CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

22 matches found

CVE-2026-41159

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration...

5.3CVSS5.8AI score0.00044EPSS

Exploits0References5Affected Software1

Cvelist•added 2026/05/22 10:3 p.m.•8 views

CVE-2026-41148 Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and prior, in addition to 11.0.0-alpha.1 through 11.12.0 are vulnerable to CSS injection through improper sanitization. The state diagram and any other diagram type that routes...

5.3CVSS0.00074EPSS

Exploits0References6

CVE•added 2026/03/12 5:20 p.m.•6 views

CVE-2026-31873

Unhead suffers a bypass of URI scheme sanitization in makeTagSafe prior to version 2.1.11: the code checks href values with String.includes(), which is case-sensitive. Since browsers treat URI schemes case-insensitively, inputs like DATA:text/css,... can evade the check and allow arbitrary CSS vi...

6.1CVSS5.9AI score0.0002EPSS

Exploits1References1Affected Software1

ATTACKERKB•added 2026/03/12 5:20 p.m.•2 views

CVE-2026-31873

Unhead is a document head and template manager. Prior to 2.1.11, The link.href check in makeTagSafe safe.ts uses String.includes, which is case-sensitive. Browsers treat URI schemes case-insensitively. DATA:text/css,... is the same as data:text/css,... to the browser, but 'DATA:...'.includes'data...

5.9AI score0.0002EPSS

Exploits1References2Affected Software1

Tenable Nessus•added 2026/01/20 12:0 a.m.•1 views

MiracleLinux 7 : firefox-91.11.0-2.0.1.el7.AXS7 (AXSA:2022-3440:15)

The remote MiracleLinux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2022-3440:15 advisory. Mozilla: CSP sandbox header without allow-scripts can be bypassed via retargeted javascript: URI CVE-2022-34468 Mozilla: Use-after-free in nsSHistor...

9.8CVSS8.5AI score0.06199EPSS

Exploits1References9

OSV•added 2025/12/08 11:54 p.m.•2 views

CVE-2025-66469 NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.addcss, ui.addscss, and ui.addsass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended or...

6.1CVSS6.4AI score0.00042EPSS

Exploits1References4

Tenable Nessus•added 2025/08/27 12:0 a.m.•4 views

Linux Distros Unpatched Vulnerability : CVE-2018-11563

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in Open Ticket Request System OTRS 6.0.x through 6.0.7. A carefully constructed email could be used to inject and execute arbitrary...

4.9CVSS6AI score0.00299EPSS

Exploits0References2

CNNVD•added 2024/07/12 12:0 a.m.•2 views

Apache Wicket Injection Vulnerability

Apache Wicket is a set of open source, lightweight, component-based frameworks from the Apache Foundation that provide an object-oriented approach to developing dynamic Web-based UI applications. Apache Wicket suffers from an injection vulnerability that stems from the default configuration of...

9.8CVSS8.4AI score0.08266EPSS

Exploits0References3

SUSE CVE•added 2023/02/15 4:26 a.m.•2 views

SUSE CVE-2018-12398

By using the reflected URL in some special resource URIs, such as chrome:, it is possible to inject stylesheets and bypass Content Security Policy CSP. This vulnerability affects Firefox 63...

6.5CVSS8.5AI score0.00206EPSS

Exploits0References4