655 matches found
CVE-2025-32014
estree-util-value-to-estree converts a JavaScript value to an ESTree expression. When generating an ESTree from a value with a property named __proto__, valueToEstree would generate an object that specifies a prototype instead. This vulnerability is fixed in 3.3.3...
CVE-2025-32014 estree-util-value-to-estree allows prototype pollution in generated ESTree
estree-util-value-to-estree converts a JavaScript value to an ESTree expression. When generating an ESTree from a value with a property named __proto__, valueToEstree would generate an object that specifies a prototype instead. This vulnerability is fixed in 3.3.3...
PT-2025-15241 · Unknown · Estree-Util-Value-To-Estree
Name of the Vulnerable Software and Affected Versions: estree-util-value-to-estree versions prior to 3.3.3 Description: The issue arises when estree-util-value-to-estree converts a JavaScript value to an ESTree expression. Specifically, when generating an ESTree from a value with a property named...
CVE-2025-31629
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jacob Allred Infusionsoft Web Form JavaScript infusionsoft-web-form-javascript allows Stored XSS. This issue affects Infusionsoft Web Form JavaScript: from n/a through = 1.1.1...
CVE-2025-3028
JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. This vulnerability affects Firefox < 137, Firefox ESR < 115.22, Firefox ESR < 128.9, Thunderbird < 137, and Thunderbird < 128.9...
CVE-2025-3028
JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. This vulnerability was fixed in Firefox 137, Firefox ESR 115.22, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9...
CVE-2025-3028 Use-after-free triggered by XSLTProcessor
JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. This vulnerability was fixed in Firefox 137, Firefox ESR 115.22, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9...
CVE-2025-3028
CVE-2025-3028 describes a use-after-free in memory handling when JavaScript runs during XSLTProcessor document transformation. Affected products include Firefox versions before 137 and Firefox ESR before 115.22/128.9, and Thunderbird versions before 137/128.9. Public advisories (e.g., ALAS2FIREFO...
CVE-2025-27406
Icinga Reporting is the central component for reporting-related functionality in the monitoring web frontend and framework Icinga Web 2. A vulnerability present in versions 0.10.0 through 1.0.2 allows setting up a template that can embed arbitrary JavaScript. This enables the attacker to act...
Vega Cross-Site Scripting Vulnerability
Vega is a JavaScript-based software from the Vega team that can be used to create interactive visual displays. The software can describe data visualizations using JSON format and generate interactive views using HTML5 Canvas or SVG. A security vulnerability exists in Vega 5.30.0 and prior versions...
CVE-2025-27406
Technical details (affected products, versions, root cause, exploit vectors) are not provided in the connected documents. Monitor for updates.
CVE-2025-27404
Icinga Web 2 is affected by CVE-2025-27404. Affected versions are prior to 2.11.5 and 2.12.13, where an attacker can craft a URL that, when visited by any user, allows embedding arbitrary JavaScript into Icinga Web and acting on behalf of that user. The issue is mitigated by upgrading to 2.11.5 o...
CVE-2025-2536
Cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.82 through 7.4.3.128, and Liferay DXP 2024.Q3.0, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 82 through update 92 in the Frontend JS module's...
CVE-2025-30143
CVE-2025-30143 affects Akamai App & API Protector (with Akamai ASE) prior to 2024-12-10, where Rule 3000216 does not correctly handle JavaScript variable assignments to built-in functions/properties. The root cause is the mis-evaluation of such assignments, enabling bypass risks in the WAF logic....
Atlassian Plugin People Enterprise Mail Handler for Jira Data Center Security Vulnerability
Atlassian Plugin People Enterprise Mail Handler for Jira Data Center is an enterprise message handling plugin from Atlassian Australia. A security vulnerability exists in Atlassian Plugin People Enterprise Mail Handler for Jira Data Center versions prior to 4.1.69-dc. An attacker can exploit this...
Esri ArcGIS Server Cross-Site Scripting Vulnerability (CNVD-2025-05058)
Esri ArcGIS Server is Esri's Web-oriented enterprise software platform for providing geolocation services. A cross-site scripting vulnerability exists in Esri ArcGIS Server versions 10.9.1 through 11.3, which can be exploited by an attacker to create a specially crafted link that, when clicked, m...
CVE-2025-26091
A Cross Site Scripting (XSS) vulnerability exists in TeamPasswordManager v12.162.284 and before that could allow a remote attacker to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'name' parameter when creating a new password in the "My...