10 matches found
EUVD-2026-11407
The grafanacubism-panel plugin allows use of cubism.js in Grafana. In 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-supplied URL directly to window.location.assign / window.open with no scheme validation. An attacker with dashboard Editor privileges can set the link t...
PT-2025-40856
Name of the Vulnerable Software and Affected Versions: Dashboard (affected versions not specified) Description: The application is susceptible to session hijacking due to the execution of JavaScript code within the address bar. This is possible through the dashboard's "Open in new Tab" button. This...
CVE-2025-58746
The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external links, internal dashboards, time pickers, and dropdown menus. Prior to version 2.4.0, a malicious actor with Editor privileges can escalate their privileges to Administrator and perform arbitrary...
PT-2024-21329 · Mozilla · Firefox For Ios
Name of the Vulnerable Software and Affected Versions: Firefox for iOS versions prior to 123 Description: An issue allows an attacker to execute unauthorized scripts on the current top origin sites in the URL bar when a JavaScript URI is scanned with the QR code scanner. Recommendations: For...
SUSE CVE-2008-4697
The Fast Forward feature in Opera before 9.61, when a page is located in a frame, executes a javascript: URL in the context of the outermost page instead of the page that contains this URL, which allows remote attackers to conduct cross-site scripting (XSS) attacks...
SUSE CVE-2013-7452
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafted javascript URI...
Google Chrome Omnibox Cross-Site Scripting Vulnerability
Google Chrome is a web browser developed by Google, Inc. and Omnibox is a real-time search engine. A security vulnerability exists in Omnibox in versions prior to Google Chrome 63.0.3239.84, which stems from inadequate policy enforcement. An attacker can execute XSS by dragging and dropping a...
Gemirro Cross-Site Scripting Vulnerability
Gemirro is a RubyGems image creation program based on Ruby. A cross-site scripting vulnerability exists in versions of Gemirro prior to 0.16.0. A remote attacker can inject arbitrary web scripts using a specially crafted javascript: URL in the homepage value of a .gemspec file...
javascript: URLs in chrome documents (MFSA 2011-08)
The nsIScriptableUnescapeHTML.parseFragment method in the ParanoidFragmentSink protection mechanism in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey before 2.0.12 does not properly sanitize HTML in a chrome document, which makes it easier for remot...
security flaw
Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 1.5.0.4 allows user-assisted remote attackers to inject arbitrary web script or HTML by tricking a user into (1) performing a "View Image" on a broken image in which the SRC attribute contains a Javascript URL, or (2) selecting "Show on...