Lucene search
+L

90 matches found

euvd
euvd
added 2026/03/26 8:25 p.m.6 views

EUVD-2026-16417

Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo description field is stored without HTML sanitization and rendered using !! $item-summary !! Blade unescaped output in the RSS, Atom, and JSON feed templates. The /feed endpoint is publicly accessible without...

4.8CVSS5.9AI score0.00214EPSS
Exploits1References4
redhatcve
redhatcve
added 2026/03/26 3:0 p.m.21 views

CVE-2026-33301

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the Notes - my encounters role can fill Eye Exam forms in patient encounters. The answers to the form can be printed out in PDF form. An arbitrary file read...

8.1CVSS5.9AI score0.00444EPSS
Exploits1References1
cnnvd
cnnvd
added 2026/03/20 12:0 a.m.11 views

Filament 安全漏洞

Filament is a set of open-source full-stack components developed by Filament, designed to accelerate Laravel development. Versions 4.0.0 to 4.8.4, as well as 5.0.0 to 5.3.4, have security vulnerabilities. These vulnerabilities stem from two Filament Table summarizers not being escaped HTML...

7.3CVSS5.8AI score0.00296EPSS
Exploits0References4
nvd
nvd
added 2026/03/19 9:17 p.m.7 views

CVE-2026-33321

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the Notes - my encounters role can fill Eye Exam forms in patient encounters. The answers to the form can be printed out in PDF form. An Out-of-Band Server-Side...

7.6CVSS0.0028EPSS
Exploits1References2
osv
osv
added 2026/03/19 8:20 p.m.5 views

CVE-2026-33321 OpenEMR has Out-of-Band Server-Side Request Forgery (OOB SSRF)

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the Notes - my encounters role can fill Eye Exam forms in patient encounters. The answers to the form can be printed out in PDF form. An Out-of-Band Server-Side...

7.2CVSS5.9AI score0.0028EPSS
Exploits1References4
vulnrichment
vulnrichment
added 2026/03/19 8:10 p.m.3 views

CVE-2026-33301 OpenEMR has arbitrary image file read via PDF generator

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the Notes - my encounters role can fill Eye Exam forms in patient encounters. The answers to the form can be printed out in PDF form. An arbitrary file read...

7.1CVSS5.9AI score0.00444EPSS
Exploits1References2
ptsecurity
ptsecurity
added 2026/03/16 12:0 a.m.12 views

PT-2026-25826

Name of the Vulnerable Software and Affected Versions SiYuan versions 3.6.0 and below SiYuan versions prior to 3.6.1 Description SiYuan is a personal knowledge management system. The mobile file tree component MobileFiles.ts renders notebook names using innerHTML without proper HTML escaping when...

9CVSS6AI score0.00796EPSS
Exploits1References9
github
github
added 2026/03/12 2:23 p.m.15 views

ha-mcp has XSS via Unescaped HTML in OAuth Consent Form

Summary The ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute JavaScript in the operator's browser. This affects...

6.8CVSS5.8AI score0.00181EPSS
Exploits0References3Affected Software1
vulnrichment
vulnrichment
added 2026/03/11 8:42 p.m.1 views

CVE-2026-32112 ha-mcp has XSS via Unescaped HTML in OAuth Consent Form

ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute...

6.8CVSS5.8AI score0.00181EPSS
Exploits0References1
cve
cve
added 2026/03/11 8:42 p.m.19 views

CVE-2026-32112

ha-mcp (Home Assistant MCP Server) is affected prior to 7.0.0 by an XSS vulnerability in the OAuth consent form. The issue arises because the consent form renders user-controlled parameters using Python f-strings without HTML escaping, allowing an attacker who can reach the OAuth endpoint and ind...

6.8CVSS5.8AI score0.00181EPSS
Exploits0References1Affected Software1
osv
osv
added 2026/03/11 8:42 p.m.5 views

CVE-2026-32112 ha-mcp has XSS via Unescaped HTML in OAuth Consent Form

ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute...

6.8CVSS5.9AI score0.00181EPSS
Exploits0References3
cve
cve
added 2026/03/07 5:49 a.m.20 views

CVE-2026-30830

Summary of technical details (Defuddle CVE-2026-30830): The vulnerability arises in the findContentBySchemaText path of Defuddle (src/defuddle.ts) where image src and alt attributes are interpolated into HTML via a string template without escaping. If the image’s alt attribute contains a quotatio...

6.1CVSS5.7AI score0.00252EPSS
Exploits1References2Affected Software1
github
github
added 2026/03/03 10:9 p.m.8 views

OpenClaw has stored XSS in exported session HTML viewer via markdown/raw-HTML rendering

Summary The exported session HTML viewer allowed stored XSS when untrusted session content included raw HTML markdown tokens or unescaped metadata fields. Impact Opening a crafted exported HTML session could execute attacker-controlled JavaScript in the viewer context. This can expose session...

6.1AI score
Exploits0References3Affected Software1
euvd
euvd
added 2026/02/28 2:49 a.m.7 views

EUVD-2026-9069

PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages...

6.8CVSS5.9AI score0.00297EPSS
Exploits1References4
snyk
snyk
added 2026/02/28 12:14 a.m.7 views

Cross-site Scripting (XSS)

Overview net.sourceforge.pmd:pmd-core is an extensible multilanguage static code analyzer. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the vbhtml or yahtml report formats, which include rule violation messages in HTML output, in renderFileViolations and...

6.8CVSS5.7AI score0.00297EPSS
Exploits1References2
nvd
nvd
added 2026/02/27 9:16 p.m.9 views

CVE-2026-28338

PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's vbhtml and yahtml report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains...

6.8CVSS0.00297EPSS
Exploits1References3
osv
osv
added 2026/02/11 6:39 p.m.6 views

GHSA-M4G2-2Q66-VC9V Vikunja Vulnerable to XSS Via Task Preview

Summary The task preview component creates a unparented div. The div's innerHtml is set to the unescaped description of the task Details In the TaskGlanceTooltip.vue it temporarily creates a div and sets the innerHtml to the description here. Since there is no escaping on either the server or...

8.6CVSS5.5AI score0.00227EPSS
Exploits0References6
osv
osv
added 2025/12/02 6:34 p.m.6 views

CVE-2025-66460 Lookyloo vulnerable to XSS due to lack of escaping in HTML elements passed to Datatables

Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, Lookyloo passed improperly escaped values to cells rendered in datatables using the orthogonal-data feature. It is definitely exploitable from the popu...

5.3CVSS6.6AI score0.00161EPSS
Exploits0References4
vulnrichment
vulnrichment
added 2025/12/02 6:34 p.m.4 views

CVE-2025-66460 Lookyloo vulnerable to XSS due to lack of escaping in HTML elements passed to Datatables

Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, Lookyloo passed improperly escaped values to cells rendered in datatables using the orthogonal-data feature. It is definitely exploitable from the popu...

5.3CVSS6.3AI score0.00161EPSS
Exploits0References2
redhatcve
redhatcve
added 2025/11/14 8:59 p.m.11 views

CVE-2025-64744

OpenObserve is a cloud-native observability platform. In versions up to and including 0.16.1, when creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This indicates that user-controlled input is inserted into the email template without...

3.5CVSS6.5AI score0.00175EPSS
Exploits0References1
Rows per page
Query Builder