5 matches found
EUVD-2025-8255
Malicious code in bioql PyPI...
Cross-site Scripting (XSS)
django-tomselect is vulnerable to Cross-Site Scripting (XSS). The vulnerability stems from insufficient input sanitization: user-supplied values are not fully escaped in form widget attributes, allowing potentially dangerous HTML tags to be rendered in the browser...
GHSA-785H-76CM-CPMF Django TomSelect incomplete escaping of dangerous characters in widget attributes
Summary User-supplied values passed through to certain attributes in form widgets are not fully escaped for potentially dangerous tokens, and in some cases are rendered in the browser as valid HTML tags. Details Attributes passed to the widget such as labelfield containing , and similar tokens are no...
Django TomSelect incomplete escaping of dangerous characters in widget attributes
Summary User-supplied values passed through to certain attributes in form widgets are not fully escaped for potentially dangerous tokens, and in some cases are rendered in the browser as valid HTML tags. Details Attributes passed to the widget such as labelfield containing , and similar tokens are no...
Improper Encoding or Escaping of Output
Overview django-tomselect provides Django autocomplete widgets and views using Tom Select. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in form widget input, including the labelfield parameter. An attacker can hide the contents between tags in code from...