29 matches found
malla: Stored XSS via Meshtastic node names in multiple frontend pages
Node names longname, shortname received via MQTT are stored in SQLite without sanitization and rendered into the DOM without escaping. Any participant on a public Meshtastic MQTT broker can set a malicious node name that executes JavaScript in the browser of every Malla dashboard visitor. Affecte...
CVE-2026-8656
CVE-2026-8656 affects jsondiffpatch versions before 0.7.6. The vulnerability is Cross-site Scripting (XSS) via the annotated formatter caused by improper sanitization of JSON values and property names. When an application renders annotated formatter output in the DOM from untrusted JSON/object da...
CVE-2026-8656
Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Cross-site Scripting XSS via the annotated formatter due to improper sanitization of JSON values and property names. If an application compares untrusted JSON/object data and renders annotated formatter output in the DOM,...
CVE-2026-33404
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js Network page and charts.js/index....
CVE-2025-66501
A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the...
CVE-2025-66521
A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Trusted Certificates feature. A crafted payload can be injected as the certificate name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time t...
CVE-2025-66502
A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Page Templates feature. A crafted payload can be stored as the template name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the affected...
CVE-2025-66502
A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Page Templates feature. A crafted payload can be stored as the template name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the affected...
CVE-2025-66501
A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the...
CVE-2025-66521 Foxit pdfonline.foxit.com Stored Cross-Site Scripting in Trusted Certificates Feature
A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Trusted Certificates feature. A crafted payload can be injected as the certificate name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time t...
CVE-2025-66521 Foxit pdfonline.foxit.com Stored Cross-Site Scripting in Trusted Certificates Feature
A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Trusted Certificates feature. A crafted payload can be injected as the certificate name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time t...
CVE-2025-66521
Summary: CVE-2025-66521 is a stored XSS in Foxit’s pdfonline.foxit.com, specifically in the Trusted Certificates feature. What’s affected: The certificate name field accepts crafted input that is later rendered into the DOM without proper sanitization. Root cause: Insufficient sanitization of the...
CVE-2025-66519
The CVE-2025-66519 issue affects pdfonline.foxit.com, specifically the Layer Import functionality, where a crafted payload placed in the Create new Layer field is later rendered into the DOM without proper sanitization. This leads to stored XSS, with script execution when the Layers panel is acce...
EUVD-2025-204457
A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Layer Import functionality. A crafted payload can be injected into the “Create new Layer” field during layer import and is later rendered into the DOM without proper sanitization. As a result, the injected...
CVE-2025-66502
CVE-2025-66502 describes a stored cross-site scripting (XSS) vulnerability in Foxit’s pdfonline.foxit.com Page Templates. A crafted payload can be stored as the template name and later rendered into the DOM without proper sanitization, causing the injected script to execute each time the affected...
CVE-2025-66501 Foxit pdfonline.foxit.com Stored Cross-Site Scripting in eSign Predefined Text Feature
A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the...
CVE-2025-66501
Foxit pdfonline.foxit.com Predefined Text in Foxit eSign is affected by a stored XSS via the Identity field “First Name,” where unsanitized input is rendered into the DOM when predefined text is used or document properties are viewed. The description is consistently reported across CVE entries (N...
PT-2025-52431
A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Layer Import functionality. A crafted payload can be injected into the “Create new Layer” field during layer import and is later rendered into the DOM without proper sanitization. As a result, the injected...
PT-2025-52433
A stored cross-site scripting XSS vulnerability exists in pdfonline.foxit.com within the Trusted Certificates feature. A crafted payload can be injected as the certificate name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time t...
CVE-2025-63714
Cross-Site Scripting XSS vulnerability in SourceCodester User Account Generator 1.0 allows remote attackers to execute arbitrary JavaScript code in the context of the user's browser session via crafted input in the Username Prefix field. The vulnerability exists due to improper sanitization of...