
1399 matches found

Snyk, added 2025/09/22 3:40 p.m.

Cross-site Scripting (XSS)

Overview: ammonia is a whitelist-based HTML sanitization library. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the cleaning process when handling embedded svg or math tags. An attacker can execute arbitrary scripts in the context of the affected application by...

CVSS 6.3, AI score 5.5
Exploits: 0, References: 3
Github Security Blog, added 2025/09/22 3:40 p.m.

Ammonia incorrectly handles embedded SVG and MathML leading to mutation XSS after removal

Affected versions of this crate did not correctly strip namespace-incompatible tags in certain situations, causing it to incorrectly account for differences between HTML, SVG, and MathML. This vulnerability only has an effect when the svg or math tag is allowed, because it relies on a tag being...

AI score 6.9
Exploits: 0, References: 3, Affected software: 1
OSV, added 2025/09/16 9:33 a.m.

MAL-2025-47230 Malicious code in yoo-styles (npm)

Suspicious postinstall script executing bundle.js and a YARA rule match (unsignedbitwisemathexcess) strongly suggest malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 9b064ef82c07e5538a3269d44de4c6750b224f665f808a5099715143c8be21e4 Any computer that h...

AI score 6.9
Exploits: 0, References: 7
OSV, added 2025/09/16 9:32 a.m.

MAL-2025-47229 Malicious code in tbssnch (npm)

Package is likely malware. Suspicious postinstall script executes a file with excessive unsigned bitwise math, indicating potential malicious intent. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 3a3d97140873f47a4a2f00551bfb18c9257dcbfa870e93cfaa642c2e8a4bbb00 Any...

AI score 6.8
Exploits: 0, References: 7
OSSF Malicious Packages, added 2025/09/16 9:32 a.m.

Malicious code in tbssnch (npm)

Package is likely malware. Suspicious postinstall script executes a file with excessive unsigned bitwise math, indicating potential malicious intent. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 3a3d97140873f47a4a2f00551bfb18c9257dcbfa870e93cfaa642c2e8a4bbb00 Any...

AI score 6.8
Exploits: 0, References: 7
OSV, added 2025/09/16 9:31 a.m.

MAL-2025-47219 Malicious code in @operato/headroom (npm)

Suspicious postinstall script executing bundle.js and a YARA rule match (unsignedbitwisemathexcess) indicate malicious behavior. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 71e970ada08943ee1043ac40c48714a5f5c29ae9c3c5d925c6dbfff9bcc47719 Any computer that has this...

AI score 6.9
Exploits: 0, References: 7
OSV, added 2025/09/16 8:51 a.m.

BIT-PRESTASHOP-2024-36626

In PrestaShop 8.1.4, a NULL pointer dereference was identified in the math_round function within Tools.php...

CVSS 5.3, AI score 6.9, EPSS 0.00053
Exploits: 0, References: 4
OSV, added 2025/09/16 7:56 a.m.

MAL-2025-47228 Malicious code in remark-preset-lint-crowdstrike (npm)

Suspicious postinstall script executes a file with excessive bitwise math. Likely malware. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 165b629be2876c01b20135bbf391a92b4ae66e6645b8f390bcbb5373f8d43c5b Any computer that has this package installed or running should...

AI score 6.8
Exploits: 0, References: 8
OSSF Malicious Packages, added 2025/09/16 7:54 a.m.

Malicious code in eslint-config-crowdstrike-node (npm)

Suspicious postinstall script executing bundle.js with excessive bitwise math indicates malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 40d780d93001ede85edbf1e9b83f884f84ab20fc210cd34a95b114599c01387a Any computer that has this package installed ...

AI score 6.8
Exploits: 0, References: 8
OSV, added 2025/09/16 7:54 a.m.

MAL-2025-47227 Malicious code in eslint-config-crowdstrike-node (npm)

Suspicious postinstall script executing bundle.js with excessive bitwise math indicates malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 40d780d93001ede85edbf1e9b83f884f84ab20fc210cd34a95b114599c01387a Any computer that has this package installed ...

AI score 6.8
Exploits: 0, References: 8
OSV, added 2025/09/16 7:48 a.m.

MAL-2025-47218 Malicious code in @crowdstrike/logscale-parser-edit (npm)

Suspicious postinstall script executing bundle.js and bundle.js contains excessive unsigned bitwise math, indicating potential malware. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ff5e2fca0afc744f9b2cec20ddf740574c42864336447119ed7715555896bde9 Any computer that...

AI score 6.8
Exploits: 0, References: 8
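The six npm listings above (yoo-styles, tbssnch, @operato/headroom, remark-preset-lint-crowdstrike, eslint-config-crowdstrike-node and @crowdstrike/logscale-parser-edit) all cite the same two triage signals: an install-lifecycle script that executes a bundled file, and a file body dense with unsigned-shift and bitwise operators. The Node.js script below is an added example, not code from OSV, GHSA, the OSSF Malicious Packages project or any of those packages; it applies those two checks to an unpacked tarball. The package.json and file contents are constructed, the operator set and density threshold are assumptions, and it does not reproduce the YARA rule the listings name.

```javascript
// Added example (not from OSV, GHSA, OSSF or any listed package): heuristic
// triage of one npm package for an install hook that runs a bundled file and
// for a high density of bitwise/unsigned-shift operators in that file.
// The sample data below is constructed; the operator set and threshold are
// assumptions, not the referenced YARA rule's logic.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// One token per bitwise operator. && and || are listed before & and | so the
// logical operators are matched first and can be skipped, never mis-counted.
const BITWISE_TOKEN = />>>|>>|<<|&&|\|\||&|\||\^|~/g;

// Assumed threshold: bitwise tokens per 1,000 source characters above which
// the file is treated as a packed/obfuscated payload rather than normal code.
const DENSITY_THRESHOLD = 20;

function countBitwiseOps(source) {
  let count = 0;
  for (const m of source.matchAll(BITWISE_TOKEN)) {
    if (m[0] !== "&&" && m[0] !== "||") count += 1;
  }
  return count;
}

function bitwiseDensity(source) {
  if (!source.length) return 0;
  return (countBitwiseOps(source) / source.length) * 1000;
}

// Install-lifecycle hooks declared in package.json, with the local .js file
// each command appears to execute (null if the command names no such file).
function findInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const hooks = [];
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] !== "string") continue;
    const command = scripts[hook];
    const m = command.match(/(?:^|\s)(?:\.\/)?([\w./-]+\.(?:js|cjs|mjs))(?=\s|$)/);
    hooks.push({ hook, command, target: m ? m[1] : null });
  }
  return hooks;
}

// files: map of relative path -> contents of the unpacked tarball.
// A hook alone is a reason to read the script; a hook whose target is
// operator-dense is the combination treated here as likely malware.
function triagePackage(pkg, files) {
  const reasons = [];
  const hooks = findInstallHooks(pkg).map((h) => {
    const src = h.target ? files[h.target] : undefined;
    const ops = src ? countBitwiseOps(src) : 0;
    const density = src ? bitwiseDensity(src) : 0;
    reasons.push(`${h.hook} hook runs: ${h.command}`);
    if (h.target && !src) reasons.push(`${h.hook} target ${h.target} not in tarball`);
    if (density > DENSITY_THRESHOLD) {
      reasons.push(`${h.target}: ${ops} bitwise ops, density ${density.toFixed(1)}/1k chars`);
    }
    return { ...h, bitwiseOps: ops, density };
  });
  const flagged = hooks.some((h) => h.density > DENSITY_THRESHOLD);
  return { name: pkg.name, hooks, flagged, reasons };
}

// Constructed sample: a hypothetical package whose postinstall hook runs a
// bundled file; neither the name nor the contents come from any real package.
const SAMPLE_PACKAGE_JSON = {
  name: "example-hijacked-pkg",
  version: "1.0.1",
  scripts: { postinstall: "node bundle.js", test: "jest" },
};
const SAMPLE_FILES = {
  "bundle.js":
    "var a=0x1f3a;var k=(a^0x5c)>>>3|(a<<7)&0xffffffff;var s=~k^(k>>>13);if(a&&k||s){s=s>>1}",
  "index.js": "module.exports = function add(a, b) { return a + b; };",
};

console.log(JSON.stringify(triagePackage(SAMPLE_PACKAGE_JSON, SAMPLE_FILES), null, 2));
```

To use it on a real package, replace SAMPLE_FILES with the files read from the unpacked tarball (npm pack, then extract) and feed the parsed package.json to triagePackage; the density threshold will need tuning against legitimately minified dependencies, which also use bitwise operators, so treat a flag as a reason to read the script rather than a verdict.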
OSV, added 2025/09/15 2:37 p.m.

CLSA-2025-1757947030 nettle: Fix of CVE-2018-16869

Port side-channel silent functions from 3.4.1. Partial fix for CVE-2018-16869 - CVE-2018-16869: Add side-channel silent memory, math, PKCS1, RSA functions - Added tests for side-channel silent implementations...

CVSS 5.7, AI score 6.1, EPSS 0.00106
Exploits: 0, References: 1
RedhatCVE, added 2025/09/12 4:32 p.m.

CVE-2025-59035

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior to version 3.3.8, there is a Cross-Site-Scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions. Users should update to Indico 3.3.8 as...

CVSS 5.4, AI score 7.2, EPSS 0.00044
Exploits: 0, References: 1
Patchstack, added 2025/09/11 6:57 p.m.

WordPress Rank Math SEO plugin <= 1.0.252.1 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by Abu Hurayra in WordPress Plugin Rank Math SEO versions <= 1.0.252.1...

CVSS 4.3, AI score 7, EPSS 0.00038
Exploits: 0, Affected software: 1
Patchstack, added 2025/09/11 6:29 p.m.

WordPress Rank Math SEO plugin <= 1.0.252.1 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Abu Hurayra in WordPress Plugin Rank Math SEO versions <= 1.0.252.1...

CVSS 3.8, AI score 7, EPSS 0.00048
Exploits: 0, Affected software: 1
OSV, added 2025/09/10 8:28 p.m.

GHSA-7CF7-9WRR-VRF4 Indico vulnerable to Cross-Site Scripting via LaTeX math code

Impact: There is a Cross-Site-Scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions. Patches: You should update to Indico 3.3.8 as soon as possible. See the docs for instructions on how to update. Workarounds: Only let trustworthy users create content on...

CVSS 4.6, AI score 7.2, EPSS 0.00044
Exploits: 0, References: 4
Github Security Blog, added 2025/09/10 8:28 p.m.

Indico vulnerable to Cross-Site Scripting via LaTeX math code

Impact: There is a Cross-Site-Scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions. Patches: You should update to Indico 3.3.8 as soon as possible. See the docs for instructions on how to update. Workarounds: Only let trustworthy users create content on...

CVSS 5.4, AI score 7.1, EPSS 0.00044
Exploits: 0, References: 4, Affected software: 1
CVE, added 2025/09/10 4:03 p.m.

CVE-2025-59035

CVE-2025-59035 — Indico XSS via LaTeX math rendering : Multiple sources (NVD, Red Hat, OSV, GHSA advisories, Snyk) confirm a Cross-Site Scripting vulnerability in Indico prior to version 3.3.8, triggered when rendering LaTeX math code in contribution or abstract descriptions. A fixed release is I...

CVSS 5.4, AI score 6.6, EPSS 0.00044
Exploits: 0, References: 2, Affected software: 1
Cvelist, added 2025/09/10 4:03 p.m.

CVE-2025-59035 Indico vulnerable to Cross-Site Scripting via LaTeX math code

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior to version 3.3.8, there is a Cross-Site-Scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions. Users should update to Indico 3.3.8 as...

CVSS 4.6, EPSS 0.00044
Exploits: 0, References: 2
Vulnrichment, added 2025/09/10 4:03 p.m.

CVE-2025-59035 Indico vulnerable to Cross-Site Scripting via LaTeX math code

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior to version 3.3.8, there is a Cross-Site-Scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions. Users should update to Indico 3.3.8 as...

CVSS 4.6, AI score 6.9, EPSS 0.00044
Exploits: 0, References: 2