5 matches found
EUVD-2026-30556
Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function and rendered via Vue's v-html directive witho...
CVE-2026-45228
Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders pushconfig key names using Vue.js's v-html directive without escaping. Authenticated attackers can inject HTML or JavaScript payloads as key names through the...
EUVD-2026-11099
The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API entry submission endpoint in all versions up to, and including, 1.6.27. This is due to inconsistent input sanitization between the frontend AJAX handler and the REST API endpoint. When entries are...
NocoDB Vulnerable to Stored Cross-site Scripting via Comments
Summary: Comments rendered via v-html without sanitization, enabling stored XSS. Details: Comments in Comments.vue were parsed by markdown-it with html: true and injected via v-html without DOMPurify. A user with Commenter role can inject arbitrary HTML that executes for all viewers. Impact: Stored...
CVE-2025-68942
Gitea before 1.22.2 allows XSS because the search input box for creating tags and branches is v-html instead of v-text...