Lucene search
+L

15893 matches found

Github Security Blog
Github Security Blog
added 2026/07/10 4:5 p.m.10 views

tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies

Summary tarteaucitron provides a list of cookies and buttons to delete them. If an attacker can write HTML with data attributes, they could create an element that silently deletes a cookie when clicked and trick a user to delete this cookie. Details tarteaucitron.cookie.purge is called on any...

4.3CVSS6.1AI score0.00349EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/07/10 9:5 a.m.11 views

CVE-2026-41877

CVE-2026-41877 affects R-SOFT DMS. It is a Stored XSS in the file upload functionality: an authenticated attacker could inject arbitrary HTML/JS into the uploaded file’s name, which would be executed when other users view the file list or upload status. The issue has been fixed in version v3.19-2...

5.1CVSS6.2AI score0.0039EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2026/07/10 3:12 a.m.4 views

SUSE CVE-2026-59926

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, renderadmonition in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into the HTML class attribute without escaping, allowing attribute injection and cross-site scripting even...

6.1CVSS6AI score0.00191EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/09 10:19 p.m.6 views

CVE-2026-59855

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, Asset.render in app/src/asset/index.ts interpolates the unsanitized this.path value into HTML assigned to innerHTML, allowing a crafted asset link containing a double quote to break out of the src attribute, inject an...

8.6CVSS6AI score0.00305EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/07/09 7:22 a.m.10 views

CVE-2026-31981

A stored HTML injection vulnerability affects the Diagram tab and Graph view of Guardian/CMC (N2OS) prior to 26.2.0. An authenticated administrator can inject HTML into configuration data via multiple input vectors; when viewed by others, the HTML may render and enable phishing or open redirects....

5.9CVSS6AI score0.00142EPSS
Exploits0References1Affected Software2
EUVD
EUVD
added 2026/07/09 12:31 a.m.10 views

EUVD-2026-42456

Inappropriate implementation in WebGL in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to inject arbitrary scripts or HTML UXSS via a crafted HTML page. Chromium security severity: High...

6.1AI score0.00139EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/07/09 12:0 a.m.6 views

FreeBSD : Gitlab -- Vulnerabilities (84ce0c0c-7b4e-11f1-9c40-2cf05da270f3)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 84ce0c0c-7b4e-11f1-9c40-2cf05da270f3 advisory. Gitlab reports: Cross-site Scripting issue in vulnerability evidence table renderer impacts...

8.7CVSS7AI score0.00282EPSS
Exploits0References10
EUVD
EUVD
added 2026/07/08 1:48 p.m.6 views

EUVD-2026-42252

Capgo before 12.128.2 contains an html injection vulnerability in the organization settings endpoint that allows attackers to inject malicious HTML content. Attackers can craft payloads in the organization name field to redirect users to untrusted websites, enabling phishing attacks and...

5.4CVSS6AI score0.00138EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/08 1:48 p.m.30 views

CVE-2026-56283 Capgo - HTML Injection Leading to Open Redirection in Organization Settings

Capgo before 12.128.2 contains an html injection vulnerability in the organization settings endpoint that allows attackers to inject malicious HTML content. Attackers can craft payloads in the organization name field to redirect users to untrusted websites, enabling phishing attacks and...

5.4CVSS0.00138EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/08 12:29 a.m.8 views

EUVD-2026-42150

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the AgentLogLine dashboard component instantiated ansi-to-html without escapeXML: true and inserted the result via dangerouslySetInnerHTML so HTML embedded...

5.4CVSS6AI score0.00316EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/07/08 12:29 a.m.41 views

CVE-2026-55437 Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the AgentLogLine dashboard component instantiated ansi-to-html without escapeXML: true and inserted the result via dangerouslySetInnerHTML so HTML embedded...

5.4CVSS0.00316EPSS
Exploits0References6
CVE
CVE
added 2026/07/08 12:29 a.m.12 views

CVE-2026-55437

CVE-2026-55437 affects Coder: prior to 2.29.17, 2.32.7, 2.33.8, and 2.34.2, AgentLogLine uses ansi-to-html without escapeXML: true and injects via dangerouslySetInnerHTML, enabling stored HTML injection in workspace agent logs. Exploitation requires a user with workspace-owner access to view atta...

5.4CVSS6AI score0.00316EPSS
Exploits0References6Affected Software1
FreeBSD
FreeBSD
added 2026/07/08 12:0 a.m.5 views

Gitlab -- Vulnerabilities

Gitlab reports: Cross-site Scripting issue in vulnerability evidence table renderer impacts GitLab EE HTML Injection in wiki markup rendering impacts GitLab CE/EE Insufficiently Protected Credentials issue in repository mirroring impacts GitLab EE Improper Access Control issue in work items impac...

8.7CVSS5.9AI score0.00282EPSS
Exploits0References1
NVD
NVD
added 2026/07/07 11:16 p.m.7 views

CVE-2026-36163

An HTML injection vulnerability in the file view endpoint of LiquidFiles v4.2.7 allows authenticated attackers to execute arbitrary JavaScript in the context of the victim's browser via the uploading of and user interaction with a crafted HTML file...

5.4CVSS0.00141EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/07 8:37 p.m.5 views

CVE-2026-55647

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, dashboard text components render stored component content with Vue v-html without server-side HTML sanitization, allowing an authenticated user who can edit dashboard component data to inject HTML with executable...

5.1CVSS6AI score0.00269EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2026/07/07 4:2 p.m.12 views

HTML injection in Jupyter Notebook and JupyterLab leading to DOM Clobbering

ImpactThe vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature.A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user...

8.8CVSS6.1AI score0.00373EPSS
Exploits0References7Affected Software1
OSV
OSV
added 2026/07/07 4:2 p.m.5 views

PYSEC-2026-1481 HTML injection in Jupyter Notebook and JupyterLab leading to DOM Clobbering

Impact The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature. A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user...

8.8CVSS6.1AI score0.00373EPSS
Exploits0References7
EUVD
EUVD
added 2026/07/07 12:30 a.m.6 views

EUVD-2026-41954

showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdo...

6.1CVSS5.9AI score0.00198EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/07 12:0 a.m.25 views

CVE-2026-36163

An HTML injection vulnerability in the file view endpoint of LiquidFiles v4.2.7 allows authenticated attackers to execute arbitrary JavaScript in the context of the victim's browser via the uploading of and user interaction with a crafted HTML file...

0.00141EPSS
Exploits0References2
CVE
CVE
added 2026/07/07 12:0 a.m.16 views

CVE-2026-36163

CVE-2026-36163 describes an HTML injection vulnerability in the file view endpoint of LiquidFiles v4.2.7. Authenticated attackers can upload and interact with a crafted HTML file to trigger arbitrary JavaScript execution in the victim’s browser. The affected component is the file view handling pa...

5.4CVSS6.2AI score0.00141EPSS
Exploits0References2
Rows per page
Query Builder