EUVD-2019-4659
Malware in sbrugna...
EUVD-2021-29102
Malicious code in bioql PyPI...
Citizen vulnerable to Stored XSS through short descriptions
Summary: Short descriptions set via the ShortDescription extension are inserted as raw HTML by the Citizen skin, allowing any user to insert arbitrary HTML into the DOM by editing a page. Details: The shortdesc property, which contains unsanitized user input, is retrieved from the OutputPage and...
CVE-2025-53369
Short Description is a MediaWiki extension that provides local short description support. In version 4.0.0, short descriptions are not properly sanitized before being inserted as HTML using mw.util.addSubtitle, allowing any user to insert arbitrary HTML into the DOM by editing a page. This issue...
CVE-2025-53369 Citizen Short Description stored XSS vulnerability through wikitext
Short Description is a MediaWiki extension that provides local short description support. In version 4.0.0, short descriptions are not properly sanitized before being inserted as HTML using mw.util.addSubtitle, allowing any user to insert arbitrary HTML into the DOM by editing a page. This issue...
CVE-2025-53370
CVE-2025-53370 concerns the Citizen MediaWiki skin. Versions 1.9.4 up to 3.3.9 expose a stored XSS via the ShortDescription extension: the shortdesc is inserted into the DOM as raw HTML, enabling arbitrary HTML/JS execution by page edits. A patch exists in version 3.4.0. Public references and adv...
TabberNeue vulnerable to Stored XSS through wikitext
Summary: Arbitrary HTML can be inserted into the DOM by inserting a payload into any allowed attribute of the tag. Details: The args provided within the wikitext as attributes to the tag are passed to the TabberComponentTabs class:...
CVE-2025-49577
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerability is fixed in 3.3.1...
CVE-2025-49579
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group h...
CVE-2025-49575
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the...
CVE-2025-49576 Citizen allows stored XSS in search no result messages
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The citizen-search-noresults-title and citizen-search-noresults-desc system messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerabilit...
CVE-2025-49578
Citizen is a MediaWiki skin. CVE-2025-49578 describes an XSS where date messages produced by Language::userDate are inserted into raw HTML, enabling stored XSS on wikis where a user has the editinterface right but not the editsitejs right. The issue affects Citizen versions prior to 3.3.1 and is ...
CVE-2025-49579 Citizen allows stored XSS in menu heading message
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group h...
CVE-2025-49575
The CVE-2025-49575 issue affects the Citizen skin for MediaWiki. The underlying problem is that multiple system messages are inserted into the CommandPaletteFooter as raw HTML, enabling stored HTML injection by users who can edit those messages. This could allow arbitrary HTML execution in the af...
CVE-2024-47781 Cross-site Scripting (XSS) in Special:RequestWikiQueue when displaying sitename in CreateWiki
CreateWiki is an extension used at Miraheze for requesting & creating wikis. The name of requested wikis is not escaped on Special:RequestWikiQueue, so a user can insert arbitrary HTML that is displayed in the request wiki queue when requesting a wiki. If a wiki creator comes across the XSS...
Cross-site Scripting (XSS)
Mautic is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to the ability of an attacker to edit a Mautic form, allowing them to insert malicious HTML that can steal sensitive information from the user's current session...
Cross-Site Scripting (XSS)
github.com/alexxit/go2rtc is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to the links.html page appending the src GET parameter to all of its links for 1-click previews, where the context of appending is innerHTML, leading to the insertion of the text as HTML, which results in X...
CVE-2024-29191
CVE-2024-29191 affects go2rtc (camera streaming app); versions 1.8.5 and earlier are vulnerable to DOM-based XSS. The vulnerability arises when links.html appends the src GET parameter into links via innerHTML, causing text to be interpreted as HTML. A patch was committed (3b3d5b033aac3a019af64f...
CVE-2024-28593
The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's UsingChat page says "If you know some HTML code, you can use it in your text to do things like insert image...