UBUNTU-CVE-2026-42043
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NOPROXY protection. This vulnerability is due t...
CVE-2026-42038
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the fix for the noproxy hostname normalization bypass is incomplete. When noproxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy...
UBUNTU-CVE-2026-42040
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode function in lib/helpers/AxiosURLSearchParams.js contains a character mapping charMap at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\x00') correctly...
EUVD-2017-6586
Malware in sbrugna...
EUVD-2025-18677
Malicious code in bioql PyPI...
CVE-2024-40794
This issue was addressed through improved state management. This issue is fixed in Safari 17.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. Private Browsing tabs may be accessed without authentication...
The case against self-closing tags in HTML
Let's talk about /: You'll see this syntax on my blog because it's what Prettier does, and I really like Prettier. However, I don't think / is a good thing. First up: The facts Enter XHTML Back in the late 90s and early 2000s, the W3C had a real thing for XML, and thought that it should replace...
MAL-2023-611 Malicious code in mv-browser-support (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a8942832656feb0a5ad201155c0335c5e5d8bd5c8fa7efcb575a25b9542327cb Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Eta cross-site scripting vulnerability
Eta is an open source, lightweight, fast embedded JS template engine. It can run in Node, Deno and the browser. A cross-site scripting vulnerability exists in Eta. An attacker could exploit this vulnerability to perform cross-site scripting attacks...
XSS via uploaded gpx file
A malicious content author could upload a GPX file with a Javascript payload. The payload could then be executed by luring a legitimate user to view the file in a browser with support for GPX files. GPX is an XML-based format used to store GPS data. By default, Silverstripe CMS will no longer all...
PT-2022-26919 · Jenkins · Jenkins 360 Fireline Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins 360 FireLine Plugin versions 1.7.2 and earlier Description: The issue concerns the Jenkins 360 FireLine Plugin, which programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived...
Cross-fading any two DOM elements is currently impossible
Update: A spec change has landed to make this possible, it'll ship in Chrome 100, it's been implemented in Firefox, and it already existed as a non-standard feature in Safari. Soon this feature will be supported across all major browsers! Ok, it isn't always impossible. Be amazed as I cross-fade...
CVE-2021-39222
Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Talk application was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due to the strict...
CVE-2021-39221
Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Contacts application prior to version 4.0.3 was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due t...
XSS in Nextcloud Circles
None...
Cross site scripting
Nextcloud Text is a collaborative document editing application that uses Markdown. A cross-site scripting vulnerability is present in versions prior to 19.0.13, 20.0.11, and 21.0.3. The Nextcloud Text application shipped with Nextcloud server used a text/html Content-Type when serving files to...
CSS paint API: Being predictably random
Take a look at this: Space invaders If you're using a browser that supports the CSS paint API, the element will have a 'random' pixel-art gradient in the background. But it turns out, doing random in CSS isn't as easy as it seems… Initial implementation This isn't a full tutorial on the CSS paint...
Understanding Emerging Video Formats
In my previous post, we discussed two new image formats: High-Efficiency Image File HEIF and AV1 Image File AVIF. In this article, we'll take a closer look at two emerging video formats built on the same foundations. Akamai Image & Video Manager IVM already supports the key video codecs H.264,...