PT-2026-32585

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability where the frontend's MdRenderer.vue component parses custom tags from LLM responses or Application Prologue configurations, bypassing standard Markdown sanitizatio...

EUVD-2026-13929

The Scoreboard for HTML5 Games Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'scoreboard' shortcode in all versions up to, and including, 1.2. The shortcode function sfhgshortcode allows arbitrary HTML attributes to be added to the rendered element, with only a...

PT-2026-22839

Name of the Vulnerable Software and Affected Versions AliasVault versions 0.25.3 and lower Description AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting XSS issue exists in the email rendering feature of the AliasVault Web Client. When...

CVE-2026-26192

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, aanually modifying chat history allows setting the html property within document metadata. This causes the frontend to enter a code path that treats document contents as HTML...

PT-2026-20917

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.7.0 Description Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Modifying chat history before version 0.7.0 allows manipulation of the html property within...

MiracleLinux 9 : thunderbird-102.5.0-2.el9.ML.1 (AXSA:2023-5045:06)

The remote MiracleLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2023-5045:06 advisory. Mozilla: Service Workers might have learned size of cross-origin media files CVE-2022-45403 Mozilla: Fullscreen notification bypass CVE-2022-45404...

MiracleLinux 8 : firefox-102.5.0-1.el8.ML.1 (AXSA:2023-4657:01)

The remote MiracleLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2023-4657:01 advisory. Mozilla: Service Workers might have learned size of cross-origin media files CVE-2022-45403 Mozilla: Fullscreen notification bypass CVE-2022-45404...

CVE-2022-45420

Use tables inside of an iframe, an attacker could have caused iframe contents to be rendered outside the boundaries of the iframe, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR 102.5, Thunderbird 102.5, and Firefox 107...

DEBIAN-CVE-2022-45420

Use tables inside of an iframe, an attacker could have caused iframe contents to be rendered outside the boundaries of the iframe, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR 102.5, Thunderbird 102.5, and Firefox 107...

DEBIAN-CVE-2022-28286

Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks. This vulnerability affects Thunderbird 91.8, Firefox 99, and Firefox ESR 91.8...

CVE-2022-28286

Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks. This vulnerability affects Thunderbird 91.8, Firefox 99, and Firefox ESR 91.8...

Mozilla: Iframe contents could be rendered outside the iframe

The Mozilla Foundation Security Advisory describes this flaw as: Use tables inside of an iframe, an attacker could have caused iframe contents to be rendered outside the boundaries of the iframe, resulting in potential user confusion or spoofing attacks...

Oracle Linux 9 : firefox (ELSA-2022-8580)

The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2022-8580 advisory. 102.5.0-1.0.1 - Updated homepages to use https Orabug: 34648274 102.5.0-1 - Update to 102.5.0 build1 102.4.0-1 - Update to 102.4.0 build1 102.3.0-7 - F...

Oracle Linux 9 : thunderbird (ELSA-2022-8561)

The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2022-8561 advisory. 102.5.0-2.0.1 - Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js 102.5.0-2 - Update to 102.5.0 build2 102.5.0-1 -...

Mozilla: Iframe contents could be rendered outside the iframe

The Mozilla Foundation Security Advisory describes this flaw as: Use tables inside of an iframe, an attacker could have caused iframe contents to be rendered outside the boundaries of the iframe, resulting in potential user confusion or spoofing attacks...

MGASA-2022-0428 Updated thunderbird packages fix security vulnerability

Service Workers might have learned size of cross-origin media files. CVE-2022-45403 Fullscreen notification bypass. CVE-2022-45404 Use-after-free in InputStream implementation. CVE-2022-45405 Use-after-free of a JavaScript Realm. CVE-2022-45406 Fullscreen notification bypass via windowName...

Security Vulnerabilities fixed in Firefox ESR 102.5 — Mozilla

Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with Range requests might have allowed them to determine the presence or length of a media file. Through a series of popup and window.print calls, an...

Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks.

...

Mozilla0.x Netscape 34 Firefox 1.0 - JavaScript IFRAME Rendering Denial of Service

Mozilla0.x Netscape 34 Firefox 1.0 - JavaScript IFRAME Rendering Denial of Service source: https://www.securityfocus.com/bid/11823/info Mozilla/Netscape and Firefox browsers are reported prone a remote denial of service vulnerability. It is reported that the affected browsers will crash as a resu...