CVE-2026-40565 FreeScout has Stored XSS / CSS Injection via linkify() — Unescaped URL in Anchor href

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters " in the URL. HTMLPurifier called first via...

CVE-2026-40565 FreeScout has Stored XSS / CSS Injection via linkify() — Unescaped URL in Anchor href

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters " in the URL. HTMLPurifier called first via...

CVE-2026-40497

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's Helper::stripDangerousTags removes , , , but does NOT strip tags. The mailbox signature field is saved via POST /mailbox/settings/id and later rendered unescaped via !!...

CVE-2026-40497

Summary (concrete details available) : FreeScout prior to version 1.8.213 is vulnerable to CSS injection in the mailbox signature due to incomplete stripping of dangerous tags: stripDangerousTags() removes script/form/iframe/object but not style, allowing inline CSS to exfiltrate CSRF tokens. An ...

CVE-2026-40301

Summary of CVE-2026-40301 : The PHP library rhukster/dom-sanitizer (and related advisories) contains a flaw prior to version 1.0.10 where DOMSanitizer::sanitize() does not inspect the text content of elements inside SVG. As a result, CSS rules using url() and @import can reference attacker-contr...

CVE-2026-40301 rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives

DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize allows elements in SVG content but never inspects their text content. CSS url references and @import rules pass through unfiltered, causing the browser to issue HTTP requests to...

rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives

Summary DOMSanitizer::sanitize allows elements in SVG content but never inspects their text content. CSS url references and @import rules pass through unfiltered, causing the browser to issue HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered. Details In...

CVE-2026-39840 CSS injection in multiple Cargo display formats

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows XSS Targeting Non-Script Elements.This issue affects Mediawiki - Cargo Extension: before 3.8.7...

CVE-2026-39840 CSS injection in multiple Cargo display formats

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows XSS Targeting Non-Script Elements.This issue affects Mediawiki - Cargo Extension: before 3.8.7...

CVE-2026-35046

CVE-2026-35046 affects Tandoor Recipes prior to version 2.6.4. Authenticated users can inject arbitrary tags into recipe step instructions. The bleach.clean() sanitizer explicitly whitelists , allowing the backend to persist and serve unsanitized CSS payloads via the API. Clients rendering instr...

CVE-2026-35046 Tandoor has a Stored CSS Injection via <style> Tag in Recipe Instructions (API-Level)

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, Tandoor Recipes allows authenticated users to inject arbitrary tags into recipe step instructions. The bleach.clean sanitizer explicitly whitelists the tag, causing the backend to...

Incorrect Resource Transfer Between Spheres

Overview Affected versions of this package are vulnerable to Incorrect Resource Transfer Between Spheres in the CSS sanitization process for HTML email messages. An attacker can inject malicious CSS by crafting specially formatted HTML emails that exploit the lack of proper sanitization,...

CVE-2026-31873

Unhead is a document head and template manager. Prior to 2.1.11, The link.href check in makeTagSafe safe.ts uses String.includes, which is case-sensitive. Browsers treat URI schemes case-insensitively. DATA:text/css,... is the same as data:text/css,... to the browser, but 'DATA:...'.includes'data...

CVE-2026-31873

Unhead is a document head and template manager. Prior to 2.1.11, The link.href check in makeTagSafe safe.ts uses String.includes, which is case-sensitive. Browsers treat URI schemes case-insensitively. DATA:text/css,... is the same as data:text/css,... to the browser, but 'DATA:...'.includes'data...

CVE-2026-31873 Unhead has a Bypass of URI Scheme Sanitization in makeTagSafe via Case-Sensitivity

Unhead is a document head and template manager. Prior to 2.1.11, The link.href check in makeTagSafe safe.ts uses String.includes, which is case-sensitive. Browsers treat URI schemes case-insensitively. DATA:text/css,... is the same as data:text/css,... to the browser, but 'DATA:...'.includes'data...

openSUSE 16 Security Update : roundcubemail (openSUSE-SU-2026:20323-1)

The remote openSUSE 16 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20323-1 advisory. Changes to roundcubemail: Update to 1.6.13: This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to...

Security update for roundcubemail (important)

openSUSE security update: security update for roundcubemail ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20323-1 Rating: important References: bsc1255306 bsc1255308 bsc1257909 bsc1258052 Cross-References: CVE-2025-68460 CVE-2025-68461...

OPENSUSE-SU-2026:20323-1 Security update for roundcubemail

This update for roundcubemail fixes the following issues: Changes to roundcubemail: Update to 1.6.13: This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to recently reported security vulnerabilities: + Fix CSS injection vulnerability reported by CERT Polsk...

Security update for roundcubemail (important)

openSUSE Security Update: Security update for roundcubemail Announcement ID: openSUSE-SU-2026:0071-1 Rating: important References: 1255306 1255308 1257909 1258052 Cross-References: CVE-2025-68460 CVE-2025-68461 CVE-2026-25916 CVE-2026-26079 CVSS scores: CVE-2026-26079 SUSE: 5.3...

Security update for roundcubemail (important)

openSUSE Security Update: Security update for roundcubemail Announcement ID: openSUSE-SU-2026:0070-1 Rating: important References: 1255306 1255308 1257909 1258052 Cross-References: CVE-2025-68460 CVE-2025-68461 CVE-2026-25916 CVE-2026-26079 CVSS scores: CVE-2026-26079 SUSE: 5.3...