CVE-2026-46360 phpMyFAQ - Stored XSS via Entity Decoding Depth Limit Bypass in SVG Sanitizer

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities that limits recursive entity decoding to 5 iterations, allowing attackers to bypass sanitization. Authenticated users with FAQEDIT permission can upload malicious SVG files with deeply...

CVE-2026-40186

ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasses allowedTags enforcement for text inside nonTextTagsArray elements textarea and option...

PT-2026-33174

Name of the Vulnerable Software and Affected Versions ApostropheCMS versions prior to 4.29.0 sanitize-html version 2.17.1 Description A regression in the sanitize-html package allows a bypass of allowedTags enforcement for text within nonTextTagsArray elements, specifically textarea and option. T...

CVE-2026-34974

The CVE-2026-34974 vulnerability affects phpMyFAQ prior to version 4.1.1, where the SVG sanitizer (SvgSanitizer.php) uses regexes that can be bypassed by HTML entity encoding in javascript: URLs inside SVG attributes. An attacker with edit_faq permission can upload a malicious SVG that executes ...

PT-2026-29785

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ SvgSanitizer.php can be bypassed using HTML entity encoding in javascript: URLs within SVG attributes. Any user with edit faq permission can upload a malicious SVG that executes...

GHSA-5CRX-PFHQ-4HGG phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding Leads to Stored XSS and Privilege Escalation

Summary The regex-based SVG sanitizer in phpMyFAQ SvgSanitizer.php can be bypassed using HTML entity encoding in javascript: URLs within SVG attributes. Any user with editfaq permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from...

phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding Leads to Stored XSS and Privilege Escalation

Summary The regex-based SVG sanitizer in phpMyFAQ SvgSanitizer.php can be bypassed using HTML entity encoding in javascript: URLs within SVG attributes. Any user with editfaq permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from...

BIT-GITLAB-2026-2973 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to execute arbitrary JavaScript in a user's browser due to improper sanitization of entity-encoded content in...

SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials

Summary SVG attribute values derived from user-supplied options backgroundColor, fontFamily, textColor were not XML-escaped before interpolation into SVG output. This could allow Cross-Site Scripting XSS when applications pass untrusted input to createAvatar and serve the resulting SVG inline or...

Ruby on Rails: Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs

A vulnerability was discovered in the Rails::HTML::Sanitizer.alloweduri? method of the rails-html-sanitizer library. The method incorrectly returned true for entity-encoded control-character-split javascript: URLs, which could lead to potential security issues if the application relied on the...

CVE-2026-25896 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...

CVE-2026-25896 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...

CVE-2026-25896 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...

fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

Entity encoding bypass via regex injection in DOCTYPE entity names Summary A dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities , , &, ", ' with arbitrary values. This bypasses entity encoding and leads to...

PT-2026-7246

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via double HTML-entity encoding in all versions up to, and including, 1.32.0. This is due to the plugin's sanitization function calling html entity decode before wp kses, and then calling html entity decode again...

FacturaScripts 跨站脚本漏洞

FacturaScripts is an open-source ERP software developed by Carlos Garcia, a Spanish developer. Versions of FacturaScripts prior to 2025.71 contained a cross-site scripting vulnerability. This vulnerability occurred due to improper HTML entity encoding during the rendering of historical data in th...

Siemens SIMATIC S7-1500 Out-of-bounds Write (CVE-2021-3517)

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this...

CVE-2025-34305

IPFire versions prior to 2.29 Core Update 198 contain multiple stored cross-site scripting XSS vulnerabilities caused by a bug in the cleanhtml function /var/ipfire/header.pl that fails to apply HTML-entity encoding to user input. When an authenticated user submits data to affected endpoints - fo...

JLSEC-2025-72 There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this...

EUVD-2020-13425

Malware in sbrugna...