135 matches found

OSV
added 2025/07/22 9:15 p.m. · 3 views

CVE-2025-51462

Stored Cross-site Scripting (XSS) vulnerability in api.apps.dialogapp.setdialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw...

6.1 CVSS · 6.3 AI score · 0.0018 EPSS
Exploits 1 · References 3

Github Security Blog
added 2025/07/20 4:36 p.m. · 11 views

Nuxt MDC has an XSS vulnerability in markdown rendering that bypasses HTML filtering

Summary: A remote script-inclusion / stored XSS vulnerability in @nuxtjs/mdc lets a Markdown author inject a element. The tag rewrites how all subsequent relative URLs are resolved, so an attacker can make the page load scripts, styles, or images from an external, attacker-controlled origin and...

8.3 CVSS · 5.4 AI score · 0.00333 EPSS
Exploits 0 · References 4 · Affected Software 1

OSV
added 2025/07/20 4:36 p.m. · 5 views

GHSA-CJ6R-RRR9-FG82 Nuxt MDC has an XSS vulnerability in markdown rendering that bypasses HTML filtering

Summary: A remote script-inclusion / stored XSS vulnerability in @nuxtjs/mdc lets a Markdown author inject a element. The tag rewrites how all subsequent relative URLs are resolved, so an attacker can make the page load scripts, styles, or images from an external, attacker-controlled origin and...

8.3 CVSS · 5.4 AI score · 0.00333 EPSS
Exploits 0 · References 4

CVE
added 2025/07/18 3:47 p.m. · 14 views

CVE-2025-54075

Summary: CVE-2025-54075 affects @nuxtjs/mdc (Nuxt MDC) before version 0.17.2, where Markdown rendering allows a remote script-inclusion / stored XSS via injecting a tag. The vulnerability rewrites how subsequent relative URLs are resolved, enabling loading of scripts, styles, or images from atta...

8.3 CVSS · 6.4 AI score · 0.00333 EPSS
Exploits 0 · References 2

Cvelist
added 2025/07/18 3:47 p.m. · 65 views

CVE-2025-54075 mdc vulnerable to XSS in markdown rendering bypassing HTML filter. (N°4)

MDC is a tool to take regular Markdown and write documents interacting deeply with a Vue component. Prior to version 0.17.2, a remote script-inclusion / stored cross-site scripting vulnerability in @nuxtjs/mdc lets a Markdown author inject a element. The tag rewrites how all subsequent relative...

8.3 CVSS · 0.00333 EPSS
Exploits 0 · References 2

RedhatCVE
added 2025/02/05 7:29 a.m. · 6 views

CVE-2024-23345

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that suppo...

7.1 CVSS · 5.7 AI score · 0.00412 EPSS
Exploits 0 · References 1

NVD
added 2024/12/09 10:15 p.m. · 10 views

CVE-2024-55601

Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below are not escaped in internal render hooks. Those who are impacted are Hugo users who do not trust their Markdown content files and are usin...

5.3 CVSS · 0.0038 EPSS
Exploits 0 · References 4

CNNVD
added 2024/12/09 12:00 a.m. · 1 views

Hugo cross-site scripting vulnerability

Hugo is a Go-based framework for rapid static site generation from the Gohugoio community. A cross-site scripting vulnerability exists in Hugo versions prior to 0.123.0 through 0.139.4, which stems from improperly escaping HTML attributes in certain Markdown in internal rendering hooks...

5.3 CVSS · 5.1 AI score · 0.0038 EPSS
Exploits 0 · References 4

Vulnrichment
added 2024/07/24 4:55 p.m. · 22 views

CVE-2024-41662 VNote vulnerable to Markdown XSS, which leads to RCE

VNote is a note-taking platform. A Cross-Site Scripting (XSS) vulnerability has been identified in the Markdown rendering functionality of versions 3.18.1 and prior of the VNote note-taking application. This vulnerability allows the injection and execution of arbitrary JavaScript code through which...

