
20 matches found

NVD
added 2026/05/27 7:16 a.m. · 7 views

CVE-2026-8877

The Responsive Video Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'remvideo' shortcode in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes notably 'id' and 'list' in the...

6.4 CVSS · 0.00032 EPSS
Exploits: 0 · References: 3

EUVD
added 2026/05/27 5:31 a.m. · 5 views

EUVD-2026-32089

The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute...

6.4 CVSS · 6 AI score · 0.00032 EPSS
Exploits: 0 · References: 3

Vulnrichment
added 2026/05/27 5:31 a.m. · 3 views

CVE-2026-8877 Responsive Video Embedder <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Responsive Video Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'remvideo' shortcode in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes notably 'id' and 'list' in the...

6.4 CVSS · 6 AI score · 0.00032 EPSS
Exploits: 0 · References: 3

Snyk
added 2026/05/19 2:46 p.m. · 7 views

Cross-site Scripting (XSS)

Overview: @haxtheweb/video-player is an Automated conversion of video-player/. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via improper sanitization of elements that allow javascript: URIs in the src attribute. An attacker can execute arbitrary JavaScript in the...

5.4 CVSS · 5.8 AI score
Exploits: 0 · References: 2

CNNVD
added 2023/12/07 12:0 a.m. · 2 views

squidex cross-site scripting vulnerability

squidex is a Headless CMS and content management center. A cross-site scripting vulnerability exists in Squidex versions prior to 7.9.0, which stems from the presence of an incomplete blacklist in the SVG check, and can be exploited by an attacker to conduct a cross-site scripting attack via the...

5.4 CVSS · 5.3 AI score · 0.00734 EPSS
Exploits: 1 · References: 4

OSV
added 2023/04/04 3:30 p.m. · 3 views

GHSA-W974-RQ9X-MH3V Pandao Editor.md vulnerable to cross-site scripting (XSS) in iframe src parameter

Cross-site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script in the src parameter...

6.1 CVSS · 6.7 AI score · 0.00369 EPSS
Exploits: 1 · References: 4

Positive Technologies
added 2023/04/04 12:0 a.m. · 2 views

PT-2023-11530 · Pandao · Editor.Md

Name of the Vulnerable Software and Affected Versions: Pandao Editor.md version 1.5.0 Description: A Cross Site Scripting issue allows a remote attacker to execute arbitrary code via a crafted script in the src parameter. This enables the attacker to inject malicious scripts, potentially leading ...

6.1 CVSS · 6.4 AI score · 0.00369 EPSS
Exploits: 1 · References: 6

CNNVD
added 2022/03/15 12:0 a.m. · 2 views

Jenkins Dashboard View Plugin cross-site scripting vulnerability

Jenkins and Jenkins Plugin are both products of Jenkins, an application. Jenkins Plugin is an application that provides hundreds of plugins to support building, deploying, and automating any project. Jenkins Dashboard View Plugin version 2.18 and earlier is vulnerable to a cross-site scripting...

5.4 CVSS · 5.7 AI score · 0.00151 EPSS
Exploits: 0 · References: 6

OSV
added 2021/05/10 11:15 p.m. · 1 views

CVE-2020-23369

In YzmCMS 5.6, XSS was discovered in member/membercontent/init.html via the SRC attribute of an IFRAME element because of using UEditor 1.4.3.3...

6.1 CVSS · 5.8 AI score · 0.00207 EPSS
Exploits: 1 · References: 1

CNNVD
added 2021/05/10 12:0 a.m. · 2 views

Yzmcms cross-site scripting vulnerability

Yzmcms is an open source CMS Content Management System. A cross-site scripting vulnerability exists in YzmCMS version 5.6. The vulnerability stems from the program using UEditor 1.4.3.3, so the vulnerability can be exploited through the SRC attribute of the IFRAME element in...

