198 matches found
GHSA-692R-GRFM-V8X7 @angular/core: Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS)
An issue in the @angular/core package allows bypassing script-execution restrictions during dynamic component creation. Specifically, the dynamic component instantiation mechanism createComponent failed to reject mounting components directly onto a or namespaced script element such as . This...
@angular/core: Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS)
An issue in the @angular/core package allows bypassing script-execution restrictions during dynamic component creation. Specifically, the dynamic component instantiation mechanism createComponent failed to reject mounting components directly onto a or namespaced script element such as . This...
CVE-2026-53608
ApostropheCMS (open-source Node.js) vulnerability CVE-2026-53608 affects the @apostrophecms/seo package up to 1.4.2, where seoGoogleTrackingId and seoGoogleTagManager are injected into [removed] bodies via template literals without sanitization. With editor-level access, an attacker can set these...
Medium: python3.13
Issue Overview: http.cookies.Morsel.jsoutput returns an inline snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie valu...
CVE-2026-39642
Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in SpabRice Nyla allows Code Injection. This issue affects Nyla: from n/a through 1.7...
CVE-2026-6002
Improper neutralization of Script-Related HTML tags in a web page basic XSS vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross-Site Scripting XSS. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2...
Amazon Linux 2023 : golist (ALAS2023-2026-1742)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1742 advisory. When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport...
WordPress plugin Nyla 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
Important: amazon-ecr-credential-helper
Issue Overview: When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a...
Important: containerd
Issue Overview: When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a...
Important: nerdctl
Issue Overview: When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a...
Important: amazon-ecr-credential-helper
Issue Overview: When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a...
CVE-2026-41611
Improper neutralization of script-related html tags in a web page basic xss in Visual Studio Code allows an unauthorized attacker to execute code locally...
CVE-2026-41611
Improper neutralization of script-related html tags in a web page basic xss in Visual Studio Code allows an unauthorized attacker to execute code locally...
BIT-GOLANG-2026-39826 Escaper bypass leads to XSS in html/template
If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block...
SUSE CVE-2026-39826
If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block...
CVE-2026-41591 Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping
Marko is a declarative, HTML-based language for building web apps. Prior to marko version 5.38.36 and prior to @marko/runtime-tags 6.0.164, when dynamic text is interpolated into a or tag the Marko runtime failed to prevent tag breakout when the closing tag used non-lowercase casing. An attacker...
CVE-2026-41591
The CVE affects Marko and @marko/runtime-tags, where dynamic text inside , ), enabling cross-site scripting (XSS) if untrusted input is interpolated inside these blocks. Affected versions are Marko <= 5.38.35 and @marko/runtime-tags <= 6.0.163; the issue is patched in Marko 5.38.36 and @mar...
EUVD-2026-28426
If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block...
CVE-2026-39826
If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block...