CVE-2026-44727

Jupyter Server (prior to 2.20) is affected by a stored XSS in the nbconvert HTML export path. The nbconvert HTTP handlers NbconvertFileHandler and NbconvertPostHandler render notebook HTML under the Jupyter origin without a sandbox directive in Content-Security-Policy, and NbconvertHTMLExporter’s...

Astra Linux – Vulnerability in Thunderbird, Firefox

A poorly handled security check during the creation of a WebSocket in a WebWorker caused the Content Security Policy’s connect-src header to be ignored. This could lead to connections being made to restricted origins from within WebWorkers. This vulnerability affects Firefox 109, Firefox ESR 102....

Linux Distros Unpatched Vulnerability : CVE-2026-11025

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Insufficient policy enforcement in Navigation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via...

CVE-2026-11267

Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension. Chromium security severity: Low...

CVE-2026-11260

Inappropriate implementation in Permissions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. Chromium security severity: Low...

CVE-2025-59874

HCL Hive Telco Observability is affected by a Required directives missing from the CSP issue is detected in keycloak component of the web application. Missing essential directives can leave a site vulnerable...

PT-2026-46787

Inappropriate implementation in Permissions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. Chromium security severity: Low...

Linux Distros Unpatched Vulnerability : CVE-2026-44581

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces...

EUVD-2026-33548

An improper neutralization of active SVG content in OTRS or OTRS Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to browser-side resource exhaustion and denial of service when affected tickets are opened by an agent o...

CVE-2026-9137

The CSP report endpoint in MISP intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource...

EUVD-2026-31155

The CSP report endpoint intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion...

Astra Linux - уязвимость в chromium

Insufficient policy enforcement in the Content Security Policy of Google Chrome prior to version 91.0.4472.77 allowed a remote attacker to bypass the content security policy through a crafted HTML page...

PT-2026-42248

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description The CSP report endpoint incorrectly allowed reports up to 1 MB before truncation, despite being intended to limit logged CSP reports to 1 KB. When this endpoint ...

ALSA-2026:18479 Important: qemu-kvm security update

Kernel-based Virtual Machine KVM is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fixes: firefox: thunderbird: CSP Bypass and XSS Exposure via Web Compatibility Shi...

Fedora 44 : yelp (2026-ed4f450fa9)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-ed4f450fa9 advisory. Yelp 49.1, fixing: Flatpak applications are able to exfiltrate host files due to yelp's CSP being too permissive Tenable has extracted the preceding...

Fedora 43 : yelp (2026-7c3b91a2bc)

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-7c3b91a2bc advisory. Yelp 49.1, fixing: Flatpak applications are able to exfiltrate host files due to yelp's CSP being too permissive Tenable has extracted the preceding...

CVE-2026-44581

CVE-2026-44581 details a stored XSS in Next.js App Router apps relying on CSP nonces when deployed behind shared caches. Affected versions are 13.4.0–before 15.5.16 and 16.2.5; malformed nonce values derived from request headers could be reflected into rendered HTML, enabling cache-poisoning and ...

GHSA-FFHC-5MCF-PF4Q Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces

Impact App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to...

CVE-2025-31983 HCL BigFix Service Management (SM) is affected by a security misconfiguration vulnerability due to CSP header

HCL BigFix Service Management SM is affected by a security misconfiguration vulnerability due to CSP header. This could allow attackers to inject malicious scripts increasing the risk of cross-site scripting XSS and potential exposure of sensitive information...

CVE-2025-31983

HCL BigFix Service Management SM is affected by a security misconfiguration vulnerability due to CSP header. This could allow attackers to inject malicious scripts increasing the risk of cross-site scripting XSS and potential exposure of sensitive information...