
508 matches found

Cvelist
added 2025/09/09 12:00 a.m. | 7 views

CVE-2025-57665

Element Plus Link component el-link through 2.10.6 implements insufficient input validation for the href attribute, creating a security abstraction gap that obscures URL-based attack vectors. The component passes user-controlled href values directly to underlying anchor elements without protocol...

EPSS 0.00215
Exploits 1 | References 5
CVE
added 2025/09/09 12:00 a.m. | 18 views

CVE-2025-57665

CVE-2025-57665 affects Element Plus Link component (el-link) up to version 2.10.6. The root cause is insufficient input validation of the href attribute, with user-controlled href values passed directly to underlying anchor elements without protocol validation, URL sanitization, or security heade...

CVSS 6.4 | AI score 5.8 | EPSS 0.00215
Exploits 1 | References 5 | Affected Software 1
Vulnrichment
added 2025/09/09 12:00 a.m. | 1 view

CVE-2025-57665

Element Plus Link component el-link through 2.10.6 implements insufficient input validation for the href attribute, creating a security abstraction gap that obscures URL-based attack vectors. The component passes user-controlled href values directly to underlying anchor elements without protocol...

AI score 5.7 | EPSS 0.00215
Exploits 1 | References 5
CNNVD
added 2025/09/09 12:00 a.m. | 2 views

Element Plus Security Vulnerability

Element Plus is an open source Vue.js 3 UI library from the China Element Plus organization. A security vulnerability exists in Element Plus 2.10.6 and earlier versions, which stems from insufficient input validation of the href attribute and could lead to cross-site scripting attacks and phishin...

CVSS 6.4 | AI score 5.8 | EPSS 0.00215
Exploits 1 | References 5
Positive Technologies
added 2025/09/09 12:00 a.m. | 6 views

PT-2025-36908

Name of the Vulnerable Software and Affected Versions: Element Plus versions through 2.10.6. Description: The Element Plus Link component el-link does not sufficiently validate input for the href attribute, creating a security gap. This allows attackers to inject malicious URLs using dangerous...

CVSS 8.7 | AI score 5.4 | EPSS 0.00215
Exploits 1 | References 10
NVD
added 2025/09/08 11:15 a.m. | 4 views

CVE-2014-125128

'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting XSS. The function 'naughtyHref' doesn't properly validate the hyperreference href attribute in anchor tags, allowing bypasses that contain different casings, whitespace characters, or hexadecimal encodings...

CVSS 6.1 | EPSS 0.00256
Exploits 1 | References 4
OSV
added 2025/09/08 11:15 a.m. | 2 views

UBUNTU-CVE-2014-125128

'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting XSS. The function 'naughtyHref' doesn't properly validate the hyperreference href attribute in anchor tags, allowing bypasses that contain different casings, whitespace characters, or hexadecimal encodings...

CVSS 6.1 | AI score 5.8 | EPSS 0.00256
Exploits 1 | References 8
Snyk
added 2025/09/08 10:43 a.m. | 3 views

Cross-site Scripting (XSS)

Overview: sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the naughtyHref function. An attacker can execute...

CVSS 6.1 | AI score 5.6 | EPSS 0.00256
Exploits 1 | References 2
CVE
added 2025/09/08 10:09 a.m. | 14 views

CVE-2014-125128

CVE-2014-125128 affects the sanitize-html library prior to 1.0.3. The root cause is the naughtyHref function not properly validating the href attribute in tags, allowing bypasses that rely on different casings, whitespace, or hexadecimal encodings. This leads to cross-site scripting (XSS) impact...

CVSS 6.1 | AI score 6.1 | EPSS 0.00256
Exploits 1 | References 4 | Affected Software 1
Vulnrichment
added 2025/09/08 10:09 a.m. | 2 views

CVE-2014-125128

'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting XSS. The function 'naughtyHref' doesn't properly validate the hyperreference href attribute in anchor tags, allowing bypasses that contain different casings, whitespace characters, or hexadecimal encodings...

CVSS 6.1 | AI score 6.1 | EPSS 0.00256
Exploits 1 | References 4
Cvelist
added 2025/09/08 10:09 a.m. | 7 views

CVE-2014-125128

'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting XSS. The function 'naughtyHref' doesn't properly validate the hyperreference href attribute in anchor tags, allowing bypasses that contain different casings, whitespace characters, or hexadecimal encodings...

