Lucene search
K

62 matches found

NVD
NVD
added 6 days ago7 views

CVE-2026-59887

linkify-it is a links recognition library with full Unicode support. Prior to 5.0.2, the mailto: schema validator used by .test and .match can be invoked at every mailto: occurrence and scan the remaining input through srcemailname in lib/re.mjs, causing On^2 CPU consumption on crafted user text...

7.5CVSS0.00346EPSS
Exploits0References3
Cvelist
Cvelist
added 6 days ago36 views

CVE-2026-59887 linkify-it: Quadratic-complexity DoS via the `mailto:` validator scan-loop on attacker text

linkify-it is a links recognition library with full Unicode support. Prior to 5.0.2, the mailto: schema validator used by .test and .match can be invoked at every mailto: occurrence and scan the remaining input through srcemailname in lib/re.mjs, causing On^2 CPU consumption on crafted user text...

7.5CVSS0.00346EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 6 days ago5 views

CVE-2026-59887

linkify-it is a links recognition library with full Unicode support. Prior to 5.0.2, the mailto: schema validator used by .test and .match can be invoked at every mailto: occurrence and scan the remaining input through srcemailname in lib/re.mjs, causing On^2 CPU consumption on crafted user text...

7.5CVSS5.9AI score0.00346EPSS
Exploits0References4Affected Software1
Circl
Circl
added 2026/06/26 10:35 p.m.5 views

CVE-2026-48801

creationtimestamp| type| source ---|---|--- 2026-06-26 22:35:32+00:00| published-proof-of-concept| https://github.com/markdown-it/linkify-it/security/advisories/GHSA-22p9-wv53-3rq4...

5.8AI score
Exploits0References1
OSV
OSV
added 2026/06/26 8:47 p.m.3 views

GHSA-22P9-WV53-3RQ4 LinkifyIt#match scan loop has quadratic algorithmic complexity

Summary LinkifyIt.prototype.match — the package's primary public API — has ON² algorithmic complexity for inputs containing many fuzzy links or emails. This is not a regex backtrack bug; it's a structural issue in the JS-level scan loop that re-slices the input and re-runs unanchored regex search...

8.7CVSS5.8AI score
Exploits0References2
NVD
NVD
added 2026/04/21 4:16 p.m.5 views

CVE-2026-40565

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters " in the URL. HTMLPurifier called first via...

6.1CVSS0.00199EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/21 3:52 p.m.5 views

CVE-2026-40565 FreeScout has Stored XSS / CSS Injection via linkify() — Unescaped URL in Anchor href

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters " in the URL. HTMLPurifier called first via...

6.1CVSS5.9AI score0.00199EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/21 3:52 p.m.4 views

CVE-2026-40565

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters " in the URL. HTMLPurifier called first via...

6.1CVSS5.9AI score0.00199EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2026/04/21 3:52 p.m.5 views

EUVD-2026-24141

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters " in the URL. HTMLPurifier called first via...

6.1CVSS5.9AI score0.00199EPSS
Exploits0References3
CVE
CVE
added 2026/04/21 3:52 p.m.14 views

CVE-2026-40565

FreeScout vulnerability CVE-2026-40565 affects versions prior to 1.8.213. The issue occurs in linkify() (app/Misc/Helper.php): plain-text URLs in email bodies are converted to HTML anchor tags without escaping double-quote (") characters, and because HTMLPurifier runs first via getCleanBody(), th...

6.1CVSS5.9AI score0.00199EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/04/21 3:52 p.m.37 views

CVE-2026-40565 FreeScout has Stored XSS / CSS Injection via linkify() — Unescaped URL in Anchor href

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters " in the URL. HTMLPurifier called first via...

6.1CVSS0.00199EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/04/21 12:0 a.m.15 views

FreeScout 安全漏洞

FreeScout is a lightweight and powerful free open-source help desk and shared inbox built using PHP Laravel framework by FreeScout Inc. Versions of FreeScout prior to 1.8.213 contained security vulnerabilities. These vulnerabilities stemmed from the linkify function in app/Misc/Helper.php, which...

6.1CVSS5.9AI score0.00199EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.9 views

PT-2026-33996

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters " in the URL. HTMLPurifier called first via...

6.1CVSS5.9AI score0.00199EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/02/12 6:30 a.m.10 views

markdown-it is has a Regular Expression Denial of Service (ReDoS)

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service ReDoS due to the use of the regex /+$/ in the linkify function. An attacker can supply a long sequence of characters followed by a non-matching character, which triggers...

7.5CVSS5.5AI score0.00503EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/02/12 6:30 a.m.11 views

GHSA-38C4-R59V-3VQW markdown-it is has a Regular Expression Denial of Service (ReDoS)

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service ReDoS due to the use of the regex /+$/ in the linkify function. An attacker can supply a long sequence of characters followed by a non-matching character, which triggers...

6.9CVSS5.9AI score0.00503EPSS
Exploits0References6
NVD
NVD
added 2026/02/12 6:16 a.m.5 views

CVE-2026-2327

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service ReDoS due to the use of the regex /+$/ in the linkify function. An attacker can supply a long sequence of characters followed by a non-matching character, which triggers...

7.5CVSS0.00503EPSS
Exploits0References4
UbuntuCve
UbuntuCve
added 2026/02/12 6:16 a.m.10 views

CVE-2026-2327

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service ReDoS due to the use of the regex /+$/ in the linkify function. An attacker can supply a long sequence of characters followed by a non-matching character, which triggers...

7.5CVSS5.9AI score0.00503EPSS
Exploits0References5
OSV
OSV
added 2026/02/12 6:16 a.m.4 views

UBUNTU-CVE-2026-2327

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service ReDoS due to the use of the regex /+$/ in the linkify function. An attacker can supply a long sequence of characters followed by a non-matching character, which triggers...

7.5CVSS5.8AI score0.00503EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/02/12 5:0 a.m.3 views

CVE-2026-2327

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service ReDoS due to the use of the regex /+$/ in the linkify function. An attacker can supply a long sequence of characters followed by a non-matching character, which triggers...

6.9CVSS5.5AI score0.00503EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/02/12 5:0 a.m.6 views

CVE-2026-2327

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service ReDoS due to the use of the regex /+$/ in the linkify function. An attacker can supply a long sequence of characters followed by a non-matching character, which triggers...

6.9CVSS5.5AI score0.00503EPSS
Exploits0References5
Rows per page
Query Builder