CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

58929 matches found

Snyk•added 2026/03/10 11:49 p.m.•2 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the SanitizeSVG component. An attacker can execute arbitrary JavaScript in the context of the application by injecting crafted SVG content containing or elements that dynamically assign dangerous attributes ...

9.3CVSS7.4AI score0.00445EPSS

Exploits1References2

NVD•added 2026/03/10 9:16 p.m.•3 views

CVE-2026-31807

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer SanitizeSVG blocks dangerous elements , , and removes on event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements , which can dynamically set attributes to dangero...

6.4CVSS0.00445EPSS

Exploits1References1

NVD•added 2026/03/10 9:16 p.m.•3 views

CVE-2026-31809

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer SanitizeSVG checks href attributes for the javascript: prefix using strings.HasPrefix. However, inserting ASCII tab , newline , or carriage return characters inside the javascript: string bypasses this prefi...

6.4CVSS0.00505EPSS

Exploits1References1

ATTACKERKB•added 2026/03/10 9:1 p.m.•5 views

CVE-2026-31808

file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a denial of service vulnerability exists in the ASF WMV/WMA file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value...

5.3CVSS5.8AI score0.00325EPSS

Exploits0References3Affected Software1

ATTACKERKB•added 2026/03/10 8:58 p.m.•3 views

CVE-2026-31809

9.3CVSS5.8AI score0.00625EPSS

Exploits2References2Affected Software1

Vulnrichment•added 2026/03/10 8:58 p.m.•3 views

CVE-2026-31809 SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS

6.4CVSS5.8AI score0.00505EPSS

Exploits1References1

CVE•added 2026/03/10 8:58 p.m.•9 views

CVE-2026-31809

SiYuan before v3.5.10 is vulnerable via the SVG sanitizer (SanitizeSVG) which checks href for javascript: prefixes using strings.HasPrefix(), but allows ASCII tab, newline, or carriage return characters to bypass the check. These characters are stripped by browsers per WHATWG URL rules before par...

6.4CVSS5.8AI score0.00505EPSS

Exploits1References1Affected Software1

Cvelist•added 2026/03/10 8:58 p.m.•26 views

CVE-2026-31809 SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS

6.4CVSS0.00505EPSS

Exploits1References1

OSV•added 2026/03/10 8:58 p.m.•2 views

CVE-2026-31809 SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS

6.4CVSS5.8AI score0.00505EPSS

Exploits1References3

EUVD•added 2026/03/10 6:31 p.m.•4 views

EUVD-2025-208501

CWE-79 Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability exists that could cause condition where authenticated attackers can have a victim’s browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server...

5.1CVSS5.9AI score0.00392EPSS

Exploits0References2

NVD•added 2026/03/10 6:18 p.m.•2 views

CVE-2026-30974

Copyparty is a portable file server. Prior to v1.20.11., the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the...

5.4CVSS0.00323EPSS

Exploits0References3

NVD•added 2026/03/10 6:18 p.m.•5 views

CVE-2026-30973

Appium is an automation framework that provides WebDriver-based automation possibilities for a wide range platforms. Prior to 7.0.6, @appium/support contains a ZIP extraction implementation extractAllTo via ZipExtractor.extract with a path traversal Zip Slip check that is non-functional. The chec...

6.5CVSS0.00388EPSS

Exploits1References2

NVD•added 2026/03/10 6:17 p.m.•4 views

CVE-2025-13902

5.1CVSS0.00392EPSS

Exploits0References1

EUVD•added 2026/03/10 5:40 p.m.•3 views

EUVD-2026-10713

RenderBlocking is a MediaWiki extension that allows interface administrators to specify render-blocking CSS and JavaScript. Prior to 0.1.1, there is Stored XSS in renderblocking-css with Inline Assets mode. $wgRenderBlockingInlineAssets = true and editsitecss user rights are required. This...

2CVSS5.8AI score0.00472EPSS

Exploits0References3

NVD•added 2026/03/10 5:40 p.m.•5 views

CVE-2026-30925

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This...

8.2CVSS0.00446EPSS

Exploits0References3

CVE•added 2026/03/10 5:37 p.m.•11 views

CVE-2026-30974

The copyparty advisory GHSA-M6HV-X64C-27MM describes a vulnerability where the nohtml volflag failed to block JavaScript in SVG files. Although not a vulnerability by itself, this allowed a user with write access to upload an SVG containing embedded JavaScript that could execute when opened, pote...

5.4CVSS5.8AI score0.00323EPSS

Exploits0References3Affected Software1

Cvelist•added 2026/03/10 5:37 p.m.•25 views

CVE-2026-30974 Copyparty volflag `nohtml` did not block javascript in svg files

4.6CVSS0.00323EPSS

Exploits0References3

ATTACKERKB•added 2026/03/10 5:37 p.m.•2 views

CVE-2026-30974

4.6CVSS5.8AI score0.00323EPSS

Exploits0References4Affected Software1

EUVD•added 2026/03/10 5:37 p.m.•3 views

EUVD-2026-10712