnerability was fixed in Firefox 144 and Thunderbird 144...

CVE-2025-11716

Links in a sandboxed iframe could open an external app on Android without the required "allow-" permission. This vulnerability affects Firefox 144 and Thunderbird 144...

CVE-2025-11716

Links in a sandboxed iframe could open an external app on Android without the required "allow-" permission. This vulnerability affects Firefox 144 and Thunderbird 144...