32 matches found
CVE-2026-55596
Plate is a rich-text editor with AI and shadcn/ui. From 53.0.0 until 53.1.4, the media embed renderer trusts serialized provider or sourceUrl metadata in useMediaState and skips parseMediaUrl protocol validation, allowing a crafted Plate document to set a known video provider while keeping url as...
CVE-2026-55596 Plate: Media embed provider metadata can bypass URL sanitization and execute iframe JavaScript
Plate is a rich-text editor with AI and shadcn/ui. From 53.0.0 until 53.1.4, the media embed renderer trusts serialized provider or sourceUrl metadata in useMediaState and skips parseMediaUrl protocol validation, allowing a crafted Plate document to set a known video provider while keeping url as...
CVE-2026-55596
Plate is a rich-text editor (with AI and shadcn/ui). Affects versions 53.0.0 through 53.1.4 where the media embed renderer trusts serialized provider or sourceUrl metadata in useMediaState and skips parseMediaUrl protocol validation. This allows a crafted Plate document to set a known video provi...
PT-2026-56579
Name of the Vulnerable Software and Affected Versions Plate versions 53.0.0 through 53.1.3 Description The media embed renderer trusts serialized provider or sourceUrl metadata in useMediaState and skips parseMediaUrl protocol validation. This allows a crafted document to specify a known video...
CVE-2026-54720
Silverstripe Framework (PHP) contains an XSS vulnerability in the CMS “Insert media from web” feature, exploitable via a specially crafted embed. The issue affects versions prior to 6.2.2 and is mitigated by upgrading to 6.2.2 or later. The vulnerability stems from the media embed handling and co...
CVE-2026-54720 Silverstripe Framework: Possible XSS attack through media embed
Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In versions prior to 6.2.2, the "Insert media from web" functionality in the CMS is vulnerable to XSS from a specially crafted embed. This issue was fixed in version 6.2.2/...
CVE-2026-54720 - XSS attack through media embed
More info at https://www.silverstripe.org/download/security-releases/cve-2026-54720...
EUVD-2023-32127
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2019-1010091
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The...
CVE-2023-28439
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages ...
USN-7258-1 ckeditor vulnerabilities
Kevin Backhouse discovered that CKEditor did not properly sanitize HTML content. An attacker could possibly use this issue to perform cross site scripting and obtain sensitive information. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS...
CVE-2024-40631 Cross-site Scripting (XSS) in media embed element when using custom URL parsers in plate media
Plate media is an open source, rich-text editor for React. Editors that use MediaEmbedElement and pass custom urlParsers to the useMediaState hook may be vulnerable to XSS if a custom parser allows javascript:, data: or vbscript: URLs to be embedded. Editors that do not use urlParsers and consume...
Plate Security Breach
Plate is a plugin system for Ziad Beyens individual developers to make it easier to build fully functional editors. Plate has a security vulnerability that stems from when the editor uses the MediaEmbedElement component and passes custom urlParsers via the useMediaState hook, if the custom parser...
Fedora 39 : ckeditor (2023-426b3a500d)
The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-426b3a500d advisory. - 4.22.0/4.22.1 - 4.21.0 - GHSA-vh5c-xwqv-cv9g / CVE-2023-28439 - 4.20.2 - 4.20.1 Tenable has extracted the preceding description block directly from the...
Fedora 38 : ckeditor (2023-79b5902a52)
The remote Fedora 38 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-79b5902a52 advisory. - 4.22.0/4.22.1 - 4.21.0 - GHSA-vh5c-xwqv-cv9g / CVE-2023-28439 - 4.20.2 - 4.20.1 Tenable has extracted the preceding description block directly from the...
Fedora 37 : ckeditor (2023-983ff03630)
The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-983ff03630 advisory. - 4.22.0/4.22.1 - 4.21.0 - GHSA-vh5c-xwqv-cv9g / CVE-2023-28439 - 4.20.2 - 4.20.1 Tenable has extracted the preceding description block directly from the...
The vulnerability of the Iframe Dialog and Media Embed functions in CKEditor’s WYSIWYG editor allows a hacker to execute arbitrary JavaScript code.
The vulnerability of the Iframe Dialog and Media Embed functions in the CKEditor WYSIWYG editor is related to the lack of measures taken to protect the structure of web pages. Exploiting this vulnerability allows a malicious actor to execute arbitrary JavaScript code remotely...
UBUNTU-CVE-2022-25276
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities...
CKEditor 4.x < 4.21 XSS Vulnerability - Linux
CKEditor 4 is prone to a cross-site scripting XSS vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
CVE-2023-28439
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages ...