CVE-2026-34479
The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log...
Rails has a possible XSS vulnerability in its Action View tag helpers
Impact When a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Application...
CVE-2026-25582 iccDEV vulnerable to Heap Buffer Overflow in CIccIO::WriteUInt16Float()
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a heap buffer overflow read vulnerability in CIccIO::WriteUInt16Float when converting malformed XML to ICC profiles via...
EUVD-2026-3700
ImageMagick has a Memory Leak in LoadOpenCLDeviceBenchmark when parsing malformed XML...
ROS-20251111-05
The vulnerability in the Ruby REXML XML toolkit is related to the fact that the application does not properly control the internal resource consumption when analyzing malformed XML code containing multiple XML declarations. Exploitation of the vulnerability could allow an attacker to cause a deni...
EUVD-2025-29746
Malicious code in bioql PyPI...
DEBIAN-CVE-2023-43665
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars and words methods when used with html=True are subject to a potential DoS denial of service attack via certain inputs with very long, potentially malformed HTML text. The chars and words...
SUSE CVE-2007-0451
Apache SpamAssassin before 3.1.8 allows remote attackers to cause a denial of service via long URLs in malformed HTML, which triggers "massive memory usage."...
USN-5638-1 expat vulnerability
Rhodri James discovered that Expat incorrectly handled memory when processing certain malformed XML files. An attacker could possibly use this issue to cause a crash or execute arbitrary code...
nekohtml resource management error vulnerability
nekohtml is a simple HTML scanner and tag compensator. A resource management error vulnerability exists in nekohtml, which stems from the fact that "org.cyberneko.html", used by the Nokogiri Rubygem, throws a "java.lang.OutOfMemoryError" exception when parsing malformed HTML markup...
CKEditor cross-site scripting vulnerability
CKEditor is an open source, web-based text editor. A cross-site scripting vulnerability exists in ckeditor that allows injection of malformed fake object HTML, which could lead to the execution of JavaScript code...
CKEditor cross-site scripting vulnerability
CKEditor is an open source, web-based text editor. A cross-site scripting vulnerability exists in ckeditor that allows a user to abuse the undo function using malformed HTML, which could lead to the execution of JavaScript code...
business-central: Reflected XSS in artifact upload error message
JBoss BRMS 6 and BPM Suite 6 are vulnerable to a reflected XSS via artifact upload. A malformed XML file, if uploaded, causes an error message to appear that includes part of the bad XML code verbatim without filtering out scripts. Successful exploitation would allow execution of script code with...
rubygem-actionpack: XSS Vulnerability in strip_tags
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup...
DEBIAN-CVE-2012-3465
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup...
CVE-2012-3465
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup...
DEBIAN-CVE-2011-1157
Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) 5.x before 5.0.1 allows remote attackers to inject arbitrary web script or HTML via malformed XML comments...
DEBIAN-CVE-2008-2956
Memory leak in Pidgin 2.0.0, and possibly other versions, allows remote attackers to cause a denial of service (memory consumption) via malformed XML documents. NOTE: this issue has been disputed by the upstream vendor, who states: "I was never able to identify a scenario under which a problem...
security flaw
Apache SpamAssassin before 3.1.8 allows remote attackers to cause a denial of service via long URLs in malformed HTML, which triggers "massive memory usage."...