Lucene search
K

466 matches found

ATTACKERKB
ATTACKERKB
added 2026/05/26 8:39 p.m.11 views

CVE-2026-44708

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the mistune math plugin renders inline math $...$ and block math $$...$$ by concatenating the raw user-supplied content directly into the HTML output without any HTML escaping. This occurs even when the parser is...

6.1CVSS5.8AI score0.00228EPSS
Exploits1References3Affected Software1
CNNVD
CNNVD
added 2026/05/26 12:0 a.m.9 views

mistune 跨站脚本漏洞

Mistune is a fast and powerful Python Markdown parser developed by Hsiaoming Yang. Versions of Mistune prior to 3.2.1 contained a cross-site scripting vulnerability. This vulnerability stemmed from the mathematical plugin not properly escaping HTML when rendering inline and block-level mathematic...

6.1CVSS5.7AI score0.00228EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/22 5:42 p.m.22 views

Cross-site Scripting (XSS)

Overview golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the writeQuoted function, which does not properly handle characters in DOCTYPE data. An attacker can cause the...

8.1CVSS5.7AI score0.00178EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/19 9:30 a.m.10 views

CVE-2026-31906 Apache OFBiz: Reflected XSS via Improper HTML Attribute Escaping in Layered-Modal Dialog Parameters

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...

5.8AI score0.0044EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/16 1:57 a.m.12 views

CVE-2026-45375

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...

9CVSS5.8AI score0.00361EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/15 12:0 a.m.9 views

Vvveb 跨站脚本漏洞

Vvveb is a powerful and easy-to-use CMS developed by Givan’s individual developers. It is used to build websites, blogs, or e-commerce stores. Versions of Vvveb prior to 1.0.8.3 had a cross-site scripting vulnerability. This vulnerability stemmed from the lack of HTML escaping for the...

5.3CVSS5.6AI score0.00258EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/05/14 12:0 a.m.9 views

Linux Distros Unpatched Vulnerability : CVE-2026-42338

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group and Address6.link do not HTML-escape...

8.1CVSS6.7AI score0.00471EPSS
Exploits1References3
OSV
OSV
added 2026/05/12 8:16 p.m.6 views

DEBIAN-CVE-2026-42338

ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group and Address6.link do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage emitted by the Address6...

6.1CVSS5.4AI score0.00471EPSS
Exploits1References1
NVD
NVD
added 2026/05/12 8:16 p.m.20 views

CVE-2026-42338

ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group and Address6.link do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage emitted by the Address6...

8.1CVSS0.00471EPSS
Exploits1References17
OSV
OSV
added 2026/05/12 8:16 p.m.6 views

UBUNTU-CVE-2026-42338

ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group and Address6.link do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage emitted by the Address6...

8.1CVSS5.4AI score0.00471EPSS
Exploits1References3
UbuntuCve
UbuntuCve
added 2026/05/12 8:16 p.m.16 views

CVE-2026-42338

ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group and Address6.link do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage emitted by the Address6...

6.1CVSS5.4AI score0.00471EPSS
Exploits1References2
Debian CVE
Debian CVE
added 2026/05/12 7:43 p.m.12 views

CVE-2026-42338

ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group and Address6.link do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage emitted by the Address6...

8.1CVSS5.4AI score0.00471EPSS
Exploits1
Github Security Blog
Github Security Blog
added 2026/05/11 3:56 p.m.31 views

Next.js has cross-site scripting in beforeInteractive scripts with untrusted input

Impact Applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break ou...

6.1CVSS5.7AI score0.00205EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/05/08 4:53 p.m.9 views

GHSA-2H64-C999-C9R6 SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE

Summary The kernel stores Attribute View AV / database names without any HTML escape, then a render template uses raw strings.ReplaceAlltpl, "$avName", nodeAvName to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths render.ts:120 → outerHTML,...

9.4CVSS5.9AI score0.00509EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/08 3:23 a.m.50 views

CVE-2026-42150 wlc: print_html outputs API data without HTML escaping, enabling stored XSS

wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0...

5.1CVSS0.00174EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/08 3:23 a.m.8 views

CVE-2026-42150 wlc: print_html outputs API data without HTML escaping, enabling stored XSS

wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0...

5.1CVSS5.6AI score0.00174EPSS
Exploits0References4
CVE
CVE
added 2026/05/08 3:23 a.m.20 views

CVE-2026-42150

The vulnerability CVE-2026-42150 affects the Weblate WebCLI tool wlc. Prior to version 2.0.0, wlc’s HTML output format embeds API response data directly into HTML without escaping, enabling cross-site scripting when rendered in a browser. The issue is mitigated by upgrading to version 2.0.0 or la...

5.1CVSS5.5AI score0.00174EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/08 12:0 a.m.21 views

PT-2026-39263

Name of the Vulnerable Software and Affected Versions MCP Registry versions prior to 1.7.7 Description The public catalogue UI served at the 'GET /' endpoint is subject to stored cross-site scripting. This occurs via the server.websiteUrl field of published server.json files. The server-side...

5.4CVSS5.7AI score0.00167EPSS
Exploits1References11
Positive Technologies
Positive Technologies
added 2026/05/08 12:0 a.m.12 views

PT-2026-39292

Name of the Vulnerable Software and Affected Versions Mistune affected versions not specified Description The math plugin in Mistune fails to sanitize user-supplied content when rendering inline math $...$ and block math $$...$$. The plugin concatenates raw input directly into the HTML output,...

6.1CVSS5.9AI score0.00228EPSS
Exploits1References6
OSV
OSV
added 2026/05/07 9:18 p.m.6 views

GHSA-3V85-FQVH-7RXF Ech0's RSS feed renders unescaped tag names and raw-HTML markdown, stored XSS against subscribers

Summary The public RSS/Atom feed at /rss renders two attacker-controlled surfaces without HTML escaping. Tag names flow through fmt.AppendfrenderedContent, "%s", tag.Name at internal/service/common/common.go:120, and the Markdown renderer at internal/util/md/md.go does not set the html.SkipHTML...

4.8CVSS5.9AI score
Exploits0References3
Rows per page
Query Builder