Mermaid 安全漏洞

Mermaid is an open-source application developed by mermaid-js. It uses text and code to create charts and visualizations. Mermaid versions 10.9.5 and earlier, as well as 11.0.0-alpha.1 through 11.14.0, have security vulnerabilities. These vulnerabilities stem from HTML injection under default...

PT-2026-42781

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description Parsing arbitrary HTML that is subsequently rendered using the Render function can lead to the creation of an unexpected HTML tree. This behavior can be exploite...

Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog

Impact Authenticated users are able to inject HTML vulnerability into an input field, which is rendered in the confirmation dialog without proper output encoding. Patches This issue has been patched in 17.4.0...

GHSA-3R75-XC34-5F44 Crawlee for Python: SSRF via sitemap-derived URLs

Overview - Vulnerability type: Blind SSRF - Affected components: src/crawlee/utils/sitemap.py, src/crawlee/utils/robots.py, src/crawlee/requestloaders/sitemaprequestloader.py, and all built-in HTTP clients. - Trigger: an attacker-controlled sitemap or robots.txt containing a URL that points to an...

SUSE CVE-2026-9121

Out of bounds read in GPU in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: Medium...

PT-2026-42586

Summary A cross-site scripting XSS vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including tags—is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution ...

CVE-2026-9126

Use after free in DOM in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: Medium...

DEBIAN-CVE-2026-9112

Use after free in GPU in Google Chrome on Windows prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

CVE-2026-9121

Out of bounds read in GPU in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: Medium...

EUVD-2026-31168

Use after free in DOM in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: Medium...

CVE-2026-9110

Inappropriate implementation in UI in Google Chrome on Windows prior to 148.0.7778.179 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. Chromium security severity: Critical...

CVE-2026-26028 CryptPad: Sanitizer Bypass in Diffmarked.js Allows Arbitrary HTML Injection and Potential XSS

CryptPad is an end-to-end encrypted collaborative office suite. In versions prior to 2026.2.0, the HTML sanitizer in Diffmarked.js can be bypassed due to incomplete attribute filtering on restricted tags. The sanitizer validates only the src attribute of , , and elements, leaving all other...

firefox: thunderbird: Use-after-free in the DOM: Core & HTML component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Use-after-free in the DOM: Core & HTML component...

Astra Linux - уязвимость в chromium

Type confusion in V8 in Google Chrome prior to 100.0.4896.60 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page...

Astra Linux - уязвимость в chromium

Inappropriate implementation in the iframe sandbox in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass navigation restrictions through a crafted HTML page...

Astra Linux - уязвимость в webkit2gtk

A vulnerable "use-after-free" vulnerability exists in the WebKitGTK browser version 2.30.3 x64. A specially crafted HTML web page can exploit this vulnerability, leading to remote code execution. The victim must visit a malicious website to trigger the vulnerability...

Astra Linux - уязвимость в chromium

In Google Chrome, policy bypass in CORS before version 126.0.6478.54 allowed a remote attacker to bypass discretionary access control through a crafted HTML page. Chromium security severity: Medium...

Astra Linux - уязвимость в chromium

The use of after-free in Skia in Google Chrome before version 106.0.5249.119 allowed a remote attacker to potentially exploit heap corruption through a crafted HTML page. Chromium security severity: High...

Astra Linux - уязвимость в twisted

Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web would process the requests asynchronously, without guaranteeing the order of responses. If either of the endpoints was controlled by an...

Astra Linux - уязвимость в chromium

A heap buffer overflow in UMA in Google Chrome prior to version 111.0.5563.64 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption through a crafted HTML page. Chromium security severity: High...