8.6 CVSS · 8 AI score · 0.12236 EPSS
Exploits 1 · References 2

Positive Technologies
added 2024/07/24 12:00 a.m. · 4 views

PT-2024-29491 · Vnote · Vnote

Name of the Vulnerable Software and Affected Versions: VNote versions 3.18.1 and prior. Description: A Cross-Site Scripting (XSS) vulnerability has been identified in the Markdown rendering functionality of the VNote note-taking application. This issue allows the injection and execution of arbitrary...

9.6 CVSS · 7.2 AI score · 0.12236 EPSS
Exploits 1 · References 8

Vulnrichment
added 2024/05/28 6:40 p.m. · 10 views

CVE-2024-36109 Cross-site Scripting with Markdown rendering in CoCalc

CoCalc is web-based software that enables collaboration in research, teaching, and scientific publishing. In affected versions the markdown parser allows tags to be included which execute when published. This issue has been addressed in commit 419862a9c9879c. Users are advised to upgrade. There a...

7.6 CVSS · 7.2 AI score · 0.00204 EPSS
Exploits 0 · References 2

Cvelist
added 2024/05/28 6:40 p.m. · 21 views

CVE-2024-36109 Cross-site Scripting with Markdown rendering in CoCalc

CoCalc is web-based software that enables collaboration in research, teaching, and scientific publishing. In affected versions the markdown parser allows tags to be included which execute when published. This issue has been addressed in commit 419862a9c9879c. Users are advised to upgrade. There a...

7.6 CVSS · 7.6 AI score · 0.00204 EPSS
Exploits 0 · References 2

Github Security Blog
added 2024/01/23 2:44 p.m. · 17 views

XSS potential in rendered Markdown fields (comments, description, notes, etc.)

Impact: All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted. Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including: - Circuit.comments - Cluster.comments - CustomField.description - Device.comments -...

7.1 CVSS · 6.1 AI score · 0.00412 EPSS
Exploits 0 · References 8 · Affected Software 1

NVD
added 2024/01/23 12:15 a.m. · 12 views

CVE-2024-23345

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that suppo...

7.1 CVSS · 6.4 AI score · 0.00412 EPSS
Exploits 0 · References 5

Prion
added 2024/01/23 12:15 a.m. · 20 views

Cross site scripting

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that suppo...

4.9 CVSS · 5.9 AI score · 0.00412 EPSS
Exploits 0 · References 5 · Affected Software 1

OSV
added 2024/01/23 12:15 a.m. · 15 views

PYSEC-2024-16

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that suppo...

5.4 CVSS · 5.2 AI score · 0.00412 EPSS
Exploits 0 · References 5

CVE
added 2024/01/22 11:14 p.m. · 199 views

CVE-2024-23345

Nautobot (Network Source of Truth and Network Automation Platform) versions prior to 1.6.10 and 2.1.2 are vulnerable to cross-site scripting (XSS) in any user-editable field that supports Markdown rendering due to inadequate input sanitization. The issue affects Markdown-enabled fields across the...

7.1 CVSS · 5.1 AI score · 0.00412 EPSS
Exploits 0 · References 5 · Affected Software 1

Cvelist
added 2024/01/22 11:14 p.m. · 16 views

CVE-2024-23345 Nautobot has XSS potential in rendered Markdown fields

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that suppo...

7.1 CVSS · 6.5 AI score · 0.00412 EPSS
Exploits 0 · References 5

NVD
added 2023/06/12 4:15 p.m. · 10 views

CVE-2023-35054

In JetBrains YouTrack before 2023.1.10518 stored XSS in a Markdown-rendering engine was possible...

5.4 CVSS · 4.7 AI score · 0.00052 EPSS
Exploits 0 · References 1

OSV
added 2023/06/12 4:15 p.m. · 1 views

CVE-2023-35054

In JetBrains YouTrack before 2023.1.10518 stored XSS in a Markdown-rendering engine was possible...

5.4 CVSS · 6.1 AI score
Exploits 0 · References 1