Lucene search
K

20 matches found

Github Security Blog
Github Security Blog
added 2026/05/14 8:23 p.m.10 views

pyLoad is vulnerable to stored XSS in Downloads view via unsanitized link URL in packages.js template literal

Summary The packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to the DOM via $div.htmlhtml. No escaping runs between the API value and innerHTML. An...

8.7CVSS5.9AI score0.00199EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/05/14 8:23 p.m.5 views

GHSA-FCJQ-435V-JX94 pyLoad is vulnerable to stored XSS in Downloads view via unsanitized link URL in packages.js template literal

Summary The packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to the DOM via $div.htmlhtml. No escaping runs between the API value and innerHTML. An...

8.7CVSS5.9AI score0.00199EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/08 12:0 a.m.17 views

PT-2026-38893

Name of the Vulnerable Software and Affected Versions Auto Affiliate Links versions prior to 6.8.9 Description The plugin is subject to Stored Cross-Site Scripting due to insufficient input sanitization of the url POST parameter within the aal url stats save action function and a lack of output...

7.2CVSS5.9AI score0.00366EPSS
Exploits0References16
ATTACKERKB
ATTACKERKB
added 2026/04/08 9:35 p.m.2 views

CVE-2026-40029

parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft a .lnk filename wi...

8.5CVSS6.2AI score0.00805EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/03/11 7:9 a.m.3 views

CVE-2025-70128

A Stored Cross-Site Scripting XSS vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using...

6.1CVSS6.2AI score0.00742EPSS
Exploits2References1
Vulnrichment
Vulnrichment
added 2025/12/09 5:0 a.m.4 views

CVE-2025-14284

Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting XSS due to unsanitized user input allowed in setting or toggling links. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload in...

6.1CVSS6.3AI score0.00302EPSS
Exploits1References4
CVE
CVE
added 2025/12/01 10:43 p.m.29 views

CVE-2025-66401

MCP Watch vulnerability (CVE-2025-66401) affects MCPWatch

9.8CVSS7.5AI score0.02004EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2025/11/18 8:55 a.m.5 views

EUVD-2025-197926

SolarWinds Observability Self-Hosted is susceptible to an open redirection vulnerability. The URL is not properly sanitized, and an attacker could manipulate the string to redirect a user to a malicious site. The attack complexity is high, and authentication is required...

4.8CVSS6.3AI score0.00217EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2025/10/22 12:11 a.m.10 views

CVE-2025-60507

Cross site scripting vulnerability in Moodle GeniAI plugin localgeniai 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users including Students or...

8.9CVSS6.2AI score0.00282EPSS
Exploits0References1
NVD
NVD
added 2025/10/21 6:15 p.m.27 views

CVE-2025-60507

Cross site scripting vulnerability in Moodle GeniAI plugin localgeniai 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users including Students or...

8.9CVSS0.00282EPSS
Exploits0References4
Cvelist
Cvelist
added 2025/10/21 12:0 a.m.14 views

CVE-2025-60507

Cross site scripting vulnerability in Moodle GeniAI plugin localgeniai 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users including Students or...

8.9CVSS0.00282EPSS
Exploits0References4
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2024-49874

Malicious code in bioql PyPI...

8.9CVSS6.5AI score0.00475EPSS
Exploits0References1
CVE
CVE
added 2025/09/12 6:0 a.m.12 views

CVE-2025-3650

CVE-2025-3650 refers to a stored XSS flaw in the WordPress plugin jQuery Colorbox (versions

3.5CVSS5.8AI score0.00168EPSS
Exploits0References1
OSV
OSV
added 2024/05/15 2:15 a.m.4 views

CVE-2024-4618

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Team Member widget in all versions up to, and including, 2.6.9.6 due to insufficient input sanitization and output escaping on user supplied 'url' attribute. This makes it possible for...

5.4CVSS6AI score0.00418EPSS
Exploits0References4
CNNVD
CNNVD
added 2022/09/08 12:0 a.m.4 views

JGraph draw.io 跨站脚本漏洞

JGraph draw.io is a configurable chart/whiteboard visualization application for JGraph. A cross-site scripting vulnerability exists in JGraph draw.io versions prior to 20.3.0, which stems from the application using a parameter to specify a url on the refresh and back buttons, assigning it to...

6.1CVSS4.9AI score0.00518EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2022/03/28 12:0 a.m.11 views

PT-2022-13147 · WordPress · Interactive Medical Drawing Of Human Body

Name of the Vulnerable Software and Affected Versions: Interactive Medical Drawing of Human Body WordPress plugin versions prior to 2.6 Description: The issue allows high privilege users to perform Cross-Site Scripting attacks due to the lack of sanitization and escaping of the Link field, even...

4.8CVSS4.7AI score0.00588EPSS
Exploits2References4
OSV
OSV
added 2022/03/07 9:15 a.m.5 views

CVE-2022-0429

The WP Cerber Security, Anti-spam & Malware Scan WordPress plugin before 8.9.6 does not sanitise the $url variable before using it in an attribute in the Activity tab in the plugins dashboard, leading to an unauthenticated stored Cross-Site Scripting vulnerability...

6.1CVSS6.4AI score
Exploits0References1
CNNVD
CNNVD
added 2022/03/07 12:0 a.m.5 views

WordPress plugin WP Cerber Security, Anti-spam & Malware Scan 跨站脚本漏洞

WordPress is a set of blogging platforms developed using the PHP language by the Wordpress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in WordPress WP Cerber Security, Anti-spam & Malware Scan Plugin...

6.1CVSS5.8AI score0.01378EPSS
Exploits2References2
VulnCheck KEV
VulnCheck KEV
added 2022/02/14 12:0 a.m.2 views

VulnCheck KEV: CVE-2022-0429

The WP Cerber Security, Anti-spam & Malware Scan WordPress plugin before 8.9.6 does not sanitise the $url variable before using it in an attribute in the Activity tab in the plugins dashboard, leading to an unauthenticated stored Cross-Site Scripting vulnerability...

6.1CVSS6.4AI score0.01378EPSS
Exploits2References1
Positive Technologies
Positive Technologies
added 2021/05/25 12:0 a.m.6 views

PT-2021-14703 · Jenkins · Jenkins Markdown Formatter Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Markdown Formatter Plugin versions 0.1.0 and earlier Description: The issue results from the plugin's failure to sanitize crafted link target URLs, leading to a stored cross-site scripting XSS vulnerability. This vulnerability can be...

5.4CVSS5.2AI score0.01087EPSS
Exploits0References7
Rows per page
Query Builder