287 matches found
CVE-2026-47901
Logseq is vulnerable to a sandbox escape flaw where plugins running in sandboxed iframes can inject arbitrary HTML attributes, such as event handlers, into their container element in the host DOM. Due to a disabled Content Security Policy (CSP), this allows a malicious plugin to execute arbitrary...
CVE-2026-44698
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, the Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on Android and...
PT-2026-44845
Name of the Vulnerable Software and Affected Versions: Home Assistant Companion app for iOS versions prior to 2026.4.1; Home Assistant Companion app for Android versions prior to 2026.4.4. Description: The Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app...
Astra Linux - vulnerability in firefox, thunderbird
When a parent page loaded a child in an iframe with unsafe-inline, the parent Content Security Policy could override the child Content Security Policy. This vulnerability affects Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7...
Astra Linux - vulnerability in chromium
Inappropriate implementation in Paint in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to leak cross-origin data outside an iframe via a crafted HTML page. Chrome security severity: Low...
Astra Linux - vulnerability in firefox
Using a redirect embedded in sourceMappingUrls may allow navigation to external protocol links within sandboxed iframes, without the requirement of allow-top-navigation-to-custom-protocols. This vulnerability affects Firefox for Android 112, Firefox 112, and Focus for Android 112...
Security vulnerability in multiple Apple products
Apple iOS and several other products are made by the American company Apple. Apple iOS is an operating system developed for mobile devices. Apple macOS is a specialized operating system designed for Mac computers. Apple iPadOS is an operating system for iPad tablets. Several of Apple’s products have...
Astra Linux – Vulnerability in Firefox, Thunderbird
If a document creates a sandboxed iframe without allow-scripts, and then appends an element to the iframe’s document that has a JavaScript event handler—the event handler will still be executed despite the iframe being in a sandbox. This vulnerability affects Firefox versions earlier than 97,...
Origin Validation Error
Overview: org.webjars.npm:electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Origin Validation Error in the session.setPermissionRequestHandler function. An attacker can gain...
BIT-DISCOURSE-2026-27166 Discourse vulnerable to HTML injection via prohibited iframe URLs
Discourse is an open source discussion platform. Prior to versions 2026.3.0, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in versions 2026.3.0, 2026.2.1...
CVE-2026-27166
Discourse is an open source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in versions...
CVE-2026-27166 Discourse vulnerable to HTML injection via prohibited iframe URLs
Discourse is an open source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in versions...
EUVD-2026-13187
Discourse is an open source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in versions...
PT-2026-26341
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 2026.3.0-latest.1; Discourse versions prior to 2026.2.1; Discourse versions prior to 2026.1.2. Description: Discourse is an open source discussion platform. Insufficient cleanup in the default Codepen allowed iframes...
Next.js: null origin can bypass Server Actions CSRF checks
Summary: origin: null was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts such as sandboxed iframes could bypass origin verification instead of being validated as cross-origin requests. Impact: An attacker could induce a victim browser ...
CGM CLININET security vulnerability
CGM CLININET is a hospital information management system developed by the German company CGM. CGM CLININET has a security vulnerability, which stems from the lack of mechanisms to prevent clickjacking attacks. This vulnerability could allow attackers to embed malicious IFRAMES into the applicatio...
CVE-2025-65922
CVE-2025-65922 affects PLANKA 2.0.0. The issue is missing X-Frame-Options and CSP frame-ancestors headers, allowing the app to be embedded in malicious iframes which could enable UI redressing and phishing on overlay forms. The supplier disputes the risk, citing SameSite=Strict cookies and cross-...