CVE-2026-41063

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's ParsedownSafeWithLinks class overrides inlineMarkup for raw HTML but does not override inlineLink or inlineUrlTag, allowing javascript: URLs in markdown link syntax to bypass sanitization...

ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface

Cybersecurity researchers have disclosed details of a vulnerability in OpenAI ChatGPT that leverages the artificial intelligence AI assistant's implicit trust in Markdown links and images to trigger prompt injections and open the door to phishing attacks. The technique has been codenamed ChatGPhi...

CVE-2026-43899 DeepChat: Incomplete Fix for CVE-2025-55733 leads to Remote Code Execution via Markdown Links bypassing `isValidExternalUrl`

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, An incomplete mitigation for CVE-2025-55733 leaves DeepChat vulnerable to an arbitrary protocol execution bypass RCE. While the patch correctly restricted...

CVE-2026-43899

DeepChat (open-source AI agent platform) has a CVE-2026-43899 stating an incomplete fix for CVE-2025-55733 prior to v1.0.4-beta.1. The issue: mitigation restricted api.openExternal() in renderer preload/index.ts but did not sanitize native Electron pop-up window handlers, allowing a compromised A...

CVE-2026-43899 DeepChat: Incomplete Fix for CVE-2025-55733 leads to Remote Code Execution via Markdown Links bypassing `isValidExternalUrl`

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, An incomplete mitigation for CVE-2025-55733 leaves DeepChat vulnerable to an arbitrary protocol execution bypass RCE. While the patch correctly restricted...

Cross-site Scripting (XSS)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering process of the pending user overlay content due to improper sanitization order. An attacker can execute arbitrary JavaScript in the browser context of affected users ...

CVE-2026-41063

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's ParsedownSafeWithLinks class overrides inlineMarkup for raw HTML but does not override inlineLink or inlineUrlTag, allowing javascript: URLs in markdown link syntax to bypass sanitization...

CVE-2026-41063 WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS)

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's ParsedownSafeWithLinks class overrides inlineMarkup for raw HTML but does not override inlineLink or inlineUrlTag, allowing javascript: URLs in markdown link syntax to bypass sanitization...

CVE-2026-41063 WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS)

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's ParsedownSafeWithLinks class overrides inlineMarkup for raw HTML but does not override inlineLink or inlineUrlTag, allowing javascript: URLs in markdown link syntax to bypass sanitization...

CVE-2026-41063

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's ParsedownSafeWithLinks class overrides inlineMarkup for raw HTML but does not override inlineLink or inlineUrlTag, allowing javascript: URLs in markdown link syntax to bypass sanitization...

CVE-2026-41063

CVE-2026-33500 / CVE-2026-41063 (AVideo) : In versions up to 26.0, WWBN AVideo’s custom ParsedownSafeWithLinks sanitizes raw HTML but does not override inlineLink() and inlineUrlTag() in the base Parsedown, so markdown links using [text](javascript:…) or bypass sanitization. Public docs confirm ...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the MarkdownBody class, where user-supplied markdown content is rendered without proper URL sanitization due to an overridden urlTransform function. An attacker can execute arbitrary JavaScript in the context...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the MarkdownBody class, where user-supplied markdown content is rendered without proper URL sanitization due to an overridden urlTransform function. An attacker can execute arbitrary JavaScript in the context...

GHSA-M7R8-6Q9J-M2HC WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS

Summary The incomplete XSS fix in AVideo's ParsedownSafeWithLinks class overrides inlineMarkup for raw HTML but does not override inlineLink or inlineUrlTag, allowing javascript: URLs in markdown link syntax to bypass sanitization. Affected Package - Ecosystem: Other - Package: AVideo - Affected...

Cross-site Scripting (XSS)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting XSS in the ParsedownSafeWithLinks process. An attacker can execute arbitrary JavaScript in the context of another user's browser session by...

WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS

Summary The incomplete XSS fix in AVideo's ParsedownSafeWithLinks class overrides inlineMarkup for raw HTML but does not override inlineLink or inlineUrlTag, allowing javascript: URLs in markdown link syntax to bypass sanitization. Affected Package - Ecosystem: Other - Package: AVideo - Affected...

Vikunja has HTML Injection via Task Titles in Overdue Email Notifications

Summary Task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday which allows and tags, injected Markdown constructs produce phishing links and tracking pixels in...

GHSA-45Q4-X4R9-8FQJ Vikunja has HTML Injection via Task Titles in Overdue Email Notifications

Summary Task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday which allows and tags, injected Markdown constructs produce phishing links and tracking pixels in...

CVE-2026-35166

Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in...

CVE-2026-35166

Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in...