CVE-2026-31809 SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer SanitizeSVG checks href attributes for the javascript: prefix using strings.HasPrefix. However, inserting ASCII tab , newline , or carriage return characters inside the javascript: string bypasses this prefi...

PT-2026-21341

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 21.0 AVideo version 18.0 Description AVideo allows Markdown in video comments and uses Parsedown v1.7.4 without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing javascript: URIs to be rendered...

Payload-XSS

Payload-XSS Daftar Isi 1. Payload Dasar 1-20payload-...

CVE-2026-24399 ChatterMate has Stored Cross-Site Scripting (XSS) via Chatbot Input Execution

ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an payload containing a javascript: URI can be processed and executed in the browser context. This allow...

CVE-2026-24399 ChatterMate has Stored Cross-Site Scripting (XSS) via Chatbot Input Execution

ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an payload containing a javascript: URI can be processed and executed in the browser context. This allow...

CVE-2021-31712

react-draft-wysiwyg aka React Draft Wysiwyg before 1.14.6 allows a javascript: URi in a Link Target of the link decorator in decorators/Link/index.js when a draft is shared across users, leading to XSS...

CVE-2025-13308

The Application Passwords plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'rejecturl' parameter in all versions up to, and including, 0.1.3. This is due to insufficient input sanitization and output escaping on user supplied URLs, which allows javascript: URI schemes ...

PT-2025-49339

The Application Passwords plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'reject url' parameter in all versions up to, and including, 0.1.3. This is due to insufficient input sanitization and output escaping on user supplied URLs, which allows javascript: URI schemes...

CVE-2025-58747 Dify MCP OAuth Flow Vulnerable to XSS

Dify is an LLM application development platform. In Dify versions through 1.9.1, the MCP OAuth component is vulnerable to cross-site scripting when a victim connects to an attacker-controlled remote MCP server. The vulnerability exists in the OAuth flow implementation where the authorizationurl...

CVE-2025-58747

CVE-2025-58747 affects Dify up to version 1.9.1, where the MCP OAuth flow passes the remote server’s authorization_url directly to window.open without validation, enabling arbitrary JavaScript execution (XSS) when a victim connects to a malicious MCP server. Affected component: MCP OAuth in Dify....

EUVD-2006-0241

Malware in sbrugna...

EUVD-2006-2966

Malware in sbrugna...

EUVD-2006-0476

Malware in sbrugna...

EUVD-2009-3002

Malware in sbrugna...

EUVD-2006-3755

Malware in sbrugna...

EUVD-2007-0777

Malware in sbrugna...

EUVD-2010-1612

Malware in sbrugna...

EUVD-2017-1561

Malware in sbrugna...

EUVD-2009-1593

Malware in sbrugna...

EUVD-2009-1592

Malware in sbrugna...