Lucene search
+L

493 matches found

Positive Technologies
Positive Technologies
added 2026/07/10 12:0 a.m.7 views

PT-2026-57369

Name of the Vulnerable Software and Affected Versions secure headers versions prior to 7.3.0 Description The software fails to properly sanitize caller-supplied strings when building the Content-Security-Policy CSP header. Specifically, the functions build sandbox list directive, build media type...

4.7CVSS5.4AI score0.00031EPSS
Exploits0References7
Amazon
Amazon
added 2026/07/08 12:0 a.m.5 views

Important: ecs-init

Issue Overview: Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service. CVE-2026-25680 Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt ...

9.6CVSS7AI score0.00939EPSS
Exploits0
Debian CVE
Debian CVE
added 2026/06/22 3:27 p.m.8 views

CVE-2026-54265

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property...

6.1CVSS5.8AI score0.00195EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2026/06/22 12:18 p.m.9 views

CVE-2026-42573

A flaw was found in Svelte, a web framework. An attacker could exploit a DOM clobbering vulnerability, which allows manipulation of the Document Object Model DOM to overwrite internal framework state on elements. This could potentially lead to Cross-Site Scripting XSS attacks, enabling the attack...

8.1CVSS5.8AI score0.00319EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/06/16 11:43 p.m.10 views

Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass

Potential XSS in HTML session exports via Markdown URL handling Pi HTML exports render session Markdown into a static HTML file. Affected versions did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme cou...

2.5CVSS5.2AI score0.00132EPSS
Exploits0References4Affected Software2
OSV
OSV
added 2026/06/12 8:50 p.m.4 views

CVE-2026-53606 sanitize-html has an incomplete URI scheme validation that allows javascript: URIs through action, formaction, data, poster, and background attributes

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Versions of sanitize-html prior to 2.17.5 use allowedSchemesAppliedToAttributes default: 'href', 'src', 'cite' to gate the naughtyHref function that blocks...

5.4CVSS6AI score0.00136EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.34 views

PT-2026-48990

Name of the Vulnerable Software and Affected Versions sanitize-html versions prior to 2.17.5 Description The software uses the allowedSchemesAppliedToAttributes variable to control the naughtyHref function, which is designed to block dangerous URI schemes such as javascript: and vbscript:. Howeve...

5.4CVSS5.2AI score0.00136EPSS
Exploits0References3
NVD
NVD
added 2026/06/09 5:17 p.m.9 views

CVE-2026-42573

Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7...

8.1CVSS0.00319EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/05 7:46 p.m.14 views

CVE-2026-42506

A flaw was found in golang.org/x/net/html. When parsing arbitrary HTML that is subsequently rendered, an unexpected HTML tree can be generated. A remote attacker could leverage this vulnerability to execute Cross-Site Scripting XSS attacks in applications that attempt to sanitize input HTML befor...

6.1CVSS6AI score0.00188EPSS
Exploits0References7
RubySec
RubySec
added 2026/06/04 12:0 a.m.4 views

around_render HTML-Safety Bypass

Summary ViewComponent::Basearoundrender can return HTML-unsafe strings that bypass the escaping behavior applied to normal call return values. This creates an XSS risk when downstream applications use aroundrender to wrap, replace, instrument, or conditionally return content that includes...

8.7CVSS6AI score
Exploits0References1Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/26 7:5 p.m.40 views

CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS

Summary CryptPad’s HTML sanitizer in Diffmarked.js can be bypassed due to incomplete filtering of restricted tags. Because the sanitizer only validates the src attribute of , and elements, and does not restrict other attributes, an attacker can inject arbitrary HTML through srcdoc. This completel...

6.1CVSS6AI score0.00242EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/05/26 7:5 p.m.27 views

GHSA-G2G4-47GV-P72V CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS

Summary CryptPad’s HTML sanitizer in Diffmarked.js can be bypassed due to incomplete filtering of restricted tags. Because the sanitizer only validates the src attribute of , and elements, and does not restrict other attributes, an attacker can inject arbitrary HTML through srcdoc. This completel...

6.1CVSS6AI score0.00242EPSS
Exploits0References4
Amazon
Amazon
added 2026/05/26 12:0 a.m.26 views

Important: golang-github-cpuguy83-md2man

Issue Overview: net/http: memory exhaustion in Request.ParseForm CVE-2025-61726 archive/zip: denial of service when parsing arbitrary ZIP archives CVE-2025-61728 Within HostnameError.Error, when constructing an error string, there is no limit to the number of hosts that will be printed out...

7.5CVSS7.1AI score0.01945EPSS
Exploits3
Amazon
Amazon
added 2026/05/26 12:0 a.m.24 views

Important: libcap

Issue Overview: Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escapi...

7.5CVSS7.2AI score0.00813EPSS
Exploits0
UbuntuCve
UbuntuCve
added 2026/05/22 4:16 p.m.14 views

CVE-2026-25681

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering...

6.1CVSS6AI score0.00178EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/05/22 3:1 p.m.9 views

CVE-2026-25681 Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering...

6AI score0.00178EPSS
Exploits0References4
CVE
CVE
added 2026/05/22 3:1 p.m.108 views

CVE-2026-42506

CVE-2026-42506 affects the Go ecosystem, specifically parsing in golang.org/x/net/html. The root cause is "invoking incorrect handling of namespaced elements in foreign content" which can produce an unexpected HTML tree during rendering. This can enable XSS in applications that sanitize input HTM...

6.1CVSS6AI score0.00188EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/05/22 3:1 p.m.4 views

CVE-2026-42506 Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering...

6.1CVSS6.1AI score0.00188EPSS
Exploits0References7
OSV
OSV
added 2026/05/22 3:1 p.m.3 views

CVE-2026-42502 Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering...

6.1CVSS6.1AI score0.00178EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/05/22 3:1 p.m.8 views

CVE-2026-42506

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering...

6.1CVSS6AI score0.00188EPSS
Exploits0References5
Rows per page
Query Builder