8584 matches found
CVE-2025-15599
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFEFORXML regex. Attackers can include closing rawtext tags like in attribute...
Cross-site Scripting (XSS)
Overview wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the TableBlock class attributes. A user with access to create or edit pages containing TableBlock StreamField blocks in the admin interfac...
CVE-2026-0540 DOMPurify XSS via Missing Rawtext Elements in SAFE_FOR_XML
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements noscript, xmp, noembed, noframes, iframe in the SAFEFORXML regex. Attacke...
CVE-2026-0540
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements noscript, xmp, noembed, noframes, iframe in the SAFEFORXML regex. Attacke...
EUVD-2025-208240
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFEFORXML regex. Attackers can include closing rawtext tags like in attribute...
CVE-2025-15599
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFEFORXML regex. Attackers can include closing rawtext tags like in attribute...
CVE-2025-15599
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFEFORXML regex. Attackers can include closing rawtext tags like in attribute...
CVE-2025-15599 DOMPurify XSS via Textarea Rawtext Bypass in SAFE_FOR_XML
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFEFORXML regex. Attackers can include closing rawtext tags like in attribute...
SUSE-SU-2026:0761-1 Security update for freerdp
This update for freerdp fixes the following issues: - CVE-2026-22855: heap-buffer-overflow in smartcardunpacksetattribcall bsc1256721. - CVE-2026-22857: heap-use-after-free in irpthreadfunc bsc1256723. - CVE-2026-23533: improper validation can lead to heap buffer overflow in...
PT-2026-22763
Name of the Vulnerable Software and Affected Versions DOMPurify versions 2.5.3 through 2.5.8 DOMPurify versions 3.1.3 through 3.2.6 Description DOMPurify contains a cross-site scripting issue that allows attackers to bypass attribute sanitization. This is due to missing textarea rawtext element...
Unity Linux 20.1070e Security Update: kernel (UTSA-2026-005575)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005575 advisory. In the Linux kernel, the following vulnerability has been resolved: iio: light: veml6030: fix IIO device retrieval from embedded device The dev pointer that is...
sssd default kerberos configuration allows privilege escalation on ad-joined linux systems
A flaw was found in the integration of Active Directory and the System Security Services Daemon SSSD on Linux systems. In default configurations, the Kerberos local authentication plugin sssdkrb5localauthplugin is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an...
Fedora 43 : 389-ds-base / python3-docs / python3.14 (2026-27ce708600)
The remote Fedora 43 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2026-27ce708600 advisory. - New minor version of the Python interpreter, bringing also security fixes. - 389-ds-base: Fix system index configuration issues - 389-ds-base: Fix...
CVE-2026-2362
The WP Accessibility plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the 'alt' attribute of images processed by the "Long Description UI" feature in all versions up to, and including, 2.3.1. This is due to the plugin's JavaScript retrieving the alt attribute using...
CVE-2025-14149
The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Scroller widget box link attribute in all versions up to, and including, 1.4.24 due to insufficient input sanitization and output escaping on user supplied...
CVE-2026-3268
A vulnerability was detected in psi-probe PSI Probe up to 5.3.0. The affected element is an unknown function of the file psi-probe-core/src/main/java/psiprobe/controllers/sessions/RemoveSessAttributeController.java of the component Session Attribute Handler. Performing a manipulation results in...
CVE-2026-1697
The Secure and SameSite attribute are missing in the GraphicalData web services and WebClient web app of PcVue in version 12.0.0 through 16.3.3 included...
GHSA-V4JW-M6RM-399H Keycloak Server Private SPI: Improper Access Control Allows Administrators to Bypass Attribute Visibility Restrictions and Modify Unmanaged User Profile Attributes
A flaw was found in Keycloak. An administrator with manage-users permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the syste...
Keycloak Server Private SPI: Improper Access Control Allows Administrators to Bypass Attribute Visibility Restrictions and Modify Unmanaged User Profile Attributes
A flaw was found in Keycloak. An administrator with manage-users permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the syste...
CVE-2025-14142
CVE-2025-14142 refers to the WordPress plugin Electric Enquiries, affected up to and including version 1.1. It enables a Stored Cross-Site Scripting (XSS) via the button attribute of the electric-enquiry shortcode, allowing authenticated attackers with Contributor-level access and above to inject...