Lucene search
K

469 matches found

Github Security Blog
Github Security Blog
added 2026/03/30 5:20 p.m.6 views

Slippers Vulnerable to Cross-Site Scripting (XSS) in `attrs` Template Tag

Summary A Cross-site Scripting XSS vulnerability exists in the % attrs % template tag of the slippers Django package. When a context variable containing untrusted data is passed to % attrs %, the value is interpolated into an HTML attribute string without escaping, allowing an attacker to break o...

6.1CVSS6AI score0.00227EPSS
Exploits1References5Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/28 10:11 a.m.6 views

CVE-2026-33916

A flaw was found in Handlebars. The resolvePartial function in the Handlebars runtime does not properly guard against prototype-chain traversal when resolving partial names. This allows an attacker to inject malicious code into web pages. When Object.prototype has been polluted with a string valu...

4.7CVSS6.3AI score0.00276EPSS
Exploits1References6
SUSE CVE
SUSE CVE
added 2026/03/28 12:26 a.m.6 views

SUSE CVE-2026-32751

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree MobileFiles.ts renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version Files.ts properly uses escapeHtml for the same...

9CVSS6.1AI score0.00796EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/27 7:45 p.m.22 views

CVE-2026-33739 FOG has Stored XSS in Multiple Management Pages

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages Host, Storage, Group, Image, Printer, Snapin are vulnerable to Stored Cross-Site Scripting XSS, due to insufficient server-side parameter...

5.7CVSS0.00183EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/03/27 12:0 a.m.13 views

FOG 跨站脚本漏洞

FOG is an open-source computer cloning and management system developed by the FOG Project. Versions of FOG prior to 1.5.10.1812 contained a cross-site scripting vulnerability. This vulnerability stemmed from insufficient server-side parameter cleaning and the lack of HTML escaping in list tables,...

5.7CVSS5.7AI score0.00183EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/03/27 12:0 a.m.8 views

PT-2026-28520

Name of the Vulnerable Software and Affected Versions FOG versions prior to 1.5.10.1812 Description FOG, a free open-source cloning/imaging/rescue suite/inventory management system, contains a Stored Cross-Site Scripting XSS issue. This occurs due to insufficient server-side parameter sanitizatio...

5.7CVSS5.9AI score0.00183EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 2026/03/26 3:10 p.m.4 views

CVE-2026-32124

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dynamic code picker AJAX endpoint returns code descriptions codetext that are rendered in the front end e.g. DataTables without HTML escaping. If an administrator or user...

5.4CVSS5.9AI score0.00162EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:10 p.m.4 views

CVE-2026-32751

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree MobileFiles.ts renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version Files.ts properly uses escapeHtml for the same...

9CVSS6.1AI score0.00796EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:8 p.m.5 views

CVE-2026-28499

LeafKit is a templating language with Swift-inspired syntax. Prior to version 1.14.2, HTML escaping doesn't work correctly when a template prints a collection Array / Dictionary via value. This can result in XSS, allowing potentially untrusted input to be rendered unescaped. Version 1.14.2 fixes...

6.9CVSS5.8AI score0.00265EPSS
Exploits1References1
OSV
OSV
added 2026/03/25 5:15 p.m.2 views

GHSA-7Q9X-8G6P-3X75 @grackle-ai/server: Unescaped Error String in renderPairingPage() HTML Template

Impact The renderPairingPage function embeds the error parameter directly into HTML without escaping: typescript const errorHtml = error ? $error : ""; All current call sites pass hardcoded strings, so this is not exploitable today. However, the function is architecturally fragile — if a future...

2.3CVSS5.9AI score
Exploits0References2
Cvelist
Cvelist
added 2026/03/23 11:9 p.m.29 views

CVE-2026-33170 Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, SafeBuffer% does not propagate the @htmlunsafe flag to the newly created buffer. If a SafeBuffer is mutated in place e.g. via gsub! and th...

5.3CVSS0.00327EPSS
Exploits0References7
Debian CVE
Debian CVE
added 2026/03/23 11:9 p.m.5 views

CVE-2026-33170

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, SafeBuffer% does not propagate the @htmlunsafe flag to the newly created buffer. If a SafeBuffer is mutated in place e.g. via gsub! and th...

6.1CVSS5.3AI score0.00327EPSS
Exploits0
SUSE Linux
SUSE Linux
added 2026/03/23 4:35 p.m.13 views

Security update for go1.25-openssl

This update for go1.25-openssl fixes the following issues: Update to go 1.25.8 bsc1244485, jscSLE-18320: CVE-2025-61732: cmd/cgo: discrepancy between Go and C/C++ comment parsing allows for C code smuggling bsc1257692. CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated sessio...

9.6CVSS5.9AI score0.00765EPSS
Exploits1References24
Snyk
Snyk
added 2026/03/20 10:41 a.m.2 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Range or Values summarizer, which renders raw database values without escaping HTML. An attacker can execute arbitrary HTML or JavaScript in the context of affected users by injecting malicious content...

8.7CVSS5.8AI score0.00296EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/20 8:14 a.m.2 views

CVE-2026-33067 SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata

SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields displayName, description using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when an...

5.3CVSS6AI score0.00549EPSS
Exploits2References1
Positive Technologies
Positive Technologies
added 2026/03/20 12:0 a.m.6 views

PT-2026-26754

Name of the Vulnerable Software and Affected Versions orpc versions prior to 1.13.9 Description orpc, a tool for building type-safe APIs adhering to OpenAPI standards, contains a stored cross-site scripting XSS issue in its OpenAPI documentation generation. An attacker controlling fields within t...

8.2CVSS6AI score0.00288EPSS
Exploits1References6
CVE
CVE
added 2026/03/19 9:11 p.m.17 views

CVE-2026-32751

SiYuan vulnerability CVE-2026-32751 affects versions 3.6.0 and earlier where the mobile file tree (MobileFiles.ts) renders notebook names with innerHTML without escaping during renamenotebook WebSocket events. This allows an authenticated user who can rename notebooks to inject HTML/JavaScript th...

9CVSS6.2AI score0.00796EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/03/18 4:9 p.m.4 views

GHSA-MVPM-V6Q4-M2PF SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata

Stored XSS to RCE via Unsanitized Bazaar Package Metadata Summary SiYuan's Bazaar community marketplace renders package metadata fields displayName, description using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which...

5.3CVSS6.5AI score0.00549EPSS
Exploits2References3
Cvelist
Cvelist
added 2026/03/18 1:19 a.m.26 views

CVE-2026-28499 LeafKit's HTML escaping may be skipped for Collection values, enabling XSS

LeafKit is a templating language with Swift-inspired syntax. Prior to version 1.14.2, HTML escaping doesn't work correctly when a template prints a collection Array / Dictionary via value. This can result in XSS, allowing potentially untrusted input to be rendered unescaped. Version 1.14.2 fixes...

6.9CVSS0.00265EPSS
Exploits1References3
CVE
CVE
added 2026/03/18 1:19 a.m.22 views

CVE-2026-28499

LeafKit (Vapor) prior to version 1.14.2 has an HTML escaping flaw when rendering collection values (Array/Dictionary) via #(value), which can cause XSS by unescaped output. The issue is fixed in LeafKit 1.14.2. Affected tooling references include CVE-2026-28499 and related advisories (NVD, Red Ha...

6.9CVSS5.7AI score0.00265EPSS
Exploits1References3Affected Software1
Rows per page
Query Builder