CVE-2026-9818
CVE-2026-9818 is rejected/not used; this entry does not represent an active vulnerability.
CVE-2026-9818
...
PT-2026-44369
Roundcube's HTML sanitization path for message rendering allows loopback, localhost, RFC1918, link-local, and ULA URLs even when remote content loading is disabled. A remote attacker can send an HTML email that causes the victim's browser to issue requests to local or private-network services...
GHSA-26WG-9XF2-Q495 Novu has an XSS sanitization bypass
Summary: XSS sanitization is incomplete; some attributes are missing, such as oncontentvisibilityautostatechange=. This allows the email preview to render HTML that executes arbitrary JavaScript. Details: Sanitization is implemented here:...
October cross-site scripting vulnerability
October is an open-source content management system (CMS) and online platform developed by October. Versions prior to October 3.7.14 and 4.1.10 contained a cross-site scripting vulnerability. This vulnerability stemmed from improper rendering of HTML content in the event log email preview function,...
CVE-2023-43658
discourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic. Improper escaping of event titles could lead to Cross-site Scripting (XSS) within the 'email preview' UI when a site has CSP disabled. Having CSP...
CVE-2023-43659
Discourse is an open source platform for community discussion. Improper escaping of user input allowed for Cross-site Scripting attacks via the digest email preview UI. This issue only affects sites with CSP disabled. This issue has been patched in the 3.1.1 stable release as well as the...
EUVD-2023-48048
Malicious code in bioql PyPI...
EUVD-2023-48047
Malicious code in bioql PyPI...
EUVD-2021-34241
Malicious code in bioql PyPI...
CVE-2021-4414
The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.8.5. This is due to missing or incorrect nonce validation on the wcalpreviewemails function. This makes it possible for unauthenticated attackers to generat...
PT-2025-20988 · Microsoft · Office
Name of the Vulnerable Software and Affected Versions: Microsoft Office versions prior to the May 2025 updates Description: The issue is related to a use after free vulnerability in Microsoft Office, allowing an unauthorized attacker to execute code locally. This vulnerability can be exploited by...
CVE-2025-32426 Formie has an XSS vulnerability for email notification content for preview
Formie is a Craft CMS plugin for creating forms. Prior to version 2.1.44, it is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would requir...
rami.io pretix security vulnerability
rami.io pretix is a ticket store application for conferences, festivals, concerts, tech events, shows, exhibitions, workshops, bars, etc. from the German company rami.io. A security vulnerability exists in rami.io pretix version 2024.7.0 and earlier versions. An attacker can exploit the...
Cross-site scripting
discourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic. Improper escaping of event titles could lead to Cross-site Scripting (XSS) within the 'email preview' UI when a site has CSP disabled. Having CSP...
CVE-2023-43658 Improper escaping of user input in discourse-calendar
discourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic. Improper escaping of event titles could lead to Cross-site Scripting (XSS) within the 'email preview' UI when a site has CSP disabled. Having CSP...
CVE-2023-43658
The CVE-2023-43658 entry describes a Cross-Site Scripting (XSS) flaw in the discourse-calendar plugin for the Discourse platform. The issue arises from improper escaping of event titles, which can trigger XSS in the email preview UI when CSP is disabled. This configuration is non-default, so most...
CVE-2023-43659 Cross-site Scripting via email preview when CSP disabled in Discourse
Discourse is an open source platform for community discussion. Improper escaping of user input allowed for Cross-site Scripting attacks via the digest email preview UI. This issue only affects sites with CSP disabled. This issue has been patched in the 3.1.1 stable release as well as the...
CVE-2023-43659
Discourse contains a Cross-site Scripting (XSS) vulnerability in the digest email preview UI when CSP is disabled. Root cause: improper escaping of user input. Affected releases include Discourse 3.1.x (up to 3.1.1) and the 3.2.0.beta1 release. The issue does not require network exploitation deta...
CVE-2023-43659 Cross-site Scripting via email preview when CSP disabled in Discourse
Discourse is an open source platform for community discussion. Improper escaping of user input allowed for Cross-site Scripting attacks via the digest email preview UI. This issue only affects sites with CSP disabled. This issue has been patched in the 3.1.1 stable release as well as the...