CVE-2026-4995

wandb OpenUI up to version 1.0 is affected. The vulnerability targets the Window Message Event Handler in frontend/public/annotator/index.html, enabling cross-site scripting. Exploitation can be performed remotely, and the exploit has been publicly disclosed. The vendor was contacted early but di...

CVE-2026-4995 wandb OpenUI Window Message Event index.html cross site scripting

A vulnerability was determined in wandb OpenUI up to 1.0. Affected by this vulnerability is an unknown functionality of the file frontend/public/annotator/index.html of the component Window Message Event Handler. This manipulation causes cross site scripting. The attack can be initiated remotely...

CVE-2026-4995 wandb OpenUI Window Message Event index.html cross site scripting

A vulnerability was determined in wandb OpenUI up to 1.0. Affected by this vulnerability is an unknown functionality of the file frontend/public/annotator/index.html of the component Window Message Event Handler. This manipulation causes cross site scripting. The attack can be initiated remotely...

CVE-2022-42960

EqualWeb Accessibility Widget 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.10, 3.0.0, 3.0.1, 3.0.2, 4.0.0, and 4.0.1 allows DOM XSS due to improper validation of message events to accessibility.js...

Imperva Red Team Discovers Vulnerability in TikTok That Can Reveal User Activity and Information

TL;DR The Imperva Red Team discovered a vulnerability in TikTok, a popular social media platform with more than one billion users worldwide, that could allow attackers to monitor users activity on both mobile and desktop devices. This vulnerability, which has now been fixed, was caused by a windo...

SUSE CVE-2015-5827

WebKit in Apple iOS before 9 allows remote attackers to bypass the Same Origin Policy and obtain an object reference via vectors involving a 1 custom event, 2 message event, or 3 pop state event...

CVE-2022-42960

EqualWeb Accessibility Widget 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.10, 3.0.0, 3.0.1, 3.0.2, 4.0.0, and 4.0.1 allows DOM XSS due to improper validation of message events to accessibility.js...

Shopify: Admin bar: Incomplete message origin validation results in XSS

This issue is very similar to https://hackerone.com/reports/381192, identical logic in a different script. The JavaScript code at https://cdn.shopify.com/s/assets/storefront/bars/adminbarinjector-7461c2cab955bf9ef3df40acd10741df8c4e27c86d9dc323f65a4e786a1786f2.js loaded by the shop front when the...

UBUNTU-CVE-2015-5827

WebKit in Apple iOS before 9 allows remote attackers to bypass the Same Origin Policy and obtain an object reference via vectors involving a 1 custom event, 2 message event, or 3 pop state event...

Design/Logic Flaw

WebKit in Apple iOS before 9 allows remote attackers to bypass the Same Origin Policy and obtain an object reference via vectors involving a 1 custom event, 2 message event, or 3 pop state event...