116 matches found

Github Security Blog
added 2026/04/22 5:42 p.m. · 7 views

i18nextify has DOM XSS via javascript:/data: URL schemes in translated href/src attributes

Summary Versions of i18nextify prior to 4.0.8 substitute key interpolation tokens inside src and href attribute values with the raw string returned by i18next.t. The substitution logic in src/localize.js replaceInside handler around line 122 only guards against a duplicated http:// origin prefix ...

CVSS 4.7 · AI score 5.9 · EPSS 0.00144
Exploits 0 · References 4 · Affected software 1
Positive Technologies
added 2026/04/22 12:00 a.m. · 8 views

PT-2026-37152

Name of the Vulnerable Software and Affected Versions i18nextify versions prior to 4.0.8 Description The software substitutes key interpolation tokens within src and href attribute values using the raw string from i18next.t. The substitution logic in the replaceInside handler within src/localize....

CVSS 4.7 · AI score 6 · EPSS 0.00144
Exploits 0 · References 6
CVE
added 2026/04/09 5:54 p.m. · 15 views

CVE-2026-39315

Unhead (document head/template manager) contains a vulnerability in useHeadSafe() where hasDangerousProtocol() decodes HTML entities before blocked-scheme checks. The decoder uses two fixed-width regexes; HTML5 allows leading zeros in numeric character references, and when a padded entity exceeds...

CVSS 6.1 · AI score 5.9 · EPSS 0.00285
Exploits 1 · References 3 · Affected software 1
OSV
added 2026/03/26 10:19 p.m. · 3 views

GHSA-2J22-PR5W-6GQ8 Loofah has improper detection of disallowed URIs via `allowed_uri?`

Summary Loofah::HTML5::Scrub.allowed_uri? does not correctly reject javascript: URIs when the scheme is split by HTML entity-encoded control characters such as carriage return, line feed, or tab. Details The allowed_uri? method strips literal control characters before decoding HTML entities. Payloa...

CVSS 2.3 · AI score 5.7
Exploits 0 · References 5
Github Security Blog
added 2026/03/20 8:56 p.m. · 8 views

AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization

Summary The fix for CVE-2026-27568 GHSA-rcqw-6466-3mv7 introduced a custom ParsedownSafeWithLinks class that sanitizes raw HTML and tags in comments, but explicitly disables Parsedown's safeMode. This creates a bypass: markdown link syntax text is processed by Parsedown's inlineLink method, which...

CVSS 6.1 · AI score 5.9 · EPSS 0.00229
Exploits 1 · References 4 · Affected software 1
Cvelist
added 2026/03/10 8:58 p.m. · 26 views

CVE-2026-31809 SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer SanitizeSVG checks href attributes for the javascript: prefix using strings.HasPrefix. However, inserting ASCII tab, newline, or carriage return characters inside the javascript: string bypasses this prefi...

CVSS 6.4 · EPSS 0.00505
Exploits 1 · References 1
Packet Storm
added 2026/02/26 12:00 a.m. · 105 views

Rack::Directory Cross Site Scripting

A persistent cross site scripting vulnerability affects Rack::Directory in Rack versions prior to 2.2.22, 3.1.20, and 3.2.5. | Title : Rack Rack::Directory...

AI score 4.9
Exploits 0
SUSE CVE
added 2026/02/20 12:24 a.m. · 3 views

SUSE CVE-2026-25500

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the javascript: scheme e.g. javascript:alert1, the...

CVSS 5.4 · AI score 6.4 · EPSS 0.00224
Exploits 1 · References 3
UbuntuCve
added 2026/02/18 8:18 p.m. · 3 views

CVE-2026-25500

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the javascript: scheme e.g. javascript:alert1, the...

CVSS 5.4 · AI score 6.3 · EPSS 0.00224
Exploits 1 · References 3
Snyk
added 2026/02/17 6:46 p.m. · 5 views

Cross-site Scripting (XSS)

Overview rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between the so-called middleware into a singl...

CVSS 5.4 · AI score 5.5 · EPSS 0.00224
Exploits 1 · References 2
Github Security Blog
added 2026/02/17 6:46 p.m. · 8 views

Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href

Summary Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the javascript: scheme e.g. javascript:alert1, the generated index includes an anchor whose href attribute is exactly...

CVSS 5.4 · AI score 6.5 · EPSS 0.00224
Exploits 1 · References 5 · Affected software 1
ATTACKERKB
added 2026/02/14 6:42 a.m. · 3 views

CVE-2026-1985

The Press3D plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 3D Model Gutenberg block in all versions up to, and including, 1.0.2. This is due to the plugin failing to sanitize and validate the URL scheme when storing link URLs for 3D model blocks, allowing javascript:...

CVSS 6.4 · AI score 5.8 · EPSS 0.00279
Exploits 0 · References 6
OSV
added 2026/01/01 11:37 a.m. · 6 views

BIT-GITEA-2025-68946

In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS...

CVSS 5.4 · AI score 6.8 · EPSS 0.00222
Exploits 0 · References 4
Snyk
added 2025/12/26 6:30 a.m. · 5 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS when handling URLs in links, where schemes such as javascript, vbscript and data can be used. An attacker can execute arbitrary scripts in the context of the user's browser by enticing a user to click on a craft...

CVSS 5.4 · AI score 5.4 · EPSS 0.00222
Exploits 0 · References 2
Snyk
added 2025/12/26 6:30 a.m. · 6 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS when handling URLs in links, where schemes such as javascript, vbscript and data can be used. An attacker can execute arbitrary scripts in the context of the user's browser by enticing a user to click on a craft...

CVSS 5.4 · AI score 5.4 · EPSS 0.00222
Exploits 0 · References 2
Github Security Blog
added 2025/12/26 6:30 a.m. · 7 views

Gitea vulnerable to Cross-site Scripting

In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS...

CVSS 5.4 · AI score 6.9 · EPSS 0.00222
Exploits 0 · References 5 · Affected software 1
Vulnrichment
added 2025/12/26 4:14 a.m. · 1 view

CVE-2025-68946

In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS...

CVSS 5.4 · AI score 6.5 · EPSS 0.00222
Exploits 0 · References 3
EUVD
added 2025/12/26 4:14 a.m. · 3 views

EUVD-2025-205421

In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS...

CVSS 5.4 · AI score 6.3 · EPSS 0.00222
Exploits 0 · References 4
Cvelist
added 2025/12/26 4:14 a.m. · 19 views

CVE-2025-68946

In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS...

CVSS 5.4 · EPSS 0.00222
Exploits 0 · References 3
UbuntuCve
added 2025/12/26 12:00 a.m. · 2 views

CVE-2025-68946

In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS...

CVSS 5.4 · AI score 7.1 · EPSS 0.00222
Exploits 0 · References 4