Lucene search
K

88 matches found

Cvelist
Cvelist
added 8 hours ago5 views

CVE-2026-58655 Grav Flex Objects - Server-Side Template Injection via Dynamic Titles

The bundled Grav Flex Objects plugin getgrav/grav-plugin-flex-objects before 1.4.0 contains a stored server-side template injection vulnerability. When rendering dynamic collection or object titles, the plugin passes user-controlled frontmatter values page.header.flex.collection.title or...

8.8CVSS
Exploits0References2
EUVD
EUVD
added 8 hours ago5 views

EUVD-2026-44633

The bundled Grav Flex Objects plugin getgrav/grav-plugin-flex-objects before 1.4.0 contains a stored server-side template injection vulnerability. When rendering dynamic collection or object titles, the plugin passes user-controlled frontmatter values page.header.flex.collection.title or...

8.8CVSS6.3AI score
Exploits0References2
NVD
NVD
added 2 days ago6 views

CVE-2026-58486

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to version 1.11.0, HedgeDoc was vulnerable to a YAML alias bomb due to unsafe processing of the note frontmatter. HedgeDoc parsed frontmatter with js-yaml.load js-yaml v3 via @hedgedoc/meta-marked, which...

8.3CVSS0.00235EPSS
Exploits0References2
Cvelist
Cvelist
added 2 days ago32 views

CVE-2026-58486 HedgeDoc: Denial-of-service via YAML alias expansion in note frontmatter

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to version 1.11.0, HedgeDoc was vulnerable to a YAML alias bomb due to unsafe processing of the note frontmatter. HedgeDoc parsed frontmatter with js-yaml.load js-yaml v3 via @hedgedoc/meta-marked, which...

8.3CVSS0.00235EPSS
Exploits0References2
CVE
CVE
added 2 days ago6 views

CVE-2026-58486

CVE-2026-58486: HedgeDoc prior to 1.11.0 is vulnerable to a YAML alias bomb in note frontmatter. HedgeDoc parses frontmatter with js-yaml.load (js-yaml v3) via @hedgedoc/meta-marked, resolving YAML anchors and potentially expanding a malicious payload into a huge object, consuming CPU on each req...

8.3CVSS6.1AI score0.00235EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago5 views

PT-2026-57919

Name of the Vulnerable Software and Affected Versions HedgeDoc versions prior to 1.11.0 Description Unsafe processing of note frontmatter allows a YAML alias bomb, where a compact malicious payload expands into a massive object structure. This occurs because the application uses js-yaml.load...

8.3CVSS6.1AI score0.00235EPSS
Exploits0References4
NVD
NVD
added 3 days ago8 views

CVE-2026-15505

A weakness has been identified in vnotex vnote up to 3.20.1. Impacted is an unknown function of the file /src/data/extra/web/js/markdownit.js of the component YAML Frontmatter. This manipulation of the argument pmetaData causes cross site scripting. The attack may be initiated remotely. The vendo...

5.1CVSS0.00195EPSS
Exploits0References4
Cvelist
Cvelist
added 3 days ago31 views

CVE-2026-15505 vnotex vnote YAML Frontmatter markdownit.js cross site scripting

A weakness has been identified in vnotex vnote up to 3.20.1. Impacted is an unknown function of the file /src/data/extra/web/js/markdownit.js of the component YAML Frontmatter. This manipulation of the argument pmetaData causes cross site scripting. The attack may be initiated remotely. The vendo...

5.1CVSS0.00195EPSS
Exploits0References4
EUVD
EUVD
added 3 days ago8 views

EUVD-2026-43246

A weakness has been identified in vnotex vnote up to 3.20.1. Impacted is an unknown function of the file /src/data/extra/web/js/markdownit.js of the component YAML Frontmatter. This manipulation of the argument pmetaData causes cross site scripting. The attack may be initiated remotely. The vendo...

5.1CVSS4.6AI score0.00195EPSS
Exploits0References4
CVE
CVE
added 3 days ago14 views

CVE-2026-15505

The CVE concerns vnotex vnote (up to version 3.20.1) where the YAML Frontmatter component exposes cross-site scripting via the file /src/data/extra/web/js/markdownit.js. The issue arises from manipulation of the argument p_metaData in the YAML Frontmatter code, which can potentially be exploited ...

5.1CVSS4.7AI score0.00195EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/07/08 4:15 a.m.6 views

CVE-2026-59711

A flaw was found in showdown. This cross-site scripting XSS vulnerability occurs in the metadata title handling when the completeHTMLDocument option is enabled. An attacker can exploit this by injecting unescaped less-than and greater-than characters into markdown frontmatter metadata. This allow...

6.1CVSS6.5AI score0.00187EPSS
Exploits0References6
NVD
NVD
added 2026/07/06 9:16 p.m.8 views

CVE-2026-59711

showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into...

6.1CVSS0.00187EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/06 9:0 p.m.37 views

CVE-2026-59711 showdown - Cross-Site Scripting via Unescaped Metadata Title in completeHTMLDocument

showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into...

6.1CVSS0.00187EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/07/06 9:0 p.m.8 views

CVE-2026-59711 showdown - Cross-Site Scripting via Unescaped Metadata Title in completeHTMLDocument

showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into...

6.1CVSS6AI score0.00187EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/06 9:0 p.m.4 views

CVE-2026-59711

showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into...

6.1CVSS6AI score0.00187EPSS
Exploits0References4
CVE
CVE
added 2026/07/06 9:0 p.m.12 views

CVE-2026-59711

CVE-2026-59711 affects the showdown library. A cross-site scripting vulnerability exists in metadata title handling when the completeHTMLDocument option is enabled; unescaped characters in markdown frontmatter metadata are placed into HTML title tags, allowing script execution in the rendered pa...

6.1CVSS6AI score0.00187EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/06 9:0 p.m.6 views

EUVD-2026-41948

showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into...

6.1CVSS6AI score0.00187EPSS
Exploits0References3
OSV
OSV
added 2026/07/06 9:0 p.m.5 views

CVE-2026-59711 showdown - Cross-Site Scripting via Unescaped Metadata Title in completeHTMLDocument

showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into...

5.3CVSS6AI score0.00187EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.7 views

PT-2026-56013

Name of the Vulnerable Software and Affected Versions showdown affected versions not specified Description An issue exists in metadata title handling that allows the injection of arbitrary HTML and JavaScript. When the completeHTMLDocument option is enabled, unescaped less-than and greater-than...

6.1CVSS6.2AI score0.00187EPSS
Exploits0References5
OSV
OSV
added 2026/03/02 10:51 p.m.3 views

GHSA-XW4P-PW82-HQR7 OpenClaw's sandbox skill mirroring path traversal vulnerability could write outside the sandbox workspace

Overview In affected versions, OpenClaw’s sandbox skill mirroring used the skill’s frontmatter name as part of the destination path when copying skills into the sandbox workspace. A crafted skill name containing traversal segments for example ../ or an absolute path could cause the copy to write...

7.1CVSS5.9AI score0.00134EPSS
Exploits0References5
Rows per page
Query Builder