657 matches found
GHSA-Q3FM-4WCW-G57X vm2 setup-sandbox.js violates Defense Invariant #11 in stack-trace formatter
Summary defaultSandboxPrepareStackTrace in lib/setup-sandbox.js lines 605, 607 appends to a fresh sandbox-realm lines = via lineslines.length = value. This is the exact invariant-violating pattern that GHSA-9qj6-qjgg-37qq commit ca195f0, 2026-05-01 just patched in neutralizeArraySpeciesBatch and...
Allocation of Resources Without Limits or Throttling
Overview liquidjs is a simple, expressive, safe and Shopify compatible template engine in pure JavaScript. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the date filter in filters/date.ts and the strftime formatter in...
CVE-2026-45249
A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts: from before 6.1.0. In versions prior to 6.1.0, if both Lines series and tooltip are used, and no user-specified tooltip.formatter is provided, and...
Cross-site Scripting (XSS)
Overview org.webjars.npm:echarts is Apache ECharts, a powerful, interactive charting and data visualization library for the browser. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the tooltip rendering when both Lines series and tooltip are used without a...
Cross-site Scripting (XSS)
Overview echarts is Apache ECharts, a powerful, interactive charting and data visualization library for the browser. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the tooltip rendering when both Lines series and tooltip are used without a user-specified...
CVE-2026-45249 Apache ECharts: XSS in Lines series tooltip rendering
A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts: from before 6.1.0. In versions prior to 6.1.0, if both Lines series and tooltip are used, and no user-specified tooltip.formatter is provided, and...
CVE-2026-45249
Apache ECharts contains an XSS risk in the Lines series tooltip rendering for versions before 6.1.0. If Lines and tooltip are used without a user-specified tooltip.formatter and series.data[i].name is set, a raw HTML string can be inserted into the tooltip via innerHTML, bypassing normal escaping...
EUVD-2026-31650
A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts: from before 6.1.0. In versions prior to 6.1.0, if both Lines series and tooltip are used, and no user-specified tooltip.formatter is provided, and...
EUVD-2026-31381
Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term...
CVE-2026-4929
Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term...
CVE-2026-4929 Simple Hierarchical Select (Drupal 7) XSS in term-derived output
Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the IntlExtension process. An attacker can cause excessive memory consumption by supplying a large number of unique arguments to the format_datetime, format_date, format_time,...
twig/intl-extra: Unbounded formatter memoisation in keyed on template-controlled arguments
Description IntlExtension memoises every \IntlDateFormatter and \NumberFormatter it creates in instance-level arrays keyed on a hash that includes locale, pattern, attrs and other values that are ordinary named arguments of the format_datetime / format_date / format_time / format_number /...
PT-2026-42579
Name of the Vulnerable Software and Affected Versions: Simple Hierarchical Select (SHS) for Drupal 7 versions 7.x-1.0 through 7.x-1.10. Description: Cross-site scripting risk exists due to improper output escaping of term-derived text. Malicious taxonomy term names can be rendered unsafely depending o...
PT-2026-42588
Description IntlExtension memoises every IntlDateFormatter and NumberFormatter it creates in instance-level arrays keyed on a hash that includes locale, pattern, attrs and other values that are ordinary named arguments of the format_datetime / format_date / format_time / format_number / format...
Drupal cross-site scripting vulnerability
Drupal is an open-source content management system developed using the PHP language by the Drupal community. Versions of Drupal 7.x-1.11 and earlier, including 7.x-1.x, have a cross-site scripting vulnerability. This vulnerability stems from the rendering pipeline of the Term Reference Tree...
MAL-2026-4640 Malicious code in pino-formatter (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e6318f85af0cd86060232fbc606115e300e1022220ffda545f9e6c6157ef6f55 Package masquerades as a pino-pretty-style logger but performs multiple installer-harming actions when required. On import, dist/logger.js: 1 on Linu...