26 matches found

NVD
added 2026/04/22 4:16 p.m. | 0 views

CVE-2018-25269

ICEWARP 10.3.4 and 11.0.0.0 contain a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Attackers can craft emails containing data URIs with embedded scripts that execute in the...

CVSS 6.1 | EPSS 0.00037
Exploits: 1 | References: 3
CVE
added 2026/03/27 4:56 a.m. | 1 view

CVE-2026-33559

The CVE-2026-33559 entry concerns the WordPress OpenStreetMap plugin (MiKa). A cross-site scripting vulnerability exists in an affected plugin version where a logged-in user with page-creating/editing privileges can embed malicious script via a crafted HTTP request. When another user accesses the...

CVSS 5.4 | AI score 5.8 | EPSS 0.00028
Exploits: 0 | References: 2
Vulnrichment
added 2026/03/10 5:37 p.m. | 1 view

CVE-2026-30974 Copyparty volflag `nohtml` did not block javascript in svg files

Copyparty is a portable file server. Prior to v1.20.11, the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the...

CVSS 4.6 | AI score 5.8 | EPSS 0.00042
Exploits: 0 | References: 3
RedhatCVE
added 2026/02/19 7:35 p.m. | 2 views

CVE-2026-25755

A flaw was found in jsPDF. The addJS method accepts user input without proper sanitization, allowing an attacker to inject arbitrary PDF objects into the document. A specially crafted payload that escapes the JavaScript string delimiter can execute malicious actions or alter the document structur...

CVSS 9.6 | AI score 6.4 | EPSS 0.00026
Exploits: 2 | References: 7
OSV
added 2026/01/16 7:16 p.m. | 1 view

CVE-2021-47837

Markdownify 1.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload crafted markdown files with embedded scripts that execute when the file is opened, potentially enabling remote code execution...

CVSS 5.1 | AI score 6
Exploits: 0 | References: 4
Positive Technologies
added 2026/01/16 12:0 a.m. | 3 views

PT-2026-3292

Markdownify 1.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload crafted markdown files with embedded scripts that execute when the file is opened, potentially enabling remote code execution...

CVSS 7.2 | AI score 7.4 | EPSS 0.00042
Exploits: 0 | References: 5
EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2018-1475

Malware in sbrugna...

CVSS 6.8 | AI score 6.5 | EPSS 0.00176
Exploits: 0 | References: 5
Veracode
added 2024/10/04 4:46 a.m. | 3 views

Cross Site Scripting (XSS)

LibreNMS is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to the lack of proper validation and sanitization of user-uploaded SVG files, allowing users with the "admin" role to upload these files as backgrounds for custom maps without sufficient security checks, which enables...

CVSS 4.8 | AI score 6.6 | EPSS 0.00406
Exploits: 1 | References: 3 | Affected Software: 1
Tenable Nessus
added 2022/05/11 12:0 a.m. | 71 views

RHEL 8 : python38:3.8 and python38-devel:3.8 (RHSA-2022:1764)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:1764 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level...

CVSS 8.2 | AI score 7.2 | EPSS 0.05428
Exploits: 3 | References: 14
Tenable Nessus
added 2022/05/11 12:0 a.m. | 34 views

RHEL 8 : python27:2.7 (RHSA-2022:1821)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:1821 advisory. Python is an interpreted, interactive, object-oriented programming language that supports modules, classes, exceptions, high-level dynamic...

CVSS 8.2 | AI score 7.2 | EPSS 0.05428
Exploits: 3 | References: 15
Github Security Blog
added 2022/04/22 8:25 p.m. | 24 views

SVG with embedded scripts can lead to cross-site scripting attacks in xml2rfc

xml2rfc allows script elements in SVG sources. In HTML output having these script elements can lead to XSS attacks. Sample XML snippet: Impact: This vulnerability impacts websites that publish HTML drafts and RFCs. Patches: This has been fixed in version 3.12.4. Workarounds: If SVG source is...

AI score 5.9
Exploits: 0 | References: 2 | Affected Software: 1
OSV
added 2022/01/07 11:3 a.m. | 1 view

OESA-2022-1482 python-lxml security update

XML processing library combining libxml2/libxslt with the ElementTree API. Security Fixes: lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG...

CVSS 8.2 | AI score 6.8 | EPSS 0.05428
Exploits: 0 | References: 2
Mageia
added 2021/12/30 4:41 p.m. | 35 views

Updated python-lxml packages fix security vulnerability

HTML Cleaner allows crafted and SVG embedded scripts to pass through CVE-2021-43818...

CVSS 8.2 | AI score 0.8 | EPSS 0.05428
Exploits: 0 | References: 2
Microsoft CVE
added 2021/12/17 8:0 a.m. | 1 view

HTML Cleaner allows crafted and SVG embedded scripts to pass through

...

CVSS 8.2 | AI score 8.4 | EPSS 0.05428
Exploits: 0
Veracode
added 2021/12/14 2:31 a.m. | 34 views

Cross-site Scripting (XSS)

lxml is vulnerable to Cross-site Scripting (XSS). An attacker can inject and execute crafted and SVG embedded scripts through the data URIs in clean.py...

CVSS 8.2 | AI score 7.4 | EPSS 0.05428
Exploits: 0 | References: 18 | Affected Software: 4
Vulnrichment
added 2021/12/13 6:5 p.m. | 1 view

CVE-2021-43818 HTML Cleaner allows crafted and SVG embedded scripts to pass through

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant...

CVSS 8.2 | AI score 6.4 | EPSS 0.05428
Exploits: 0 | References: 14
Github Security Blog
added 2021/05/17 8:51 p.m. | 22 views

File upload local preview can run embedded scripts after user interaction

Impact: When uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file, but only after several user interactions to open the preview in a separate tab. This only impacts the local user while in the process of uploading. It cannot be exploited remotely ...

AI score 0.8
Exploits: 0 | References: 2 | Affected Software: 1
Cvelist
added 2021/05/17 7:35 p.m. | 13 views

CVE-2021-32622 File upload local preview can run embedded scripts after user interaction

Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the previ...

CVSS 4.2 | AI score 7.7 | EPSS 0.00174
Exploits: 0 | References: 2
Cvelist
added 2020/07/14 12:30 p.m. | 18 views

CVE-2020-6278

SAP Business Objects Business Intelligence Platform BI Launchpad and CMC, versions 4.1, 4.2, allow an attacker to embed malicious scripts in the application while uploading images, which get executed when the victim opens these files, leading to Stored Cross Site Scripting...

CVSS 5.4 | AI score 5.3 | EPSS 0.00141
Exploits: 0 | References: 2
Ubuntu
added 2019/09/24 8:24 a.m. | 101 views

USN-4138-1: LibreOffice vulnerability

It was discovered that LibreOffice incorrectly handled embedded scripts in document files. If a user were tricked into opening a specially crafted document, a remote attacker could possibly execute arbitrary code...

CVSS 7.8 | AI score 8.4 | EPSS 0.00376
Exploits: 0