PT-2026-44729

Name of the Vulnerable Software and Affected Versions compliance-trestle version 4.0.2 Description The profile import mechanism in the compliance-trestle library fails to perform boundary checks when resolving trestle:// URIs and relative file paths. By joining these paths with trestle root and...

PT-2026-40844

Name of the Vulnerable Software and Affected Versions Argo CD versions prior to 3.2.12 Argo CD versions prior to 3.3.10 Argo CD versions prior to 3.4.2 Description A stored cross-site scripting XSS issue exists in the application Summary tab. A user with application write access developer role ca...

CVE-2026-43887

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, the Outline comment section permits users to mention other users; however, the backend does not validate or sanitize the href attribute associated with these mentions. As a result, potentially dangerous...

CVE-2026-43887

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, the Outline comment section permits users to mention other users; however, the backend does not validate or sanitize the href attribute associated with these mentions. As a result, potentially dangerous...

CVE-2026-43887 Outline: Stored XSS via Comment Mentions

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, the Outline comment section permits users to mention other users; however, the backend does not validate or sanitize the href attribute associated with these mentions. As a result, potentially dangerous...

PT-2026-39855

Name of the Vulnerable Software and Affected Versions Outline versions 0.84.0 through 1.6.1 Description The comment section allows users to mention other users, but the backend fails to validate or sanitize the href attribute associated with these mentions. This allows the use of dangerous...

Outline 跨站脚本漏洞

Outline is an open-source knowledge base developed by Outline. Versions 0.84.0 to 1.6.1 of Outline contain a cross-site scripting vulnerability. This vulnerability arises from the comment section, where users are allowed to mention others. However, the backend does not validate or clean up the hr...

PT-2026-28073

Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...

CVE-2026-30587

Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...

PT-2025-36908

Name of the Vulnerable Software and Affected Versions: Element Plus versions through 2.10.6 Description: The Element Plus Link component el-link does not sufficiently validate input for the href attribute, creating a security gap. This allows attackers to inject malicious URLs using dangerous...

CVE-2025-55166

The CVE-2025-55166 issue affects the PHP SVG sanitizer project svg-sanitizer. Before version 0.22.0, the cleanXlinkHrefs function only searches for lower-case attribute names, allowing bypass of the isHrefSafeValue check and enabling cross-site scripting or linking to external domains. A fix is a...

ghtml Cross-Site Scripting Vulnerability

ghtml is a toolkit by the individual developer Gürgün Dayıoğlu. A cross-site scripting vulnerability exists in ghtml versions prior to 2.0.0, which stems from unprocessed attribute value encoding and lack of control over href values, and could lead to cross-site scripting...

Cross-site Scripting (XSS)

Overview dash-core-components is a Core component suite for Dash Affected versions of this package are vulnerable to Cross-site Scripting XSS when the href of the a tag is controlled by an adversary. An authenticated attacker who stores a view that exploits this vulnerability could steal the data...

Cross site scripting

Anchor tag hrefs in Lexical prior to v0.10.0 would render javascript: URLs, allowing for cross-site scripting on link clicks in cases where input was being parsed from untrusted sources...

CVE-2022-2173

The Advanced Database Cleaner WordPress plugin before 3.1.1 does not escape numerous generated URLs before outputting them back in href attributes of admin dashboard pages, leading to Reflected Cross-Site Scripting...

GHSA-GR4J-R575-G665 Cross-Site Scripting in highcharts

Versions of highcharts prior to 7.2.2 or 8.1.1 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize href values and does not restrict URL schemes, allowing attackers to execute arbitrary JavaScript in a victim's browser if they click the link...