6.1 CVSS · 5.2 AI score · 0.00207 EPSS
Exploits: 1 · References: 1

Hacker One
added 2020/07/13 12:9 p.m. · 12 views

U.S. Dept Of Defense: DOM XSS on https://www.███████

Description DOM XSS can be achieved due to missing sanitation when setting the source of an iframe. POC 1. Visit https://www.████frame.htmljavascript:alertdocument.domain 2. View alert Vulnerable Code javascript function Load str=document.location.hash,idx=str.indexOf'' ifidx=0 str=str.substr1;...

1 AI score
Exploits: 0

CNVD
added 2017/10/10 12:0 a.m. · 1 views

Baidu UEditor Cross-Site Scripting Vulnerability

Baidu UEditor is an open source HTML editor from the Chinese company Baidu. A cross-site scripting vulnerability exists in Baidu UEditor version 1.4.3.3. A remote attacker can leverage the SRC attribute of the IFRAME element to inject arbitrary web script or HTML...

6.1 CVSS · 6 AI score · 0.00301 EPSS
Exploits: 0 · References: 1

OSV
added 2016/09/11 10:59 a.m. · 0 views

CVE-2016-5149

The extensions subsystem in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux relies on an IFRAME source URL to identify an associated extension, which allows remote attackers to conduct extension-bindings injection attacks by leveraging script access to a...

8.8 CVSS · 7.3 AI score
Exploits: 0 · References: 12

OSV
added 2016/09/11 10:59 a.m. · 1 views

UBUNTU-CVE-2016-5149

The extensions subsystem in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux relies on an IFRAME source URL to identify an associated extension, which allows remote attackers to conduct extension-bindings injection attacks by leveraging script access to a...

8.8 CVSS · 7.3 AI score · 0.01312 EPSS
Exploits: 0 · References: 3

Openbugbounty
added 2015/03/27 6:14 a.m. · 16 views

jcsmsy.jconline.cn XSS vulnerability

Open Bug Bounty ID: OBB-56765
Affected Website: jcsmsy.jconline.cn
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Remediation Guide: OWASP XSS Prevention Cheat...

6.4 AI score
Exploits: 0

ATTACKERKB
added 2012/08/12 9:55 p.m. · 1 views

CVE-2012-2571

Multiple cross-site scripting (XSS) vulnerabilities in WinWebMail Server 3.8.1.6 allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a SCRIPT element, (2) a crafted Cascading Style Sheets (CSS) expression property, (3) a CSS expression property in the STYLE...

4.3 CVSS · 5.2 AI score · 0.00359 EPSS
Exploits: 1 · References: 2

xssed
added 2011/08/01 12:0 a.m. · 19 views

Unfixed XSS vulnerability at www.jdsports.co.uk

Security researcher trv has submitted on 08/01/2011 a cross-site-scripting (XSS) vulnerability affecting www.jdsports.co.uk, which at the time of submission ranked 27154 on the web according to Alexa. We manually validated and published a mirror of this vulnerability on 11/12/2011. It is currently...

Exploits: 0 · References: 1

RedHat Linux
added 2011/04/29 3:14 a.m. · 3 views

Mozilla crash from bad iframe source (MFSA 2011-12)

Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code vi...

10 CVSS · 7.8 AI score · 0.04216 EPSS
Exploits: 0 · References: 4

RedHat Linux
added 2011/04/29 2:57 a.m. · 3 views

Mozilla crash from bad iframe source (MFSA 2011-12)

Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code vi...

10 CVSS · 7.8 AI score · 0.04216 EPSS
Exploits: 0 · References: 4

securityvulns
added 2004/07/13 12:0 a.m. · 29 views

Re: [Full-Disclosure] THE VULNERABILITY STILL WORKS AFTER TODAY'S PATCH

Well it's not quite as easy as you make it sound I think you only took a look at http-equiv's example I posted to full disclosure and based your post on that. You see this: --snip-- iframe src="c:windowswebtip.htm" style="width:400px;height:200px;"/iframe textarea id="code" style="display:none;"...

7 AI score
Exploits: 0