GHSA-3GXM-WFJX-M847 beets has a Cross-site Scripting vulnerability

During code logic analyis, an area that may lead to unintended behavior under specific conditions was discovered. Overview - Verified Version: 80cd21554124da07d17a4f962c7d770a4f70d0f2 - Vulnerability Type: Stored XSS - Affected Location: beetsplug/web/templates/index.html:42 - Trigger Scenario:...

beets has a Cross-site Scripting vulnerability

During code logic analyis, an area that may lead to unintended behavior under specific conditions was discovered. Overview - Verified Version: 80cd21554124da07d17a4f962c7d770a4f70d0f2 - Vulnerability Type: Stored XSS - Affected Location: beetsplug/web/templates/index.html:42 - Trigger Scenario:...

Cross-site Scripting (XSS)

Overview beets is a media library management system for obsessive music geeks. Affected versions of this package are vulnerable to Cross-site Scripting XSS through the included index.html template. An attacker can execute scripts in a victim’s browser by supplying crafted music metadata fields su...

CVE-2026-33005

Apache OpenMeetings is affected by an Improper Handling of Insufficient Privileges vulnerability. A registered user can query the web service with their credentials and retrieve metadata (e.g., id, type, name, and other FileItemDTO fields) for files and sub-folders of any folder by ID, with no co...

CVE-2026-33664

Kestra 1.x (up to 1.3.3) is vulnerable to Stored Cross-Site Scripting in Markdown-based YAML flow metadata. The issue arises when user-supplied flow YAML fields—specifically description, inputs[].displayName, and inputs[].description—are rendered by Markdown.vue with html: true and then injected ...

CVE-2026-33664 Kestra Vulnerable to Stored Cross-Site Scripting via Flow YAML Fields

Kestra is an open-source, event-driven orchestration platform Versions up to and including 1.3.3 render user-supplied flow YAML metadata fields — description, inputs.displayName, inputs.description — through the Markdown.vue component instantiated with html: true. The resulting HTML is injected...

SUSE CVE-2026-30934

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields e.g., title, description that are rendered into HTML for /public/share/ without context-aware escaping. The server uses text/template instead ...

CVE-2018-12304

Cross-site scripting in Application Manager in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via multiple application metadata fields: Short Description, Publisher Name, Publisher Contact, or Website URL...

Cross-Site Scripting (XSS)

getgrav/grav is vulnerable to Stored Cross-Site Scripting XSS. The vulnerability is due to insufficient input validation in the /admin/pages/page endpoint, which allows an attacker to inject malicious scripts into page metadata and taxonomy fields that are stored and executed when the page is...

CVE-2025-62430

ClipBucket v5 is an open source video sharing platform. ClipBucket v5 through build 5.5.2 145 allows stored cross-site scripting XSS in multiple video and photo metadata fields. For videos the Tags field and the Genre, Actors, Producer, Executive Producer, and Director fields in Movieinfos accept...

CVE-2025-62430

ClipBucket v5.x stores XSS via metadata fields in videos and photos. Specifically, builds up to 5.5.2 #145 allow stored XSS in video fields (Tags; Genre, Actors, Producer, Executive Producer, Director in Movieinfos) and photo fields (Photo Title and Photo Tags) when edited by a user, with the scr...

EUVD-2025-34915

ClipBucket v5 is an open source video sharing platform. ClipBucket v5 through build 5.5.2 145 allows stored cross-site scripting XSS in multiple video and photo metadata fields. For videos the Tags field and the Genre, Actors, Producer, Executive Producer, and Director fields in Movieinfos accept...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the rendering of user-supplied metadata fields such as title, description, subject, and others. An attacker can execute arbitrary HTML or JavaScript in the context of a user's browser by injecting malicious...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the rendering of user-supplied metadata fields such as title, description, subject, and others. An attacker can execute arbitrary HTML or JavaScript in the context of a user's browser by injecting malicious...

EUVD-2018-4278

Malware in sbrugna...

EUVD-2024-26043

Malicious code in bioql PyPI...

Cross site scripting

Cross-site scripting in Application Manager in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via multiple application metadata fields: Short Description, Publisher Name, Publisher Contact, or Website URL...

CVE-2018-12304

Cross-site scripting in Application Manager in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via multiple application metadata fields: Short Description, Publisher Name, Publisher Contact, or Website URL...

CVE-2018-12304

Cross-site scripting in Application Manager in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via multiple application metadata fields: Short Description, Publisher Name, Publisher Contact, or Website URL...

Deja-XNU

Posted by Ian Beer, Google Project Zero This blog post revisits an old bug found by Pangu Team and combines it with a new, albeit very similar issue I recently found to try to build a "perfect" exploit for iOS 7.1.2. State of the art An idea I've wanted to play with for a while is to revisit old...