CVE-2026-54759

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove elements. Combined with the SiYuan Electron client's permissive security configuration, an attacker can include a malicious in a Bazaar package README that executes arbitrary...

Thinfinity Iframe Injection

A vulnerability exists in Thinfinity VirtualUI in a function located in /lab.html reachable which by default could allow IFRAME injection via the "vpath" parameter. id: CVE-2021-45092 info: name: Thinfinity Iframe Injection author: danielmofer severity: critical description: A vulnerability exist...

CVE-2025-71331

Flowise before 3.0.8 contains a cross-site scripting XSS vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript by sending an iframe payload e.g., in a chat box, or by having a custom agent function return an X...

CVE-2025-71331

Flowise (pre-3.0.8) exposes a Cross-Site Scripting (XSS) vulnerability due to insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript via an iframe payload in chat or have a custom agent function return an external XSS payload. The inj...

EUVD-2025-210289

Flowise before 3.0.8 contains a cross-site scripting XSS vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript by sending an iframe payload e.g., in a chat box, or by having a custom agent function return an X...

Astra Linux – Vulnerability in Firefox and Thunderbird

An iframe from a cross-origin origin that references an XSLT document would inherit the permissions of the parent domain such as access to microphones or cameras. This vulnerability affects Thunderbird 102.2, Thunderbird 91.13, Firefox ESR 91.13, Firefox ESR 102.2, and Firefox 104...

Astra Linux – Vulnerability in Chromium

Insufficient policy enforcement in PopupBlocker in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass navigation restrictions via a crafted iframe...

Astra Linux – Vulnerability in Firefox and Thunderbird

When navigating from within an iframe while requesting fullscreen access, a tab controlled by an attacker could prevent the browser from exiting fullscreen mode. This vulnerability affects Firefox ESR 91.5, Firefox 96, and Thunderbird 91.5...

Astra Linux – Vulnerability in WebKit2GTK

Description: A cross-origin issue with iframe elements was addressed by improving the tracking of security origins. This issue is fixed in tvOS 14.6, iOS 14.6, iPadOS 14.6, Safari 14.1.1, macOS Big Sur 11.4, and watchOS 7.5. Processing maliciously crafted web content may lead to cross-site...

Astra Linux – Vulnerability in Firefox and Thunderbird

The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects Firefox 94, Thunderbird 91.3, and Firefox ESR 91.3...

Astra Linux – Vulnerability in Chromium

Insufficient policy enforcement in the iFrameSandbox of Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass navigation restrictions through a crafted HTML page...

Astra Linux – Vulnerability in Firefox and Thunderbird

Dragging a URL from a cross-origin iframe that was removed during the drag-and-drop process could lead to user confusion and website spoofing attacks. This vulnerability affects Firefox 111, Firefox ESR 102.9, and Thunderbird 102.9...

Astra Linux – Vulnerability in Firefox

Even when an iframe was sandboxed with allow-top-navigation-by-user-activation, if it received a redirect header to an external protocol, the browser would process the redirect and prompt the user appropriately. This vulnerability affects Firefox versions earlier than 102...

Astra Linux – Vulnerability in Firefox and Thunderbird

If an attacker could control the contents of an iframe that was sandboxed using allow-popups but not allow-scripts, they could create a link that, when clicked, would cause JavaScript execution, violating the sandboxing rules. This vulnerability affects Firefox 98, Firefox ESR 91.7, and Thunderbi...

CVE-2026-12047

CVE-2026-12047 – pgAdmin 4 : HTML injection in the cloud deployment module arises when unsanitised exception text (from verify_credentials, deploy, and related endpoints under /rds/, /azure/, /google/, and /cloud/) is echoed into JSON response fields (info/errormsg) and rendered by the Cloud Wiza...

CVE-2026-12047 pgAdmin 4: HTML injection in cloud verify_credentials / deploy endpoints via unsanitised SDK exception text

HTML injection in pgAdmin 4's cloud deployment module. The verifycredentials, deploy, regions, and update-server endpoints under /rds/, /azure/, /google/, and the top-level /cloud/ blueprint propagated AWS / Azure / Google SDK exception text — and the related file-resolution and database-commit...

EUVD-2026-36632

Information disclosure vulnerability in Avira Password Manager when used with Mozilla Firefox may allow a remote attacker operating a cross-origin iframe to obtain credentials autofilled for the parent web page via incorrect autofill field selection. This issue affects Avira Password Manager when...

CVE-2026-12068

Information disclosure vulnerability in Avira Password Manager when used with Mozilla Firefox may allow a remote attacker operating a cross-origin iframe to obtain credentials autofilled for the parent web page via incorrect autofill field selection. This issue affects Avira Password Manager when...

CVE-2026-12068 Avira Password Manager credential disclosure via cross-origin autofill in Firefox

Information disclosure vulnerability in Avira Password Manager when used with Mozilla Firefox may allow a remote attacker operating a cross-origin iframe to obtain credentials autofilled for the parent web page via incorrect autofill field selection. This issue affects Avira Password Manager when...

PT-2026-49049

Name of the Vulnerable Software and Affected Versions Avira Password Manager affected versions not specified Description An information disclosure issue exists in Avira Password Manager when used with Mozilla Firefox on Windows, macOS, and Linux. A remote attacker operating a cross-origin iframe...