Lucene search
K

9 matches found

OSV
OSV
added 2026/06/15 7:28 p.m.6 views

GHSA-993G-76C3-P5M4 PyJWKClient: missing scheme allowlist enables CVE-2024-21643-class SSRF + token forgery via file://, ftp://, data: schemes

!NOTE The library does not directly return non-HTTPS URI contents to the attacker; the chained "plant a JWKS to forge tokens" scenario described in the original report requires additional application-layer flaws attacker write access to a filesystem path, untrusted jku derivation that this fix do...

4.2CVSS5.6AI score0.00181EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:38 p.m.10 views

CVE-2026-34718

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the HTML sanitizer for ticket articles was missing proper sanitization of data: ... URI schemes, resulting in storing such malicious content in the database of the Zammad instance. The Zammad GUI is...

6.1CVSS5.4AI score0.00149EPSS
Exploits0References1
NVD
NVD
added 2026/05/25 3:16 p.m.16 views

CVE-2026-47067

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackneyurl.erl converts every unrecognized URL scheme to a permanent BEAM atom via binarytoatom/2. BEAM atoms are never garbage-collected and the atom table defaults to a...

8.7CVSS0.00703EPSS
Exploits1References4
Veracode
Veracode
added 2026/03/20 7:30 a.m.7 views

Cross Site Scripting (XSS)

code.gitea.io/gitea is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper validation of URL schemes in links, which allows an attacker to inject malicious javascript: URLs and execute arbitrary scripts in a user's browser...

5.4CVSS7.5AI score0.00222EPSS
Exploits0References5Affected Software2
Vulnrichment
Vulnrichment
added 2025/10/27 8:45 a.m.3 views

CVE-2025-12080 Intent Abuse in Google Messages for Wear OS for Silent Message Sending

On Wear OS devices, when Google Messages is configured as the default SMS/MMS/RCS application, the handling of ACTIONSENDTO intents utilizing the sms:, smsto:, mms:, and mmsto: Uniform Resource Identifier URI schemes is incorrectly implemented. Due to this misconfiguration, an attacker capable of...

6.9CVSS6.5AI score0.0015EPSS
Exploits0References1
OSV
OSV
added 2025/09/16 1:15 p.m.6 views

CVE-2025-10290

Opening links via the contextual menu in Focus iOS for certain URL schemes would fail to load but would not refresh the toolbar correctly, allowing attackers to spoof websites if users were coerced into opening a link explicitly through a long-press This vulnerability affects Focus for iOS 143.0...

6.5CVSS5.8AI score0.00236EPSS
Exploits0References2
Mozilla
Mozilla
added 2025/09/16 12:0 a.m.7 views

Security Vulnerabilities fixed in Focus for iOS 143.0 — Mozilla

Opening links via the contextual menu in Focus iOS for certain URL schemes would fail to load but would not refresh the toolbar correctly, allowing attackers to spoof websites if users were coerced into opening a link explicitly through a long-press...

6.5CVSS6.8AI score0.00236EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2022/05/17 3:15 p.m.2 views

CVE-2022-30956

Jenkins Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers able to submit crafted Rundeck webhook payloads...

5.4CVSS5.9AI score0.71335EPSS
Exploits0References2
BDU FSTEC
BDU FSTEC
added 2015/12/29 12:0 a.m.3 views

Vulnerability of Firefox and Firefox ESR browsers, which allows hackers to circumvent existing access restrictions policies

The vulnerability of Firefox and Firefox ESR browsers is related to the lack of protection for service data. Exploiting this vulnerability allows a malicious actor to bypass existing access restrictions by using specially crafted data and URL schemes...

5CVSS7AI score0.06058EPSS
Exploits1References3Affected Software2
Rows per page
Query Builder