362 matches found
CVE-2026-3495
CVE-2026-3495 affects Mattermost versions 11.5.x up to 11.5.1 and 10.11.x up to 10.11.13. The root cause is failure to escape certain variables during error page composition, enabling an attacker with access to edit site configuration to inject JavaScript and execute malicious code. The connected...
Mattermost 跨站脚本漏洞
Mattermost is an open-source collaboration platform developed by the American company Mattermost. Versions of Mattermost such as 11.5.1 and earlier 11.5.x series as well as 10.11.13 and earlier 10.11.x series have a cross-site scripting vulnerability. This vulnerability arises from variables that...
SUSE CVE-2026-41181
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors custom error pages middleware. When the backend returns a response matching the configured status range, the middleware forwards the...
EUVD-2026-30557
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors custom error pages middleware. When the backend returns a response matching the configured status range, the middleware forwards the...
CVE-2026-34951
Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains a reflected cross-site scripting vulnerability via the footerScripts parameter, which does not sanitize user-supplied input...
CVE-2026-34951
Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains a reflected cross-site scripting vulnerability via the footerScripts parameter, which does not sanitize user-supplied input...
EUVD-2026-19357
Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains a reflected cross-site scripting vulnerability via the footerScripts parameter, which does not sanitize user-supplied input...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in debug exceptions, which use ERB escaping. An attacker can execute JavaScript in the context of the affected application by triggering a malicious exception message that is rendered bypassing the intended...
GHSA-PGM4-439C-5JP6 Rails has a possible XSS vulnerability in its Action Pack debug exceptions
Impact The debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled config.considerallrequestslocal = true, whi...
CVE-2026-25545
Astro is a web framework. Prior to version 9.5.4, Server-Side Rendered pages that return an error with a prerendered custom error page eg. 404.astro or 500.astro are vulnerable to SSRF. If the Host: header is changed to an attacker's server, it will be fetched on /500.html and they can redirect...
CVE-2026-25545 Astro has Full-Read SSRF in error rendering via Host: header injection
Astro is a web framework. Prior to version 9.5.4, Server-Side Rendered pages that return an error with a prerendered custom error page eg. 404.astro or 500.astro are vulnerable to SSRF. If the Host: header is changed to an attacker's server, it will be fetched on /500.html and they can redirect...
Server-side Request Forgery (SSRF)
Overview astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in renderError, when custom prerendered error pages like 404.astro or 500.astro are in use. The...
CVE-2025-66594
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. Detailed messages are displayed on the error page. This information could be exploited by an attacker for other attacks. The affected products and versions are as follows: FAST/TOOLS Packages: RVSVRN, UNSVRN,...
Beckhoff Automation TwinCAT 3 HMI Server Cross-site Scripting Vulnerability
Beckhoff Automation TwinCAT 3 HMI Server is a data transmission and permission management component developed by the American company Beckhoff Automation. The Beckhoff Automation TwinCAT 3 HMI Server has a cross-site scripting vulnerability. This vulnerability allows authenticated administrators ...
MiracleLinux 7 : mod_auth_openidc-1.8.8-5.el7 (AXSA:2019-4244:01)
The remote MiracleLinux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2019-4244:01 advisory. modauthopenidc: OIDCCLAIM and OIDCAuthNHeader not skipped in an AuthType oauth20 configuration CVE-2017-6413 modauthopenidc: Shows user-supplied...
OpenProject 信息泄露漏洞
OpenProject is a web-based project management software from OpenProject open source. An information disclosure vulnerability exists in OpenProject versions 11.2.1 through prior to 16.6.2, which originates from an error page that discloses username information and could lead to account enumeration...
UBUNTU-CVE-2025-67724
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers where it could be used for header injection or in HTML in the default error page where it could be used for XSS and can be exploited by...
CLSA-2025-1763467263 Fix CVE(s): CVE-2025-62168
SECURITY UPDATE: information disclosure via HTTP authentication credentials - debian/patches/CVE-2025-62168.patch: Fix bug causing visibility of proxy auth data to scripts by redacting credentials from error page code expansion output and mailto link generation - CVE-2025-62168...
CVE-2025-64745 Astro development server error page vulnerable to reflected Cross-site Scripting
Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting XSS vulnerability exists in Astro's development server error pages when the trailingSlash configuration option is used. An attacker can inject arbitrary JavaScript code that executes ...
CVE-2025-64745 Astro development server error page vulnerable to reflected Cross-site Scripting
Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting XSS vulnerability exists in Astro's development server error pages when the trailingSlash configuration option is used. An attacker can inject arbitrary JavaScript code that executes ...