Lucene search
K

311 matches found

Snyk
Snyk
added 2026/01/07 7:28 p.m.5 views

Access of Resource Using Incompatible Type ('Type Confusion')

Overview preact is a fast 3kB alternative to React with the same modern API. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type 'Type Confusion' during rendering in the vnode constructor. An attacker can inject arbitrary HTML or execute scripts by...

9.2CVSS6.8AI score0.00227EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2025/12/27 12:4 a.m.3 views

CVE-2025-68927 Improper Neutralization of HTML Tags in a Web Page in libredesk

Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/id/notes, the backend automatically wraps user input in tags. However, by intercepting the...

8.6CVSS6.6AI score0.00193EPSS
Exploits1References2
NVD
NVD
added 2025/12/26 3:15 p.m.5 views

CVE-2025-36230

IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site...

5.4CVSS0.00166EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/12/26 2:22 p.m.4 views

CVE-2025-36230 XSS in IBM Aspera Faspex

IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site...

5.4CVSS6.2AI score0.00166EPSS
Exploits0References1
CNVD
CNVD
added 2025/12/25 12:0 a.m.3 views

Kentico Xperience HTML Injection Vulnerability

Kentico Xperience is a digital experience platform from Kentico. Kentico Xperience suffers from an HTML injection vulnerability that stems from the lack of valid filtering and escaping of user-supplied data in unencoded form fields, which can be exploited by an attacker to execute arbitrary web...

6.1CVSS6.1AI score0.00165EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/12/23 7:35 p.m.3 views

CVE-2021-47737 CSZ CMS 1.2.7 HTML Injection Vulnerability via Member Dashboard

CSZ CMS 1.2.7 contains an HTML injection vulnerability that allows authenticated users to insert malicious hyperlinks in message titles. Attackers can craft POST requests to the member messaging system with HTML-based links to potentially conduct phishing or social engineering attacks...

5.4CVSS6.6AI score0.00244EPSS
Exploits1References4
NVD
NVD
added 2025/12/23 12:15 a.m.8 views

CVE-2025-68614

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.12.0, the Alert Rule API is vulnerable to stored cross-site scripting. Alert rules can be created or updated via LibreNMS API. The alert rule name is not properly sanitized, and can be used to inject...

5.4CVSS0.03417EPSS
Exploits1References2
CVE
CVE
added 2025/12/18 1:17 p.m.14 views

CVE-2025-40893

The CVE-2025-40893 issue affects Nozomi Networks Guardian/CMC Asset List functionality where improper validation of network traffic data allows stored HTML injection (XSS) via specially crafted packets. Unauthenticated attackers can insert HTML into asset attributes, which then renders in a victi...

6.1CVSS5.7AI score0.0016EPSS
Exploits0References2Affected Software2
CNNVD
CNNVD
added 2025/12/18 12:0 a.m.4 views

Kentico Xperience 跨站脚本漏洞

Kentico Xperience is a digital experience platform from Kentico. Kentico Xperience suffers from an HTML injection vulnerability that stems from the lack of valid filtering and escaping of user-supplied data in unencoded form fields, which can be exploited by an attacker to execute arbitrary web...

6.1CVSS6.1AI score0.00165EPSS
Exploits0References2
EUVD
EUVD
added 2025/12/15 9:30 p.m.5 views

EUVD-2025-203408

A HTML Injection vulnerability in the comment section of the project page in MicroStudio 24.01.29 allows remote attackers to inject arbitrary web script or HTML via the text parameter of addprojectcomment function...

6.3AI score0.00184EPSS
Exploits0References3
Cvelist
Cvelist
added 2025/12/13 7:21 a.m.31 views

CVE-2025-9207 TI WooCommerce Wishlist <= 2.10.0 - Unauthenticated HTML Injection

The TI WooCommerce Wishlist plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 2.10.0. This is due to the plugin accepting hidden fields and not limiting the values or data that can input and is later output. This makes it possible for unauthenticated...

5.3CVSS0.00373EPSS
Exploits0References4
Veracode
Veracode
added 2025/12/13 6:7 a.m.11 views

Persistent HTML Injection

privatebin/privatebin is vulnerable to persistent HTML injection. The vulnerability is due to an unsanitized attachment filename attachmentname when attachments are enabled, which allows an attacker to modify the filename before encryption so that, after decryption, arbitrary HTML is inserted...

5.8CVSS5.9AI score0.00277EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2025/12/11 5:16 a.m.5 views

UBUNTU-CVE-2025-8405

GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML into vulnerability...

7.7CVSS5.9AI score0.00494EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/12/11 4:5 a.m.39 views

CVE-2025-8405 Improper Encoding or Escaping of Output in GitLab

GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML into vulnerability...

7.7CVSS0.00494EPSS
Exploits0References3
EUVD
EUVD
added 2025/12/05 5:32 p.m.4 views

EUVD-2025-201464

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. Javascript was correctly blocked by the content security policy of the...

3.5CVSS6.2AI score0.00212EPSS
Exploits0References4
Veracode
Veracode
added 2025/12/02 1:9 p.m.7 views

HTML Injection

mailgen is vulnerable to HTML injection. The vulnerability is due to improper stripping of HTML tags in the generatePlaintext method when Unicode line-separator characters bypass the regex filter, which allows an attacker to inject unexpected HTML that can be interpreted as executable script...

6.3CVSS7AI score0.00409EPSS
Exploits0References3Affected Software1
Veracode
Veracode
added 2025/12/01 9:14 a.m.5 views

Cross-site Scripting (XSS)

mailgen is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization in the generatePlaintext method, which fails to remove HTML tags provided as encoded entities, allowing an attacker to inject malicious HTML or JavaScript that can execute when the resulting...

6.3CVSS6.7AI score0.00395EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2025/11/27 11:4 a.m.2 views

CVE-2025-13742 Limited HTML injection in emails

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML i...

6.1CVSS5.7AI score0.00155EPSS
Exploits0References1
Cvelist
Cvelist
added 2025/11/13 1:50 a.m.9 views

CVE-2025-64711 PrivateBin vulnerable to malicious filename use for self-XSS / HTML injection locally for users

PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version 1.7.7 and prior to version 2.0.3, dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a crafted file on...

3.9CVSS0.00107EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2025/11/12 1:6 p.m.8 views

CVE-2025-41104

HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consist of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'customfield1' in '/estimaterequests/saveestimaterequest'...

5.4CVSS7.3AI score0.00158EPSS
Exploits0References1
Rows per page
Query Builder