Lucene search
K

59120 matches found

EUVD
EUVD
added 2025/10/15 8:29 p.m.4 views

EUVD-2025-34678

happy-dom's --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript...

9.4CVSS6.1AI score0.00318EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2025/10/15 8:29 p.m.9 views

happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript

Summary The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice, since it still allows prototype pollution payloads. Details The untrusted script and the rest of the application still run in the same Isolate/process, s...

9.4CVSS7.9AI score0.00318EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2025/10/15 8:29 p.m.3 views

GHSA-QPM2-6CQ5-7PQ5 happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript

Summary The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice, since it still allows prototype pollution payloads. Details The untrusted script and the rest of the application still run in the same Isolate/process, s...

9.4CVSS7.8AI score0.00318EPSS
Exploits0References4
NVD
NVD
added 2025/10/15 6:15 p.m.10 views

CVE-2025-62410

In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads ...

9.4CVSS0.00318EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/10/15 5:16 p.m.7 views

CVE-2025-62410 --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom

In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads ...

9.4CVSS6.4AI score0.00318EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/10/15 5:16 p.m.14 views

CVE-2025-62410 --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom

In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads ...

9.4CVSS0.00318EPSS
Exploits0References2
OSV
OSV
added 2025/10/15 5:16 p.m.4 views

CVE-2025-62410 --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom

In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads ...

9.4CVSS6.8AI score0.00318EPSS
Exploits0References4
CVE
CVE
added 2025/10/15 5:16 p.m.78 views

CVE-2025-62410

CVE-2025-62410 affects happy-dom prior to version 20.0.2, where the --disallow-code-generation-from-strings mitigation does not fully isolate untrusted JavaScript. The untrusted script and the rest of the application run in the same Isolate/process, allowing prototype-pollution payloads to hijack...

9.4CVSS6.4AI score0.00318EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/10/15 4:43 p.m.4 views

CVE-2025-42901

SAP Application Server for ABAP allows an authenticated attacker to store malicious JavaScript payloads which could be executed in victim user's browser when accessing the affected functionality of BAPI explorer. This has low impact on confidentiality and integrity with no impact on availability ...

5.4CVSS6.6AI score0.00206EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 2025/10/15 4:41 p.m.6 views

thunderbird: firefox: Some non-writable Object properties could be modified

A flaw was found in Thunderbird and Firefox. The Mozilla Foundation's Security Advisory describes the following issue: There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable...

6.5CVSS6.5AI score0.0021EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2025/10/15 4:0 p.m.6 views

thunderbird: firefox: Some non-writable Object properties could be modified

A flaw was found in Thunderbird and Firefox. The Mozilla Foundation's Security Advisory describes the following issue: There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable...

6.5CVSS6.5AI score0.0021EPSS
Exploits0References6
EUVD
EUVD
added 2025/10/15 3:30 p.m.6 views

EUVD-2025-34656

A stored cross-site scripting XSS vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support EoTS are not evaluated...

8.4CVSS5.2AI score0.00257EPSS
Exploits0References2
NVD
NVD
added 2025/10/15 2:15 p.m.3 views

CVE-2025-59269

A stored cross-site scripting XSS vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support EoTS are not evaluated...

8.4CVSS0.00257EPSS
Exploits0References1
NVD
NVD
added 2025/10/15 2:15 p.m.10 views

CVE-2025-54858

When a BIG-IP Advanced WAF or BIG-IP ASM Security Policy is configured with a JSON content profile that has a malformed JSON schema, and the security policy is applied to a virtual server, undisclosed requests can cause the bd process to terminate. Note: Software versions which have reached End o...

8.7CVSS0.00317EPSS
Exploits0References1
CVE
CVE
added 2025/10/15 1:55 p.m.18 views

CVE-2025-59269

CVE-2025-59269 is a stored cross-site scripting (XSS) vulnerability in BIG-IP Configuration utility. It affects BIG-IP (all modules) and stems from insufficient input handling on an undisclosed page, allowing an attacker to store and execute JavaScript in the context of the currently logged-in us...

8.4CVSS5.3AI score0.00257EPSS
Exploits0References1Affected Software21
NVD
NVD
added 2025/10/15 1:16 p.m.4 views

CVE-2025-10869

Stored Cross-site Scripting XSS in Oct8ne Chatbot v2.3. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting a malicious payload through the creation of a transcript that is sent by email. This vulnerability can be exploited to steal sensitive user...

6.1CVSS0.00216EPSS
Exploits0References1
OSV
OSV
added 2025/10/15 7:15 a.m.8 views

CVE-2025-11160

The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS module in all versions up to, and including, 8.6.1. This is due to insufficient input sanitization and output escaping of user-supplied JavaScript code in the Custom JS module. This makes...

5.4CVSS6AI score
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/10/15 6:43 a.m.4 views

CVE-2025-11160 WPBakery Page Builder <= 8.6.1 - Stored Cross-Site Scripting via Custom JS Module

The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS module in all versions up to, and including, 8.6.1. This is due to insufficient input sanitization and output escaping of user-supplied JavaScript code in the Custom JS module. This makes...

6.4CVSS4.8AI score0.00194EPSS
Exploits0References2
CVE
CVE
added 2025/10/15 6:43 a.m.17 views

CVE-2025-11160

The CVE CVE-2025-11160 applies to the WPBakery Page Builder (WordPress) and is a stored XSS via the Custom JS module in all versions up to 8.6.1. The vulnerability arises from insufficient input sanitization and output escaping of user-supplied JavaScript, enabling authenticated users with contri...

6.4CVSS4.8AI score0.00194EPSS
Exploits0References2Affected Software1
Veracode
Veracode
added 2025/10/15 4:18 a.m.6 views

Malicious Package Injection

DuckDB is vulnerable to malicious package injection. The vulnerability is due to unauthorized access and compromise of the npm package publishing process, which allowed an attacker to upload malicious versions of DuckDB’s Node.js packages containing code that interfered with cryptocurrency...

8.6CVSS7.4AI score0.00349EPSS
Exploits0References5Affected Software4
Rows per page
Query Builder