13 matches found
CVE-2026-27568
WWBN AVideo (open source video platform) is affected prior to version 21.0 by CVE-2026-27568, where Markdown in video comments processed by Parsedown v1.7.4 without Safe Mode allows javascript: URIs to be rendered as links. An authenticated low-privilege attacker can post a malicious comment whos...
CVE-2026-27568 AVideo has Stored Cross-Site Scripting via Markdown Comment Injection
WWBN AVideo is an open source video platform. Prior to version 21.0, AVideo allows Markdown in video comments and uses Parsedown v1.7.4 without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing javascript: URIs to be rendered as clickable links. An authenticated...
CVE-2026-27568 AVideo has Stored Cross-Site Scripting via Markdown Comment Injection
WWBN AVideo is an open source video platform. Prior to version 21.0, AVideo allows Markdown in video comments and uses Parsedown v1.7.4 without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing javascript: URIs to be rendered as clickable links. An authenticated...
AVideo has Stored Cross-Site Scripting via Markdown Comment Injection
Vulnerability Type: Stored Cross-Site Scripting (XSS), CWE-79. Affected Product/Versions: AVideo 18.0. Root Cause Summary: AVideo allows Markdown in video comments and uses Parsedown v1.7.4 without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing javascript: URIs to be...
EUVD-2021-27294
Malware in sbrugna...
EUVD-2024-2136
Malicious code in bioql PyPI...
CVE-2024-38527
CVE-2024-38527 affects ZenUML, a JavaScript-based diagram tool that renders Markdown-inspired diagram definitions. The vulnerability arises from unsanitized Markdown comments in the ZenUML diagram syntax, allowing attacker-controlled comments to trigger Cross-site Scripting (XSS) when diagrams ar...
DjangoBlog Cross-Site Scripting Vulnerability
DjangoBlog is a blogging system based on Django. DjangoBlog suffers from a cross-site scripting vulnerability that stems from the use of Markdown comments leading to XSS...
PortlandLabs Concrete CMS Cross-Site Scripting Vulnerability (CNVD-2021-76090)
PortlandLabs Concrete Cms is a team-oriented open source content management system from PortlandLabs, Inc. PortlandLabs Concrete CMS 8.5.5 and earlier has a cross-site scripting vulnerability that an attacker could exploit via the "Markdown Comments" field...
CVE-2021-40105
An issue was discovered in Concrete CMS through 8.5.5. There is XSS via Markdown Comments...
CVE-2021-40105
Concrete CMS up to version 8.5.5 is affected by a cross-site scripting (XSS) vulnerability via the Markdown Comments field. The root cause is improper sanitization/display handling in Markdown Comments, enabling an attacker to inject script through that field. Impact is described as XSS (no expli...
PortlandLabs Concrete Cms Cross-Site Scripting Vulnerability
PortlandLabs Concrete Cms is a team-oriented open source content management system from PortlandLabs, Inc. PortlandLabs Concrete CMS 8.5.5 and earlier has a cross-site scripting vulnerability that an attacker could exploit via the "Markdown Comments" field...
Leanote Cross-Site Scripting Vulnerability
Leanote is an open source notepad application. A cross-site scripting vulnerability exists in Leanote 2.5 and earlier versions, which stems from the program failing to filter input in markdown comments. A remote attacker can use this vulnerability to inject arbitrary web script or HTML...