16 matches found
CVE-2026-44515
A flaw was found in Nextcloud News. An authenticated attacker could exploit this by providing a malicious feed URL that points to internal or private network addresses. This action causes the Nextcloud server to perform server-side HTTP requests to attacker-controlled destinations without relayin...
CVE-2026-27974 Audiobookshelf Vulnerable to Stored XSS in WrappingMarquee.js via Audiobook Metadata (Mobile App Audio Player)
Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting XSS vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modificatio...
CVE-2025-58173
FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the language user configuration parameter, it's possible to call install.php and perform various administrative actions as an unprivileged user. These actions include logging in as the...
CVE-2025-31482 FreshRSS vulnerable to DoS by malicious feed entry loading logout URL
FreshRSS is a self-hosted RSS feed aggregator. A vulnerability in versions prior to 1.26.2 causes a user to be repeatedly logged out after fetching a malicious feed entry, effectively causing that user to suffer denial of service. Version 1.26.2 contains a patch for the issue...
CVE-2025-31482
CVE-2025-31482 – FreshRSS denial of service via logout. Affected: FreshRSS versions prior to 1.26.2. Vulnerability causes a user to be repeatedly logged out after fetching a malicious feed entry, effectively resulting in denial of service. Root cause details are not elaborated beyond the observe...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to a weak Content Security Policy on the /proxy/ route. An attacker can bypass the CSP of the media proxy and execute arbitrary JavaScript when opening external images in a new tab or window. Note: This is...
IkaIka RSS Reader vulnerable to cross-site scripting
Overview IkaIka RSS Reader contains a cross-site scripting vulnerability CWE-79, due to the improper processing of RSS registration. LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact If a malicio...
DEBIAN-CVE-2017-12980
DokuWiki through 2017-02-19c has stored XSS when rendering a malicious RSS or Atom feed, in /inc/parser/xhtml.php. An attacker can create or edit a wiki that uses RSS or Atom data from an attacker-controlled server to trigger JavaScript execution. The JavaScript can be in an author field, as...
CVE-2017-12980
DokuWiki through 2017-02-19c has stored XSS when rendering a malicious RSS or Atom feed, in /inc/parser/xhtml.php. An attacker can create or edit a wiki that uses RSS or Atom data from an attacker-controlled server to trigger JavaScript execution. The JavaScript can be in an author field, as...