9 matches found
GHSA-993G-76C3-P5M4 PyJWKClient: missing scheme allowlist enables CVE-2024-21643-class SSRF + token forgery via file://, ftp://, data: schemes
!NOTE The library does not directly return non-HTTPS URI contents to the attacker; the chained "plant a JWKS to forge tokens" scenario described in the original report requires additional application-layer flaws attacker write access to a filesystem path, untrusted jku derivation that this fix do...
CVE-2026-34718
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the HTML sanitizer for ticket articles was missing proper sanitization of data: ... URI schemes, resulting in storing such malicious content in the database of the Zammad instance. The Zammad GUI is...
CVE-2026-47067
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackneyurl.erl converts every unrecognized URL scheme to a permanent BEAM atom via binarytoatom/2. BEAM atoms are never garbage-collected and the atom table defaults to a...
Cross Site Scripting (XSS)
code.gitea.io/gitea is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper validation of URL schemes in links, which allows an attacker to inject malicious javascript: URLs and execute arbitrary scripts in a user's browser...
CVE-2025-12080 Intent Abuse in Google Messages for Wear OS for Silent Message Sending
On Wear OS devices, when Google Messages is configured as the default SMS/MMS/RCS application, the handling of ACTIONSENDTO intents utilizing the sms:, smsto:, mms:, and mmsto: Uniform Resource Identifier URI schemes is incorrectly implemented. Due to this misconfiguration, an attacker capable of...
CVE-2025-10290
Opening links via the contextual menu in Focus iOS for certain URL schemes would fail to load but would not refresh the toolbar correctly, allowing attackers to spoof websites if users were coerced into opening a link explicitly through a long-press This vulnerability affects Focus for iOS 143.0...
Security Vulnerabilities fixed in Focus for iOS 143.0 — Mozilla
Opening links via the contextual menu in Focus iOS for certain URL schemes would fail to load but would not refresh the toolbar correctly, allowing attackers to spoof websites if users were coerced into opening a link explicitly through a long-press...
CVE-2022-30956
Jenkins Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers able to submit crafted Rundeck webhook payloads...
Vulnerability of Firefox and Firefox ESR browsers, which allows hackers to circumvent existing access restrictions policies
The vulnerability of Firefox and Firefox ESR browsers is related to the lack of protection for service data. Exploiting this vulnerability allows a malicious actor to bypass existing access restrictions by using specially crafted data and URL schemes...