Aim vulnerable to Cross-site Scripting

Cross-site Scripting XSS in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox...

GHSA-GMVV-RJ92-9W35 Aim vulnerable to Cross-site Scripting

Cross-site Scripting XSS in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox...

CVE-2025-51464

Cross-site Scripting XSS in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox...

CVE-2025-51464

Cross-site Scripting XSS in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox...

Cross-site Scripting (XSS)

@nuxtjs/mdc is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization of Markdown content caused by allowing injection of a tag, which can alter relative URL resolution and enable loading of external attacker-controlled resources, leading to arbitrary JavaScript...

CVE-2025-51462

CVE-2025-51462 describes a stored XSS in RAGFlow 0.17.2, via api.apps.dialog_app.set_dialog: crafted input to the assistant greeting field is stored unsanitised and rendered by a markdown component with rehype-raw, enabling execution of arbitrary JavaScript. The vulnerability affects RAGFlow 0.17...

Mozilla Firefox ESR < 128.13

The version of Firefox ESR installed on the remote macOS or Mac OS X host is prior to 128.13. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-58 advisory. - Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbir...

Security Vulnerabilities fixed in Firefox 141 — Mozilla

On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. On arm64, a WASM brtable instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrec...

LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Personal Canned Messages

Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting XSS via Personal Canned Messages Date: 09/06/2025 Exploit Author: Manojkumar J TheWhiteEvil Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/ Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/ Software...

Mozilla Thunderbird < 128.13

The version of Thunderbird installed on the remote Windows host is prior to 128.13. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-62 advisory. - Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140....

CVE-2025-51464

Cross-site Scripting XSS in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox...

CVE-2025-51462

Stored Cross-site Scripting XSS vulnerability in api.apps.dialogapp.setdialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw...

Mozilla Firefox ESR < 140.1

The version of Firefox ESR installed on the remote macOS or Mac OS X host is prior to 140.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-59 advisory. - Memory safety bugs present in Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140...

Mozilla Firefox ESR < 140.1

The version of Firefox ESR installed on the remote Windows host is prior to 140.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-59 advisory. - Memory safety bugs present in Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of...

Mozilla Thunderbird < 128.13

The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 128.13. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-62 advisory. - Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbir...

LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via the Chat Transfer Function

Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting XSS via the Chat Transfer Function Date: 09/06/2025 Exploit Author: Manojkumar J TheWhiteEvil Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/ Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/ Software...

CVE-2025-51462

Stored Cross-site Scripting XSS vulnerability in api.apps.dialogapp.setdialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw...

Cross-site Scripting (XSS)

Overview cadwyn is a Production-ready community-driven modern Stripe-like API versioning in FastAPI Affected versions of this package are vulnerable to Cross-site Scripting XSS via the version parameter of the /docs endpoint. An attacker can execute arbitrary JavaScript code in a user's browser b...

CVE-2025-53528 Cadwyn is vulnerable to an XSS attack through its docs page

Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the "/docs" endpoint is vulnerable to a Reflected XSS Cross-Site Scripting attack. This XSS would notably allow an attacker to execute JavaScript code ...

GHSA-2GXP-6R36-M97R Cadwyn vulnerable to XSS on the docs page

Summary The version parameter of the /docs endpoint is vulnerable to a Reflected XSS Cross-Site Scripting attack. PoC 1. Setup a minimal app following the quickstart guide: https://docs.cadwyn.dev/quickstart/setup/ 2. Click on the following PoC link:...