EUVD-2022-24394

Malicious code in bioql PyPI...

CVE-2025-9512

The Schema & Structured Data for WP & AMP WordPress plugin before 1.50 does not properly handles HTML tag attribute modifications, making it possible for unauthenticated attackers to conduct Stored XSS attacks via post comments...

Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)

Improperly Controlled Modification of Object Prototype Attributes 'Prototype Pollution' vulnerability in Linkify linkifyjs allows XSS Targeting HTML Attributes and Manipulating User-Controlled Variables.This issue affects Linkify: from 4.3.1 before 4.3.2...

GHSA-95JQ-XPH2-CX9H Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)

Improperly Controlled Modification of Object Prototype Attributes 'Prototype Pollution' vulnerability in Linkify linkifyjs allows XSS Targeting HTML Attributes and Manipulating User-Controlled Variables.This issue affects Linkify: from 4.3.1 before 4.3.2...

CVE-2025-8101 Linkify 4.3.1 - Prototype Pollution & HTML Attribute Injection (XSS)

Improperly Controlled Modification of Object Prototype Attributes 'Prototype Pollution' vulnerability in Linkify linkifyjs allows XSS Targeting HTML Attributes and Manipulating User-Controlled Variables.This issue affects Linkify: from 4.3.1 before 4.3.2...

CVE-2025-8101 Linkify 4.3.1 - Prototype Pollution & HTML Attribute Injection (XSS)

Improperly Controlled Modification of Object Prototype Attributes 'Prototype Pollution' vulnerability in Linkify linkifyjs allows XSS Targeting HTML Attributes and Manipulating User-Controlled Variables.This issue affects Linkify: from 4.3.1 before 4.3.2...

CVE-2022-1047

The Themify Post Type Builder Search Addon WordPress plugin before 1.4.0 does not properly escape the current page URL before reusing it in a HTML attribute, leading to a reflected cross site scripting vulnerability...

CVE-2020-5574

HTML attribute value injection vulnerability in Movable Type series Movable Type 7 r.4606 7.2.1 and earlier Movable Type 7, Movable Type Advanced 7 r.4606 7.2.1 and earlier Movable Type Advanced 7, Movable Type for AWS 7 r.4606 7.2.1 and earlier Movable Type for AWS 7, Movable Type 6.5.3 and...

Cross-site Scripting (XSS)

symfony/ux-live-component and symfony/ux-twig-component is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper output escaping due to unescaped rendering of ComponentAttributes values, which may contain unsafe user input leading to HTML attribute injection...

Symfony UX allows unsanitized HTML attribute injection via ComponentAttributes

Impact Rendering attributes or using any method that returns a ComponentAttributes instance e.g. only, defaults, without ouputs attribute values directly without escaping. If these values are unsafe e.g. contain user input, this can lead to HTML attribute injection and XSS vulnerabilities. Patche...

CVE-2025-47946

Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering attributes or using any method that returns a ComponentAttributes instance e.g. only, defaults, without ouputs attribute values directly without escaping. If these...

CVE-2025-47946 symfony/ux-live-component and symfony/ux-twig-component vulnerable to unsanitized HTML attribute injection via ComponentAttributes

Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering attributes or using any method that returns a ComponentAttributes instance e.g. only, defaults, without ouputs attribute values directly without escaping. If these...

CVE-2025-47946 symfony/ux-live-component and symfony/ux-twig-component vulnerable to unsanitized HTML attribute injection via ComponentAttributes

Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering attributes or using any method that returns a ComponentAttributes instance e.g. only, defaults, without ouputs attribute values directly without escaping. If these...

CVE-2025-47946 symfony/ux-live-component and symfony/ux-twig-component vulnerable to unsanitized HTML attribute injection via ComponentAttributes

Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering attributes or using any method that returns a ComponentAttributes instance e.g. only, defaults, without ouputs attribute values directly without escaping. If these...

symfony/ux-live-component Unsanitized HTML attribute injection via ComponentAttributes

More info at https://symfony.com/blog/symfony-ux-cve-2025-47946-unsanitized-html-attribute-injection-via-componentattributes...

PT-2025-22110 · Symfony · Symfony/Ux-Live-Component +1

Name of the Vulnerable Software and Affected Versions: symfony/ux-twig-component versions prior to 2.25.1 symfony/ux-live-component versions prior to 2.25.1 Description: The issue concerns the rendering of attributes or the use of methods that return a ComponentAttributes instance, which can lead...

Cross-site Scripting (XSS)

league/commonmark is vulnerable to Cross-site Scripting XSS. The vulnerability is due to insufficient sanitization due to the Attributes extension allowing arbitrary HTML attribute injection through Markdown syntax, bypassing existing XSS protections...

📄 SilverStripe 5.3.8 Cross Site Scripting

SilverStripe version 5.34.8 suffers from a persistent cross site scripting vulnerability. Exploit Title: SilverStripe 5.3.8 - Stored Cross Site Scripting XSS Authenticated Date: 2025-01-15 Exploit Author: James Nicoll Vendor Homepage: https://www.silverstripe.org/ Software Link:...

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to HTML attribute injection due to Jinja package (CVE-2024-22195)

Summary Jinja is used by DataStage on Cloud Pak for Data as part of HTML templating. Vulnerability Details CVEID:CVE-2024-22195 DESCRIPTION: Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitra...

SUSE-SU-2025:20035-1 Security update for python-Jinja2

This update for python-Jinja2 fixes the following issues: - CVE-2024-34064, CVE-2024-22195: HTML attribute injection when passing user input as keys to xmlattr filter bsc1223980, bsc1218722...