CVE-2026-40922 SiYuan: Incomplete sanitization of bazaar README allows stored XSS via iframe srcdoc (incomplete fix for CVE-2026-33066)
SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering (an incomplete fix for CVE-2026-33066) enabled the Lute HTML sanitizer, but the sanitizer does not block iframe tags, and its URL-prefix blocklist does not...
CVE-2026-26223 SPIP < 4.4.8 Cross-Site Scripting via Iframe Tags in Private Area
SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in...
Linux Distros Unpatched Vulnerability : CVE-2026-26223
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe...
Tiny Technologies TinyMCE Security Vulnerability
Tiny Technologies TinyMCE is a rich text editor from Tiny Technologies, USA. A security vulnerability exists in TinyMCE versions prior to 6.8.1, which stems from a cross-site scripting (XSS) vulnerability in the iframe element...
Simple Iframe < 1.2.0 - Contributor+ Stored XSS
The plugin does not properly validate one of its WordPress block attribute's content, which may allow users whose role is at least that of a contributor to conduct Stored Cross-Site Scripting attacks. POST /wp-json/wp/v2/posts/60?locale=user HTTP/1.1 Host: 127.0.0.1 Content-Length: 378 sec-ch-ua:...
SUSE-SU-2022:0906-1 Security update for MozillaThunderbird
This update for MozillaThunderbird fixes the following issues: Updated to version 91.7 (bsc#1196900): - CVE-2022-26381: Fixed an invalid memory access due to text reflow when SVG objects were present. - CVE-2022-26383: Fixed an issue where, when resizing a popup after requesting fullscreen access, t...
Stripo Inc: Bypassing Content-Security-Policy leads to open-redirect and iframe xss
Summary: https://my.stripo.email/cabinet//template-editor/..... has the following code to make iframes more secure: HTML pointing to other domains won't work, but the whitelist in frame-src has listed .firebaseapp.com, a free hosting domain, leading to iframe abuse and redirects. Steps To Reproduce...
Iframe < 4.5 - Authenticated Stored Cross Site Scripting (XSS)
The iframe plugin before 4.5 does not sanitize a URL. iframe src="javascript:alert(document.cookie)" width="100%" height="500"...