Lucene search
K

75 matches found

Vulnrichment
Vulnrichment
added 2026/03/23 6:41 p.m.2 views

CVE-2026-33683 AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The xssesc function...

5.4CVSS5.9AI score0.00176EPSS
Exploits1References2
OSV
OSV
added 2026/03/23 6:41 p.m.5 views

CVE-2026-33683 AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The xssesc function...

5.4CVSS5.9AI score0.00176EPSS
Exploits1References4
OSV
OSV
added 2026/03/18 5:26 p.m.5 views

GHSA-46FP-8F5P-PF2M Improper detection of disallowed URIs by Loofah `allowed_uri?`

Summary Loofah::HTML5::Scrub.alloweduri? does not correctly reject javascript: URIs when the scheme is split by HTML entity-encoded control characters such as carriage return, line feed, or tab. Details The alloweduri? method strips literal control characters before decoding HTML entities. Payloa...

6.9CVSS5.5AI score
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/02/10 9:26 a.m.3 views

CVE-2026-1866 Name Directory <= 1.32.0 - Unauthenticated Stored Cross-Site Scripting via Double HTML-Entity Encoding in Submission Form

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via double HTML-entity encoding in all versions up to, and including, 1.32.0. This is due to the plugin's sanitization function calling htmlentitydecode before wpkses, and then calling htmlentitydecode again on...

7.2CVSS5.6AI score0.00256EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/02/10 9:26 a.m.4 views

CVE-2026-1866

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via double HTML-entity encoding in all versions up to, and including, 1.32.0. This is due to the plugin's sanitization function calling htmlentitydecode before wpkses, and then calling htmlentitydecode again on...

7.2CVSS5.6AI score0.00256EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/02/02 12:0 a.m.10 views

FacturaScripts 跨站脚本漏洞

FacturaScripts is an open-source ERP software developed by Carlos Garcia, a Spanish developer. Versions of FacturaScripts prior to 2025.71 contained a cross-site scripting vulnerability. This vulnerability occurred due to improper HTML entity encoding during the rendering of historical data in th...

9CVSS5.7AI score0.00385EPSS
Exploits1References2
GithubExploit
GithubExploit
added 2026/01/23 6:55 a.m.146 views

xss-protector

Lucy XSS Filter for Spring Boot 네이버 Lucy XSS Filter를 사용한 강력...

5.4AI score
Exploits0
Vulnrichment
Vulnrichment
added 2025/12/29 3:18 p.m.1 views

CVE-2025-68951 phpMyFAQ has stored XSS in admin "List of users" via display_name HTML entity decoding (html_entity_decode) + Twig |raw

phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting XSS vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities. When an...

5.4CVSS5.6AI score0.0023EPSS
Exploits0References3
CVE
CVE
added 2025/12/29 3:18 p.m.11 views

CVE-2025-68951

CVE-2025-68951 affects phpMyFAQ. Versions 4.0.14 and 4.0.15 contain a stored XSS vulnerability where an attacker’s HTML entities in a display_name are decoded server-side and rendered unescaped in the admin user list (Twig |raw), enabling script execution in an administrator’s context. A patch ex...

6.1CVSS5.6AI score0.0023EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2025/10/07 12:30 a.m.4 views

EUVD-2020-13425

Malware in sbrugna...

6.1CVSS6.3AI score0.01016EPSS
Exploits1References2
Tenable Nessus
Tenable Nessus
added 2025/08/11 12:0 a.m.4 views

Linux Distros Unpatched Vulnerability : CVE-2019-11763

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly parsing these entities. This could have led to HTML comment...

6.1CVSS7.5AI score0.00994EPSS
Exploits0References2
OSV
OSV
added 2025/03/07 8:58 p.m.6 views

BIT-MODSECURITY-2025-27110 Libmodsecurity3 has possible bypass of encoded HTML entities

Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurit...

7.9CVSS7.3AI score0.00465EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2025/02/25 8:0 p.m.8 views

CVE-2025-27110 Libmodsecurity3 has possible bypass of encoded HTML entities

Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurit...

7.9CVSS7.4AI score0.00465EPSS
Exploits1References2
Cvelist
Cvelist
added 2025/02/25 8:0 p.m.22 views

CVE-2025-27110 Libmodsecurity3 has possible bypass of encoded HTML entities

Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurit...

7.9CVSS0.00465EPSS
Exploits1References2
NVD
NVD
added 2025/01/14 11:15 p.m.13 views

CVE-2024-54142

Discourse AI is a Discourse plugin which provides a number of AI features. When sharing Discourse AI Bot conversations into posts, if the conversation had HTML entities those could leak into the Discourse application when a user visited a post with a onebox to said conversation. This issue has be...

9CVSS0.00406EPSS
Exploits0References2
OSV
OSV
added 2025/01/14 10:39 p.m.7 views

CVE-2024-54142 Cross-site Scripting via Discourse-ai SharedAiConversation onebox in Discourse

Discourse AI is a Discourse plugin which provides a number of AI features. When sharing Discourse AI Bot conversations into posts, if the conversation had HTML entities those could leak into the Discourse application when a user visited a post with a onebox to said conversation. This issue has be...

9CVSS6.4AI score0.00406EPSS
Exploits0References4
Veracode
Veracode
added 2023/04/20 4:36 p.m.22 views

Cross-Site Scripting (XSS)

phpmyfaq is vulnerable to Cross-Site Scripting XSS attacks. The library contains a stored XSS in the Field Name category which does not properly escape before it output to the front end due to missing HTML entity conversions, which allows an attacker to execute malicious JavaScript on victim's...

6.3CVSS4.9AI score0.00476EPSS
Exploits1References4Affected Software2
CVE
CVE
added 2023/03/02 12:14 a.m.60 views

CVE-2023-26046

CVE-2023-26046 affects kitabisa/teler-waf (Go HTTP middleware). Prior to v0.1.1, it fails to properly sanitize HTML entities in user input, enabling bypass of common web attack rules and enabling cross-site scripting (XSS) in a victim’s browser. Impact described across multiple sources includes a...

6.5CVSS6.3AI score0.00536EPSS
Exploits0References3Affected Software1
CNNVD
CNNVD
added 2023/03/01 12:0 a.m.9 views

teler-waf 跨站脚本漏洞

teler-waf is a Go HTTP middleware that provides teler IDS functionality to prevent Web-based attacks and improve the security of Go-based Web applications. It is highly configurable and easy to integrate into existing Go applications. A security vulnerability exists in teler-waf versions prior to...

6.5CVSS6.1AI score0.00536EPSS
Exploits0References5
SUSE CVE
SUSE CVE
added 2023/02/15 6:15 a.m.4 views

SUSE CVE-2006-1490

PHP before 5.1.3-RC1 might allow remote attackers to obtain portions of memory via crafted binary data sent to a script that processes user input in the htmlentitydecode function and sends the encoded results back to the client, aka a "binary safety" issue. NOTE: this issue has been referred to a...

5CVSS6.7AI score0.20514EPSS
Exploits1References5
Rows per page
Query Builder