Lucene search
K

451 matches found

Snyk
Snyk
added 2026/03/02 6:35 p.m.3 views

Cross-site Scripting (XSS)

Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Cross-site Scripting XSS via the CommentsService component, which uses v-html without proper sanitization. An attacker can execute arbitrary JavaScript code in the context of a user's browser by submitting crafted inp...

5.4CVSS5.9AI score0.00179EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/02/26 4:15 a.m.6 views

CVE-2026-27627

Karakeep is a elf-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns readableContentHtml, the HTML parsing subprocess uses it directly without running it through DOMPurify. Every other content source in the crawler goes through Readability + DOMPurify,...

8.2CVSS5.3AI score0.00319EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/02/25 12:0 a.m.6 views

PT-2026-21852

Name of the Vulnerable Software and Affected Versions Karakeep version 0.30.0 Description Karakeep is an elf-hostable bookmark-everything app. Version 0.30.0 does not properly sanitize HTML content received from the Reddit metascraper plugin. Specifically, when the plugin returns...

8.2CVSS5.9AI score0.00319EPSS
Exploits1References13
Github Security Blog
Github Security Blog
added 2026/02/23 10:10 p.m.56 views

New API has Potential XSS in its MarkdownRenderer component

Summary A potential unsafe operation occurs in component MarkdownRenderer.jsx, allowing for Cross-Site ScriptingXSS when the model outputs items containing tag. Details Line 212-231 of MarkdownRenderer.jsx is unsafe, it use dangerouslySetInnerHTML to preview html the model generates. This can...

7.6CVSS5.4AI score0.00222EPSS
Exploits1References5Affected Software1
Cvelist
Cvelist
added 2026/02/18 1:13 p.m.25 views

CVE-2026-1439 Reflected Cross-Site Scripting (XSS) vulnerability in Graylog Web Interface

Reflected Cross-Site Scripting XSS vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker ...

5.3CVSS0.00178EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/02/18 12:0 a.m.8 views

Graylog Web Interface 跨站脚本漏洞

The Graylog Web Interface is a web interface provided by the American company Graylog. Version 2.2.3 of the Graylog Web Interface contained a cross-site scripting vulnerability. This vulnerability stemmed from insufficient cleaning and escaping of HTML output, which could allow arbitrary JavaScri...

6.1CVSS5.8AI score0.00178EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/02/03 12:0 a.m.2 views

CVE-2025-65924

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically hyperlinks in fields that are intended for plain text. Although JavaScript is blocked preventing XSS, the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable...

5.5AI score0.00227EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/02/03 12:0 a.m.9 views

ERPNext 安全漏洞

ERPNext is a set of open-source enterprise resource planning solutions developed by the Indian company ERPNext. Versions of ERPNext 15.88.1 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the failure to clean or remove HTML tags from plain-text fields, which cou...

4.1CVSS5.8AI score0.00227EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/01/22 9:41 p.m.12 views

Freeform Craft Plugin CP UI (builder/integrations) has Stored Cross-Site Scripting (XSS) issue

Summary An authenticated, low-privilege user able to create/edit forms can inject arbitrary HTML/JS into the Craft Control Panel CP builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to store...

5.4CVSS5.9AI score0.00253EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2026/01/21 9:31 p.m.8 views

CVE-2026-22849 Saleor lacks proper HTML sanitization in rich text fields

Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor was allowing users to modify rich text fields with HTML without running any backend HTML cleaners thus allowing malicious actors to perform stored XSS attacks on dashboards and...

7.2CVSS5.4AI score0.00201EPSS
Exploits0References9
RedhatCVE
RedhatCVE
added 2026/01/09 9:31 a.m.49 views

CVE-2023-25572

react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and usi...

5.4CVSS5.4AI score0.00694EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/01/09 9:27 a.m.7 views

CVE-2023-45819

TinyMCE is an open source rich text editor. A cross-site scripting XSS vulnerability was discovered in TinyMCE’s Notification Manager API. The vulnerability exploits TinyMCE's unfiltered notification system, which is used in error handling. The conditions for this exploit requires carefully craft...

6.1CVSS5.6AI score0.00601EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 9:14 a.m.8 views

CVE-2022-23494

tinymce is an open source rich text editor. A cross-site scripting XSS vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which...

6.1CVSS5.6AI score0.00939EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 8:41 a.m.5 views

CVE-2022-0427

Missing sanitization of HTML attributes in Jupyter notebooks in all versions of GitLab CE/EE since version 14.5 allows an attacker to perform arbitrary HTTP POST requests on a user's behalf leading to potential account takeover...

8.8CVSS6.4AI score0.00815EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/01/09 8:37 a.m.9 views

CVE-2019-20374

A mutation cross-site scripting XSS issue in Typora through 0.9.9.31.2 on macOS and through 0.9.81 on Linux leads to Remote Code Execution through Mermaid code blocks. To exploit this vulnerability, one must open a file in Typora. The XSS vulnerability is then triggered due to improper HTML...

9.6CVSS6.9AI score0.023EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/01/08 12:0 a.m.6 views

salvo 跨站脚本漏洞

salvo is a web framework from Salvo open source. A cross-site scripting vulnerability exists in versions prior to salvo 0.88.1 , which stems from the listhtml function does not clean up the names of files and folders , which could lead to cross-site scripting attacks...

8.8CVSS5.7AI score0.003EPSS
Exploits1References3
CVE
CVE
added 2026/01/05 7:52 a.m.23 views

CVE-2025-15022

CVE-2025-15022 describes an XSS vulnerability in Vaadin where caption HTML was not sanitized. Affected are Vaadin Framework 7 (7.0.0–7.7.49) and 8 (8.0.0–8.29.1), as well as Vaadin 23.1.0–23.6.5, Vaadin 24.0.0–24.8.13, and Vaadin 24.9.0–24.9.6. Fixed versions sanitize captions by default and, for...

4.8CVSS5.9AI score0.00327EPSS
Exploits0References2
Vaadin
Vaadin
added 2026/01/05 12:0 a.m.32 views

Cross-site scripting in Action caption

Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting XSS if caption content is derived from user input. See CWE-79 Improper Neutralization of Input During Web Page Generation Cross-site Scripting Description In Vaadin Framework 7 and 8...

4.8CVSS6AI score0.00327EPSS
Exploits0Affected Software4
Vulnrichment
Vulnrichment
added 2025/12/11 5:52 p.m.4 views

CVE-2025-14046 Insufficient HTML Sanitization Allows User-Controlled DOM Elements to Overwrite Server-Initialized Data Islands and Trigger Unintended Server-Side POST Requests

An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by...

8.6CVSS6AI score0.0032EPSS
Exploits0References5
Cvelist
Cvelist
added 2025/12/11 5:52 p.m.28 views

CVE-2025-14046 Insufficient HTML Sanitization Allows User-Controlled DOM Elements to Overwrite Server-Initialized Data Islands and Trigger Unintended Server-Side POST Requests

An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by...

8.6CVSS0.0032EPSS
Exploits0References5
Rows per page
Query Builder