Lucene search
+L

13 matches found

CVE
CVE
added 4 days ago6 views

CVE-2026-58486

CVE-2026-58486: HedgeDoc prior to 1.11.0 is vulnerable to a YAML alias bomb in note frontmatter. HedgeDoc parses frontmatter with js-yaml.load (js-yaml v3) via @hedgedoc/meta-marked, resolving YAML anchors and potentially expanding a malicious payload into a huge object, consuming CPU on each req...

8.3CVSS6.1AI score0.00235EPSS
Exploits0References2
NVD
NVD
added 5 days ago8 views

CVE-2026-15505

A weakness has been identified in vnotex vnote up to 3.20.1. Impacted is an unknown function of the file /src/data/extra/web/js/markdownit.js of the component YAML Frontmatter. This manipulation of the argument pmetaData causes cross site scripting. The attack may be initiated remotely. The vendo...

5.1CVSS0.00195EPSS
Exploits0References4
CVE
CVE
added 5 days ago14 views

CVE-2026-15505

The CVE concerns vnotex vnote (up to version 3.20.1) where the YAML Frontmatter component exposes cross-site scripting via the file /src/data/extra/web/js/markdownit.js. The issue arises from manipulation of the argument p_metaData in the YAML Frontmatter code, which can potentially be exploited ...

5.1CVSS4.7AI score0.00195EPSS
Exploits0References4
Cvelist
Cvelist
added 5 days ago34 views

CVE-2026-15505 vnotex vnote YAML Frontmatter markdownit.js cross site scripting

A weakness has been identified in vnotex vnote up to 3.20.1. Impacted is an unknown function of the file /src/data/extra/web/js/markdownit.js of the component YAML Frontmatter. This manipulation of the argument pmetaData causes cross site scripting. The attack may be initiated remotely. The vendo...

5.1CVSS0.00195EPSS
Exploits0References4
EUVD
EUVD
added 5 days ago8 views

EUVD-2026-43246

A weakness has been identified in vnotex vnote up to 3.20.1. Impacted is an unknown function of the file /src/data/extra/web/js/markdownit.js of the component YAML Frontmatter. This manipulation of the argument pmetaData causes cross site scripting. The attack may be initiated remotely. The vendo...

5.1CVSS4.6AI score0.00195EPSS
Exploits0References4
Metasploit
Metasploit
added 2025/12/12 6:56 p.m.503 views

Grav CMS Twig SSTI Authenticated Sandbox Bypass RCE

This module exploits a Server-Side Template Injection SSTI vulnerability CVE-2025-66294 in Grav CMS that allows bypassing the Twig sandbox to achieve remote code execution. The cleanDangerousTwig method uses weak regex that fails to sanitize nested Twig calls within the evaluatetwig function. To...

9.6CVSS6.1AI score0.0264EPSS
Exploits5
RedhatCVE
RedhatCVE
added 2025/12/08 5:11 p.m.3 views

CVE-2025-66301

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/pagename, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through...

9.6CVSS6.8AI score0.01252EPSS
Exploits4References1
OSV
OSV
added 2025/12/02 12:36 a.m.5 views

GHSA-V8X2-FJV7-8HJH Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions

Summary Due to a broken access control vulnerability in the /admin/pages/pagename endpoint, an editor user with full permissions to pages can change the functionality of a form after submission. Details Due to improper authorization checks when modifying critical fields on a POST request to...

8.6CVSS6.8AI score0.01252EPSS
Exploits4References3
EUVD
EUVD
added 2025/12/02 12:36 a.m.7 views

EUVD-2025-200109

Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions...

8.6CVSS6.4AI score0.01252EPSS
Exploits4References2
NVD
NVD
added 2025/12/01 10:15 p.m.6 views

CVE-2025-66301

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/pagename, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through...

9.6CVSS0.01252EPSS
Exploits4References1
Vulnrichment
Vulnrichment
added 2025/12/01 9:30 p.m.2 views

CVE-2025-66301 Grav ihas Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/pagename, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through...

8.6CVSS6.3AI score0.01252EPSS
Exploits4References1
Cvelist
Cvelist
added 2025/12/01 9:30 p.m.14 views

CVE-2025-66301 Grav ihas Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/pagename, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through...

8.6CVSS0.01252EPSS
Exploits4References1
OSV
OSV
added 2025/12/01 9:30 p.m.10 views

CVE-2025-66301 Grav ihas Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/pagename, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through...

8.6CVSS6.8AI score0.01252EPSS
Exploits4References3
Rows per page
Query Builder