128 matches found

Positive Technologies
added 2026/05/27 12:00 a.m. | 3 views

PT-2026-43519

The Formidable Kinetic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'kinetic link' shortcode in versions up to, and including, 1.1.01. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes notably 'window', 'class', a...

CVSS 6.4 | AI score 6 | EPSS 0.00032
Exploits 0 | References 4
UbuntuCve
added 2026/05/26 9:16 p.m. | 4 views

CVE-2026-44897

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading builds the opening tag by string-concatenating the id attribute value directly into the HTML, with no call to escape, safe_entity, or any other sanitisation function. A double-quote character " in...

CVSS 6.1 | AI score 6 | EPSS 0.00031
Exploits 1 | References 3
AstraLinux
added 2026/05/20 5:53 a.m. | 5 views

Astra Linux - vulnerability in python-reportlab

All versions of the reportlab package are vulnerable to Server-side Request Forgery (SSRF) via img tags. To reduce this risk, use trustedSchemes and trustedHosts (see Reportlab's documentation). Steps to reproduce by Karan Bamal: 1. Download and install the latest version of the reportlab package. 2...

CVSS 6.5 | AI score 6.7 | EPSS 0.0116
Exploits 1 | References 2
Cvelist
added 2026/05/11 3:20 p.m. | 27 views

CVE-2026-42611 Grav: Stored XSS via Tag Injection

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user with the ability to create a page can cause XSS through the injection of an svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visit...

CVSS 8.9 | EPSS 0.00043
Exploits 1 | References 2
CVE
added 2026/05/11 3:20 p.m. | 5 views

CVE-2026-42611

Grav CVE-2026-42611 is a stored XSS in Grav Core + Admin Plugin (versions around v1.7.49.5 / v1.10.49.1) that a low-privileged user can exploit via page content to exfiltrate admin context, including the admin nonce, potentially bypass CSRF protections and enable further actions on sensitive admi...

CVSS 8.9 | AI score 5.8 | EPSS 0.00043
Exploits 1 | References 2 | Affected Software 1
Vulnrichment
added 2026/05/11 3:20 p.m. | 6 views

CVE-2026-42611 Grav: Stored XSS via Tag Injection

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user with the ability to create a page can cause XSS through the injection of an svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visit...

CVSS 8.9 | AI score 5.8 | EPSS 0.00043
Exploits 1 | References 2
OSV
added 2026/05/06 8:18 p.m. | 0 views

GHSA-F5P7-2C9Q-8896 phpMyFAQ has Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization

Summary The FAQ creation and update endpoints in phpMyFAQ apply FILTER_SANITIZE_SPECIAL_CHARS, which HTML-encodes input, then immediately call html_entity_decode, which reverses the encoding, followed by Filter::removeAttributes, which only strips HTML attributes, not tags. This allows , , , and tags to...

CVSS 5.4 | AI score 6.1
Exploits 0 | References 2
OSV
added 2026/05/05 9:36 p.m. | 1 view

GHSA-W8CG-7JCJ-4VV2 Grav is Vulnerable to Stored XSS via Tag Injection

Summary A low-privileged user with the ability to create a page can cause XSS through the injection of an svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the...

CVSS 8.9 | AI score 5.8 | EPSS 0.00043
Exploits 1 | References 4
Snyk
added 2026/04/22 7:55 p.m. | 4 views

Cross-site Scripting (XSS)

Overview @marko/runtime-tags is an optimized runtime for Marko templates. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of interpolated values within or tags due to improper case-insensitive detection of closing tags. An attacker can execute arbitrar...

CVSS 6.4 | AI score 5.8 | EPSS 0.00011
Exploits 0 | References 2
ATTACKERKB
added 2026/04/22 7:32 p.m. | 3 views

CVE-2026-3673

An authenticated attacker can store a crafted tag value in usertags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpolates tag content into HTML attributes and element content without escaping. This issue affects...

