CVE-2026-28445 Typebot: Stored XSS via Rating Block Custom Icon Bypasses isUnsafe Sandbox in Builder Preview

Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the RatingButton component in the embed package renders the user-controlled customIcon.svg field directly via Solid's innerHTML directive without any sanitization, even though DOMPurify is already a dependency and is used elsewhere ...

CVE-2026-23847 SiYuan Vulnerable to Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons type=8. The content query parameter is inserted directly into the S...

CVE-2023-4497

Easy Chat Server, in its 3.1 version and before, does not sufficiently encrypt user-controlled inputs, resulting in a Cross-Site Scripting XSS vulnerability stored via /registresult.htm POST method, in the Icon parameter. The XSS is loaded from /users.ghp...