Lucene search
K

13 matches found

Snyk
Snyk
added 2026/05/20 7:7 p.m.6 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the rendering of unescaped name and version metadata fields. An attacker can execute arbitrary scripts or code within the application context by submitting specially crafted package metadata. Details...

9CVSS5.8AI score0.00361EPSS
Exploits0References3
CVE
CVE
added 2026/05/14 6:13 p.m.15 views

CVE-2026-45375

SiYuan’s Bazaar marketplace before version 3.7.0 renders unsanitized package metadata (name, version) from plugin.json (and equivalent theme/template/widget/icon.json) into the Marketplace UI via innerHTML. The kernel sanitizer escapes Author, DisplayName, and Description, but not Name/Version, a...

9CVSS5.8AI score0.00361EPSS
Exploits0References1
OSV
OSV
added 2026/05/13 3:33 p.m.5 views

GHSA-27QC-M5GF-JV5R SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution

Summary SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HTML escaping. The kernel-side helper sanitizePackageDisplayStrings in...

9CVSS6AI score0.00361EPSS
Exploits0References3
CVE
CVE
added 2026/04/29 1:31 p.m.16 views

CVE-2026-42524

CVE-2026-42524 : Jenkins HTML Publisher Plugin 427 and earlier is vulnerable to a stored XSS due to not escaping the job name and URL in the legacy wrapper file. This can be exploited by attackers with Item/Configure permission. The public descriptions identify the affected component and the root...

8CVSS4.8AI score0.00281EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.6 views

PT-2026-24630

Summary A stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. --- Proof of Concept Required Permissions - Admin access to edit/create Order...

5.9AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2022/09/26 12:0 a.m.6 views

PT-2022-20278 · WordPress · Slider Hero

Name of the Vulnerable Software and Affected Versions: Slider Hero WordPress plugin versions prior to 8.4.4 Description: The issue allows high-privileged users to perform Cross-Site Scripting attacks due to the lack of escaping in the slider Name. Recommendations: For versions prior to 8.4.4,...

4.8CVSS4.9AI score0.0048EPSS
Exploits2References3
OSV
OSV
added 2022/06/30 6:15 p.m.6 views

CVE-2022-34791

Jenkins Validating Email Parameter Plugin 1.10 and earlier does not escape the name and description of its parameter type, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...

5.4CVSS5.7AI score0.00602EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2022/06/23 5:15 p.m.3 views

CVE-2022-34188

Jenkins Hidden Parameter Plugin 0.0.4 and earlier does not escape the name and description of Hidden Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...

5.4CVSS6.2AI score0.00602EPSS
Exploits0References2
CNNVD
CNNVD
added 2022/06/22 12:0 a.m.6 views

Jenkins Plugin Image Tag Parameter 跨站脚本漏洞

Jenkins and Jenkins Plugin are both Jenkins open source products.Jenkins is an application. Jenkins Plugin is an application that provides hundreds of plug-ins to support building, deploying, and automating any project. cross-site scripting vulnerability exists in Jenkins Image Tag Parameter Plug...

5.4CVSS5.6AI score0.00602EPSS
Exploits0References4
CNNVD
CNNVD
added 2022/06/22 12:0 a.m.4 views

Jenkins Plugin Filesystem List Parameter 跨站脚本漏洞

Jenkins and Jenkins Plugin are both Jenkins open source products. jenkins is an application. Jenkins Plugin is an application that provides hundreds of plug-ins to support building, deploying, and automating any project. Jenkins Filesystem List Parameter Plugin version 0.0.7 and earlier versions...

5.4CVSS5AI score0.00738EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2019/12/03 3:13 p.m.7 views

knockout: Cross-site Scripting (XSS) attacks due to not escaping the name attribute.

There is a vulnerability in knockout before version 3.5.0-beta, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it...

6.1CVSS6.8AI score0.01988EPSS
Exploits1References5
RedHat Linux
RedHat Linux
added 2019/12/03 2:58 p.m.6 views

knockout: Cross-site Scripting (XSS) attacks due to not escaping the name attribute.

There is a vulnerability in knockout before version 3.5.0-beta, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it...

6.1CVSS6.8AI score0.01988EPSS
Exploits1References5
Hacker One
Hacker One
added 2015/09/07 1:43 p.m.15 views

Vimeo: XSS on vimeo.com/home after other user follows you

Description If some user follows you on Vimeo, the Name of the user appears in the header of your Home like "Name followed you. The staff posted...". The problem is that the Name is not escaped, which allows to insert HTML code. Proof of concept 1. Using the attacker's account, go to...

0.7AI score
Exploits0
Rows per page
Query Builder