CVSS 4.6 | AI score 5.9 | EPSS 0.00038
Exploits 1 | References 3 | Affected Software 1
Positive Technologies
added 2026/04/21 12:00 a.m. | 3 views

PT-2026-33912

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's Helper::stripDangerousTags removes , , , but does NOT strip tags. The mailbox signature field is saved via POST /mailbox/settings/id and later rendered unescaped via !!...

CVSS 8.1 | AI score 5.9 | EPSS 0.00042
Exploits 0 | References 4
EUVD
added 2026/04/16 8:42 p.m. | 1 view

EUVD-2026-23104

ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context...

CVSS 5.4 | AI score 5.8 | EPSS 0.00014
Exploits 1 | References 3
Github Security Blog
added 2026/04/16 8:42 p.m. | 3 views

ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context

Summary The @apostrophecms/color-field module bypasses color validation for values prefixed with -- (intended for CSS custom properties), but performs no HTML sanitization on these values. When styles containing attacker-controlled color values are rendered into tags, both in the global stylesheet...

CVSS 5.4 | AI score 6.1 | EPSS 0.00014
Exploits 1 | References 4 | Affected Software 1
Cvelist
added 2026/04/15 7:29 p.m. | 11 views

CVE-2026-33889 ApostropheCMS: Stored XSS via CSS Custom Property Injection in `@apostrophecms/color-field` Escaping Style Tag Context

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the...

CVSS 5.4 | EPSS 0.00014
Exploits 1 | References 2
Cvelist
added 2026/04/08 8:30 a.m. | 21 views

CVE-2026-39629 WordPress Uminex theme <= 1.0.9 - Arbitrary Shortcode Execution vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Uminex (uminex) allows Code Injection. This issue affects Uminex: from n/a through <= 1.0.9...

CVSS 5.3 | EPSS 0.00056
Exploits 0 | References 1
ATTACKERKB
added 2026/04/07 7:29 p.m. | 1 view

CVE-2026-39839

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: before 3.8.7...

CVSS 6.3 | AI score 5.9 | EPSS 0.00032
Exploits 1 | References 4
CNNVD
added 2026/04/06 12:00 a.m. | 4 views

Tandoor Recipes cross-site scripting vulnerability

Tandoor Recipes is an open-source application designed for managing recipes, planning meals, creating shopping lists, and more. Versions of Tandoor Recipes prior to 2.6.4 contained a cross-site scripting vulnerability. This vulnerability stemmed from the ability to inject any tag into the recipe...

CVSS 5.4 | AI score 5.7 | EPSS 0.00035
Exploits 1 | References 3
ATTACKERKB
added 2026/04/05 8:45 p.m. | 0 views

CVE-2019-25696

Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the languagetag parameter. Attackers can submit malicious SQL statements in the languagetag parameter to extract sensitive database information or modify...

CVSS 8.8 | AI score 6 | EPSS 0.00042
Exploits 1 | References 4
Vulnrichment
added 2026/03/27 5:38 a.m. | 2 views

CVE-2026-22744

In RedisFilterExpressionConverter of spring-ai-redis-store, when a user-controlled string is passed as a filter value for a TAG field, stringValue inserts the value directly into the @field:VALUE RediSearch TAG block without escaping characters. This issue affects Spring AI: from 1.0.0 before 1.0....

CVSS 7.5 | AI score 5.8 | EPSS 0.00064
Exploits 0 | References 1
Github Security Blog
added 2026/03/12 2:19 p.m. | 11 views

Unhead has XSS bypass in `useHeadSafe` via attribute name injection and case-sensitive protocol check

Summary useHeadSafe can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered tags. This is the composable that Nuxt docs recommend for safely handling user-generated content. Details XSS via data- attribute name injection The acceptDataAttrs function safe.t...

CVSS 6.1 | AI score 5.9 | EPSS 0.0002
Exploits 1 | References 5 | Affected Software 1