
59044 matches found

Vulnrichment
added 2026/01/28 6:33 a.m. | 4 views

CVE-2026-1466 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Jirafeau

Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image except for...

CVSS: 6.1 | AI score: 5 | EPSS: 0.00287
Exploits: 0 | References: 4

RedHat Linux
added 2026/01/28 4:22 a.m. | 2 views

firefox: thunderbird: Use-after-free in the JavaScript: GC component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Use-after-free in the JavaScript: GC component...

CVSS: 6.5 | AI score: 5.7 | EPSS: 0.00361
Exploits: 0 | References: 6

RedHat Linux
added 2026/01/28 4:22 a.m. | 1 view

firefox: thunderbird: Use-after-free in the JavaScript Engine component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Use-after-free in the JavaScript Engine component...

CVSS: 9.8 | AI score: 5.7 | EPSS: 0.00423
Exploits: 0 | References: 5

RedHat Linux
added 2026/01/28 4:8 a.m. | 4 views

firefox: thunderbird: Use-after-free in the JavaScript: GC component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Use-after-free in the JavaScript: GC component...

CVSS: 6.5 | AI score: 5.7 | EPSS: 0.00361
Exploits: 0 | References: 6

RedHat Linux
added 2026/01/28 4:8 a.m. | 2 views

firefox: thunderbird: Use-after-free in the JavaScript Engine component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Use-after-free in the JavaScript Engine component...

CVSS: 9.8 | AI score: 5.7 | EPSS: 0.00423
Exploits: 0 | References: 5

Wolfi
added 2026/01/28 1:48 a.m. | 6 views

GHSA-HG6J-8H7M-3W3J vulnerabilities

Vulnerabilities for packages: nodejs...

AI score: 5.9
Exploits: 0

Cvelist
added 2026/01/28 1:28 a.m. | 27 views

CVE-2026-1513

billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding...

EPSS: 0.00158
Exploits: 0 | References: 1

Vulnrichment
added 2026/01/28 1:28 a.m. | 2 views

CVE-2026-1513

billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding...

AI score: 6 | EPSS: 0.00158
Exploits: 0 | References: 1

CVE
added 2026/01/28 1:28 a.m. | 49 views

CVE-2026-1513

CVE-2026-1513 affects billboard.js prior to 3.18.0, enabling cross-site scripting via improper sanitization during chart option binding. Multiple sources (Red Hat, OSV, Snyk) confirm an XSS risk in the affected library. Remediation: upgrade billboard.js to 3.18.0-next.2 or higher (per OSV/Snyk gu...

CVSS: 6.1 | AI score: 6 | EPSS: 0.00158
Exploits: 0 | References: 1 | Affected Software: 1

EUVD
added 2026/01/28 1:28 a.m. | 7 views

EUVD-2026-4915

billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding...

CVSS: 7.1 | AI score: 6 | EPSS: 0.00158
Exploits: 0 | References: 1

AlpineLinux
added 2026/01/28 1:28 a.m. | 4 views

CVE-2026-1513

billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding...

CVSS: 6.1 | AI score: 5.5 | EPSS: 0.00158
Exploits: 0

CNNVD
added 2026/01/28 12:0 a.m. | 5 views

billboard.js security vulnerability

billboard.js is a reusable and easy-to-use JavaScript chart library developed by NAVER based on D3.js. Versions of billboard.js prior to 3.18.0 contained a security vulnerability. This vulnerability stemmed from improper cleanup during the binding of chart options, which could allow for the...

CVSS: 6.1 | AI score: 5.9 | EPSS: 0.00158
Exploits: 0 | References: 1

Positive Technologies
added 2026/01/28 12:0 a.m. | 6 views

PT-2026-5114

PDW File Browser version 1.3 contains stored and reflected cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through file rename and path parameters. Attackers can craft malicious URLs or rename files with XSS payloads to execute arbitrary...

CVSS: 5.4 | AI score: 6 | EPSS: 0.00207
Exploits: 0 | References: 4

CNNVD
added 2026/01/28 12:0 a.m. | 8 views

Live Helper Chat Cross-Site Script Vulnerabilities

Live Helper Chat is an open-source plugin for personal developers that provides chat functionality for web platforms. Versions of Live Helper Chat prior to 4.72 contained a cross-site scripting vulnerability. This vulnerability stemmed from a storage-based cross-site scripting in the PDF file...

CVSS: 6.9 | AI score: 5.8 | EPSS: 0.00243
Exploits: 0 | References: 1

OSV
added 2026/01/27 11:32 p.m. | 6 views

CVE-2026-23830 SandboxJS has Sandbox Escape via Unprotected AsyncFunction Constructor

SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to AsyncFunction not being isolated in SandboxFunction. The library attempts to sandbox code execution by replacing the global Function constructor with a safe, sandboxed version...

CVSS: 10 | AI score: 6.3 | EPSS: 0.01122
Exploits: 1 | References: 4

NVD
added 2026/01/27 10:15 p.m. | 10 views

CVE-2026-24778

Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially...

CVSS: 8.8 | EPSS: 0.00255
Exploits: 0 | References: 2

ATTACKERKB
added 2026/01/27 9:57 p.m. | 6 views

CVE-2026-24778

Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially...

CVSS: 8.8 | AI score: 5.9 | EPSS: 0.00255
Exploits: 0 | References: 3 | Affected Software: 1

Github Security Blog
added 2026/01/27 7:55 p.m. | 20 views

SandboxJS has Sandbox Escape via Unprotected AsyncFunction Constructor

Summary A sandbox escape vulnerability due to AsyncFunction not being isolated in SandboxFunction Details The library attempts to sandbox code execution by replacing the global Function constructor with a safe, sandboxed version SandboxFunction. This is handled in utils.ts by mapping Function to...

CVSS: 10 | AI score: 6.3 | EPSS: 0.01122
Exploits: 1 | References: 4 | Affected Software: 1

RedHat Linux
added 2026/01/27 5:28 p.m. | 2 views

firefox: thunderbird: Use-after-free in the JavaScript Engine component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Use-after-free in the JavaScript Engine component...

CVSS: 9.8 | AI score: 5.7 | EPSS: 0.00423
Exploits: 0 | References: 5

RedHat Linux
added 2026/01/27 5:16 p.m. | 2 views

firefox: thunderbird: Use-after-free in the JavaScript: GC component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Use-after-free in the JavaScript: GC component...

CVSS: 6.5 | AI score: 5.7 | EPSS: 0.00361
Exploits: 0 | References: 6