CVE-2026-34777

CVE-2026-34777 affects Electron: prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, the origin passed to session.setPermissionRequestHandler() for iframe-permission requests (fullscreen, pointerLock, keyboardLock, openExternal, or media) was the top‑level page origin instead of the requesting ...

DOMPurify ADD_ATTR predicate skips URI validation

Summary DOMPurify allows ADDATTR to be provided as a predicate function via EXTRAELEMENTHANDLING.attributeCheck. When the predicate returns true, isValidAttribute short-circuits the attribute check before URI-safe validation runs. An attacker who supplies a predicate that accepts specific...

GHSA-R5P7-GP4J-QHRX Electron: Incorrect origin passed to permission request handler for iframe requests

Impact When an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter ...

Electron: Incorrect origin passed to permission request handler for iframe requests

Impact When an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter ...

EUVD-2026-18953

Electron: Incorrect origin passed to permission request handler for iframe requests...

GHSA-5VPR-4FGW-F69H File Browser is vulnerable to Stored Cross-site Scripting via crafted EPUB file

Summary The EPUB preview function in File Browser is vulnerable to Stored Cross-site Scripting XSS. JavaScript embedded in a crafted EPUB file executes in the victim's browser when they preview the file. Details frontend/src/views/files/Preview.vue passes allowScriptedContent: true to the...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the cleanupXss function when sanitizing HTML content with conflicting htmLawed configuration options. An attacker can execute arbitrary JavaScript in the context of the affected application by injecting...

GHSA-3H6J-9X8M-RG3G Graby has stored XSS via iframe srcdoc Attribute in htmLawed Sanitization Config

Summary Graby's cleanupXss function configures htmLawed with conflicting settings: safe=1 which removes combined with 'elements' = '+iframe-meta' which re-enables . htmLawed does not sanitize the srcdoc attribute, allowing injection of arbitrary JavaScript that executes when the content is render...

Graby has stored XSS via iframe srcdoc Attribute in htmLawed Sanitization Config

Summary Graby's cleanupXss function configures htmLawed with conflicting settings: safe=1 which removes combined with 'elements' = '+iframe-meta' which re-enables . htmLawed does not sanitize the srcdoc attribute, allowing injection of arbitrary JavaScript that executes when the content is render...

CVE-2026-33976

Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the sourc...

CVE-2026-33976

Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the sourc...

CVE-2026-33976 Notesnook vulnerable to RCE via stored XSS in Web Clipper rendering

Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the sourc...

CVE-2026-33976

Notesnook stores attacker-controlled attributes from a source page into web-clip HTML during Web Clipper rendering. When a clip is later opened, Notesnook renders this HTML in a same-origin, unsandboxed iframe via contentDocument.write, allowing event-handler attributes (onload, onclick, onmouseo...

CVE-2026-33976 Notesnook vulnerable to RCE via stored XSS in Web Clipper rendering

Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the sourc...

Open Redirect

Overview n8n-nodes-base is a Base nodes of n8n Affected versions of this package are vulnerable to Open Redirect via the Form Node when an authenticated user with workflow creation or modification permissions configures an unsanitized HTML description field or leverages an overly permissive ifram...

CVE-2021-27375

Traefik before 2.4.5 allows the loading of IFRAME elements from other domains...

CVE-2026-3516

The Contact List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'clmapiframe' parameter in all versions up to, and including, 3.0.18. This is due to insufficient input sanitization and output escaping when handling the Google Maps iframe custom field. The saveCustomFiel...

CVE-2026-27166

Discourse is an open source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in versions...

EUVD-2026-13929

The Scoreboard for HTML5 Games Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'scoreboard' shortcode in all versions up to, and including, 1.2. The shortcode function sfhgshortcode allows arbitrary HTML attributes to be added to the rendered element, with only a...

EUVD-2026-13922

The Contact List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'clmapiframe' parameter in all versions up to, and including, 3.0.18. This is due to insufficient input sanitization and output escaping when handling the Google Maps iframe custom field. The saveCustomFiel...