13 matches found
CVE-2026-57958
Summary: Mixpost
EUVD-2026-40143
Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters. Attackers can exploit the OAuth...
GHSA-CH4J-VCF5-58X5 Cockpit CMS: Stored cross-site scripting vulnerability in the Set field type's Display template option
Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function and rendered via Vue's v-html directive witho...
Cross-site Scripting (XSS)
Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering of user-uploaded Office files as HTML using the Svelte @html directive without proper sanitization. An attacker can execute arbitrary JavaScript in the context of oth...
CVE-2026-45228
Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders pushconfig key names using Vue.js's v-html directive without escaping. Authenticated attackers can inject HTML or JavaScript payloads as key names through the...
CVE-2026-44245
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that interpolation provides. The PropertyCard.vue component uses...
CVE-2026-44245
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that interpolation provides. The PropertyCard.vue component uses...
CVE-2026-44245 Kyverno: [policy-reporter-ui] XSS via Stored Property Values in PropertyCard Component
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that interpolation provides. The PropertyCard.vue component uses...
GHSA-Q98M-7W8C-W388 Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Component
Summary Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that interpolation provides. The PropertyCard.vue component uses v-html for the else branch of the URL check, meaning any non-URL string value flows...
PT-2026-38296
Name of the Vulnerable Software and Affected Versions Kyverno versions prior to 2.5.2 Description The PropertyCard.vue component uses the Vue 3 v-html directive, which injects raw HTML and disables auto-escaping. The isURL function only filters values that parse as http: or https: URLs, allowing...
BIT-GITEA-2025-68942
Gitea before 1.22.2 allows XSS because the search input box for creating tags and branches is v-html instead of v-text...
CVE-2025-68942
Gitea before 1.22.2 allows XSS because the search input box for creating tags and branches is v-html instead of v-text...
Cross Site Scripting (XSS)
NiceGUI is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to the ui.interactiveimage component rendering SVG content using Vue’s v-html directive without sanitization, which allows an attacker to inject malicious HTML or JavaScript via the SVG tag when the image component is...