5709 matches found
GHSA-HCPF-QV9M-VFGP esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript
Summary The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a...
CVE-2025-65026
esm.sh is a nobuild content delivery networkCDN for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter,...
CVE-2025-65026
CVE-2025-65026 affects esm.sh prior to version 136. The vulnerability arises when the CSS-to-JavaScript module conversion inserts CSS into a JavaScript template literal without sanitization, allowing template literals to execute ${...} expressions. This can enable XSS in browsers and potential RC...
CVE-2025-65026 esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript
esm.sh is a nobuild content delivery networkCDN for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter,...
CVE-2025-65026 esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript
esm.sh is a nobuild content delivery networkCDN for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter,...
CVE-2025-9625
The Coil Web Monetization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the coil-get-css-selector parameter handling in the mayberestrictcontent function. This makes it possible...
CVE-2025-11267
The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'veucustomcss' parameter in all versions up to, and including, 9.112.1. This is due to insufficient input sanitization and output escaping on the user-supplied Custom CSS value. This makes i...
esm.sh 代码注入漏洞
esm.sh is a content delivery network of esm.sh open source. A code injection vulnerability exists in versions prior to esm.sh 136, which stems from a template literal injection vulnerability in the CSS to JavaScript module functionality that could lead to a cross-site scripting attack or remote...
PT-2025-47504
Name of the Vulnerable Software and Affected Versions esm.sh versions prior to 136 Description The esm.sh CDN service has an issue where CSS-to-JavaScript module conversion lacks proper sanitization. When a CSS file is requested with the ?module parameter, it is converted to a JavaScript module,...
EUVD-2025-197955
The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'veucustomcss' parameter in all versions up to, and including, 9.112.1. This is due to insufficient input sanitization and output escaping on the user-supplied Custom CSS value. This makes i...
CVE-2025-9625
The Coil Web Monetization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the coil-get-css-selector parameter handling in the mayberestrictcontent function. This makes it possible...
CVE-2025-9625
Affected software: WordPress Coil Web Monetization plugin. Vulnerability: Cross-Site Request Forgery due to missing/incorrect nonce validation on the coil-get-css-selector handling in the maybe_restrict_content function. Impact: Unauthenticated attackers can trigger CSS selector detection functio...
EUVD-2025-197947
The Coil Web Monetization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the coil-get-css-selector parameter handling in the mayberestrictcontent function. This makes it possible...
CVE-2025-9625 Coil Web Monetization <= 2.0.2 - Cross-Site Request Forgery
The Coil Web Monetization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the coil-get-css-selector parameter handling in the mayberestrictcontent function. This makes it possible...
CVE-2025-9625 Coil Web Monetization <= 2.0.2 - Cross-Site Request Forgery
The Coil Web Monetization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the coil-get-css-selector parameter handling in the mayberestrictcontent function. This makes it possible...
CVE-2025-11267
The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'veucustomcss' parameter in all versions up to, and including, 9.112.1. This is due to insufficient input sanitization and output escaping on the user-supplied Custom CSS value. This makes i...
CVE-2025-11267
The VK All in One Expansion Unit WordPress plugin is affected by a Stored XSS in the _veu_custom_css value across versions up to 9.112.1. The vulnerability stems from insufficient input sanitization and output escaping, enabling authenticated attackers with Contributor-level access or higher to i...
PT-2025-47272
Name of the Vulnerable Software and Affected Versions Coil Web Monetization plugin for WordPress versions prior to 2.0.3 Description The software is susceptible to a Cross-Site Request Forgery CSRF issue. This is caused by inadequate nonce validation when handling the coil-get-css-selector...
Mozilla Thunderbird < 52.5.2
The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 52.5.2. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2017-30 advisory. - It is possible to execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website, e.g...
EUVD-2025-178299
Malicious code in janus-robotics-optimize-css-assets-webpack-plugin-jovian npm...