16 matches found
CVE-2026-3466
Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 EOL, Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 beta before 2.5.0b3 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking...
BIT-PYTHON-MIN-2026-4519 webbrowser.open() allows leading dashes in URLs
The webbrowser.open API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open...
GHSA-7GMJ-H9XC-MCXC mailparser vulnerable to Cross-site Scripting
Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding an extra quote " to the URL with embedded...
PT-2026-6490
A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links...
CVE-2025-57665
Element Plus Link component el-link through 2.10.6 implements insufficient input validation for the href attribute, creating a security abstraction gap that obscures URL-based attack vectors. The component passes user-controlled href values directly to underlying anchor elements without protocol...
argocd: Improper URL Sanitization in Argo CD Repository Page Allows Cross-Site Scripting (XSS)
A flaw was found in Argo CD, where improper filtering of repository URLs in the UI allows JavaScript injection. A crafted javascript: link can lead to cross-site scripting when viewed by another user. This can result in unauthorized API actions via the victim's session...
CVE-2024-50579
In JetBrains YouTrack before 2024.3.47707, reflected XSS was possible due to insecure link sanitization...
Incomplete Filtering of Special Elements
Overview org.webjars.bower:angular is a bower WebJar for angular. Affected versions of this package are vulnerable to Incomplete Filtering of Special Elements due to improper sanitization of the href and xlink:href attributes in SVG elements. An attacker can bypass image source restrictions and...
EUVD-2024-44960
In JetBrains YouTrack before 2024.3.47707, reflected XSS was possible due to insecure link sanitization...
SUSE CVE-2018-5167
The web console and JavaScript debugger do not sanitize all output that can be hyperlinked. Both will display "chrome:" links as active, clickable hyperlinks in their output. Web sites should not be able to directly link to internal chrome pages. Additionally, the JavaScript debugger will display...
CVE-2022-2040
The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element URLs, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...
Cross-site Scripting (XSS)
dmn-js-properties-panel is vulnerable to cross-site scripting (XSS). The vulnerability exists due to the lack of sanitization of links...
CVE-2018-5167
The web console and JavaScript debugger do not sanitize all output that can be hyperlinked. Both will display "chrome:" links as active, clickable hyperlinks in their output. Web sites should not be able to directly link to internal chrome pages. Additionally, the JavaScript debugger will display...