CVSS 6.1 | EPSS 0.00256
Exploits 1 | References 4
Debian CVE
added 2025/09/08 10:09 a.m. | 4 views

CVE-2014-125128

'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting XSS. The function 'naughtyHref' doesn't properly validate the hyperreference href attribute in anchor tags, allowing bypasses that contain different casings, whitespace characters, or hexadecimal encodings...

CVSS 6.1 | AI score 5.2 | EPSS 0.00256
Exploits 1
Positive Technologies
added 2025/09/08 12:00 a.m. | 3 views

PT-2025-36454

Name of the Vulnerable Software and Affected Versions: sanitize-html versions prior to 1.0.3. Description: The 'sanitize-html' software prior to version 1.0.3 is susceptible to Cross-site Scripting XSS. The naughtyHref function inadequately validates the href attribute within anchor tags, enablin...

CVSS 6.1 | AI score 6.1 | EPSS 0.00256
Exploits 1 | References 6
RedhatCVE
added 2025/09/06 8:15 p.m. | 8 views

CVE-2025-58353

Promptcraft Forge Studio is a toolkit for evaluating, optimizing, and maintaining LLM-powered applications. All versions of Promptcraft Forge Studio sanitize user input using regex blacklists such as replace(/javascript:/gi, ''). Because the package uses multi-character tokens and each replacement ...

CVSS 8.2 | AI score 6.9 | EPSS 0.00225
Exploits 0 | References 1
NVD
added 2025/09/04 8:15 p.m. | 6 views

CVE-2025-58361

Promptcraft Forge Studio is a toolkit for evaluating, optimizing, and maintaining LLM-powered applications. All versions contain a non-exhaustive URL scheme check that does not protect against XSS. User-controlled URLs pass through src/utils/validation.ts, but the check only strips javascript: a...

CVSS 9.3 | EPSS 0.00264
Exploits 0 | References 1
OSV
added 2025/09/04 7:43 p.m. | 3 views

CVE-2025-58361 Promptcraft Forge Studio's incomplete URL check is vulnerable to XSS via SVG

Promptcraft Forge Studio is a toolkit for evaluating, optimizing, and maintaining LLM-powered applications. All versions contain a non-exhaustive URL scheme check that does not protect against XSS. User-controlled URLs pass through src/utils/validation.ts, but the check only strips javascript: a...

CVSS 9.3 | AI score 7.1
Exploits 0 | References 1
CVE
added 2025/09/04 7:43 p.m. | 15 views

CVE-2025-58361

CVE-2025-58361: Promptcraft Forge Studio contains an incomplete URL scheme check in its validation.ts that does not block XSS via SVG/data URLs. User-controlled URLs pass through the check and, if used in href/src, can allow script execution. Affected: Promptcraft Forge Studio (all versions) wit...

CVSS 9.3 | AI score 6.6 | EPSS 0.00264
Exploits 0 | References 1
OSV
added 2025/09/04 7:39 p.m. | 2 views

CVE-2025-58353 Promptcraft Forge Studio: Complete Sanitizer Bypass Enables XSS via Overlapping Patterns

Promptcraft Forge Studio is a toolkit for evaluating, optimizing, and maintaining LLM-powered applications. All versions of Promptcraft Forge Studio sanitize user input using regex blacklists such as replace(/javascript:/gi, ''). Because the package uses multi-character tokens and each replacement ...

CVSS 8.2 | AI score 6.9 | EPSS 0.00225
Exploits 0 | References 1
CVE
added 2025/09/04 7:39 p.m. | 12 views

CVE-2025-58353

Promptcraft Forge Studio is affected by CVE-2025-58353 due to its input sanitization using a regex blacklist (e.g., replace(/javascript:/gi, '')). The issue arises because the sanitizer operates on multi-character tokens and applies each replacement only once, which can create new dangerous token...

CVSS 8.2 | AI score 6.3 | EPSS 0.00225
Exploits 0 | References 1
Positive Technologies
added 2025/09/04 12:00 a.m. | 5 views

PT-2025-36092

Name of the Vulnerable Software and Affected Versions: Promptcraft Forge Studio, affected versions not specified. Description: Promptcraft Forge Studio is a toolkit for evaluating, optimizing, and maintaining LLM-powered applications. The software's input sanitization process, which utilizes regex...

CVSS 8.2 | AI score 6.4 | EPSS 0.00225
Exploits 0 | References 4