6 matches found
GHSA-QVJF-922G-PJ44 Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend
TL;DR This vulnerability affects all Kirby sites that allow the use of the link: … KirbyTag, the link: parameter of the image: … KirbyTag, the built-in image block with a link or the HTML importer for blocks, when content is authored by users who may not be fully trusted. The attack requires an...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the rendering of links in KirbyTags and image blocks in the site frontend when untrusted user input is processed. An attacker can execute arbitrary JavaScript code in the context of site visitors or logged-i...
Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend
TL;DR This vulnerability affects all Kirby sites that allow the use of the link: … KirbyTag, the link: parameter of the image: … KirbyTag, the built-in image block with a link or the HTML importer for blocks, when content is authored by users who may not be fully trusted. The attack requires an...
CVE-2026-32040
OpenClaw versions prior to 2026.2.23 contain an html injection vulnerability in the HTML session exporter that allows attackers to execute arbitrary javascript by injecting malicious mimeType values in image content blocks. Attackers can craft session entries with specially crafted mimeType...
CVE-2026-32040
OpenClaw versions prior to 2026.2.23 contain an html injection vulnerability in the HTML session exporter that allows attackers to execute arbitrary javascript by injecting malicious mimeType values in image content blocks. Attackers can craft session entries with specially crafted mimeType...
CVE-2026-32040
OpenClaw versions prior to 2026.2.23 contain an html injection vulnerability in the HTML session exporter that allows attackers to execute arbitrary javascript by injecting malicious mimeType values in image content blocks. Attackers can craft session entries with specially crafted mimeType...