PT-2026-42666

Summary A cross-site scripting XSS vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including tags—is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution ...

EUVD-2026-30835

The /api/v1/autotranslate.translateMessage endpoint in versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12 allows any authenticated user to retrieve the full content of any message from any room private groups, direct messages, channels by simply providing the target message ID...

Remote Code Execution (RCE)

tinacms is vulnerable to remote code execution. The vulnerability is due to improper handling of markdown content using the gray-matter package, which allows an attacker to execute arbitrary code by injecting malicious content into processed markdown files such as blog posts...

CVE-2026-0969

The CVE-2026-0969 issue stems from the serialize function used to compile MDX in next-mdx-remote, with insufficient sanitization enabling arbitrary code execution in React server-side rendering of untrusted MDX content. The description provides a CVSSv3.1 base score of 8.8 (HIGH) and a network at...

CVE-2024-2651

An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. It was possible for an attacker to cause a denial of service using maliciously crafted markdown content...

CVE-2025-68278

Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cl...

CVE-2025-68278

Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cl...

CVE-2025-68278 tinacms vulnerable to arbitrary code execution

Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cl...

CVE-2025-68278 tinacms vulnerable to arbitrary code execution

Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cl...

CVE-2025-68278 tinacms vulnerable to arbitrary code execution

Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cl...

PT-2025-52257

Name of the Vulnerable Software and Affected Versions Tina versions prior to 3.1.1 Description Tina is a headless content management system. Versions of Tina prior to 3.1.1 improperly utilize the gray-matter package, potentially allowing attackers who control the content of markdown files—such as...

Improper Input Validation

mkdocs-include-markdown-plugin is vulnerable to improper input validation. The vulnerability is due to unvalidated input colliding with substitution placeholders, which allows an attacker to manipulate included Markdown content and potentially inject or alter data...

ExploitReport

The Exploit Report — Portfolio React A single-page React si...

PT-2025-35094

Name of the Vulnerable Software and Affected Versions: lychee link checking action versions prior to 2.0.2 Description: The GitHub Action variable inputs.lycheeVersion can be used to execute arbitrary code in the context of the action. This can potentially compromise the security of the target...

Stored Cross-site Scripting (XSS)

File Browser is vulnerable to Stored Cross-Site Scripting XSS. The vulnerability is due to improper sanitization of Markdown content, allowing JavaScript code in uploaded Markdown files to be executed by the browser...

CVE-2024-54138

NuGet Gallery is a package repository that powers nuget.org. The NuGetGallery has a security vulnerability related to its handling of autolinks in Markdown content. While the platform properly filters out JavaScript from standard links, it does not adequately sanitize autolinks. This oversight...

CVE-2019-19619

domain/section/markdown/markdown.go in Documize before 3.5.1 mishandles untrusted Markdown content. This was addressed by adding the bluemonday HTML sanitizer to defend against XSS...

CVE-2025-46558 org.xwiki.contrib.markdown:syntax-markdown-commonmark12 vulnerable to XSS via Markdown content

XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown. In versions starting from 8.2 to before 8.9, the Markdown syntax is vulnerable to cross-site scripting XSS through HTML. In particular, using Markdown syntax, it's possible for...

CVE-2025-46558 org.xwiki.contrib.markdown:syntax-markdown-commonmark12 vulnerable to XSS via Markdown content

XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown. In versions starting from 8.2 to before 8.9, the Markdown syntax is vulnerable to cross-site scripting XSS through HTML. In particular, using Markdown syntax, it's possible for...

Stored Cross-site Scripting (XSS)

Piranha is vulnerable to stored cross-site scripting XSS. The vulnerability is due to improper sanitization of user-provided input in markdown content, allowing malicious JavaScript to be stored and executed in a user's web browser...