Lucene search
K

51 matches found

NVD
NVD
added 5 days ago6 views

CVE-2026-12108

The Highlighting Code Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

4.4CVSS0.00208EPSS
Exploits0References8
CVE
CVE
added 5 days ago7 views

CVE-2026-12108

The CVE-2026-12108 entry concerns the WordPress Highlighting Code Block plugin. Affected: the Highlighting Code Block plugin for WordPress (versions up to 2.2.0). Vulnerability: Stored Cross-Site Scripting via admin settings caused by insufficient input sanitization and output escaping. Impact: a...

4.4CVSS6.2AI score0.00208EPSS
Exploits0References8
EUVD
EUVD
added 5 days ago8 views

EUVD-2026-42841

The Highlighting Code Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

4.4CVSS6.2AI score0.00208EPSS
Exploits0References8
NVD
NVD
added 2026/07/06 8:16 p.m.10 views

CVE-2026-58402

Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out...

5.4CVSS0.00172EPSS
Exploits0References4
Debian CVE
Debian CVE
added 2026/07/06 7:19 p.m.8 views

CVE-2026-58402

Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out...

5.4CVSS5.8AI score0.00172EPSS
Exploits0
Cvelist
Cvelist
added 2026/07/06 7:19 p.m.34 views

CVE-2026-58402 Hugo default code block renderer XSS via unescaped code-fence language

Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out...

5.1CVSS0.00172EPSS
Exploits0References4
OSV
OSV
added 2026/07/06 7:19 p.m.4 views

CVE-2026-58402 Hugo default code block renderer XSS via unescaped code-fence language

Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out...

5.1CVSS5.9AI score0.00172EPSS
Exploits0References6
NVD
NVD
added 2026/06/29 7:16 p.m.13 views

CVE-2026-53428

Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation. comraknif::lumisadapter::LumisAdapter::parsehighlightlines in native/comraknif/src/lumisadapter.rs eagerly expands a...

6.9CVSS0.00142EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/29 6:52 p.m.25 views

CVE-2026-53428 Unbounded memory allocation in highlight_lines range expansion in mdex

Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation. comraknif::lumisadapter::LumisAdapter::parsehighlightlines in native/comraknif/src/lumisadapter.rs eagerly expands a...

6.9CVSS0.00142EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/06/29 6:52 p.m.11 views

CVE-2026-53428 Unbounded memory allocation in highlight_lines range expansion in mdex

Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation. comraknif::lumisadapter::LumisAdapter::parsehighlightlines in native/comraknif/src/lumisadapter.rs eagerly expands a...

6.9CVSS5.9AI score0.00142EPSS
Exploits0References4
Snyk
Snyk
added 2026/06/19 5:45 p.m.10 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the default code block rendering. An attacker can execute arbitrary JavaScript in the context of users viewing generated pages by supplying a crafted code-fence language info-string containing malicious...

5.4CVSS5.9AI score0.00172EPSS
Exploits0References2
OSV
OSV
added 2026/06/19 5:45 p.m.6 views

GHSA-Q76J-GCG9-VXC6 Hugo: XSS via unescaped code-fence language in default code block renderer

Hugo's default code-block renderer wrote the Markdown code-fence language / info-string into the wrapper without HTML escaping. A fence info-string containing a quote and a payload breaks out of the attribute and injects a live script element. This is not an issue if you fully trust every file...

5.1CVSS5.8AI score0.00172EPSS
Exploits0References2
OSV
OSV
added 2026/05/22 5:27 p.m.2 views

CVE-2026-39965 TypeBot: SSRF via Open Redirect Bypass in HTTP Request and Code Blocks

TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain an SSRF via Open Redirect Bypass as the HTTP Request block and Code block validate the initial request URL via validateHttpReqUrl to block private IPs and cloud metadata hostnames. However, the HTTP clients ky and fetch follow 3...

7.7CVSS5.9AI score0.00239EPSS
Exploits0References4
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/08 6:42 a.m.4 views

Security Bulletin: Highlight.js Prototype Pollution Vulnerability in Code Block Parsing, affects watsonx.data

Summary Highlight.js versions prior to 9.18.2 and 10.1.2 are vulnerable to prototype pollution via malicious HTML in user-supplied code blocks. This can cause unexpected application behavior or crashes, representing a potential DoS vector. This can affect watsonx.data. Vulnerability Details...

8.7CVSS5.9AI score0.01307EPSS
Exploits0Affected Software1
OSV
OSV
added 2026/01/18 3:37 p.m.8 views

CVE-2026-0863 Sandbox escape in n8n Python task runner allows for arbitrary code execution on the underlying host.

Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python code in the underlying operating system. The vulnerability can be exploited via the Code block by an authenticated user with basic permissio...

8.5CVSS7.9AI score0.08497EPSS
Exploits1References6
Vulnrichment
Vulnrichment
added 2026/01/07 8:21 a.m.1 views

CVE-2025-12958 Rankology SEO and Analytics Tool <= 2.0 - Incorrect Authorization to Authenticated (Editor+) Header & Footer Code Creation

The Rankology SEO and Analytics Tool plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the 'rankologycodeblock' page in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Editor-level acces...

2.7CVSS5.4AI score0.0021EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/01/07 8:21 a.m.29 views

CVE-2025-12958 Rankology SEO and Analytics Tool <= 2.0 - Incorrect Authorization to Authenticated (Editor+) Header & Footer Code Creation

The Rankology SEO and Analytics Tool plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the 'rankologycodeblock' page in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Editor-level acces...

2.7CVSS0.0021EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/01/07 12:0 a.m.6 views

PT-2026-1587

Name of the Vulnerable Software and Affected Versions Rankology SEO and Analytics Tool versions prior to 2.1 Description The Rankology SEO and Analytics Tool plugin for WordPress has an issue where data can be modified without proper authorization. This is due to a flawed capability check on the...

2.7CVSS6.7AI score0.0021EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2025/12/02 1:25 a.m.9 views

mdast-util-to-hast has unsanitized class attribute

Impact Multiple unprefixed classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. The following markdown: markdown jsxss Would create If your page then applied .xss classes or...

6.9CVSS6.8AI score0.0026EPSS
Exploits0References5Affected Software1
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2019-6056

Malware in sbrugna...

6.1CVSS6.3AI score0.00785EPSS
Exploits0References2
Rows per page
Query Builder