4 matches found
CVE-2026-42841 Grav: Stored XSS via Markdown media attribute() action in Grav CMS
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters...
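The mechanism the snippet describes, as an added illustration (this is not Grav's code): a Markdown media "attribute" action that copies the page author's attribute name and value onto the rendered `<img>`. The query shape `?attribute=name,value`, the `ALLOWED_IMG_ATTRS` list and the function names are assumptions made for the example; the point is that an unfiltered attribute name lets `onerror`/`onload` become a live event handler for every reader of the page.

```javascript
// Added illustration, not Grav's own code. Models a Markdown media action
// "attribute" that copies a page author's attribute name/value onto the
// rendered <img>. The "?attribute=name,value" query shape is an assumption.

// Hypothetical allowlist of attributes a page editor may set on an image.
const ALLOWED_IMG_ATTRS = new Set(['alt', 'title', 'width', 'height', 'class', 'id', 'loading']);

function escapeAttr(v) {
  return String(v)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Split "image.jpg?attribute=alt,A cat&attribute=title,x" into the path and
// the list of [action, argument] pairs in the order they were written.
function parseMediaRef(ref) {
  const qIdx = ref.indexOf('?');
  const path = qIdx === -1 ? ref : ref.slice(0, qIdx);
  const actions = qIdx === -1 ? [] : [...new URLSearchParams(ref.slice(qIdx + 1))];
  return { path, actions };
}

// Shared renderer. `policy(name)` decides whether an attribute name is accepted;
// rejected names are reported in `dropped` so a log line can be emitted.
function renderImg(ref, policy) {
  const { path, actions } = parseMediaRef(ref);
  const attrs = { src: path };
  const dropped = [];
  for (const [action, arg] of actions) {
    if (action !== 'attribute') continue; // resize, crop etc. are out of scope here
    const comma = arg.indexOf(',');
    const name = (comma === -1 ? arg : arg.slice(0, comma)).trim().toLowerCase();
    const value = comma === -1 ? '' : arg.slice(comma + 1);
    if (policy(name)) attrs[name] = value; else dropped.push(name);
  }
  // Values are escaped; the attribute NAME is what the policy must control.
  const html = '<img' + Object.entries(attrs).map(([k, v]) => ` ${k}="${escapeAttr(v)}"`).join('') + '>';
  return { html, dropped };
}

// Vulnerable behaviour: every name is accepted, so onerror/onload become
// event handlers that run for any reader of the page (stored XSS).
function renderImgVulnerable(ref) {
  return renderImg(ref, () => true);
}

// Hardened behaviour: allowlist the name and refuse event handlers outright
// (the second check is belt-and-braces in case the allowlist is ever widened).
function renderImgHardened(ref) {
  return renderImg(ref, (name) => ALLOWED_IMG_ATTRS.has(name) && !name.startsWith('on'));
}
```

Escaping the value is not enough here: the injected token is the attribute name itself, so the fix has to be a check on the name (an allowlist), not an encoding step.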
Improper Signature Validation
aws-database-encryption-sdk-dynamodb is vulnerable to Improper Signature Validation. The vulnerability occurs when a Set type is assigned a SIGN_ONLY attribute action. In such cases, there is a chance that the signature validation of the record containing a Set may fail during read, even if the Se...
GHSA-72FP-W44G-625Q Signing DynamoDB Sets when using the AWS Database Encryption SDK.
Impact This advisory addresses an issue when a DynamoDB Set attribute is marked as SIGN_ONLY in the AWS Database Encryption SDK (DB-ESDK) for DynamoDB. This also includes when a Set is part of a List or a Map. DB-ESDK for DynamoDB supports SIGN_ONLY and ENCRYPT_AND_SIGN attribute actions. In version...
Protection Bypass
Overview Affected versions of this package are vulnerable to Protection Bypass via ng-attr-action and ng-attr-srcdoc, which allow binding values that execute JavaScript. The fix was to require bindings to formaction to be $sce.RESOURCE_URL and bindings to iframe srcdoc to be $sce.HTML. Remediation Upgrade angularjs to...
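An added model of what that fix changes, written for this page and not taken from AngularJS: ng-attr-* interpolation looks the attribute name up in a trust-context table and the value must satisfy that context before it reaches the DOM. The context names follow $sce (HTML, URL, RESOURCE_URL) and the `unsafe:` prefix mirrors how AngularJS neutralises disallowed URL schemes; the table contents for the "before" state, the scheme allowlist and the function names are assumptions made for the example.

```javascript
// Added model, not AngularJS's code. Shows the effect of the fix: the bound
// attribute's name selects a trust context, and the value must satisfy it.
// The "before" table and the scheme allowlist are assumptions for this example.

const SCE = Object.freeze({ HTML: 'html', URL: 'url', RESOURCE_URL: 'resourceUrl' });

// A value explicitly marked safe for one context, as $sce.trustAs(ctx, v) does.
class TrustedValue {
  constructor(ctx, value) { this.ctx = ctx; this.value = value; }
}
function trustAs(ctx, value) { return new TrustedValue(ctx, value); }

// Before the fix (assumed): action/formaction/srcdoc had no entry, so
// ng-attr-action and ng-attr-srcdoc wrote a plain string into the attribute.
const CONTEXTS_BEFORE = Object.freeze({ href: SCE.URL, src: SCE.URL });
// After the fix: formaction/action need RESOURCE_URL, srcdoc needs HTML.
const CONTEXTS_AFTER = Object.freeze({
  ...CONTEXTS_BEFORE,
  action: SCE.RESOURCE_URL,
  formaction: SCE.RESOURCE_URL,
  srcdoc: SCE.HTML,
});

// Hypothetical scheme allowlist for the URL context.
const SAFE_URL_SCHEMES = /^\s*(https?|s?ftp|mailto|tel|file):/i;

function getTrusted(ctx, value) {
  if (value instanceof TrustedValue) {
    if (value.ctx === ctx) return value.value;
    throw new Error(`value trusted for ${value.ctx}, not ${ctx}`);
  }
  if (ctx === SCE.URL) {
    // URL context: plain strings pass, but a disallowed scheme is neutralised
    // with an "unsafe:" prefix so javascript: can no longer run.
    const hasScheme = /^\s*[a-z][a-z0-9+.-]*:/i.test(value);
    return hasScheme && !SAFE_URL_SCHEMES.test(value) ? `unsafe:${value}` : String(value);
  }
  // HTML and RESOURCE_URL accept only values that were explicitly trusted.
  throw new Error(`untrusted value in ${ctx} context`);
}

// ng-attr-<name>="{{expr}}" after the expression has evaluated to `value`.
// Returns the string that would be written to the DOM attribute.
function interpolateAttr(contexts, name, value) {
  const ctx = contexts[name.toLowerCase()];
  return ctx === undefined ? String(value) : getTrusted(ctx, value);
}

// True when the DOM would end up holding a javascript: URL for this binding.
function bindsJavascript(contexts, name, value) {
  try {
    return /^\s*javascript:/i.test(interpolateAttr(contexts, name, value));
  } catch {
    return false; // the binding was refused, nothing reaches the DOM
  }
}
```

The contrast is between the two contexts: URL bindings (href, src) are sanitised, so a `javascript:` value degrades to `unsafe:javascript:`, whereas RESOURCE_URL and HTML bindings refuse everything except a value the application has explicitly passed through `$sce.trustAs`. Before the fix, formaction and srcdoc fell into neither bucket and the raw string went straight into the element.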