
4 matches found

RedhatCVE
added 2026/05/15 7:57 p.m. | 7 views

CVE-2026-45228

Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders pushconfig key names using Vue.js's v-html directive without escaping. Authenticated attackers can inject HTML or JavaScript payloads as key names through the...

5.4 CVSS | 5.8 AI score | 0.00183 EPSS
Exploits: 0 | References: 1

OSV
added 2026/03/06 4:33 p.m. | 3 views

CVE-2026-29082 Kestra: Stored Cross-Site Scripting in Markdown File Preview

Kestra is an event-driven orchestration platform. In versions 1.1.10 and prior, Kestra's execution-file preview renders user-supplied Markdown (.md) with markdown-it instantiated as html:true and injects the resulting HTML with Vue's v-html without sanitisation. At time of publication, there a...

7.3 CVSS | 5.8 AI score | 0.00232 EPSS
Exploits: 1 | References: 4

Github Security Blog
added 2025/12/08 9:30 p.m. | 6 views

NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content

Summary: A Cross-Site Scripting (XSS) vulnerability exists in the ui.interactive_image component of NiceGUI v3.3.1 and earlier. The component renders SVG content using Vue's v-html directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG tag. Detail...

6.1 CVSS | 5.6 AI score | 0.00223 EPSS
Exploits: 2 | References: 4 | Affected Software: 1

CNNVD
added 2022/06/02 12:0 a.m. | 4 views

bbs-go Cross-Site Scripting Vulnerability

bbs-go is an open source community system built using the Go language. bbs-go 3.3.0 and earlier versions have a cross-site scripting vulnerability that stems from the lack of filtering and escaping of user data in the v-html tag of Vue used by the application. An attacker could use this...

5.4 CVSS | 5.3 AI score | 0.00511 EPSS
Exploits: 1 | References: 3