26 matches found
PT-2026-42037
Summary The fetch-apify-docs tool validates URLs against a domain allowlist using String.startsWith instead of proper URL hostname comparison. This allows bypass via attacker-controlled subdomains e.g., https://docs.apify.com.evil.com/, enabling the tool to fetch and return arbitrary web content ...
EUVD-2026-9038
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting XSS via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes method, which can be bypassed ...
CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting XSS via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js lines 56-60 uses the includes method to verify the originUrl contains...
CVE-2026-26861
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting XSS via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes method, which can be bypassed ...
CVE-2026-26861
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting XSS via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes method, which can be bypassed ...
CVE-2026-26861
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting XSS via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes method, which can be bypassed ...
CVE-2026-26861
CVE-2026-26861 affects the CleverTap Web SDK up to version 1.15.2. The issue is an XSS vulnerability via window.postMessage triggered by the function handleCustomHtmlPreviewPostMessageEvent in src/util/campaignRender/nativeDisplay.js, which performs insufficient origin validation using the JavaSc...
Medium: libcap
Issue Overview: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not...
EUVD-2024-16542
Malicious code in bioql PyPI...
Mozilla: HSTS policy on subdomain could bypass policy of upper domain
The Mozilla Foundation Security Advisory describes this flaw as: In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain...
Mozilla: HSTS policy on subdomain could bypass policy of upper domain
The Mozilla Foundation Security Advisory describes this flaw as: In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain...
Mozilla: HSTS policy on subdomain could bypass policy of upper domain
The Mozilla Foundation Security Advisory describes this flaw as: In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain...
Mozilla: HSTS policy on subdomain could bypass policy of upper domain
The Mozilla Foundation Security Advisory describes this flaw as: In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain...
Mozilla: HSTS policy on subdomain could bypass policy of upper domain
The Mozilla Foundation Security Advisory describes this flaw as: In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain...
Mozilla: HSTS policy on subdomain could bypass policy of upper domain
The Mozilla Foundation Security Advisory describes this flaw as: In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain...
Mozilla: HSTS policy on subdomain could bypass policy of upper domain
The Mozilla Foundation Security Advisory describes this flaw as: In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain...
Mozilla: HSTS policy on subdomain could bypass policy of upper domain
The Mozilla Foundation Security Advisory describes this flaw as: In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain...
Mozilla: HSTS policy on subdomain could bypass policy of upper domain
The Mozilla Foundation Security Advisory describes this flaw as: In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain...
Mozilla: HSTS policy on subdomain could bypass policy of upper domain
The Mozilla Foundation Security Advisory describes this flaw as: In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain...
Mozilla: HSTS policy on subdomain could bypass policy of upper domain
The Mozilla Foundation Security Advisory describes this flaw as: In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain...