Lucene search
K

466 matches found

EUVD
EUVD
added 5 days ago6 views

EUVD-2026-42327

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 before 4.12.27, cx in hono/css composes class names from plain strings but marks the result as already escaped without HTML-escaping the input, allowing untrusted className values used in a JSX class...

6.1CVSS6.1AI score0.00187EPSS
Exploits0References3
NVD
NVD
added 5 days ago6 views

CVE-2026-55437

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the AgentLogLine dashboard component instantiated ansi-to-html without escapeXML: true and inserted the result via dangerouslySetInnerHTML so HTML embedded...

5.4CVSS0.00316EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added last week5 views

ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input

A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting XSS by providing untrusted input to the Address6 constructor. When an application renders the output of...

8.1CVSS6.9AI score0.00471EPSS
Exploits1References5
RedHat Linux
RedHat Linux
added last week5 views

ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input

A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting XSS by providing untrusted input to the Address6 constructor. When an application renders the output of...

8.1CVSS6.9AI score0.00471EPSS
Exploits1References5
RedHat Linux
RedHat Linux
added 2026/07/06 5:32 a.m.5 views

ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input

A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting XSS by providing untrusted input to the Address6 constructor. When an application renders the output of...

8.1CVSS5.8AI score0.00471EPSS
Exploits1References5
OSV
OSV
added 2026/07/06 12:0 a.m.5 views

ALSA-2026:35891 Important: nodejs:24 security, bug fix, and enhancement update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input CVE-2026-42338 undici: undici: Denial of Service due to...

9.8CVSS6.5AI score0.02806EPSS
Exploits1References32
EUVD
EUVD
added 2026/07/01 7:53 a.m.6 views

EUVD-2026-40923

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'nodatamsg' Shortcode Attribute in all versions up to, and including, 3.3.60 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.9AI score0.00206EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/06/25 3:53 p.m.30 views

CVE-2026-54025 LibreChat: Stored XSS via unescaped image alt text in markdown artifact preview

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, there is a vulnerability in LibreChat's markdown artifact preview pipeline. The marked library v15.0.12 does not HTML-escape double-quote characters in image alt text when a custom renderer falls throu...

5.4CVSS0.0014EPSS
Exploits1References1
AlpineLinux
AlpineLinux
added 2026/06/25 3:23 p.m.7 views

CVE-2026-48942

K2 ≤ 2.26 renders the k2users.image column directly into HTML src attributes via two distinct templates, in both cases without HTML escaping...

6.1CVSS5.8AI score0.00149EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/25 3:23 p.m.36 views

CVE-2026-48942 Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla < 2.26

K2 ≤ 2.26 renders the k2users.image column directly into HTML src attributes via two distinct templates, in both cases without HTML escaping...

0.00149EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/25 3:23 p.m.5 views

CVE-2026-48942

K2 ≤ 2.26 renders the k2users.image column directly into HTML src attributes via two distinct templates, in both cases without HTML escaping...

6.1CVSS5.8AI score0.00149EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/25 3:23 p.m.16 views

CVE-2026-48942

Affected software: K2 extension for Joomla (getk2.com), version constraint listed as K2 ≤ 2.26. Vulnerability: two templates render the database column __#k2_users.image directly into HTML src attributes without HTML escaping, revealing a stored-XSS risk. Root cause: lack of escaping when injecti...

6.1CVSS5.8AI score0.00149EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/22 9:43 p.m.5 views

CVE-2026-48167

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn't validated, an attacker could plant...

6.4CVSS5.9AI score0.00148EPSS
Exploits0References2Affected Software1
Veracode
Veracode
added 2026/06/16 5:52 p.m.10 views

Cross-site Scripting (XSS)

Astro is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper HTML escaping of named slot content inserted into the data-astro-template attribute when using client: directives, which allows an attacker to break out of the attribute context and inject arbitrary HTML or...

7.1CVSS5.4AI score0.00177EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.16 views

PT-2026-49739

Name of the Vulnerable Software and Affected Versions Astro versions prior to 6.4.6 Description The spreadAttributes function in the server-side rendering pipeline iterates over object keys and passes them to the addAttribute function, which interpolates the key into the HTML output without...

6.1CVSS5.9AI score0.0016EPSS
Exploits1References5
CVE
CVE
added 2026/06/12 8:36 p.m.21 views

CVE-2026-54395

CVE-2026-54395 affects MISP (UiBeta event index view) with a reflected XSS in the advanced filter popup. The urlparams value is inserted into an inline JavaScript handler inside a single-quoted string; browsers HTML-decode attribute values before JS parsing, enabling an attacker to craft a URL th...

5.3CVSS5.2AI score0.00256EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:21 p.m.12 views

EUVD-2026-36581

A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal, bypassing the normal setSetting validation logic, including validatehomepage, which requires homepage...

5.1CVSS5.3AI score0.00377EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.20 views

PT-2026-48997

Name of the Vulnerable Software and Affected Versions MISP affected versions not specified Description A reflected cross-site scripting issue exists in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler using HTML escaping within a single-quoted...

5.3CVSS4.9AI score0.00256EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.19 views

PT-2026-48995

A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal, bypassing the normal setSetting validation logic, including validate homepage, which requires homepage...

5.1CVSS5.2AI score0.00377EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/10 2:34 p.m.8 views

CVE-2026-53693 MISP BSimVis stored cross-site scripting in tag and cluster rendering paths via unescaped tag metadata and UI labels

A stored cross-site scripting vulnerability existed in MISP BSimVis tag rendering code. Several client-side rendering paths interpolated tag names, collection names, entity identifiers, cluster names, and tag metadata directly into HTML, HTML attributes, inline JavaScript event handlers, and CSS...

6.9CVSS5.5AI score0.00277EPSS
Exploits0References1
Rows per page
Query Builder