GHSA-JH3H-RPXG-FR36 Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover
Summary: A stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of <iframe> elements. The application allows javascript: URIs in the src attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the conte...
CVE-2026-28971
CVE-2026-28971 affects Apple platforms via improper UI handling that can be exploited by a malicious iframe to leverage a website’s download settings. Concrete details across connected sources indicate fixes are delivered in iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, and visionOS 26.5. The vulnerab...
CVE-2026-41886
locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener("message", …) handler that dispatches to registered internal handlers (editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, …) without...
CVE-2025-58405
The CGM CLININET application does not implement any mechanisms that prevent clickjacking attacks: neither HTTP security headers nor HTML-based frame‑busting protections were detected. As a result, an attacker can embed the application inside a maliciously crafted IFRAME and trick users into...
CVE-2026-27511
Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55multi contains a clickjacking vulnerability in the web-based administrative interface. The interface does not set the X-Frame-Options header, allowing attacker-controlled sites to embed administrative pages in an iframe and trick an...
CVE-2026-24399
ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an payload containing a javascript: URI can be processed and executed in the browser context. This allow...
Cross-site Scripting (XSS)
Overview: nicegui is a package whose description reads "Create web-based user interfaces with Python. The nice way." Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the pushstate event listener, which allows manipulation of the URL fragment identifier. An attacker can execute arbitrary JavaScript i...
GHSA-MHPG-C27V-6MXR NiceGUI apps which use `ui.sub_pages` vulnerable to zero-click XSS
Summary: An unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. Details: The problem is traced as follows: 1. On pushstate, handleStateEvent is...
EUVD-2021-17454
Malware in sbrugna...
EUVD-2023-58005
Malicious code in bioql PyPI...
CVE-2025-52478 Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source
n8n is a workflow automation platform. From 1.77.0 to before 1.98.2, a stored Cross-Site Scripting (XSS) vulnerability was identified in n8n, specifically in the Form Trigger node's HTML form element. An authenticated attacker can inject malicious HTML via an <iframe> with a srcdoc payload that includes...
CVE-2025-52478
CVE-2025-52478 is a stored XSS in the n8n Form Trigger HTML element affecting versions 1.77.0 up to before 1.98.2. An authenticated attacker can inject malicious HTML via an <iframe> with a srcdoc payload or through <video> with a <source> using onerror, enabling exfiltration of cookies/browser identifiers and enabling...
Linux Distros Unpatched Vulnerability : CVE-2025-24208
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A permissions issue was addressed with additional restrictions. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4. Loading a malicious iframe may lea...
UBUNTU-CVE-2025-51591
A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe. Note: Some users have stated that Pandoc by default can retrieve and parse untrusted HTML content which can enable SSRF vulnerabilitie...
CVE-2025-49139
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is...
CVE-2025-49139 @haxtheweb/haxcms-nodejs Iframe Phishing vulnerability
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is...
CVE-2024-29203
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed iframe elements containing malicious code to execute when inserted into the editor. These iframe elements are restricted in their permissions by...
CVE-2023-5718
The Vue.js Devtools extension was found to leak screenshot data back to a malicious web page via the standard postMessage API. By creating a malicious web page with an iFrame targeting a sensitive resource (i.e. a locally accessible file or sensitive website), and registering a listener on the web...
CVE-2019-15062
An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element containing a user/card.php CSRF request in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. The protection mechanism for CSRF is to check the Referer...
CVE-2012-6301
The Browser application in Android 4.0.3 allows remote attackers to cause a denial of service (application crash) via a crafted market: URI in the SRC attribute of an IFRAME element...