Lucene search
+L

12 matches found

ATTACKERKB
ATTACKERKB
added 2026/06/22 5:31 p.m.6 views

CVE-2026-50146

Astro is a web framework. Prior to 6.3.3, when a component uses a client: directive, Astro inserts named slot content into a data-astro-template attribute without HTML escaping the slot name allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflect...

7.1CVSS5.9AI score0.00177EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/07 7:41 p.m.15 views

CVE-2026-39823 Bypass of meta content URL escaping causes XSS in html/template

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS...

7.3AI score0.00328EPSS
Exploits0References4
Debian CVE
Debian CVE
added 2026/05/07 1:36 p.m.9 views

CVE-2026-41650

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "--" sequence in comment content or the "" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection...

6.1CVSS5.7AI score0.00238EPSS
Exploits1
Tenable Nessus
Tenable Nessus
added 2026/04/13 12:0 a.m.16 views

Amazon Linux 2023 : containerd, containerd-stress (ALAS2023-2026-1534)

"It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1534 advisory. url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CVE-2026-25679 On Unix platforms, when listing the contents of a directory using File.ReadDir o...

9.1CVSS7.4AI score0.01557EPSS
Exploits1References10
OSV
OSV
added 2026/03/10 8:44 a.m.3 views

BIT-GOLANG-2026-27142 URLs in meta content attribute actions are not escaped in html/template

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actio...

6.1CVSS5.7AI score0.00328EPSS
Exploits0References5
OSV
OSV
added 2026/03/06 10:16 p.m.8 views

AZL-79622 CVE-2026-27142 affecting package golang 1.26.0-1

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actio...

6.1CVSS5.6AI score0.00328EPSS
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/03/06 9:28 p.m.2 views

CVE-2026-27142

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actio...

6.1CVSS5.7AI score0.00328EPSS
Exploits0
CVE
CVE
added 2026/03/06 9:28 p.m.95 views

CVE-2026-27142

CVE-2026-27142 is disclosed as an issue where URLs inserted into the content attribute of HTML meta tags were not escaped, potentially enabling XSS when the meta tag has http-equiv="refresh". Public advisories (ALAS2-2026-3310, ALAS2-2026-3313, ALAS2-2026-3311, ALAS2023-2026-1771, etc.) link this...

6.1CVSS5.7AI score0.00328EPSS
Exploits0References4Affected Software1
Debian CVE
Debian CVE
added 2026/02/02 11:23 p.m.10 views

CVE-2025-61636

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from before 1.39.14, 1.43.4,...

4.8CVSS5.2AI score0.00211EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2025/05/23 10:28 a.m.12 views

CVE-2024-7132

The Page Builder Gutenberg Blocks WordPress plugin before 3.1.13 does not escape the content of post embed via one of its block, which could allow users with the capability to publish posts editor and admin by default to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml...

4.8CVSS5.9AI score0.00379EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/22 4:2 p.m.8 views

CVE-2020-2217

Jenkins Compatibility Action Storage Plugin 1.0 and earlier does not escape the content coming from the MongoDB in the testConnection form validation endpoint, resulting in a reflected cross-site scripting XSS vulnerability...

6.1CVSS5.7AI score0.00699EPSS
Exploits0
RedHat Linux
RedHat Linux
added 2021/12/09 2:46 p.m.5 views

Mozilla: Bypass of CSP sandbox directive when embedding

Documents loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content. This vulnerability affects Thunderbird 91.4.0, Firefox ESR 91.4.0, and Firefox 95...

6.1CVSS7.4AI score0.01352EPSS
Exploits0References4
Rows per page
Query Builder