5 matches found
DEBIAN-CVE-2026-5090
Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. The htmlfilter function did not escape single quotes. HTML attributes inside of single quotes could be have code injected. For example, the variable "var" in would not be properly escaped. An attacke...
CVE-2026-5090
The CVE concerns Template::Plugin::HTML for Perl, affecting versions up to and including 3.102. The root cause is that html_filter fails to escape single quotes, allowing HTML attributes delimited by single quotes to be injected with limited HTML/JavaScript. For example, in , a value like var = "...
PT-2026-42022
Name of the Vulnerable Software and Affected Versions Template::Plugin::HTML versions prior to 3.103 Description Template::Plugin::HTML for Perl allows the injection of HTML and JavaScript. The html filter function fails to escape single quotes, which enables code injection within HTML attributes...
phpMyFAQ: Stored XSS via Regex Bypass in Filter::removeAttributes()
Summary The sanitization pipeline for FAQ content is: 1. Filter::filterVar$input, FILTERSANITIZESPECIALCHARS — encodes , ", ', & to HTML entities 2. htmlentitydecode$input, ENTQUOTES | ENTHTML5 — decodes entities back to characters 3. Filter::removeAttributes$input — removes dangerous HTML...
PT-2026-29670
Summary The sanitization pipeline for FAQ content is: 1. Filter::filterVar$input, FILTER SANITIZE SPECIAL CHARS — encodes , ", ', & to HTML entities 2. html entity decode$input, ENT QUOTES | ENT HTML5 — decodes entities back to characters 3. Filter::removeAttributes$input — removes dangerous HTML...