Lucene search
K

26 matches found

UbuntuCve
UbuntuCve
added 2026/04/23 4:16 p.m.7 views

CVE-2026-41240

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBIDTAGS and FORBIDATTR handling when function-based ADDTAGS is used. Commit c361baa added an early exit for FORBIDATTR at line 1214. The same fix was not...

6.1CVSS5.7AI score0.00263EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/04/20 7:23 p.m.8 views

CVE-2026-40301

DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize allows...

4.7CVSS5.7AI score0.00271EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/17 8:51 p.m.23 views

CVE-2026-40301 rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives

DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize allows elements in SVG content but never inspects their text content. CSS url references and @import rules pass through unfiltered, causing the browser to issue HTTP requests to...

4.7CVSS0.00271EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/17 8:51 p.m.5 views

CVE-2026-40301

DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize allows...

4.7CVSS5.8AI score0.00271EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/04/17 8:51 p.m.19 views

CVE-2026-40301

Summary of CVE-2026-40301 : The PHP library rhukster/dom-sanitizer (and related advisories) contains a flaw prior to version 1.0.10 where DOMSanitizer::sanitize() does not inspect the text content of elements inside SVG. As a result, CSS rules using url() and @import can reference attacker-contr...

4.7CVSS5.7AI score0.00271EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/10 9:8 p.m.2 views

Cross-site Scripting (XSS)

Overview rhukster/dom-sanitizer is an a simple but effective DOM/SVG/MathML Sanitizer for PHP 7.4+. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the sanitize process. An attacker can cause the browser to send HTTP requests to attacker-controlled hosts, exfiltrat...

5.3CVSS5.6AI score0.00271EPSS
Exploits0References2
OSV
OSV
added 2026/04/10 9:8 p.m.2 views

GHSA-93VF-569F-22CQ rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives

Summary DOMSanitizer::sanitize allows elements in SVG content but never inspects their text content. CSS url references and @import rules pass through unfiltered, causing the browser to issue HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered. Details In...

4.7CVSS6AI score0.00271EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/04/10 9:8 p.m.11 views

rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives

Summary DOMSanitizer::sanitize allows elements in SVG content but never inspects their text content. CSS url references and @import rules pass through unfiltered, causing the browser to issue HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered. Details In...

4.7CVSS6AI score0.00271EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.4 views

PT-2026-32980

Summary DOMSanitizer::sanitize allows elements in SVG content but never inspects their text content. CSS url references and @import rules pass through unfiltered, causing the browser to issue HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered. Details In...

4.7CVSS5.9AI score0.00271EPSS
Exploits0References8
Snyk
Snyk
added 2026/03/13 8:56 p.m.3 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the handling of internationalized attribute bindings. An attacker can execute arbitrary scripts in the context of the application by injecting malicious input into attributes such as href, src, or similar, wh...

8.6CVSS5.8AI score0.00339EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/13 8:56 p.m.5 views

Cross-site Scripting (XSS)

Overview @angular/core is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this...

8.6CVSS5.8AI score0.00339EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.4 views

EUVD-2020-7663

Malware in sbrugna...

6.1CVSS7.8AI score0.01594EPSS
Exploits0References26
Tenable Nessus
Tenable Nessus
added 2024/10/09 12:0 a.m.17 views

CentOS 7 : firefox (RHSA-2020:4080)

The remote CentOS Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:4080 advisory. - In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable to overflow, resulting in an out of bounds...

9.3CVSS8.1AI score0.01961EPSS
Exploits0References13
Tenable Nessus
Tenable Nessus
added 2024/10/09 12:0 a.m.15 views

CentOS 6 : firefox (RHSA-2020:3835)

The remote CentOS Linux 6 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:3835 advisory. - Mozilla developers reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Some of these bugs showed evidence of memory corruption an...

8.8CVSS8.1AI score0.01961EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2023/11/22 10:15 p.m.5 views

CVE-2023-49146

DOMSanitizer aka dom-sanitizer before 1.0.7 allows XSS via an SVG document because of mishandling of comments and greedy regular expressions...

6.1CVSS5.8AI score0.00429EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2021/03/10 12:0 a.m.186 views

NewStart CGSL CORE 5.04 / MAIN 5.04 : firefox Multiple Vulnerabilities (NS-SA-2021-0018)

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has firefox packages installed that are affected by multiple vulnerabilities: - In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition...

9.8CVSS8.4AI score0.42327EPSS
Exploits5References33
CVE
CVE
added 2020/10/01 6:31 p.m.250 views

CVE-2020-15676

CVE-2020-15676 affects Firefox (and related Mozilla products) where the onload handler for SVG elements could run after the DOM sanitizer removed content, enabling JavaScript execution when pasting attacker-controlled data into a contenteditable area. Affected versions: Firefox &lt; 81, Thunderbi...

6.1CVSS6.5AI score0.01594EPSS
Exploits0References9Affected Software3
AlpineLinux
AlpineLinux
added 2020/10/01 6:31 p.m.31 views

CVE-2020-15676

Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a contenteditable element. This vulnerability affects Firefox 81, Thunderbird 78.3, and Firefox ESR 78.3...

6.1CVSS6.8AI score0.01594EPSS
Exploits0
RedHat Linux
RedHat Linux
added 2020/10/01 1:22 p.m.3 views

Mozilla: XSS when pasting attacker-controlled data into a contenteditable element

The Mozilla Foundation Security Advisory describes this flaw as: Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a contenteditable element...

6.1CVSS7.3AI score0.01594EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2020/10/01 1:10 p.m.3 views

Mozilla: XSS when pasting attacker-controlled data into a contenteditable element

The Mozilla Foundation Security Advisory describes this flaw as: Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a contenteditable element...

6.1CVSS7.3AI score0.01594EPSS
Exploits0References5
Rows per page
Query Builder